All Countries
Data Privacy
Data Controller Agreement

Data Controller Agreement Template for Hong Kong

Create a bespoke document in minutes,  or upload and review your own.

4.6 / 5
4.8 / 5

Let's create your Data Controller Agreement

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get your first 2 documents free

Your data doesn't train Genie's AI

You keep IP ownership of your information

Key Requirements PROMPT example:

Data Controller Agreement

"I need a Data Controller Agreement for my fintech startup based in Hong Kong that will be processing customer payment data and sharing it with third-party payment providers, with operations starting March 2025."

Celebrated by
Collaborations with
Investors
Document background
This Data Controller Agreement is essential for organizations operating in Hong Kong that collect, process, or control personal data. It is designed to ensure compliance with the Personal Data (Privacy) Ordinance (PDPO) and related regulations, while establishing clear protocols for data protection. The agreement is particularly relevant in scenarios where multiple entities may be involved in data processing activities or where there's a need to clearly define data controller responsibilities. It includes provisions for data security, breach notification, data subject rights, and cross-border data transfers, reflecting Hong Kong's specific regulatory requirements and international best practices in data protection. The document is crucial for businesses seeking to demonstrate compliance with Hong Kong's data protection regime and maintain proper data governance structures.
Suggested Sections

1. Parties: Identification of the data controller and any other parties to the agreement

2. Background: Context of the agreement and relationship between the parties

3. Definitions: Definitions of key terms used in the agreement, including specific PDPO-related terminology

4. Scope and Purpose: Defines the scope of data processing activities and legitimate purposes

5. Data Protection Obligations: Core obligations under PDPO and related regulations

6. Data Security: Security measures required to protect personal data

7. Data Subject Rights: Procedures for handling data subject requests and rights

8. Breach Notification: Protocol for reporting and handling data breaches

9. Audit Rights: Rights and procedures for auditing compliance

10. Confidentiality: Confidentiality obligations regarding processed data

11. Term and Termination: Duration of the agreement and termination provisions

12. Return or Destruction of Data: Obligations regarding data handling upon termination

13. Liability and Indemnities: Allocation of risks and responsibilities

14. General Provisions: Standard contractual provisions including governing law and jurisdiction

Optional Sections

1. Cross-border Transfers: Required when personal data will be transferred outside Hong Kong

2. Sub-processing: Required when the controller may engage sub-processors

3. Industry-Specific Compliance: Required for regulated industries like financial services or healthcare

4. Data Protection Officer: Required when parties need to appoint dedicated data protection officers

5. Insurance Requirements: Required when specific insurance coverage for data protection is needed

6. Force Majeure: Optional provisions for handling unforeseen circumstances affecting data processing

7. Change Control: Required when formal procedures for changes to data processing are needed

Suggested Schedules

1. Schedule 1 - Categories of Personal Data: Detailed list of personal data types being processed

2. Schedule 2 - Processing Activities: Detailed description of authorized processing activities

3. Schedule 3 - Security Measures: Technical and organizational security measures

4. Schedule 4 - Sub-processors: List of authorized sub-processors if applicable

5. Schedule 5 - Data Retention Periods: Specific retention periods for different data categories

6. Appendix A - Data Transfer Mechanisms: Details of cross-border transfer arrangements if applicable

7. Appendix B - Technical Requirements: Technical specifications for data processing systems

8. Appendix C - Contact Details: Key contacts for data protection matters

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Linkedin in social icon imageX social icon image
alex.den.21@genieai.co
Relevant legal definitions
Personal Data
Data Subject
Processing
Data Controller
Data Processor
Data Protection Laws
PDPO
Privacy Commissioner
Authorized Person
Business Day
Confidential Information
Data Protection Impact Assessment
Data Breach
Security Measures
Sub-processor
Third Party
Processed Data
Special Categories of Personal Data
Cross-border Transfer
Data Protection Officer
Regulatory Authority
Technical and Organizational Measures
Permitted Purpose
Data Processing Schedule
Compliance Records
Data Subject Request
Notice
Material Breach
Force Majeure Event
Legitimate Interest
Privacy Policy
Required Consents
Security Standards
Service Level Agreement
Term
Territory
Applicable Laws
Authorized Recipients
Business Purpose
Effective Date
Group Company
Implementation Date
Intellectual Property Rights
Personal Data Breach
Representatives
Restricted Transfer
Standard Contractual Clauses
Clauses
Interpretation
Appointment
Obligations and Rights
Data Protection
Data Processing
Data Security
Confidentiality
Sub-Processing
Cross-Border Transfers
Audit Rights
Data Subject Rights
Breach Notification
Liability
Indemnification
Insurance
Term and Termination
Data Return and Deletion
Assignment
Force Majeure
Notice
Severability
Entire Agreement
Variation
Waiver
Third Party Rights
Governing Law
Dispute Resolution
Compliance with Laws
Records and Audit
Service Levels
Change Control
Personnel
Business Continuity
Cooperation
Relevant Industries

Financial Services

Healthcare

Technology

E-commerce

Professional Services

Education

Insurance

Telecommunications

Retail

Manufacturing

Logistics

Real Estate

Consulting

Relevant Teams

Legal

Compliance

Information Technology

Information Security

Risk Management

Operations

Data Protection

Privacy

Regulatory Affairs

Corporate Governance

Audit

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Chief Information Security Officer

