The changes to the Personal Data (Privacy) Ordinance (PDPO) relating to direct marketing are now in effect, with the commencement on 1 April 2013 of the relevant sections of the Personal Data (Privacy) (Amendment) Ordinance.
Here we answer five common questions from our funds clients on the changes.
1. I regularly contact my Hong Kong individual clients about fund products which may interest them. Is this direct marketing?
Yes; the law defines “direct marketing” very broadly. However, if personal data (that is, information identifying the individual such as an email address) is collected from an individual representative of a corporate client and the fund products are targeted at the corporation which the person represents and not the individual himself, the direct marketing provisions under the PDPO would not, in the words of the relevant Guidance Note, be “enforced”.
2. How can I comply with the new requirements when direct marketing to an investor in Hong Kong for the first time?
Before using personal data for direct marketing purposes, you (the data user) must (i) inform the investor (the data subject) that his personal data may be used for the purpose of direct marketing and (ii) obtain the investor’s prior informed consent (or indication of no objection). You must also let the investor know what personal data will be used (e.g. name, telephone); what sort of products, facilities or services will be marketed to him; and how he can formally consent. For existing clients however, there are fortunately some “grandfathering” provisions (see Question 4).
3. Do I need to get an investor’s consent every time I market a new product or service to them?
No; provided the marketing is within the scope of the terms of the original consent. Consent to use personal data can be obtained generally or limited to specific products or services as well as specific personal data. One-off consent is also acceptable provided the consent has not been withdrawn. The use to which the personal data will be put must however be a use permitted under the consent given.
4. What about existing investors? Are there any transitional measures?
The PDPO has “grandfathering” provisions for existing investors: the direct marketing restrictions will not apply to an investor if, before 1 April 2013 (i) you had explicitly and clearly informed the investor that you were intending to use his personal data in order to market certain products, facilities or services to him; (ii) you have used his data for direct marketing; (iii) the investor has not required you to stop doing so; and (iv) you otherwise comply with the PDPO. These “grandfathering” provisions do not however apply to the use of personal data by, or the transfer of personal data to, group companies (see Question 5).
5. Our Hong Kong office is part of a global group. What steps should we be taking to ensure good data protection practices?
Any transfer of personal data for direct marketing, whether to a group company or an external party, must comply with the new PDPO requirements. Accordingly, before you can transfer an investor’s personal data you need to notify the investor in writing:
You need to obtain the prior specific informed written consent of the investor to such transfer.
Companies transferring investors’ personal data to group companies for use in direct marketing should review how such data is being transferred, how such transfers are tracked and who is responsible for managing and monitoring personal data requests.
Non-compliance with the provisions where personal data is provided for gain will constitute a criminal offence with fines of up to HK$1,000,000 and imprisonment for up to five years. The penalties for other breaches are only slightly less onerous: fines of up to HK$500,000 and imprisonment for up to three years. A defence is available if the data user can prove that it took all reasonable precautions and exercised all due diligence to avoid the commission of the offence.
In order to be able to benefit from the defence however, our clients are advised to review their current practices regarding the collection, use and/or transfer of personal data in direct marketing, in order to promote compliance with the new PDPO requirements and to demonstrate adequate measures are in place.