This is the text of the Hong Kong Personal Data (Privacy) Ordinance, with hypertext (click and jump) links to all paragraph and section cross references, and to the definitions of all terms defined in the Ordinance. For information about the conventions adopted in setting this out, please refer to the separate page. conventions-used link

PRIVACY HOME PAGE

 Contents
 [Prelim. & definitions]    [Admin.]    [Codes of practice]    [Returns & register]    [Data access & correction]    [Matching & transfers]    [Complaints, etc.]    [Exemptions]    [Offences]    [Forms, fees, etc.]
 [Sched 1: Data protection principles]    [Sched 2: Finances]    [Sched 3: Prescribed information]    [Sched 4: Other ordinances]    [Sched 5: Prescribed matters]    [Sched 6: Warrants]

Foot of this part
       
Previous Part
Next Part
       

                                PART VI

          MATCHING PROCEDURES AND TRANSFERS OF PERSONAL DATA, ETC.

30. Matching procedure not to be carried out except
    with consent of data subject, etc.

   (1)  A data user shall not carry out, whether in whole or in part,
a matching procedure(a) unless and until each individual who is a data subject of
            the personal data the subject of that procedure has given
            his prescribed consent to the procedure being carried out;
        (b) unless and until the Commissioner has consented under
            section 32 to the procedure being carried out;
        (c) unless the procedure—
              (i) belongs to a class of matching procedures specified
                  in a notice under subsection (2); and
             (ii) is carried out in accordance with the conditions, if
                  any, specified in the notice; or
        (d) unless it is required or permitted under any provision of
            any Ordinance specified in Schedule 4.
   (2)  For the purposes of this section, the Commissioner may, by
notice in the Gazette, specify—
        (a) a class of matching procedures;
        (b) subject to subsection (3), the conditions if any, subject to
            which a matching procedure belonging to that class shall be
            carried out.
   (3)  The Commissioner shall, before specifying any conditions in a
notice under subsection (2), consult with—
        (a) such bodies representative of data users to which the
            conditions will apply (whether in whole or in part); and
        (b) such other interested persons, as he thinks fit.
   (4)  It is hereby declared that a notice under subsection (2) is
subsidiary legislation.
   (5)  Subject to subsection (6), a data user shall not take adverse
action against an individual in consequence (whether in whole or in
part) of the carrying out of a matching procedure—
        (a) unless the data user has served a notice in writing on
            the individual—
              (i) specifying the adverse action it proposes to take
                  and the reasons therefor; and
             (ii) stating that the individual has 7 days after the
                  receipt of the notice within which to show cause
                  why that action should not be taken; and
        (b) until the expiration of those 7 days.
   (6)  Subsection (5) shall not operate to prevent a data user from
taking adverse action against an individual if compliance with the
requirements of that subsection would prejudice any investigation
into the commission of an offence or the possible commission of an
offence. 
31. Matching procedure request

   (1)  A data user proposing to carry out, whether in whole or in
part, a matching procedure may make a request—
        (a) in the specified form;
        (b) to the Commissioner; and
        (c) seeking the Commissioner's consent under section 32 to
            the carrying out of that procedure.
   (2)  Where 2 or more data users may each make a matching procedure
request in respect of the same matching procedure, then any of those
data users may make such a request on behalf of all those data users,
and the provisions of this Ordinance (including subsection (1) )
shall be construed accordingly.
   (3)  Without prejudice to the generality of subsection (2), it is
hereby declared that a matching procedure request may be made in
relation to 2 or more matching procedures, or a series of matching
procedures, and the other provisions of this Ordinance (including
section 32) shall be construed accordingly.

32. Determination of matching procedure request

   (1)  The Commissioner shall determine a matching procedure
request—
        (a) not later than 45 days after receiving the request; and
        (b) by taking into account the prescribed matters applicable
            to the request and—
              (i) where he is satisfied as to those matters, serving
                  a notice in writing on the requestor stating that
                  he consents to the carrying out of the matching
                  procedure to which the request relates subject to
                  the conditions, if any, specified in the notice;
             (ii) where he is not so satisfied, serving a notice in
                  writing on the requestor stating—
                  (A) that he refuses to consent to the carrying out
                      of the matching procedure to which the request
                      relates; and
                  (B) such of those matters in respect of which he is
                      not so satisfied and the reasons why he is not
                      so satisfied.
   (2)  For the avoidance of doubt, it is hereby declared that a
consent in a notice under subsection (1)(b)(i) to the carrying out of
a matching procedure to which a matching procedure request relates
shall not operate to prevent a data user who is neither the requestor
nor, where section 31(2) applies to the request, any data user on
whose behalf such request was made, from carrying out, whether in
whole or in part, the procedure.
   (3)  An appeal may be made to the Administrative Appeals Board—
        (a) against—
              (i) any conditions specified in a notice under
                  subsection (1)(b)(i); or
             (ii) any refusal specified in a notice under subsection
                  (l)(b)(ii);and
        (b) by the requestor on whom the notice was served or any
            data user on whose behalf the matching procedure request
            concerned was made.
   (4)  In this section, "prescribed matter" means a matter
specified in Schedule 5.

