All Countries
Data Privacy
Data Protection Addendum

Data Protection Addendum Template for Hong Kong

Create a bespoke document in minutes,  or upload and review your own.

4.6 / 5
4.8 / 5

Let's create your Data Protection Addendum

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get your first 2 documents free

Your data doesn't train Genie's AI

You keep IP ownership of your information

Key Requirements PROMPT example:

Data Protection Addendum

"Need a Data Protection Addendum for our Hong Kong bank's relationship with a cloud service provider in Singapore, with specific provisions for cross-border data transfers and financial sector compliance requirements to be effective from March 2025."

Celebrated by
Collaborations with
Investors
Document background
This Data Protection Addendum is essential for organizations operating under Hong Kong law that engage in data processing relationships. It supplements existing service agreements when one party processes personal data on behalf of another, ensuring compliance with the Personal Data (Privacy) Ordinance (PDPO) and related regulations. The document becomes particularly crucial when organizations handle sensitive personal data, engage in cross-border data transfers, or operate in regulated industries. It addresses key requirements such as data security measures, breach notification procedures, and data subject rights, while incorporating specific provisions required by Hong Kong's privacy framework and regulatory guidelines. The addendum should be regularly reviewed and updated to reflect changes in data protection laws and regulatory expectations.
Suggested Sections

1. Parties: Identification of the data controller and data processor, including their registered addresses and company details

2. Background: Context of the addendum, reference to the main agreement, and purpose of data processing activities

3. Definitions: Key terms used in the addendum, including those from PDPO and relevant guidelines

4. Scope and Purpose of Processing: Detailed description of the permitted data processing activities and their specific purposes

5. Obligations of the Data Processor: Core responsibilities including security measures, confidentiality, and compliance with data protection principles

6. Data Controller Rights and Instructions: Controller's authority to issue instructions and monitor compliance

7. Security Requirements: Specific technical and organizational measures required for data protection

8. Data Breach Notification: Procedures and timeframes for reporting data breaches

9. Subprocessing: Conditions and requirements for engaging subprocessors

10. Data Subject Rights: Procedures for handling data access, correction, and deletion requests

11. Audit Rights: Controller's rights to audit processor's compliance

12. Term and Termination: Duration of the addendum and termination provisions

13. Return or Deletion of Data: Obligations regarding personal data upon termination

14. Governing Law and Jurisdiction: Specification of Hong Kong law and jurisdiction

Optional Sections

1. Cross-border Data Transfers: Required when personal data will be transferred outside Hong Kong, including safeguards and compliance measures

2. Industry-Specific Requirements: Additional provisions for regulated industries (e.g., financial services, healthcare)

3. Data Protection Impact Assessment: Procedures for conducting DPIAs when processing high-risk data

4. Special Categories of Data: Additional safeguards for sensitive personal data

5. Insurance Requirements: Specific insurance obligations for data protection

6. Business Continuity: Measures for ensuring continuous data protection during disruptions

7. Exit Management: Detailed procedures for transitioning data processing to another processor

Suggested Schedules

1. Schedule 1 - Processing Activities: Detailed description of data processing activities, categories of data subjects and personal data

2. Schedule 2 - Technical and Organizational Measures: Specific security measures and controls implemented

3. Schedule 3 - Approved Subprocessors: List of pre-approved subprocessors and their processing activities

4. Schedule 4 - Data Transfer Mechanisms: Details of cross-border transfer arrangements and safeguards

5. Appendix A - Security Breach Response Plan: Detailed procedures for handling and reporting data breaches

6. Appendix B - Compliance Checklist: Checklist of PDPO requirements and compliance measures

7. Appendix C - Data Handling Procedures: Standard operating procedures for routine data processing activities

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Linkedin in social icon imageX social icon image
alex.den.21@genieai.co
Relevant legal definitions
Addendum
Applicable Data Protection Law
Authorized Personnel
Business Day
Confidential Information
Controller
Cross-border Transfer
Data Access Request
Data Breach
Data Collection Statement
Data Correction Request
Data Protection Impact Assessment
Data Protection Principles
Data Subject
Data Subject Rights
Effective Date
Group Company
Hong Kong
Information Notice
Main Agreement
Material Breach
Personal Data
PDPO
Privacy Commissioner
Privacy Impact Assessment
Privacy Management Programme
Processor
Processing
Security Measures
Sensitive Personal Data
Services
Standard Contractual Clauses
Sub-processor
Technical and Organizational Measures
Term
Third Party
Transfer Mechanism
Relevant Industries

Financial Services

Healthcare

Technology

E-commerce

Education

Professional Services

Insurance

Telecommunications

Retail

Manufacturing

Logistics

Real Estate

Hospitality

Relevant Teams

Legal

Compliance

Information Technology

Information Security

Risk Management

Privacy

Operations

Procurement

Data Management

Technology

Corporate Governance

Vendor Management

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Chief Information Security Officer

