THE 2012 AMENDMENT OF THE PDPO Flashcards
What is the purpose of the 2012 Amendment to the PDPO?
To enhance data protection and address new challenges, particularly concerning direct marketing and data processing by third parties.
What must organizations do before using personal data for direct marketing purposes?
Organizations must inform individuals and obtain their explicit and informed consent.
What mechanism must be provided for individuals regarding direct marketing communications?
Clear and simple mechanisms must be provided for individuals to opt out of direct marketing communications at any time.
What are the rules for marketing in HK?
Data users who wish to use personal data for their own direct marketing purposes must obtain prior consent from the data subject and notify the data subject accordingly. If consent is given orally, data users have the additional obligation to send a written confirmation to the data subject confirming the particulars of the consent received. Sharing personal data with a third party requires prior written consent.
What restrictions were placed on the transfer of personal data to third parties for direct marketing purposes?
Explicit consent from the data subject is required.
What penalties were introduced for non-compliance with the direct marketing provisions?
Stringent penalties, including fines and imprisonment, were introduced.
What are the key amendments in the Personal Data (Privacy) (Amendment) Ordinance 2012?
Use of Personal Data for Direct Marketing (Sections 35B to 35H):
Data users (organizations that collect and use personal data) must inform individuals (data subjects) of their intention to use their personal data for direct marketing purposes.
Data users must provide clear information on the types of personal data to be used and the categories of goods or services to be marketed.
Data subjects must be given an opportunity to opt-out (withdraw consent) from the use of their personal data for direct marketing.
Provision of Personal Data to Another for Use in Direct Marketing (Sections 35I and 35M):
Data users must obtain explicit consent from data subjects before providing their personal data to a third party for direct marketing purposes.
Data subjects must be informed of the types of personal data to be transferred, the classes of transferees, and the purpose of the transfer.
Exclusions for Social Services, Welfare Departments, and Healthcare Services: Certain social services, welfare departments, and healthcare services are excluded from the requirements for direct marketing under specified conditions.
This exclusion is designed to ensure that essential services can continue to operate without undue restriction while still respecting privacy concerns.
Disclosure of Personal Data Obtained Without Consent:
It is an offense to disclose personal data obtained without the data subject’s consent with the intent to obtain gain or cause loss (Section 64).
This aims to prevent misuse or unauthorized disclosure of personal data.
Regulating Data Processors:
Data users must adopt contractual or other means to ensure that data processors (third-party service providers who process personal data on behalf of data users) comply with the same data protection requirements.
Data processors must take all practicable steps to protect personal data from unauthorized or accidental access, processing, erasure, loss, or use.
Enforcement Notices:
The Privacy Commissioner for Personal Data (PCPD) is empowered to issue enforcement notices to data users who contravene the PDPO, requiring them to remedy the contravention within a specified period.
Failure to comply with an enforcement notice is an offense and can result in legal action.
Legal Assistance for Aggrieved Individuals:
The PCPD can provide legal assistance to individuals who have suffered damage (including injury to feelings) as a result of a contravention of the PDPO, facilitating their pursuit of compensation through civil proceedings.
