The Privacy Commissioner for Personal Data (“PCPD”) has published a FAQ on the practical implications of the (“New SCCs”) which was adopted by the European Commission and came into effect on 27 June 2021. From 27 September 2021 onwards, data exporters and data importers can only conclude contracts which incorporate the New SCCs for the transfer of personal data out of the European Union.

The New SCCS will apply where a data exporter is subject to the General Data Protection Regulation (“GDPR”), and therefore is relevant to businesses in Hong Kong who are subject to the GDPR regime. Businesses in Hong Kong may now be required to accept the New SCCs where they act as data importers receiving personal data from European Union (“EU”)/European Economic Area (“EEA”).

Examples of Hong Kong organisations which may be subject to the New SCCs include:-

  • Hong Kong organisations with businesses or operations in the EU/EEA which transfer personal data to elsewhere;
  • Hong Kong data controllers which import EU/EEA personal data from another data controller that is subject to the GDPR; and
  • Hong Kong organisations which import EU/EEA personal data as data processors.

Organisations are given a transitional period of 18 months from the date when the New SCCs became effective i.e. from 27 June 2021 to 27 December 2022 to replace all existing contracts containing the old standard contractual clauses with the New SCCs, provided that the processing operations being the subject matter of the contractual agreement remain unchanged and that the transfer of personal data is subject to appropriate safeguards.

The full text of the PCPD’s FAQ can be found here.