We continue our review of the different obligations employers have around the region in relation to collecting, using and storing employee data by looking at some further common issues.
| Country | Is it necessary for employers to have a separate data privacy policy? | Are there any restrictions on sending personal information ("PI") overseas e.g. to payroll/HR in overseas headquarters? |
| China | No. However, matters relating to data privacy are usually stated as part of the employment contract, staff handbook or other internal rules. | Yes. The obligations which apply are complex and will vary depending on whether the organisation is a operator of critical information infrastructure ("CII"). |
| Hong Kong | Yes. Employers mush take all practicable steps to ensure that their policies and practices in relation to PI are readily accessible and that a person can ascertain the kind of PI held by the data user (i.e. the employer) and the main purposes for which the PI is or is to be used. | No. However, the overseas transfer of PI remains subject to the general data protection provisions regarding the collection and use of data, including the principle that PI cannot be used for any other purpose than that for which it was to be used at the time of collection and any directly related purpose, without the express consent of the data subject. |
| Indonesia | Yes. An electronic system administrator must have a specific internal data privacy policy. | No. However, sending PI overseas may be classified as sending to third party and may be considered as breach of data privacy without express prior consent from the relevant employee. |
| Japan | No. However, it is common practice to include the standard uses of PI in Work Rules / employment contracts so employees know what uses they have already consented to. | Yes, consent must be obtained to transfer PI overseas, and the o |
| Singapore | Yes. Employers must develop and implement policies and practices that are necessary for them to meet their obligations under the PDPA and develop a process to receive and respond to complaints that may arise. | Yes. In addition to the Consent and Notification requirements, employers cannot transfer any PI to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA, to ensure that organisations provide a standard of protection of PI comparable to the protection under the PDPA. The requirements are to:
|
| South Korea | Yes. Employers must establish and implement an internal management plan for the secure processing of personal information. | Yes. The requirements that apply for international data transfers (including those made among affiliate entities) vary depending on whether the data transfer constitutes a third party provision or the outsourcing of PI processing. |
| Thailand | No. | No. However, sending PI overseas without the employees' consent could be in violation of employees' right to privacy under the Constitution. |
If you would like further information on this topic, please contact Fatim Jumabhoy at fatim.jumabhoy@hsf.com.
Key contacts
Steve Bell
Managing Partner - Employment, Industrial Relations and Safety (Australia, Asia), Melbourne
Emma Rohsler
Regional Head of Practice (EMEA) - Employment Pensions and Incentives, Paris
Disclaimer
Herbert Smith Freehills LLP has a Formal Law Alliance (FLA) with Singapore law firm Prolegis LLC, which provides clients with access to Singapore law advice from Prolegis. The FLA in the name of Herbert Smith Freehills Prolegis allows the two firms to deliver a complementary and seamless legal service.