Hong Kong: Recently published Model Contractual Clauses
Organizations that make cross-border transfers of personal data can now rely on the Recommended Standard Contractual Clauses (RMC), recently published by the Personal Data Protection Commissioner (PCPD).
Both sets of RMCs are for controller-to-controller transfers and controller-to-processor transfers. RMCs can be used in:
- cross-border transfers of personal data between an entity inside and outside Hong Kong; and
- transfers of personal data between two entities outside of Hong Kong, where the transfer is controlled by a Hong Kong data controller.
These stand-alone clauses can be incorporated into existing data processing agreements, or more generally into commercial agreements between the assignor and data assignees. Organizations may decide to incorporate additional and more complex contractual assurances to address other rights and obligations not included in the RMC (i.e. reporting, audit and inspection rights, data breach notification, compliance with regulatory investigations, etc.).
Wider Considerations on Cross-Border Transfers
Use of RMC containing key PDPO compliance requirements will indicate compliance with part of the requirements of Article 33 of the Personal Data Protection Ordinance (PDPO), taking reasonable steps and exercising due diligence reasonable to ensure that personal data is processed in a manner consistent with the PDPO.
While Article 33 of the PDPO, which imposes restrictions on cross-border transfers, has not yet entered into force, these PMRs provide more certainty as to the approach favored by the PCPD.