What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors, in relation to their respective roles in the chain of personal data processing.
Hong Kong’s Personal Data (Privacy) Ordinance doesn’t create direct criminal offences for noncompliance with the data protection principles. Instead, the Privacy Commissioner may serve enforcement notices on data users directing them to remedy the issue and, where applicable, prevent its recurrence. Failing to comply with an enforcement notice can result in a fine of up to HK$50,000 and up to 2 years’ imprisonment on the first conviction. In addition, individuals who suffer damage (including emotional damage) can seek compensation.
Misuse of personal data in direct marketing, non-compliance with individual data access requests, and unauthorized disclosure of personal data can result in criminal penalties.
HR Best Practices: Before processing personal data, make sure your organization has put in place the security measures necessary to ensure data security. In the event an employee or third party performs a wrongful act, employers may be able to avoid liability only where they can prove that reasonably practical steps were taken to prevent the employee (or third party) from engaging in wrongful acts and practices.