All Countries
Corporate Governance
Intercompany Data Processing Agreement

Intercompany Data Processing Agreement Template for Hong Kong

Create a bespoke document in minutes,  or upload and review your own.

4.6 / 5
4.8 / 5

Let's create your Intercompany Data Processing Agreement

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get your first 2 documents free

Your data doesn't train Genie's AI

You keep IP ownership of your information

Key Requirements PROMPT example:

Intercompany Data Processing Agreement

"I need an Intercompany Data Processing Agreement under Hong Kong law for my financial services group, where our Hong Kong headquarters will process customer data on behalf of our Singapore subsidiary, with implementation planned for March 2025."

Celebrated by
Collaborations with
Investors
Document background
The Intercompany Data Processing Agreement is essential for multinational companies operating in Hong Kong that need to establish formal arrangements for processing personal data within their group structure. This document becomes necessary when one group entity processes personal data on behalf of another, requiring compliance with Hong Kong's Personal Data (Privacy) Ordinance (PDPO) and associated regulations. The agreement is particularly important in the context of Hong Kong's data protection regime, which requires documented arrangements for data processing activities, even between affiliated entities. It addresses key aspects such as data security measures, breach reporting procedures, audit requirements, and cross-border transfer mechanisms, while taking into account the intra-group nature of the relationship. This template is designed to balance regulatory compliance with practical considerations of intra-group operations.
Suggested Sections

1. Parties: Identification of the group companies involved - typically one entity as data controller and another as data processor

2. Background: Context of the agreement, relationship between the parties as group companies, and purpose of the data processing arrangement

3. Definitions: Key terms including Personal Data, Processing, Controller, Processor, Applicable Data Protection Laws, Group Companies, etc.

4. Scope and Purpose of Processing: Detailed description of the processing activities, types of personal data, and purposes for which data will be processed

5. Obligations of the Data Controller: Controller's responsibilities including providing instructions, ensuring legal basis for processing, and responding to data subject requests

6. Obligations of the Data Processor: Processor's duties including processing only on documented instructions, maintaining confidentiality, implementing security measures

7. Security Measures: Technical and organizational measures required to protect personal data

8. Sub-processing: Conditions and requirements for engaging other group companies or external sub-processors

9. Data Breach Notification: Procedures for reporting and handling personal data breaches within the group

10. Audit Rights: Controller's rights to verify compliance, considering the intra-group nature of the relationship

11. Term and Termination: Duration of the agreement and termination provisions

12. Data Return and Deletion: Requirements for handling personal data upon termination

13. Governing Law and Jurisdiction: Specification of Hong Kong law and jurisdiction

Optional Sections

1. Cross-border Transfers: Required if personal data will be transferred outside of Hong Kong, specifying transfer mechanisms and safeguards

2. Group Data Protection Standards: Optional section referring to internal group policies and standards for data protection

3. Cost Allocation: Optional section for specifying any inter-company charges for processing services

4. Insurance: Optional section for specifying insurance requirements, though less common in intra-group agreements

5. Force Majeure: Optional clause defining circumstances beyond parties' control, though less formal in intra-group context

6. Relationship with Other Group Agreements: Optional section clarifying interaction with other intra-group agreements

Suggested Schedules

1. Schedule 1 - Processing Activities: Detailed description of processing activities, categories of data subjects, types of personal data, and processing purposes

2. Schedule 2 - Technical and Organizational Measures: Detailed security measures and controls implemented to protect personal data

3. Schedule 3 - Approved Sub-processors: List of approved sub-processors within or outside the group

4. Schedule 4 - Transfer Mechanisms: Details of mechanisms used for international data transfers, if applicable

5. Appendix A - Data Breach Response Plan: Detailed procedures for handling and reporting data breaches

6. Appendix B - Standard Forms: Templates for routine matters such as sub-processor approval requests, audit notifications, etc.

