Introduction
The General Data Protection Regulation (GDPR), enacted by the European Union (EU), is one of the most comprehensive and stringent data protection frameworks in the world. The GDPR entered into force on 24 May 2016 and has applied since 25 May 2018. It was incorporated into the European Economic Area (EEA) Agreement by the EEA Joint Committee on 6 July 2018, extending its application to the EEA EFTA states (Iceland, Liechtenstein and Norway).
The GDPR applies to, and imposes obligations on, both controllers and processors. It is a comprehensive data privacy law regulating the collection, processing and protection of the personal data of individuals in the EU and the EEA.
Extra-territorial scope
It is important to note that unlike Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”), GDPR contains provisions conferring extra-territorial application. The GDPR applies to:
- Controllers and processors that process personal data in the context of the activities of an EU establishment, regardless of whether the data processing takes place in the EU; and
- Non-EU controllers and processors with no EU establishment that offer goods or services to individuals in the EU or monitor their behaviour that takes place in the EU.
The European Data Protection Board (EDPB) has issued guidelines on the territorial scope of the GDPR to help organisations assess whether their activities fall within its ambit. Generally speaking, the GDPR can apply to Hong Kong companies in the following ways:
- Direct Application of GDPR:
- GDPR applies directly to Hong Kong companies if they have an establishment (e.g. subsidiary, branch office, or stable arrangements) in the EU.
- GDPR also applies to Hong Kong companies with no EU establishment if they offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU (e.g. through tracking cookies).
- International Data Transfers:
- If a Hong Kong company receives personal data from the EU, the transfer must comply with the GDPR's rules on international data transfers (Chapter V). Hong Kong is not covered by an EU adequacy decision, so the transfer must rest on appropriate safeguards such as standard contractual clauses or binding corporate rules, or on one of the limited derogations for specific situations.
What is personal data
According to the GDPR, personal data is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This broad definition covers a wide range of information that can directly or indirectly identify an individual, including:
- Direct identifiers such as names and identification numbers
- Online identifiers such as IP addresses, cookie IDs and advertising IDs
- Location data
- Factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity
- Biometric data such as facial images and fingerprints
- Genetic data such as DNA information
- Health data relating to physical or mental health
Under the GDPR, the processing of special categories of personal data is prohibited unless one of the conditions in Article 9(2) applies, such as the explicit consent of the data subject, reasons of substantial public interest, or processing necessary for purposes related to employment, healthcare or legal claims. The special categories of personal data are:
- Personal data revealing racial or ethnic origin
- Personal data revealing political opinions
- Personal data revealing religious or philosophical beliefs
- Personal data revealing trade union membership
- Genetic data
- Biometric data processed for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
Principles governing personal data
According to the GDPR, there are seven key principles governing the processing of personal data:
1. Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
3. Data minimisation
Personal data processed must be adequate, relevant and limited to what is necessary for the stated purposes.
4. Accuracy
Personal data must be accurate and kept up to date. Inaccurate data should be erased or rectified without delay.
5. Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which it is processed.
6. Integrity and confidentiality (security)
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
7. Accountability
The data controller is responsible for, and must be able to demonstrate, compliance with the above principles.
These principles form the core of data governance under the GDPR. They aim to protect fundamental rights like privacy and data protection while allowing organizations to process personal data fairly and transparently for legitimate purposes.
Enforcement and sanctions
The GDPR gives national supervisory authorities significant powers to enforce its provisions, including (i) investigative powers, (ii) corrective powers and (iii) authorisation and advisory powers (Article 58). Each Member State may grant its supervisory authority additional powers, provided they do not conflict with the GDPR. Data subjects, for their part, have the right to lodge a complaint with a supervisory authority (Article 77).
Administrative Fines
The GDPR allows supervisory authorities to impose substantial administrative fines for non-compliance. There are two tiers of fines, depending on the type of infringement:
- Lower Tier Fines:
- Up to €10 million or, in the case of an undertaking, 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
- This applies to infringements of controllers' and processors' obligations under Articles 8, 11, 25 to 39, 42 and 43, such as data protection by design and by default, records of processing activities, security of processing, personal data breach notification, data protection impact assessments and the designation of a data protection officer.
- Higher Tier Fines:
- Up to €20 million or, in the case of an undertaking, 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
- This applies to infringements of the basic principles for processing, including the conditions for consent, under Articles 5, 6, 7 and 9; of data subjects' rights under Articles 12 to 22; of the rules on international transfers under Articles 44 to 49; and to non-compliance with an order of a supervisory authority.
Compensation to Data Subjects
Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor, and Article 79 guarantees data subjects an effective judicial remedy against a controller or processor.
*** ***
Contact us for information on how we can help you navigate the regulatory landscape, and how our team can help devise cost-effective measures to comply with the GDPR.
Alfred Leung, Partner
(E: alfredleung@hkytl.com T: +852 3468 7202)
This article is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this article. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.