Policies
Personal Data (Privacy) Ordinance
35I. Application
(1) This Division does not apply if a data user provides, otherwise than for gain, personal data of a data subject to another person for use by that other person in offering, or advertising the availability, of—
(a) social services run, subvented or subsidized by the Social Welfare Department;
(b) health care services provided by the Hospital Authority or Department of Health; or
(c) any other social or health care services which, if not provided, would be likely to cause serious harm to the physical or mental health of—
(i) the individual to whom the services are intended to be provided; or
(ii) any other individual.
(2) This Division does not apply if a data user provides personal data of a data subject to an agent of the data user for use by the agent in carrying out direct marketing on the data user's behalf.
35J. Data user to take specified action before providing personal data
(1) A data user who intends to provide a data subject's personal data to another person for use by that other person in direct marketing must take each of the actions specified in subsection (2).
(2) The data user must—
(a) inform the data subject in writing—
(i) that the data user intends to so provide the personal data; and
(ii) that the data user may not so provide the data unless the data user has received the data subject's written consent to the intended provision;
(b) provide the data subject with the following written information in relation to the intended provision—
(i) if the data is to be provided for gain, that the data is to be so provided;
(ii) the kinds of personal data to be provided;
(iii) the classes of persons to which the data is to be provided; and
(iv) the classes of marketing subjects in relation to which the data is to be used; and
(c) provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject's consent to the intended provision in writing.
(3) Subsection (1) applies irrespective of whether the personal data is collected from the data subject by the data user.
(4) The information provided under subsection (2)(a) and (b) must be presented in a manner that is easily understandable and easily readable.
(5) A data user who provides personal data of a data subject to another person for use by that other person in direct marketing without taking each of the actions specified in subsection (2) commits an offence and is liable on conviction—
(a) if the data is provided for gain, to a fine of $1,000,000 and to imprisonment for 5 years; or
(b) if the data is provided otherwise than for gain, to a fine of $500,000 and to imprisonment for 3 years.
(6) In any proceedings for an offence under subsection (5), it is a defence for the data user charged to prove that the data user took all reasonable precautions and exercised all due diligence to avoid the commission of the offence.
35K. Data user must not provide personal data for use in direct marketing without data subject's consent
(1) A data user who has complied with section 35J must not provide the data subject's personal data to another person for use by that other person in direct marketing unless—
(a) the data user has received the data subject's written consent to the intended provision of personal data, as described in the information provided by the data user under section 35J(2)(b), either generally or selectively;
(b) if the data is provided for gain, the intention to so provide was specified in the information under section 35J(2)(b)(i); and
(c) the provision is consistent with the data subject's consent.
(2) For the purposes of subsection (1)(c), the provision of personal data is consistent with the data subject's consent if—
(a) the personal data falls within a permitted kind of personal data;
(b) the person to whom the data is provided falls within a permitted class of persons; and
(c) the marketing subject in relation to which the data is to be used falls within a permitted class of marketing subjects.
(3) A data subject may communicate to a data user the consent to a provision of personal data either through a response channel or other written means.
(4) A data user who contravenes subsection (1) commits an offence and is liable on conviction—
(a) if the data user provides the personal data for gain, to a fine of $1,000,000 and to imprisonment for 5 years; or
(b) if the data user provides the personal data otherwise than for gain, to a fine of $500,000 and to imprisonment for 3 years.
(5) In any proceedings for an offence under subsection (4), it is a defence for the data user charged to prove that the data user took all reasonable precautions and exercised all due diligence to avoid the commission of the offence.
35L. Data subject may require data user to cease to provide personal data for use in direct marketing
(1) A data subject who has been provided with information by a data user under section 35J(2)(b) may, at any time, require the data user—
(a) to cease to provide the data subject's personal data to any other person for use by that other person in direct marketing; and
(b) to notify any person to whom the data has been so provided to cease to use the data in direct marketing.
(2) Subsection (1) applies irrespective of whether the data subject has earlier given consent to the provision of the personal data.
(3) A data user who receives a requirement from a data subject under subsection (1) must, without charge to the data subject, comply with the requirement.
(4) If a data user is required to notify a person to cease to use a data subject's personal data in direct marketing under a requirement referred to in subsection (1)(b), the data user must so notify the person in writing.
(5) A person who receives a written notification from a data user under subsection (4) must cease to use the personal data in direct marketing in accordance with the notification.
(6) A data user who contravenes subsection (3) commits an offence and is liable on conviction—
(a) if the contravention involves a provision of personal data of a data subject for gain, to a fine of $1,000,000 and to imprisonment for 5 years; or
(b) in any other case, to a fine of $500,000 and to imprisonment for 3 years.
(7) A person who contravenes subsection (5) commits an offence and is liable on conviction to a fine of $500,000 and to imprisonment for 3 years.
(8) In any proceedings for an offence under subsection (6) or (7), it is a defence for the data user or person charged to prove that the data user or person took all reasonable precautions and exercised all due diligence to avoid the commission of the offence.
(9) This section does not affect the operation of section 26.
35M. Prescribed consent for providing personal data for use in direct marketing under data protection principle 3
Despite section 2(3), where a data user requires, under data protection principle 3, the prescribed consent of a data subject for providing any personal data of the data subject to another person for use in direct marketing, the data user is to be taken to have obtained the consent if the data user has not contravened section 35J, 35K or 35L.