The provisions of the Personal Data (Privacy) (Amendment) Ordinance (PDPAO) relating to direct marketing are expected to come into effect in April 2013. Here we answer five key questions for fund promoters.
Yes, the law defines “direct marketing” very broadly.
Before using personal data for direct marketing purposes, you (the data user) must inform the client (the data subject) that the personal data may be used for direct marketing and obtain the client's prior informed consent or indication of no objection. You must provide the client with information about the personal data to be used (e.g. name, telephone); the class of products, facilities or services to be marketed; and a response channel whereby the client can provide consent. For existing clients, there are “grandfathering” provisions: see question 4.
Client consent can be obtained generally or selectively with regard to the intended use of the personal data, and one-off consent will be acceptable provided the consent is not withdrawn.
Any transfer of personal data for direct marketing (whether intra group or not) must comply with the new PDPAO requirements. You will need to provide the information noted at 2 above in writing, state if such transfer is for gain, and obtain the prior specific informed consent of the client for such transfer. Companies transferring clients' personal data to group companies for use in direct marketing should review how such data is transferred, how such transfers are tracked and who is responsible for managing and monitoring personal data requests. Non-compliance with the provisions where personal data are provided for gain will constitute a criminal offence with fines of up to HK$1,000,000 and imprisonment for up to five years; where the breaches are not in respect of provision of personal data for gain, the sanctions are fines of up to HK$500,000 and imprisonment for up to three years. A defence is available if the data user can prove that it took all reasonable precautions and exercised all due diligence to avoid the commission of the offence.
In order to benefit from the defence, companies are advised to review current practices regarding the collection and use of personal data in direct marketing in order to promote compliance with the PDPAO and to demonstrate adequate measures are in place.