How does the GDPR affect Hong Kong employers?

Application of GDPR to Hong Kong businesses
Implications for Hong Kong employers
Steps to consider
Comment

The General Data Protection Regulation (GDPR) came into effect in the European Union on 25 May 2018. At its core, the GDPR aims to give individuals more control over the way in which their personal data is collected, retained, managed and processed. Despite being an EU regulation, the GDPR's application extends to companies in Hong Kong.

Application of GDPR to Hong Kong businesses

The GDPR applies to companies which collect and process personal data relating to:

• the offering of goods or services to individuals in the European Union; or
• the monitoring of the behaviour of individuals in the European Union (eg, cookie profiling).

It does not matter where the organisation which collects and processes personal data is located. The GDPR rules apply when the personal data of an individual located in the European Union is collected and processed. If a business in Hong Kong does this, it will be subject to the GDPR. This applies to any individuals who are located in the European Union; the data subjects do not necessarily have to be EU citizens. On the other hand, if an EU citizen is located outside the European Union when their personal data is collected and processed, the GDPR does not apply.

Hong Kong companies which fall within the scope of the GDPR typically:

• have branch offices in the European Union or employees based in the European Union;
• have a business presence in the European Union; and
• conduct business dealings with individuals in the European Union.

Businesses which fail to comply with the GDPR are subject to fines of up to 4% of their annual global turnover of the preceding year or a penalty of €20 million (whichever is higher).

Implications for Hong Kong employers

With the introduction of the GDPR, Hong Kong employers with a connection to the European Union are potentially subject to wider data protection obligations than those which apply under the Personal Data (Privacy) Ordinance of Hong Kong (Cap 486) (PDPO). International companies in Hong Kong – especially those which hire expatriate employees from the European Union or have EU-based employees – should pay extra attention to these obligations as they must collect and process the personal data of individuals located in the European Union. Accordingly, HR teams should dedicate time and resources to cover each new compliance area imposed by the GDPR.

Steps to consider

Obtain explicit consent
In addition to the general practice of issuing a privacy notice detailing the purposes of collecting personal data to employees under the PDPO, employers must also obtain "freely given, informed, specific and unambiguous" consent from employees before collecting and processing their personal data. An employee's silence, inactivity or failure to uncheck a pre-checked box will not constitute consent. The same applies to job applicants such that employers must obtain their consent to collect, process and retain their personal data during the application process, particularly for applications made via a company website which uses cookies to track users' behaviour.

Review and update HR documents
Data subjects are granted several new rights under the GDPR, including:

• the right to erasure (ie, deletion of their personal data); and
• the right to restrict or object to processing (including profiling).

These rights will be triggered as a result of non-compliance with the GDPR data protection principles, such as retaining data for longer than necessary. Therefore, employers must establish a set of rules and procedures to record and act on such requests by their current and former employees and job applicants. Policies relating to recruitment and obtaining references and medical records of employees must be updated in this regard.

Data security training
Employers must notify the Data Protection Authority in the relevant member state of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the data breach is likely to significantly affect individuals' rights and freedoms, those individuals must also be notified without undue delay. To minimise the risk of a data breach, training must be provided to employees who collect, process and control personal data to make sure that they fully understand their data protection and security obligations.

Comment

Recent high-profile data privacy breaches have aroused considerable public concern over data privacy. Employees are increasingly aware of the issue and have heightened expectations of the way in which their employers deal with personal data. Several countries have amended their data privacy laws to keep abreast of developments in recent years, and Hong Kong may need to consider updating the PDPO, which first came into operation in 1996 and was last updated in 2012.

For further information on this topic please contact Patricia Yeung at Howse Williams by telephone (+852 2803 3688) or email (patricia.yeung@howsewilliams.com). The Howse Williams website can be accessed at www.howsewilliams.com.