Chief Compliance Officer

Privacy Counsel

Legal Counsel

IT Director

Information Security Manager

Compliance Manager

Risk Manager

Operations Director

Chief Technology Officer

Privacy Manager

General Counsel

Contract Manager

Industries
Personal Data (Privacy) Ordinance (Cap. 486): Hong Kong's primary data protection legislation that regulates the collection, use, and handling of personal data. It sets out six data protection principles covering data collection, accuracy, retention, usage, security, and access rights.
PCPD Guidelines on Cross-border Data Transfers: Guidelines issued by the Privacy Commissioner for Personal Data on the requirements and best practices for transferring personal data outside of Hong Kong.
HKMA Cybersecurity Fortification Initiative: Regulatory framework by the Hong Kong Monetary Authority that includes requirements for data protection in the banking and financial services sector.
PCPD Guidance on Data Processor Contracts: Specific guidelines on contractual terms and conditions that should be included when engaging data processors, including security measures and processing restrictions.
Data Protection Principles (DPPs): The six fundamental principles under the PDPO that form the core foundation of Hong Kong's data protection regime, covering collection, accuracy, retention, use, security, and access to personal data.
Electronic Transactions Ordinance (Cap. 553): Legislation governing electronic records and signatures, which is relevant for data protection in digital transactions and electronic storage of personal data.
Teams

Employer, Employee, Start Date, Job Title, Department, Location, Probationary Period, Notice Period, Salary, Overtime, Vacation Pay, Statutory Holidays, Benefits, Bonus, Expenses, Working Hours, Rest Breaks,  Leaves of Absence, Confidentiality, Intellectual Property, Non-Solicitation, Non-Competition, Code of Conduct, Termination,  Severance Pay, Governing Law, Entire Agreemen

Find the exact document you need

International Data Transfer Addendum

A Hong Kong law-governed addendum that establishes terms for international personal data transfers, ensuring compliance with PDPO and international data protection standards.

find out more

Data Privacy Risk Assessment

A structured assessment of privacy risks and compliance requirements under Hong Kong's PDPO, evaluating data protection measures and providing risk mitigation strategies.

find out more

Personal Data Agreement

A Hong Kong law-governed agreement establishing terms for personal data processing between data users and processors, ensuring PDPO compliance.

find out more

Data Controller Agreement

A Hong Kong law-governed agreement establishing data controller obligations and responsibilities under the PDPO.

find out more

Order Of Meeting Minutes

A legal record of corporate meeting proceedings and decisions that complies with Hong Kong Companies Ordinance requirements.

find out more

Data Processing Addendum

A Hong Kong law-governed addendum establishing terms for personal data processing between controllers and processors, ensuring PDPO compliance.

find out more

Data Confidentiality Agreement

A Hong Kong law-governed agreement establishing confidentiality obligations and data protection requirements between parties sharing sensitive information.

find out more

Contributor Licence Agreement

A Hong Kong law-governed agreement establishing terms for licensing intellectual property rights from contributors to a project maintainer.

find out more

Joint And Several Promissory Note

A Hong Kong law-governed financial instrument where multiple borrowers jointly and severally promise to repay a specified sum to a lender.

find out more

Data Processing Addendum DPA

A Hong Kong law-governed agreement that establishes terms for personal data processing, ensuring compliance with PDPO requirements.

find out more

International Contract Of Sale

A Hong Kong law-governed agreement for international sale of goods, covering delivery, payment, and trade compliance terms.

find out more

Controller To Controller Data Processing Agreement

A Hong Kong law-governed agreement between two data controllers establishing terms for sharing and processing personal data in compliance with the PDPO.

find out more

Intercompany Credit Agreement

A Hong Kong law-governed agreement establishing credit arrangements between related companies within the same corporate group, setting out loan terms, conditions, and regulatory compliance requirements.

find out more

Intra Company Loan Agreement

Hong Kong law-governed agreement establishing loan terms between related companies within the same corporate group.

find out more

Sub Loan Agreement

A Hong Kong law-governed agreement documenting terms for the on-lending of funds from a primary loan to a subsequent borrower.

find out more

Data Protection Addendum

A Hong Kong law-governed addendum that sets out data protection obligations between controllers and processors, ensuring PDPO compliance.

find out more

Commission Split Agreement Between Agents

A Hong Kong law-governed agreement establishing commission sharing arrangements between licensed real estate agents, including split ratios and payment terms.

find out more

Download our whitepaper on the future of AI in Legal

By providing your email address you are consenting to our Privacy Notice.
Thank you for downloading our whitepaper. This should arrive in your inbox shortly. In the meantime, why not jump straight to a section that interests you here: https://www.genieai.co/our-research
Oops! Something went wrong while submitting the form.

Genie’s Security Promise

Genie is the safest place to draft. Here’s how we prioritise your privacy and security.

Your documents are private:

We do not train on your data; Genie’s AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

Our bank-grade security infrastructure undergoes regular external audits

We are ISO27001 certified, so your data is secure

Organizational security

You retain IP ownership of your documents

You have full control over your data and who gets to see it

Innovation in privacy:

Genie partnered with the Computational Privacy Department at Imperial College London

Together, we ran a £1 million research project on privacy and anonymity in legal contracts

Want to know more?

Visit our Trust Centre for more details and real-time security updates.

Read our Privacy Policy.