| This is the text of the Hong Kong Personal Data (Privacy) Ordinance, with hypertext (click and jump) links to all paragraph and section cross references, and to the definitions of all terms defined in the Ordinance. For information about the conventions adopted in setting this out, please refer to the separate page. |  |
 |
 |  this part |  | |
PART VI
MATCHING PROCEDURES AND TRANSFERS OF PERSONAL DATA, ETC.
30. Matching procedure not to be carried out except
with consent of data subject, etc.
(1) A data user shall not carry out, whether in whole or in part,
a matching procedure—
(a) unless and until each individual who is a data subject of
the personal data the subject of that procedure has given
his prescribed consent to the procedure being carried out;
(b) unless and until the Commissioner has consented under
section 32 to the procedure being carried out;
(c) unless the procedure—
(i) belongs to a class of matching procedures specified
in a notice under subsection (2); and
(ii) is carried out in accordance with the conditions, if
any, specified in the notice; or
(d) unless it is required or permitted under any provision of
any Ordinance specified in Schedule 4.
(2) For the purposes of this section, the Commissioner may, by
notice in the Gazette, specify—
(a) a class of matching procedures;
(b) subject to subsection (3), the conditions if any, subject to
which a matching procedure belonging to that class shall be
carried out.
(3) The Commissioner shall, before specifying any conditions in a
notice under subsection (2), consult with—
(a) such bodies representative of data users to which the
conditions will apply (whether in whole or in part); and
(b) such other interested persons, as he thinks fit.
(4) It is hereby declared that a notice under subsection (2) is
subsidiary legislation.
(5) Subject to subsection (6), a data user shall not take adverse
action against an individual in consequence (whether in whole or in
part) of the carrying out of a matching procedure—
(a) unless the data user has served a notice in writing on
the individual—
(i) specifying the adverse action it proposes to take
and the reasons therefor; and
(ii) stating that the individual has 7 days after the
receipt of the notice within which to show cause
why that action should not be taken; and
(b) until the expiration of those 7 days.
(6) Subsection (5) shall not operate to prevent a data user from
taking adverse action against an individual if compliance with the
requirements of that subsection would prejudice any investigation
into the commission of an offence or the possible commission of an
offence.
31. Matching procedure request
(1) A data user proposing to carry out, whether in whole or in
part, a matching procedure may make a request—
(a) in the specified form;
(b) to the Commissioner; and
(c) seeking the Commissioner's consent under section 32 to
the carrying out of that procedure.
(2) Where 2 or more data users may each make a matching procedure
request in respect of the same matching procedure, then any of those
data users may make such a request on behalf of all those data users,
and the provisions of this Ordinance (including subsection (1) )
shall be construed accordingly.
(3) Without prejudice to the generality of subsection (2), it is
hereby declared that a matching procedure request may be made in
relation to 2 or more matching procedures, or a series of matching
procedures, and the other provisions of this Ordinance (including
section 32) shall be construed accordingly.
32. Determination of matching procedure request
(1) The Commissioner shall determine a matching procedure
request—
(a) not later than 45 days after receiving the request; and
(b) by taking into account the prescribed matters applicable
to the request and—
(i) where he is satisfied as to those matters, serving
a notice in writing on the requestor stating that
he consents to the carrying out of the matching
procedure to which the request relates subject to
the conditions, if any, specified in the notice;
(ii) where he is not so satisfied, serving a notice in
writing on the requestor stating—
(A) that he refuses to consent to the carrying out
of the matching procedure to which the request
relates; and
(B) such of those matters in respect of which he is
not so satisfied and the reasons why he is not
so satisfied.
(2) For the avoidance of doubt, it is hereby declared that a
consent in a notice under subsection (1)(b)(i) to the carrying out of
a matching procedure to which a matching procedure request relates
shall not operate to prevent a data user who is neither the requestor
nor, where section 31(2) applies to the request, any data user on
whose behalf such request was made, from carrying out, whether in
whole or in part, the procedure.
(3) An appeal may be made to the Administrative Appeals Board—
(a) against—
(i) any conditions specified in a notice under
subsection (1)(b)(i); or
(ii) any refusal specified in a notice under subsection
(l)(b)(ii);and
(b) by the requestor on whom the notice was served or any
data user on whose behalf the matching procedure request
concerned was made.
(4) In this section, "prescribed matter" means a matter
specified in Schedule 5.