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Linkedin in social icon imageX social icon image
alex.den.21@genieai.co
Relevant legal definitions
Affiliate
Agreement
Applicable Data Protection Laws
Authorized Personnel
Business Day
Confidential Information
Controller
Data Breach
Data Protection Impact Assessment
Data Protection Laws
Data Protection Principles
Data Subject
Data Subject Request
Effective Date
Force Majeure Event
Group
Group Company
Hong Kong
Information Notice
Instructions
International Transfer
Material Breach
Parent Company
PDPO
Personal Data
Personal Data Breach
Processing
Processor
Regulatory Authority
Representatives
Security Measures
Services
Special Categories of Personal Data
Sub-processor
Technical and Organizational Measures
Term
Territory
Third Party
Transfer Mechanism
Relevant Industries

Financial Services

Technology

Healthcare

Retail

Manufacturing

Professional Services

Insurance

Telecommunications

Real Estate

Education

Logistics

Hospitality

Relevant Teams

Legal

Compliance

Information Technology

Information Security

Risk Management

Data Protection

Corporate Governance

Operations

Internal Audit

Privacy

Relevant Roles

Chief Legal Officer

Data Protection Officer

Privacy Manager

Compliance Officer

Legal Counsel

Chief Information Security Officer

IT Director

Risk Manager

Corporate Counsel

Operations Director

Group Privacy Officer

Information Governance Manager

Chief Compliance Officer

Head of Legal

Data Protection Manager

Industries
Personal Data (Privacy) Ordinance (PDPO): Hong Kong's primary data protection legislation that regulates the collection, handling, and use of personal data. It sets out six data protection principles and requirements for data processors.
Companies Ordinance (Cap. 622): Governs company operations in Hong Kong, including requirements for transactions between related companies and documentation requirements for intercompany agreements.
Data Protection Principles (DPPs) under PDPO: Six principles that form the foundation of Hong Kong's data protection regime, covering data collection, accuracy, retention, usage, security, and access rights.
Transfer of Personal Data (Outside Hong Kong) Guidelines: Guidelines issued by the Privacy Commissioner providing requirements and best practices for international data transfers, which may be relevant if the intercompany agreement involves cross-border data flows.
Electronic Transactions Ordinance (Cap. 553): Relevant for electronic execution and record-keeping requirements if the agreement is to be executed or maintained electronically.
Guidance on Data Processor Contracts under PDPO: Specific guidance from the Privacy Commissioner on contractual terms and safeguards required in data processing agreements.
Teams

Employer, Employee, Start Date, Job Title, Department, Location, Probationary Period, Notice Period, Salary, Overtime, Vacation Pay, Statutory Holidays, Benefits, Bonus, Expenses, Working Hours, Rest Breaks,  Leaves of Absence, Confidentiality, Intellectual Property, Non-Solicitation, Non-Competition, Code of Conduct, Termination,  Severance Pay, Governing Law, Entire Agreemen

Find the exact document you need

Intercompany Management Fees Agreement

Hong Kong-governed agreement establishing terms for management services provision between related companies, including fee structures and transfer pricing compliance.

find out more

Intercompany Recharge Agreement

A Hong Kong law-governed agreement setting out terms for intercompany cost and service charges within a corporate group, ensuring compliance with local transfer pricing regulations.

find out more

Intercompany Data Processing Agreement

Hong Kong law-governed agreement regulating personal data processing activities between affiliated companies within the same corporate group, ensuring PDPO compliance.

find out more

Intercompany Cost Plus Agreement

A Hong Kong-law agreement governing the provision of services between related entities on a cost-plus pricing basis, ensuring transfer pricing compliance.

find out more

Intercompany Settlement Agreement

A Hong Kong law-governed agreement establishing settlement processes and financial arrangements between related companies within the same corporate group.

find out more

Intercompany Service Agreement

Hong Kong-governed agreement for regulating service provision between related companies within the same corporate group, ensuring regulatory compliance and operational efficiency.

find out more

Intercompany Loan Agreement

A Hong Kong law-governed agreement establishing loan arrangements between related companies within the same corporate group, including key financial terms and regulatory compliance provisions.

find out more

Download our whitepaper on the future of AI in Legal

By providing your email address you are consenting to our Privacy Notice.
Thank you for downloading our whitepaper. This should arrive in your inbox shortly. In the meantime, why not jump straight to a section that interests you here: https://www.genieai.co/our-research
Oops! Something went wrong while submitting the form.

Genie’s Security Promise

Genie is the safest place to draft. Here’s how we prioritise your privacy and security.

Your documents are private:

We do not train on your data; Genie’s AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

Our bank-grade security infrastructure undergoes regular external audits

We are ISO27001 certified, so your data is secure

Organizational security

You retain IP ownership of your documents

You have full control over your data and who gets to see it

Innovation in privacy:

Genie partnered with the Computational Privacy Department at Imperial College London

Together, we ran a £1 million research project on privacy and anonymity in legal contracts

Want to know more?

Visit our Trust Centre for more details and real-time security updates.

Read our Privacy Policy.