Hong Kong DPA issues Model Contractual Clauses for cross-border data transfers



Hong Kong’s Privacy Commissioner for Personal Data (PCPD) published, on 12 May, its Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data.

The two sets of Recommended Model Contractual Clauses (RMCs) cater for two different scenarios in cross-border data transfers:

  1. from one data user to another data user; and
  2. from a data user to a data processor.

The model clauses may be adapted by organisations, especially small and medium-sized enterprises.

As section 33 of the Privacy Ordinance which imposes restrictions on cross-border transfers of data is not yet in effect, this Guidance recommends best practices to be adopted.

The DPA says, however, that it is advisable for organisations to incorporate the RMCs into cross-border data transfers, as their adoption will illustrate that the data controller has taken all reasonable precautions and exercised all due diligence. The DPA will take this into account when considering enforcement actions.

See PCPD - Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data