
Five things you should know about PCPD’s Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data

  • Hong Kong
  • Privacy, data protection and cybersecurity - GDPR


On 12 May 2022, the Office of the Privacy Commissioner for Personal Data (“PCPD”) issued guidance on recommended model clauses for cross-border transfers of personal data outside of Hong Kong (“Guidance”). The Guidance contains two sets of recommended model contractual clauses (“RMCs”) which may be incorporated into general commercial agreements between data transferors and recipients.

Here are five key things you should know about the Guidance and the RMCs:

1. The Guidance is targeted at SMEs

While all data users may take reference from the RMCs, the Guidance is especially targeted at local small and medium enterprises (“SMEs”), which may experience practical difficulties in drafting appropriate contractual terms for effecting cross-border transfers of personal data that are compliant with the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).

2. The RMCs are not binding

While section 33 of the PDPO imposes restrictions on cross-border transfers of data, it is not yet in operation. Thus, although adoption of the RMCs is recommended by the PCPD, it is not currently binding on data users.

3. The RMCs cater for two types of cross-border data transfer scenarios

The two sets of RMCs provided by the PCPD apply, respectively, where data is transferred: (1) from one data user to another data user (i.e. data controller to data controller); and (2) from a data user to a data processor (i.e. data controller to data processor). The RMCs can be used either where personal data is transferred by a Hong Kong entity outside of Hong Kong, or where personal data is transferred between two entities, both of which are outside Hong Kong, but such transfer is controlled by a Hong Kong data user.

4. Corporations may consider adopting additional contractual measures on top of the RMCs

While the RMCs helpfully set out the transferor’s and transferee’s more fundamental and basic obligations in a cross-border transfer of personal data, the PCPD recommends that data users also consider whether it is appropriate to incorporate the additional contractual assurances set out in its earlier guidance issued in December 2014. These assurances include additional reporting and audit rights, a breach notification regime and obligations to co-operate with data users.

5. Less stringent than data transfer obligations required under the GDPR

For corporations whose data transfer agreements (“DTAs”) are already compliant with the EU’s General Data Protection Regulation (“GDPR”), it may not be necessary to additionally incorporate the RMCs into their existing DTAs. This is because the 2021 EU standard contractual clauses, which are required to be complied with under the GDPR, are more stringent in nature than the RMCs. Nonetheless, data users should take note that use of the RMCs per se will not automatically achieve compliance with the requirements of data protection laws in other jurisdictions (e.g. the GDPR or the Personal Information Protection Law of the PRC).

To read the Guidance, please see here.

For further information on requirements for the cross-border transfers of personal data, please contact us.