28 August 2019
The General Data Protection Regulation (GDPR) came into effect in the European Union on 25 May 2018. At its core, the GDPR aims to give individuals more control over the way in which their personal data is collected, retained, managed and processed. Despite being an EU regulation, the GDPR's application extends to companies in Hong Kong.
The GDPR applies to companies which collect and process personal data relating to:
It does not matter where the organisation which collects and processes personal data is located. The GDPR rules apply when the personal data of an individual located in the European Union is collected and processed. If a business in Hong Kong does this, it will be subject to the GDPR. This applies to any individuals who are located in the European Union; the data subjects do not necessarily have to be EU citizens. On the other hand, if an EU citizen is located outside the European Union when their personal data is collected and processed, the GDPR does not apply.
Hong Kong companies which fall within the scope of the GDPR typically:
Businesses which fail to comply with the GDPR are subject to fines of up to 4% of their annual global turnover of the preceding year or a penalty of €20 million (whichever is higher).
With the introduction of the GDPR, Hong Kong employers with a connection to the European Union are potentially subject to wider data protection obligations than those which apply under the Personal Data (Privacy) Ordinance of Hong Kong (Cap 486) (PDPO). International companies in Hong Kong – especially those which hire expatriate employees from the European Union or have EU-based employees – should pay extra attention to these obligations as they must collect and process the personal data of individuals located in the European Union. Accordingly, HR teams should dedicate time and resources to cover each new compliance area imposed by the GDPR.
Obtain explicit consent
Review and update HR documents
Data subjects are granted several new rights under the GDPR, including:
These rights will be triggered as a result of non-compliance with the GDPR data protection principles, such as retaining data for longer than necessary. Therefore, employers must establish a set of rules and procedures to record and act on such requests by their current and former employees and job applicants. Policies relating to recruitment and obtaining references and medical records of employees must be updated in this regard.
Data security training
Employers must notify the Data Protection Authority in the relevant member state of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the data breach is likely to significantly affect individuals' rights and freedoms, those individuals must also be notified without undue delay. To minimise the risk of a data breach, training must be provided to employees who collect, process and control personal data to make sure that they fully understand their data protection and security obligations.
Recent high-profile data privacy breaches have aroused considerable public concern over data privacy. Employees are increasingly aware of the issue and have heightened expectations of the way in which their employers deal with personal data. Several countries have amended their data privacy laws to keep abreast of developments in recent years, and Hong Kong may need to consider updating the PDPO, which first came into operation in 1996 and was last updated in 2012.
For further information on this topic please contact Patricia Yeung at Howse Williams by telephone (+852 2803 3688) or email (firstname.lastname@example.org). The Howse Williams website can be accessed at www.howsewilliams.com.