How Personal Data Is Transferred to Third Parties Under the PDPO

In the context of the PDPO, personal data may only be transferred to a third party if it is necessary for the fulfilment of the purpose for which it was collected. Moreover, the transfer of personal data to a third party may only take place where there is an express consent from the data subject. If the transferring organisation is not established in Hong Kong, it must obtain the consent of the data subject before the transfer takes place.

However, if the data processing cycle takes place outside of Hong Kong, it must comply with the PDPO unless it falls within one of the exceptions set out in the PDPO. Furthermore, the transferring organisation must take reasonable steps to ensure that the data it transfers is protected against accidental or unauthorised destruction, loss or disclosure and that the recipient is not authorised to use it for any other purposes.

To help the data transfer process run smoothly, the transferring organisation should document the reason for the transfer, and the identity of the recipient. It is also helpful to document the terms and conditions of the transfer. These documents should be reviewed regularly to ensure compliance with the PDPO.

The transferring organisation should be aware of the data protection laws in the destination country, and must implement appropriate safeguards to protect the transferred personal data. This should include having a written contract with the recipient to ensure that personal data is not used for any purpose other than that for which it was transferred. The transferring organisation should also document the steps it has taken to protect the personal data against accidental or unauthorised destruction, loss or theft.

If the transferring organisation is not established in the EEA, it must impose adequate security measures to ensure that personal data is secure during transfer. These should include encryption and authentication. The transferring organisation should also have a system in place to monitor the activities of its staff and third parties to ensure that data is not transferred to the wrong person, or for the wrong reasons.

It is also important to have a clear procedure for dealing with complaints. This should be documented in writing, and should cover all aspects of the data transfer. The transferring organisation should be able to respond to complaints within 30 days of receiving them.

For more information on the PDPO and its implementation, please see the website of the Office of the Privacy Commissioner. The website contains a number of useful publications, including an online guide for transferring personal data overseas. This can be found at The guide is intended to be a tool for assisting organisations in their efforts to implement the PDPO. The guide outlines the key steps that must be taken to prepare for a data transfer under the PDPO, and provides advice on how to prepare a transfer agreement. It also offers guidance on the data protection implications of various types of transfers, and identifies possible risks and mitigation strategies.