7th Issue (November 2018)

7th Issue (December 2018)

Certain Aspects about Collection and Use of Personal Data – A Reminder


The recent Cathay Pacific Airways data breach, in which the personal data of 9.4 million passengers were leaked, has again raised grave public concern about personal data protection. In the wake of this incident, the European Union’s General Data Protection Regulation, which came into force on 25 May 2018, has also gained widespread attention.


In Hong Kong, the privacy rights of a person in relation to personal data are protected by the Personal Data (Privacy) Ordinance (Chapter 486, Laws of Hong Kong) (“PDPO”). The PDPO is principle-based legislation in that its core provisions regulating the collection, use, transfer and processing of personal data are encapsulated in its six data protection principles (“DPPs”), which can be found in Schedule 1 to the PDPO. This newsletter focuses on the collection and use of personal data and elaborates on the relevant DPPs. In respect of the use of personal data, it addresses two main areas that are frequently discussed, namely “direct marketing” and “transfer of data inside and outside of Hong Kong”.



1. Definition of “Personal Data”

Prior to discussing the legal framework, “personal data” must first be defined. According to Section 2(1) of the PDPO, “personal data” means any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.


2. Collection of Personal Data

The legal obligations in collecting personal data are set out in DPP1, which states that the data so collected must be for a lawful purpose directly related to a function or activity of the data user. Furthermore, the data collected must be necessary but not excessive in relation to the purpose of collection. It is therefore good practice for data users to consider whether there are any less privacy-intrusive alternatives when collecting personal information.


DPP1(3) also sets out certain notification requirements in relation to the collection of personal data. For the purpose of complying with this provision, a data user should provide a Personal Information Collection Statement (“PICS”) to the data subject on or before collecting his personal data. A PICS should include a statement of the purpose of collection, a statement as to whether it is obligatory or voluntary for the data subject to supply his personal data, the consequences for him if he fails to supply the data (if it is obligatory for him to supply the data), the potential classes of persons to whom the data may be transferred or disclosed, the rights to request access to and correction of his personal data, and the name/job title and address of the individual to whom any such request may be made.


3. Use of Personal Data

According to DPP3, personal data collected must be used only for the purpose for which the data was collected or for a directly related purpose, unless prescribed consent is obtained. In assessing whether data is being used for purposes directly related to the original purpose of collection, the Privacy Commissioner for Personal Data (“Commissioner”) will take into account a number of factors, including the nature of the transaction giving rise to the need for using the personal data, and the reasonable expectation of the data subject.


Direct Marketing

One common business practice involving the use of personal data is direct marketing. Under Part 6A of the PDPO, a data user, before using personal data for direct marketing, must notify the data subject of the kinds of data to be used and the classes of goods or services that will be marketed, and provide a response channel through which the data subject can communicate consent. However, if the data subject does not consent to the intended use, the data user must not so use his personal data. It should be noted that a data subject may at any time require cessation of using his personal data for direct marketing and the data user must comply with such a request.


Transfer of data inside and outside of Hong Kong

For the transfer of personal data inside Hong Kong, the aforementioned DPP3 will apply, as the term “use of personal data” covers “transfer of personal data” in the context of the PDPO. If the purpose of the transfer is for the third party’s use in direct marketing, the data user must notify the data subject of the above information and obtain his written consent.


Transfer of personal data outside Hong Kong is to be regulated under Section 33 of the PDPO, which is yet to take effect. Under that provision, data users shall not transfer personal data to a place outside Hong Kong unless one of the following conditions is satisfied:


  1. the place is on a “white list” of jurisdictions which the Commissioner has specified, by notice in the Gazette, as having law in force that protects personal data to a level commensurate with the PDPO;

  2. the data user has reasonable grounds to believe that there is in force in that place a law which is substantially similar to, or serves the same purpose as, the PDPO;

  3. the data subject has consented in writing to the transfer;

  4. the data user has reasonable grounds to believe that (i) the transfer is for the avoidance or mitigation of any adverse action against the data subject, (ii) it is not practicable to obtain the data subject’s written consent, and (iii) if it were practicable to obtain such consent, the data subject would give it;

  5. the personal data is exempt from DPP3 of the PDPO by virtue of an exemption under Part VIII of the PDPO; or

  6. the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be collected, held, processed or used in a manner that would constitute a contravention of the PDPO.


Although Section 33 of the PDPO is not effective yet, data users are recommended to follow the requirements thereunder.


4. Practical Takeaways

  1. Data users should comply with the relevant legal obligations set out in the PDPO on or before collecting and using personal data.

  2. Where data users intend to use personal data for direct marketing or to transfer the data outside Hong Kong, special attention should be paid to the additional statutory requirements.

  3. A data subject may, at any time, require cessation of using his personal data for direct marketing.



Please note that the information above is a preliminary overview of this specialized area of law. As every case depends on its facts, it is imperative to state that the above does not constitute formal legal advice. We do not accept any responsibility whatsoever in respect of this publication. Should you wish to seek our advice or assistance, please do not hesitate to contact us.





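In Hong Kong, privacy rights in relation to personal data are protected by the Personal Data (Privacy) Ordinance (Chapter 486, Laws of Hong Kong) (the “Ordinance”). The Ordinance is principle-based legislation: its main provisions regulating the collection, use, transfer and processing of personal data are contained in the six data protection principles in Schedule 1 to the Ordinance. This article focuses on points to note when collecting and using personal data and elaborates on the relevant data protection principles. On the use of personal data, it addresses two areas common in business, namely “direct marketing” and “transfer of data within Hong Kong and across its border”.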


























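  1. the place is a jurisdiction on the “white list” specified by the Commissioner in the Gazette, that is, the place has law protecting personal data that is comparable to the Ordinance;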

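  2. the data user has reasonable grounds to believe that there is in force in that place law which is substantially similar to, or serves the same purposes as, the Ordinance;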

  3. the data subject concerned has consented in writing to the transfer;

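  4. the data user has reasonable grounds to believe that (i) the transfer is made to avoid or mitigate adverse action against the data subject; (ii) it is not practicable to obtain the data subject’s written consent to the transfer; and (iii) if it were practicable to obtain written consent, the data subject would give it;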

  5. the data is exempt from Data Protection Principle 3 by virtue of an exemption under Part 8 of the Ordinance; or

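  6. the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in a manner that contravenes the requirements of the Ordinance.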






  1. Data users should comply with the relevant requirements under the Ordinance on or before collecting and using personal data.


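  2. Where data users intend to use personal data for direct marketing, or to transfer personal data to a place outside Hong Kong, they should pay special attention to the additional legal restrictions and requirements.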

  3. A data subject may at any time require the data user to cease using that data subject’s personal data for direct marketing.