PDPO Data User Obligations
Hong Kong has a law called the Personal Data (Privacy) Ordinance (“PDPO”), which imposes obligations on data users. These include the duty to provide data subjects with a PICS (Personal Information Collection Statement) prior to collecting their personal information. This is required for the purposes of data protection and data security.
Generally, the PDPO applies to the collection and processing of personal data by data users in Hong Kong as well as the transfer of such data outside of Hong Kong. However, there are some exceptions to the PDPO that may apply in certain circumstances.
1. In addition to the PDPO, there are other laws that data users must comply with in Hong Kong such as the Gambling (Monitoring and Enforcement) Act 1961 and the Gaming Ordinance 2006. These laws are designed to protect gamblers’ rights and interests and to ensure that gambling activities are conducted safely.
2. The PDPO does not contain any express provisions conferring extra-territorial application.
In some cases, data users are required to appoint an agent in Hong Kong to oversee and conduct the processing of personal data on their behalf. Such an agent is usually referred to as a “processor” or a “data processor”.
3. Data processing in Hong Kong is governed by the PDPO and the Gambling (Monitoring and Administration) Regulations 2011. The regulations contain provisions on the licensing of data processors, the establishment of an effective data protection regime, and the notification of data users.
4. The Gambling (Monitoring and Administration) Ordinance contains provisions requiring gambling operators to implement technical measures in order to prevent fraudulent activity. This includes, but is not limited to, monitoring of betting activity and the use of electronic surveillance systems.
5. The Gambling (Monitoring and Enforcement) Ordinance also requires that operators establish a database of customers, with a minimum retention period of seven days. The database is maintained and accessed by the operator and can be used to generate reports of betting activity.
6. The Gambling (Monitoring and Administration) Ordinance also requires that gambling operators provide their clients with clear, detailed, and comprehensive notices of their policies on how their services are provided. This can be achieved by displaying the terms of service on the website or providing these documents to their customers in written form.
7. The Gambling (Monitoring and Enforcement) Regulations prohibit gambling operators from offering any form of financial compensation to persons whose betting activity has resulted in loss or damage. This is to prevent people from gambling without a sound financial plan in place.
8. The Gambling (Monitoring and Monitoring) Ordinance also imposes on gambling operators a requirement to notify the Commission of any breach of these requirements within 72 hours. This requirement is to ensure that the Commission can respond quickly to any concerns or complaints regarding gambling activity.
9. The Gambling (Monitoring and Investigation) Regulations also require that the Commission investigate any suspected fraud or other illegal activity. The Commission can then take appropriate action to protect the public.