Before a data user can use a person's personal data for direct marketing purposes or make it available to others for that purpose, the data user must obtain the consent of the person concerned or an indication of "no objection" to the intended use or provision. As a result, a person may object to the intended use of their personal data for direct marketing. In addition, a data user who uses the personal data of a person concerned in direct marketing without that person's consent, or who does not provide relevant information such as the nature of the personal data to be used, commits an offence punishable by a fine of HKD 500,000 (approximately 58,000 euros) and a prison sentence of three years (s. 35C PDPO). A data user who transfers personal data to third parties for profit and for direct marketing purposes must expect a fine of HKD 1 million (approximately 116,000 euros) and a five-year prison sentence. DPP1 stipulates that the collection of personal data must be necessary, legal and fair and that such collection must be actually granted by the person concerned. It also sets out the information that a data user must provide to a person concerned on or before collecting data, including: if the person concerned is a minor (i.e. under 18 years of age) and if the prescribed consent of the minor is required in accordance with DPP3, a person with parental responsibility may give the required consent on behalf of the minor. If the person concerned has been prejudiced as a result of a violation of the PDPO, the PCPD may grant that person legal assistance in bringing proceedings against the data user concerned in order to claim damages (Article 66B PDPO). Before an investigation is opened, the PCPD will also attempt to resolve the problem in a less formal way through mediation. Data processors are not directly regulated. Unlike a data user, a data processor does not automatically fall within the scope of the PDPO.
There is no legal obligation for data users to inform the PCPD, the individuals concerned or the parties concerned of data breaches. However, it is recommended that data users report the incident as soon as possible to the PCPD, via an infringement notification form, and to all affected individuals, so that immediate corrective action can be taken to mitigate any damage. The first prison sentence for PDPO offences was imposed in December 2014. In that case, a former insurance agent was sentenced to four weeks in prison for misdemeanors, including two counts of misrepresentation to the Data Protection Commissioner. It should be noted, however, that the insurance agent also pleaded guilty to other frauds and that his sentence for PDPO violations was due to his conduct during the Commissioner's investigation and not to a violation of the PDPO's data protection principles. Following in the footsteps of its EU counterparts, the PCPD has been committed since 2014 to ensuring that organisational data users implement a privacy management programme (PMP) to ensure the protection of personal data as part of their corporate governance responsibility and to apply it as a business imperative throughout the organisation. For a person to be a data user, not only must one of the processes listed above take place, but the person must control that process. "Control" is not defined in the PDPO, but the term was examined in court in R v Griffin (The Times, March 5, 1993), where the English High Court found that an independent accountant "controlled" the personal data he had received from clients, which he was entitled to manipulate according to his own professional judgment.