
GDPR will come into force in May 2018: Hong Kong Enterprises should get prepared

Release Date: 9 Apr 2018

The EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018. One of the new developments introduced under the GDPR to the data protection landscape outside the EU is the explicit requirement of compliance by organizations established in non-EU jurisdictions in specified circumstances. As the EU is Hong Kong’s second largest trading partner, the new GDPR’s extra-territorial effect suggests that as long as Hong Kong Enterprises collect and process personal data of EU individuals, they should be prepared to comply with GDPR’s requirements.


The GDPR considers not only the location of the data processing, but also the location of the individual whose data is being processed. The GDPR applies to Hong Kong businesses which process personal data in relation to:

  1. The offering of goods or services to individuals in the EU (regardless of whether payment is taken); or
  2. The monitoring of the behavior of individuals within the EU.

Here are some scenarios in which HK businesses may be affected by the GDPR through their use of the Internet:

  1. HK company without any EU subsidiaries offering free social media services via a website hosted in the US to individuals in the EU – GDPR applies
  2. HK hotel booking business using cookies to track past customers’ (including EU-based customers) browsing in order to target specific hotel adverts to them – GDPR applies
  3. HK flower delivery company allowing individuals in the EU to make orders for fulfilment only in HK. The price for the flower delivery services is denominated in an EU currency – GDPR applies
  4. HK retailer with a website for orders/deliveries. The website is accessible to individuals in the EU in English. The currency is the HK dollar and the address fields only allow HK addresses – GDPR doesn’t apply


The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) issued the “European Union General Data Protection Regulation (GDPR) 2016” booklet on 3 April 2018. The booklet aims to raise awareness among organizations and businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the European Union, and compares some of its major requirements with those set out in the Personal Data (Privacy) Ordinance, Laws of Hong Kong (Cap 486) (PDPO).


The booklet can be downloaded from the link below: