The Personal Data (Privacy) Ordinance (Cap. 486) strictly regulates the provision of personal data to third parties for use in direct marketing, including the sale of personal data.
When you, as a data user, wish to provide personal data to third parties for use in direct marketing, you must inform the customers in writing:
- that you intend to transfer their personal data and that you may not transfer unless the customer gives written consent
- the kinds of personal data to be provided
- Will the data be transferred for gain?
- What are the classes of persons to whom the data will be provided?
- Provide your customers with a free channel through which they can communicate their consent to the intended use
Present information to your customers in an easily understandable, or if in written form, easily readable, manner to help them make an informed choice
Unless you have received written consent from your customers, you are not allowed to provide their personal data to a third party (section 35K of the Ordinance).
Moreover, your customers can, at any time and irrespective of whether any previous consent has been given, require you to stop providing their personal data to a third party for use in direct marketing and can notify any third party to whom their data has been so provided to stop using the data in direct marketing in writing. If you have received any of these instructions, you must comply with them without charging the data subjects.
If you contravene any of the requirements regarding the provision of personal data to third parties for use in direct marketing, you may have committed an offence:
- Contraventions involving the provision of personal data for gain, including the sale of personal data: The maximum penalty is five-year imprisonment and a fine of HK$1,000,000.
- Other contraventions: The maximum penalty is three-year imprisonment and a fine of HK$500,000.
Key takeaways
- You can only give away your customers’ personal data to third parties for use in direct marketing if you have obtained their consent.
- You may have committed a criminal offence if you contravene any requirement regarding the provision of personal data to third parties for use in direct marketing.