How Can Hong Kong SMEs Comply with PDPO for Cross-Border Data Transfers?
For entrepreneurs and SMEs expanding into Asia, Hong Kong remains one of the most attractive places to start a business. You can own 100% of a Hong Kong private limited company, even if you live overseas. Under the Companies Ordinance (Cap. 622), there is no requirement for a local resident director — but every company must have at least one individual director and a company secretary (the secretary must be a Hong Kong resident or a Hong Kong‑registered corporate service provider).
While this makes Hong Kong a flexible base, SMEs operating across borders must also manage data privacy compliance — especially when transferring personal data overseas.
Why Cross‑Border Transfers Matter
When personal data leaves Hong Kong — for example, to be stored on overseas cloud servers or accessed by a parent company abroad — it may be subject to weaker or different privacy laws in the destination jurisdiction.
Section 33 of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), which would formally regulate cross‑border data transfers, has been enacted but is not yet in force. Until it takes effect, SMEs must still comply with the PDPO’s general Data Protection Principles (DPPs) when transferring personal data overseas.
Current Legal Position (2025)
- No statutory prohibition on overseas transfers yet — s.33 is not operational.
- But DPP1, DPP3, and DPP4 still apply:
  - DPP1 — Collect data fairly and lawfully, and only for a lawful purpose directly related to your function.
  - DPP3 — Use data only for the original or directly related purpose unless you have the data subject’s prescribed consent.
  - DPP4 — Take all practicable steps to safeguard personal data from unauthorised or accidental access, processing, loss, or use — this applies to overseas processors too.
Best Practice Steps for SMEs
- Identify Cross‑Border Data Flows
  - Map all personal data you collect (customers, employees, suppliers).
  - Note where it is stored, accessed, or processed — including overseas cloud servers or head office systems.
- Assess the Destination’s Privacy Protections
  - Check whether the overseas jurisdiction has laws broadly comparable to the PDPO.
  - Since the PCPD has not yet issued a “white list” of jurisdictions, you must make your own assessment.
- Put Contractual Safeguards in Place
  - Use written agreements with overseas recipients (including parent companies) requiring them to:
    - Use the data only for agreed purposes.
    - Implement security measures equivalent to DPP4.
    - Limit retention and securely delete data when no longer needed.
  - The PCPD has published Model Contractual Clauses you can adapt.
- Obtain Prescribed Consent Where Needed
  - If the transfer involves a new purpose not originally disclosed, get express, voluntary, informed consent from the data subject.
  - Avoid vague blanket clauses — be specific about where the data will go and why.
- Review and Monitor Regularly
  - Periodically check that the overseas entity is meeting agreed standards.
  - Update agreements and policies when systems, laws, or business processes change.
Extra Tips for SMEs
- Keep a record of all cross‑border transfers, risk assessments, and agreements.
- Train staff to recognise and report potential cross‑border data issues.
- Build these checks into your Privacy Management Programme so they are part of routine operations.
- Even though s.33 is not yet in force, adopting these measures now will make compliance easier when it is activated.
Key Takeaway
For now, Hong Kong SMEs are not legally barred from transferring personal data overseas, but they must still comply with the PDPO’s existing principles. Following the PCPD’s best practice guidance — especially contractual safeguards and proper consent — will protect your business today and future‑proof it for when s.33 comes into force.
Need help navigating this issue? Check out Ask.Legal — our AI-powered legal assistant is ready to help 24/7.