Organisations engaging in cross border transfers of personal data may now rely on the Recommended Model Contractual Clauses (RMCs), recently published by the Privacy Commissioner for Personal Data (PCPD).

The two sets of RMCs are intended for controller to controller transfers, and controller to processor transfers. The RMCs may be used in:

• cross border transfers of personal data between an entity within and outside of Hong Kong; and
• transfers of personal data between two entities outside of Hong Kong, where the transfer is controlled by a Hong Kong data controller.

These free-standing clauses may be incorporated into existing data processing agreements, or more generally into commercial agreements between data transferor and transferees. Organisations may decide to incorporate additional, more complex contractual assurances to address other rights and obligations not included in the RMCs (i.e. reporting, audit and inspection rights, data breach notification, compliance with regulatory investigations etc).

Wider cross-border transfer considerations

The use of RMCs containing key PDPO compliance requirements will be indicative of fulfilling part of the requirements under section 33 of the Personal Data Protection Ordinance (PDPO), by taking reasonable steps and exercising due diligence to ensure personal data is treated in a manner compliant with the PDPO.

Whilst section 33 of the PDPO, which imposes restrictions on cross-border transfers, has yet to come in force, these RMCs provide more certainty as to the PCPD’s preferred approach.