Tech Data HK – Transferring Personal Data From Hong Kong to Other Locations or to Overseas Territories Under the PDPO

Tech Data Distribution (Hong Kong) Limited (“Tech Data HK”), a TD SYNNEX (NYSE: SNX) company, is the leading global distributor and solutions aggregator for the IT ecosystem. The company enables its customers in 100+ countries to maximize the value of their technology investments, demonstrate business outcomes and unlock growth opportunities with a unique combination of products, services and solutions from 1,500+ best-in-class technology vendors. Tech Data HK serves customers as an innovative partner, leveraging a robust network of 2,300+ locations worldwide and employing more than 18,000 dedicated, customer-focused co-workers to unite compelling IT products, services and solutions across all major platforms.

In a world where personal data is the new currency, effective and efficient legal transfer of that information from one jurisdiction to another is essential. Whether that data is being transferred from Hong Kong to other locations or to Mainland China under the “one country, two systems” principle, or to overseas territories under the PDPO, there are a number of key points to consider.

First, it is important to define who is a data user under the PDPO. A data user is defined as a person who, alone or jointly or in common with other persons, controls the collection, holding, processing and use of personal data. It is essential that this test be applied correctly, as failure to do so can result in a requirement for a transfer impact assessment.

The PDPO also contains an obligation to disclose to data subjects the purposes for which personal data is collected and the classes of persons to whom it may be disclosed or made available. These obligations are typically fulfilled by providing these details in a Personal Information Collection Statement, as required under DPP 1.

A data transfer impact assessment is not required under the PDPO but, in many circumstances, a company will be required to undertake one as part of its due diligence process. This is particularly true for companies that are considering entering into standard contractual clauses with EEA data exporters and importing that personal data into Hong Kong.

Finally, the PDPO requires that the personal data of data subjects be kept in a secure manner and only used for the purposes for which it was collected. A failure to comply with this requirement can result in a penalty of up to $10 million or 20% of the company’s annual turnover, whichever is higher. This is a significant amount of money that businesses will want to avoid. To do so, they should ensure that their security measures are effective and review them regularly. This includes ensuring that the measures are up to date and reflect any changes to the IT environment. This should be done in conjunction with a comprehensive data governance program to help minimize the risk of non-compliance.