The PDPO defines personal data as any data that can be used to identify an individual, whether it is in a form that can be directly or indirectly associated with him or her. It also covers any data that can be used to verify an individual’s identity. The PDPO prohibits the collection, holding, processing or use of personal data that is not in accordance with its provisions, unless an exception is met. Some of the most common exemptions include safeguarding the security of Hong Kong, defence and international relations, crime prevention or detection, assessment of any tax or duty, preventive health care, journalism activities, and life-threatening emergency situations.

Section 33 PDPO and cross-border transfers of personal data

It is common practice for international digital content and online service providers to store customer data on cloud servers in one location in order to save operational costs. However, if these servers are accessible outside of Hong Kong, they may be in breach of Section 33 PDPO, unless an exception is met.

In addition to avoiding violations of the PDPO, it is important for data users to understand the legal context in which they are operating. This will help them to comply with the law and protect their customers’ privacy rights. Among the most important factors are whether or not the data they collect is sensitive and whether it falls within the definition of personal data. In addition, they should ensure that the data is collected legally and that it is only used for the purposes it was collected for. Finally, they should ensure that their internal policies and procedures comply with the PDPO. If they do not, they will be at risk of fines and penalties under the PDPO.

