The European Union (EU) General Data Protection Regulation 2016 (GDPR) came into force on 25 May 2018. A brief summary of the GDPR can be found here: https://www.mayerbrown.com/The-GDPR-The-Changes-That-Will-Affect-Your-Business-05-25-2018/.

Organisations in Hong Kong may need to comply with the GDPR if they (1) have an establishment in the EU, where personal data is processed in the context of the activities of the establishment, regardless of whether the data is actually processed in the EU, or (2) do not have an establishment in the EU, but offer goods or services to, or monitor the behaviour of, individuals in the EU.

As some requirements in the GDPR are not found in Hong Kong’s existing Personal Data (Privacy) Ordinance (Cap. 486), the Privacy Commissioner for Personal Data issued a booklet (the "Booklet") to outline the possible impact of the new regulatory framework on organisations or businesses in Hong Kong.

A number of features of the GDPR are highlighted in the Booklet, including the following:

  • Extra-territorial application
  • Personal data covered
  • New data privacy governance, data mapping and impact assessment
  • Sensitive personal data
  • Consent
  • Mandatory breach notification
  • Data processors’ obligations
  • New and enhanced rights for individuals
  • Data protection seals, codes of conduct and cross-jurisdiction data transfer
  • Sanctions

The press release of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) and the Booklet are available at: https://www.pcpd.org.hk/english/news_events/media_statements/press_20180403.html