Chief Compliance Officer

Privacy Manager

Legal Counsel

Information Security Manager

Compliance Manager

Risk Manager

IT Director

Operations Director

Chief Technology Officer

Chief Legal Officer

Data Protection Specialist

Privacy Analyst

Industries
Personal Data (Privacy) Ordinance (Cap. 486): The primary legislation governing personal data protection in Hong Kong, establishing data protection principles and compliance requirements for data controllers
PCPD Guidance on Data Processor Contracts: Guidelines issued by the Privacy Commissioner providing specific requirements for contracts between data controllers and data processors
PDPO (Amendment) 2021: Updates to the PDPO addressing doxxing-related offenses and enforcement powers, which may affect data handling obligations
Electronic Transactions Ordinance (Cap. 553): Relevant for electronic execution and record-keeping requirements in data processing agreements
Cybersecurity Guidelines by PCPD: Guidelines on security measures and standards for protecting personal data in electronic form
Cross-border Transfer Guidelines: PCPD guidance on transferring personal data outside of Hong Kong, including recommended contractual clauses
Data Retention Guidelines: PCPD guidance on proper data retention and disposal practices that should be reflected in the agreement
Teams

Employer, Employee, Start Date, Job Title, Department, Location, Probationary Period, Notice Period, Salary, Overtime, Vacation Pay, Statutory Holidays, Benefits, Bonus, Expenses, Working Hours, Rest Breaks,  Leaves of Absence, Confidentiality, Intellectual Property, Non-Solicitation, Non-Competition, Code of Conduct, Termination,  Severance Pay, Governing Law, Entire Agreemen

Find the exact document you need

International Data Transfer Addendum

A Hong Kong law-governed addendum that establishes terms for international personal data transfers, ensuring compliance with PDPO and international data protection standards.

find out more

Data Privacy Risk Assessment

A structured assessment of privacy risks and compliance requirements under Hong Kong's PDPO, evaluating data protection measures and providing risk mitigation strategies.

find out more

Personal Data Agreement

A Hong Kong law-governed agreement establishing terms for personal data processing between data users and processors, ensuring PDPO compliance.

find out more

Data Controller Agreement

A Hong Kong law-governed agreement establishing data controller obligations and responsibilities under the PDPO.

find out more

Order Of Meeting Minutes

A legal record of corporate meeting proceedings and decisions that complies with Hong Kong Companies Ordinance requirements.

find out more

Data Processing Addendum

A Hong Kong law-governed addendum establishing terms for personal data processing between controllers and processors, ensuring PDPO compliance.

find out more

Data Confidentiality Agreement

A Hong Kong law-governed agreement establishing confidentiality obligations and data protection requirements between parties sharing sensitive information.

find out more

Contributor Licence Agreement

A Hong Kong law-governed agreement establishing terms for licensing intellectual property rights from contributors to a project maintainer.

find out more

Joint And Several Promissory Note

A Hong Kong law-governed financial instrument where multiple borrowers jointly and severally promise to repay a specified sum to a lender.

find out more

Data Processing Addendum DPA

A Hong Kong law-governed agreement that establishes terms for personal data processing, ensuring compliance with PDPO requirements.

find out more

International Contract Of Sale

A Hong Kong law-governed agreement for international sale of goods, covering delivery, payment, and trade compliance terms.

find out more

Controller To Controller Data Processing Agreement

A Hong Kong law-governed agreement between two data controllers establishing terms for sharing and processing personal data in compliance with the PDPO.

find out more

Intercompany Credit Agreement

A Hong Kong law-governed agreement establishing credit arrangements between related companies within the same corporate group, setting out loan terms, conditions, and regulatory compliance requirements.

find out more

Intra Company Loan Agreement

Hong Kong law-governed agreement establishing loan terms between related companies within the same corporate group.

find out more

Sub Loan Agreement

A Hong Kong law-governed agreement documenting terms for the on-lending of funds from a primary loan to a subsequent borrower.

find out more

Data Protection Addendum

A Hong Kong law-governed addendum that sets out data protection obligations between controllers and processors, ensuring PDPO compliance.

find out more

Commission Split Agreement Between Agents

A Hong Kong law-governed agreement establishing commission sharing arrangements between licensed real estate agents, including split ratios and payment terms.

find out more

Download our whitepaper on the future of AI in Legal

By providing your email address you are consenting to our Privacy Notice.
Thank you for downloading our whitepaper. This should arrive in your inbox shortly. In the meantime, why not jump straight to a section that interests you here: https://www.genieai.co/our-research
Oops! Something went wrong while submitting the form.

Genie’s Security Promise

Genie is the safest place to draft. Here’s how we prioritise your privacy and security.

Your documents are private:

We do not train on your data; Genie’s AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

Our bank-grade security infrastructure undergoes regular external audits

We are ISO27001 certified, so your data is secure

Organizational security

You retain IP ownership of your documents

You have full control over your data and who gets to see it

Innovation in privacy:

Genie partnered with the Computational Privacy Department at Imperial College London

Together, we ran a £1 million research project on privacy and anonymity in legal contracts

Want to know more?

Visit our Trust Centre for more details and real-time security updates.

Read our Privacy Policy.