Apart from our Personal Data (Privacy) Ordinance (“PDPO”), the European Union’s GDPR which takes effect from 25 May 2018 is an important breakthrough in our data privacy legislation having considered its wide geographical application and the severe monetary penalty to be imposed, as shown in a recent Germany’s case that €35.3 million fine was imposed against an international retailer which adopted inappropriate measures in monitoring and processing the personal data of several hundred employees at one of its branch in Nuremberg.
What are the basic principles for processing data under GDPR?
The GDPR holds the controllers legally accountable for their compliance with various principles in lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. For example, if a Hong Kong company has to discharge its duties on integrity and confidentiality, it has to implement and set up appropriate cyber and data security measures, thus, to add in more stringent data security contractual provisions in their contracts with the data processors.
To what extent is a Hong Kong company affected?
The GDPR has an extra-territorial effect. A Hong Kong company may need to comply with the GDPR if it:
1. has no establishment in the EU but offers goods or services to, or monitor the behaviour of individuals in the EU territory; or
2. has an establishment in the EU, where personal data is processed in the context of the activities of the establishment, regardless of whether the data is actually processed within the EU. 
Both data controllers and data processors are regulated when they process the personal data collected from the relevant activities.
- A Hong Kong online sales website, which uses English as language of instruction, has shipping destination to EU member countries
- A Hong Kong app which provides a location service to tourists from Hong Kong when they are travelling in the EU territory
- A EU group company which shares and transfers data to its HK subsidiary for storage and analysis
However, the processing activity related to offer of goods and services will only be caught when it intentionally targets individuals within the EU territory. If the processing relates to a service that is only offered to individuals outside the EU, but the service is not withdrawn when such individuals enter the EU territory, the related processing will not be subject to the GDPR.
- A Hong Kong mobile news app which provides daily news updates in Chinese language to the Hong Kong users (who provide Hong Kong mobile number in subscribing for the services). The news update services are not subject to GDPR when the Hong Kong users enter the EU territory.
What are the consequences if a company data practice falls below the GDPR standard?
The administrative fines for contravention of the GDPR consist of two tiers, depending on the types of violations. The lower tier fine can be up to €10 million, or 2% of the total worldwide annual turnover of preceding financial year (in the case of an undertaking), whichever is higher. The upper tier fine can be up to €20 million, or 4% of the total worldwide annual turnover of preceding financial year (in the case of an undertaking), whichever is higher.
Under what circumstances will companies be penalised?
Lower tier fines may be imposed if the company fails to comply with any of the following (non-exhaustive list):
1. obtaining parental consent for processing of children’s personal data;
2. processing personal data anonymously if it is not necessary to identify the data subjects;
3. giving data breach notification;
4. appointing data protection officer; or
Upper tier fines may be imposed if the company fails to comply with the following (non-exhaustive list):
1. complying with the basic principles for processing, such as obtaining consent before processing;
2. complying with the data subjects’ rights, such as right to erasure, right to object to processing;
3. transferring personal data to a recipient in a third country through lawful mechanism; or
What is the difference between ‘data controllers and data processors’ under GDPR and ‘data users’ under PDPO?
To put it simply, ‘controller’ usually refers to the people or companies which decide on how and for what purpose the personal data will be processed, whereas ‘processor’ refers to the people or companies which process the data on behalf of the controller. A company can act in both capacities.
Meanwhile, ‘data users’ is a general concept used in Hong Kong under the PDPO. It is a collective term which covers both ‘data controllers’ and ‘data processors’ as used in GDPR. While GDPR regulates both controllers and processors, processors are not directly regulated by the PDPO.
Consent is a lawful ground for data processing under GDPR. Is it different from the current practice of obtaining consent in Hong Kong?
In Hong Kong, the practice of customers’ ticking in a consent box is usually relevant to the company’s use of the personal data for direct marketing activities. Consent is not a pre-requisite for the collection of personal data in the first place, but it is required when the data collected will be used for a different purpose.
Under the legal principles briefly mentioned above, several lawful grounds are available for companies to collect and process any personal data. The giving of consent is one of them and is probably the most common ground provided that it must be freely given, specific, informed, and unambiguous.
There are other major corporate measures required under GDPR but not under PDPO
The following (non-exhaustive) measures are necessary in demonstrating compliance with GDPR but are not legally required under the PDPO:-
Data protection officer (“DPO”)
Company, regardless of its size, is required to appoint a DPO if its core activities consist of processing which systematically monitor data subjects on a large scale, such as online tracking, profiling (predictions about individual’s preferences), or processing a large scale of sensitive personal data.
DPO is responsible for monitoring the compliance with GDPR and contacting with the supervisory authority.
Data breach notification and remedial actions
The data controllers are required to give notification to the EU regulators of a data breach without undue delay (and where feasible, no later than 72 hours after having become aware of it), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Other major corporate measures include (but not limited to):
- Internal data protection policy
- Data protection impact assessment
- Planned IT system to cover the concept of privacy by design and by default
This article is co-authored by Ms. Milly Hung, Partner of Litigation Department, Mr. Michael Lau, the Associate and Mr. Calvin Lo, the Trainee Solicitor of Stevenson, Wong & Co. Due to the impact of the Covid-19 Pandemic, the potential effects of GDPR to the processing of the staff health data do raise concerns. If you have any problem in relation to this matter, please contact Ms. Milly Hung.
This article is for information purposes only. Its content does not constitute legal advice and should not be treated as such. Stevenson, Wong & Co. will not be liable to you in respect of any special, indirect or consequential loss or damage.
 See Article 5 of the GDPR
 Examples of an establishment: the presence of sales offices in the EU or an appointment of sales agents or representatives which promote, sell, advertise or market goods or services to individuals in the EU. See also Recital 22 for its definition.
 See Article 3 of the GDPR
 See p. 15 of European Data Protection Board’s Guidelines 3/2018 on the territorial scope of the GDPR (Version 2.1)
 See Article 83(4) of the GDPR
 See Article 83(5) of the GDPR
 See Articles 8, 11, 25 to 29, 41 42, 43 and 83(4) of the GDPR
 See Articles 5, 6, 7, 9, 12 to 22, 44 to 49, 58, 84(5) and Chapter IX of the GDPR
 See Recitals (7) and (8) of the GDPR
 See Data Protection Principle 3 of the PDPO
 See Article 4(11) of the GDPR