33. Prohibition against transfer of personal data to place
    outside Hong Kong except in specified circumstances

   (1)  This section shall not apply to personal data other than
personal data the collection, holding, processing or use of
        which—
        (a) takes place in Hong Kong; or
        (b) is controlled by a data user whose principal place of
            business is in Hong Kong.
   (2)  A data user shall not transfer personal data to a place
outside Hong Kong unless—
        (a) the place is specified for the purposes of this section
            in a notice under subsection (3);
        (b) the user has reasonable grounds for believing that there
            is in force in that place any law which is substantially
            similar to, or serves the same purposes as, this
            Ordinance;
        (c) the data subject has consented in writing to the transfer;
        (d) the user has reasonable grounds for believing that, in
            all the circumstances of the case—
              (i) the transfer is for the avoidance or mitigation of
                  adverse action against the data subject;
             (ii) it is not practicable to obtain the consent in
                  writing of the data subject to that transfer; and
            (iii) if it was practicable to obtain such consent, the
                  data subject would give it;
        (e) the data are exempt from data protection principle 3 by
            virtue of an exemption under Part VIII; or
        (f) the user has taken all reasonable precautions and
            exercised all due diligence to ensure that the data will
            not, in that place, be collected, held, processed or used
            in any manner which, if that place were Hong Kong, would
            be a contravention of a requirement under this Ordinance.
   (3)  Where the Commissioner has reasonable grounds for believing
that there is in force in a place outside Hong Kong any law which is
substantially similar to, or serves the same purposes as, this
Ordinance, he may, by notice in the Gazette, specify that place for
the purposes of this section.
   (4)  Where the Commissioner has reasonable grounds for believing
that in a place specified in a notice under subsection (3) there is
no longer in force any law which is substantially similar to, or
serves the same purposes as, this Ordinance, he shall, either by
repealing or amending that notice, cause that place to cease to be
specified for the purposes of this section.
   (5)  For the avoidance of doubt, it is hereby declared that—
        (a) for the purposes of subsection (1)(b), a data user which
            is a company incorporated in Hong Kong is a data user
            whose principal place of business is in Hong Kong;
        (b) a notice under subsection (3) is subsidiary legislation;
            and
        (c) this section shall not operate to prejudice the
            generality of section 50.

34. Use of personal data in direct marketing

   (1)  A data user who—
        (a) has obtained personal data from any source (including the
            data subject); and
        (b) uses the data for direct marketing purposes,  shall—
              (i) the first time he so uses those data after this
                  section comes into operation, inform the data
                  subject that the data user is required, without
                  charge to the data subject, to cease to so use
                  those data if the data subject so requests;
             (ii) if the data subject so requests, cease to so use
                  those data without charge to the data subject.
   (2)  In this section—
"direct marketing" means—
        (a) the offering of goods, facilities or services;
        (b) the advertising of the availability of goods, facilities
            or services; or
        (c) the solicitation of donations or contributions for
            charitable, cultural, philanthropic, recreational,
            political or other purposes,
   by means of—
              (i) information or goods sent to any person by mail,
                  facsimile transmission, electronic mail, or other
                  similar means of communication, where the
                  information or goods are addressed to a specific
                  person or specific persons by name; or
             (ii) telephone calls made to specific persons.

35. Repeated collections of personal data
    in same circumstances

   (1)  A data user who—
        (a) has complied with the provisions of data protection
            principle 1(3) in respect of the collection of any
            personal data from the data subject ("first collection");
            and
        (b) on any subsequent occasion again collects personal data
            from the data subject ("subsequent collection"),
is not required to comply with those provisions in respect of the
subsequent collection if, but only if—
              (i) to comply with those provisions in respect of that
                  subsequent collection would be to repeat, without
                  any material difference, what was done to comply
                  with that principle in respect of the first
                  collection; and
             (ii) not more than 12 months have elapsed between the
                  first collection and the subsequent collection.
   (2)  For the avoidance of doubt, it is hereby declared that
subsection (1) shall not operate to prevent a subsequent collection
from becoming a first collection if, but only if, the data user
concerned has complied with the provisions of data protection
principle 1(3) in respect of the subsequent collection.
                        

Head of this part
       
Previous Part
Next Part
       

 Contents
 [Prelim. & definitions]    [Admin.]    [Codes of practice]    [Returns & register]    [Data access & correction]    [Matching & transfers]    [Complaints, etc.]    [Exemptions]    [Offences]    [Forms, fees, etc.]
 [Sched 1: Data protection principles]    [Sched 2: Finances]    [Sched 3: Prescribed information]    [Sched 4: Other ordinances]    [Sched 5: Prescribed matters]    [Sched 6: Warrants]


Other than the Ordinance text, this material, including hypertext links and all HTML code is
 © Copyright G&A Management Consultants Limited, Hong Kong, 1996 - 2001
           
For consulting on compliance with the Personal Data (Privacy) Ordinance
or creative help with business planning, information technology, project
management and the Internet please contact us.