A data user shall not transfer personal data outside Hong Kong unless one of the following conditions is met:
- The place is specified by the Commissioner, by notice in the Gazette, as a place in which there is in force any law which is substantially similar to, or serves the same purposes as, the Ordinance (no place has satisfied this condition to date);
- The data user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, the Ordinance;
- The data subject has consented in writing to the transfer;
- The data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the consent in writing of the data subject to that transfer; but if it was practicable, such consent would be given;
- The data is exempt from Data Protection Principle 3 by virtue of an exemption under Part VIII of the Ordinance (such as personal data held for news activities, for domestic use, or for the purpose of prevention of crime, etc.); or
- The data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed, or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance. Please note that data users' use of the recommended model data transfer clauses to develop an enforceable data transfer contract is one method of satisfying the due diligence requirement.
International data transfers are generally prohibited, unless the country in which the recipient Controller is located meets at least the same data protection standards (adequate level of protection) as the ones provided under Colombian laws. The transfer is also allowed in cases in which the Data Controller has obtained a transfer authorisation from the Data Subject, and in the following cases:
- exchange of medical data;
- bank and stock transfers;
- transfers agreed under international treaties to which Colombia is a party;
- necessary transfers for a contract between the Data Subject and Controller;
- implementation of pre-contractual measures; and
- transfers legally required in order to safeguard public interests.
The authorised countries for the international transfer of personal data are Australia, Austria, Belgium, Bulgaria, Cyprus, Costa Rica, Croatia, Denmark, Slovakia, Slovenia, Estonia, Spain, United States of America, Finland, France, Greece, Hungary, Ireland, Iceland, Germany, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Norway, the Netherlands, Peru, Poland, Portugal, the UK, Czech Republic, Republic of Korea, Romania, Serbia, Sweden, and the countries the European Commission deems appropriately protected.