We continue our review of the different obligations employers have around the region in relation to collecting, using and storing employee data by looking at some further common issues.
|China||No. However, matters relating to data privacy are usually stated as part of the employment contract, staff handbook or other internal rules.||Yes. The obligations which apply are complex and will vary depending on whether the organisation is a operator of critical information infrastructure (“CII“).|
|Hong Kong||Yes. Employers mush take all practicable steps to ensure that their policies and practices in relation to PI are readily accessible and that a person can ascertain the kind of PI held by the data user (i.e. the employer) and the main purposes for which the PI is or is to be used.||No. However, the overseas transfer of PI remains subject to the general data protection provisions regarding the collection and use of data, including the principle that PI cannot be used for any other purpose than that for which it was to be used at the time of collection and any directly related purpose, without the express consent of the data subject.|
|Japan||No. However, it is common practice to include the standard uses of PI in Work Rules / employment contracts so employees know what uses they have already consented to.||Yes, consent must be obtained to transfer PI overseas, and the o|
|Singapore||Yes. Employers must develop and implement policies and practices that are necessary for them to meet their obligations under the PDPA and develop a process to receive and respond to complaints that may arise.||Yes. In addition to the Consent and Notification requirements, employers cannot transfer any PI to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA, to ensure that organisations provide a standard of protection of PI comparable to the protection under the PDPA. The requirements are to:
|South Korea||Yes. Employers must establish and implement an internal management plan for the secure processing of personal information.||Yes. The requirements that apply for international data transfers (including those made among affiliate entities) vary depending on whether the data transfer constitutes a third party provision or the outsourcing of PI processing.|
|Thailand||No.||No. However, sending PI overseas without the employees’ consent could be in violation of employees’ right to privacy under the Constitution.|
If you would like further information on this topic, please contact Fatim Jumabhoy at firstname.lastname@example.org.