News & Insights

Enhanced guidance on sharing of personal data with third parties for direct marketing purposes

View PDF

Authored by: Simon Deane and Natalie Chan

The HKMA issued guidance to AIs in November 2021 to strengthen the protection of personal data of banking customers. When sharing customers’ personal data collected through online channels (including mobile apps) with third parties for the purposes of direct marketing by the third parties, AIs should either (i) ask customers to approach the third parties directly so that the customers can provide their personal data and/or consent directly to the third parties; or (ii) redirect the customers from the AIs’ websites / mobile apps to the websites / mobile apps of the third parties so as to provide their personal data and/or consent for direct marketing by such third parties directly.

For the avoidance of doubt, third parties include group companies of AIs.

Under the redirection approach, apart from complying with the relevant provisions of the Personal Data (Privacy) Ordinance and the data protection principles, AIs should also be mindful of the following:

  • Provision of reminder message before the redirection is performed to alert customers to the fact that there will be a redirection and explain the purpose(s) of the redirection.
  • Reminder messages should be clear and readily readable (e.g. with a reasonable font size and layout).
  • AIs should not bundle the redirection and/or any transfer of personal data of customers to third parties in the process of bank account opening or provision of banking services.
  • AIs should carefully assess what kinds of data the third parties require, and only share a minimum amount of customer personal data on a “need-to-know” basis.
  • Explicit consent for sharing the customers’ personal data to third parties should be obtained by the AIs before the redirection and additional consent is required for using the personal data for direct marketing purposes by the third parties.

To access a full version of the Guidance, please see here.

Key Contacts

Simon Deane

Consultant | Banking and Finance

Email or call +852 2825 9209

Related Services and Sectors:

Banking and Finance, Data Protection and Privacy

Portfolio Builder

Select the legal services that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)