The Office of the Privacy Commissioner for Personal Data issues two sets of Recommended Model Contractual Clauses for cross-border transfer of personal data

On 12 May 2022, the Office of the Privacy Commissioner for Personal Data (“Commissioner“) issued the new “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” (“Guidance Note“).  The Guidance Note provides two sets of Recommended Model Contractual Clauses (“RMCs“) in its Schedule to assist local small and medium-sized enterprises in drafting contractual clauses to ensure that personal data will be protected to the same extent as provided under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO“) when they are transferred abroad.

The two new sets of RMCs supplement those issued by the Commissioner in December 2014 in its “Guidance on Personal Data Protection in Cross-border Data Transfer” and are designed to cater for two cross-border data transfer scenarios as follows:

  • Data user to data user: Where personal data is transferred from one data user to another data user (both the data transferor and data transferee will use the data for their separate business purposes).
  • Data user to data processor: Where personal data is transferred from a data user to its data processor (the data processor will only process the personal data for purposes designated by the data user).

The general terms and conditions set out in the RMCs are applicable to transfer of personal data from a Hong Kong entity to another entity outside of Hong Kong, or between two entities both of which are outside Hong Kong when the data transfer process is controlled by a Hong Kong data user.

Please note that the RMCs are only recommended best practices for adoption by data users as part of their data governance responsibility to protect and respect the personal data privacy of data subjects. They may be adapted and modified so long as they are consistent with the requirements of the PDPO.  In addition to the RCMs, data users should also consider the necessity of incorporating additional contractual assurances, rights and obligations before transferring data abroad in the specific context.  As at the date of this news update, section 33 of the PDPO (which imposes restrictions on cross-border data transfers) is not yet in operation.

For further details, the full media statement and Guidance Note can be found here.

24 June 2022