33. Prohibition against transfer of personal data to place
outside Hong Kong except in specified circumstances
(1) This section shall not apply to personal data other than
personal data the collection, holding, processing or use of
which—
(a) takes place in Hong Kong; or
(b) is controlled by a data user whose principal place of
business is in Hong Kong.
(2) A data user shall not transfer personal data to a place
outside Hong Kong unless—
(a) the place is specified for the purposes of this section
in a notice under subsection (3);
(b) the user has reasonable grounds for believing that there
is in force in that place any law which is substantially
similar to, or serves the same purposes as, this
Ordinance;
(c) the data subject has consented in writing to the transfer;
(d) the user has reasonable grounds for believing that, in
all the circumstances of the case—
(i) the transfer is for the avoidance or mitigation of
adverse action against the data subject;
(ii) it is not practicable to obtain the consent in
writing of the data subject to that transfer; and
(iii) if it was practicable to obtain such consent, the
data subject would give it;
(e) the data are exempt from data protection principle 3 by
virtue of an exemption under Part VIII; or
(f) the user has taken all reasonable precautions and
exercised all due diligence to ensure that the data will
not, in that place, be collected, held, processed or used
in any manner which, if that place were Hong Kong, would
be a contravention of a requirement under this Ordinance.
(3) Where the Commissioner has reasonable grounds for believing
that there is in force in a place outside Hong Kong any law which is
substantially similar to, or serves the same purposes as, this
Ordinance, he may, by notice in the Gazette, specify that place for
the purposes of this section.
(4) Where the Commissioner has reasonable grounds for believing
that in a place specified in a notice under subsection (3) there is
no longer in force any law which is substantially similar to, or
serves the same purposes as, this Ordinance, he shall, either by
repealing or amending that notice, cause that place to cease to be
specified for the purposes of this section.
(5) For the avoidance of doubt, it is hereby declared that—
(a) for the purposes of subsection (1)(b), a data user which
is a company incorporated in Hong Kong is a data user
whose principal place of business is in Hong Kong;
(b) a notice under subsection (3) is subsidiary legislation;
and
(c) this section shall not operate to prejudice the
generality of section 50.
34. Use of personal data in direct marketing
(1) A data user who—
(a) has obtained personal data from any source (including the
data subject); and
(b) uses the data for direct marketing purposes, shall—
(i) the first time he so uses those data after this
section comes into operation, inform the data
subject that the data user is required, without
charge to the data subject, to cease to so use
those data if the data subject so requests;
(ii) if the data subject so requests, cease to so use
those data without charge to the data subject.
(2) In this section—
"direct marketing" means—
(a) the offering of goods, facilities or services;
(b) the advertising of the availability of goods, facilities
or services; or
(c) the solicitation of donations or contributions for
charitable, cultural, philanthropic, recreational,
political or other purposes,
by means of—
(i) information or goods sent to any person by mail,
facsimile transmission, electronic mail, or other
similar means of communication, where the
information or goods are addressed to a specific
person or specific persons by name; or
(ii) telephone calls made to specific persons.
35. Repeated collections of personal data
in same circumstances
(1) A data user who—
(a) has complied with the provisions of data protection
principle 1(3) in respect of the collection of any
personal data from the data subject ("first collection");
and
(b) on any subsequent occasion again collects personal data
from the data subject ("subsequent collection"),
is not required to comply with those provisions in respect of the
subsequent collection if, but only if—
(i) to comply with those provisions in respect of that
subsequent collection would be to repeat, without
any material difference, what was done to comply
with that principle in respect of the first
collection; and
(ii) not more than 12 months have elapsed between the
first collection and the subsequent collection.
(2) For the avoidance of doubt, it is hereby declared that
subsection (1) shall not operate to prevent a subsequent collection
from becoming a first collection if, but only if, the data user
concerned has complied with the provisions of data protection
principle 1(3) in respect of the subsequent collection.
|  this part | | |
Contents
[Prelim. & definitions]
[Admin.] [Codes of practice]
[Returns & register]
[Data access & correction]
[Matching & transfers] [Complaints, etc.]
[Exemptions] [Offences]
[Forms, fees, etc.]
[Sched 1: Data protection principles]
[Sched 2: Finances]
[Sched 3: Prescribed information]
[Sched 4: Other ordinances]
[Sched 5: Prescribed matters]
[Sched 6: Warrants]
|
For consulting on compliance with the Personal Data (Privacy) Ordinance or creative help with business planning, information technology, project management and the Internet please contact us. |