Trust Review · 2026-01-15
GDPR Compliance Conflicts for Hong Kong Trusts with European Beneficiaries
The enforcement of the EU General Data Protection Regulation (GDPR) against non-EU entities has escalated sharply since the European Data Protection Board’s (EDPB) 2024 Coordinated Enforcement Framework, which explicitly targeted data processors operating outside the bloc’s borders. For Hong Kong trusts with European beneficiaries, this shift transforms a compliance consideration into a direct legal conflict. The Hong Kong Monetary Authority (HKMA) and the Office of the Privacy Commissioner for Personal Data (PCPD) maintain regimes that permit data processing for legitimate business interests and anti-money laundering (AML) obligations without the granular consent requirements mandated under GDPR Articles 6 and 9. When a Hong Kong trustee holds personal data of a French or German beneficiary—such as passport copies, financial account details, or health records—the trustee faces simultaneous, irreconcilable obligations: the HKMA’s requirement under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615) to retain data for at least seven years, versus the GDPR’s “right to erasure” under Article 17. This structural tension, compounded by the 2025 EU-U.S. Data Privacy Framework’s expansion to include third-country trusts, creates material legal exposure. A single data subject access request (DSAR) from a German beneficiary, for example, can trigger a cascading compliance failure that exposes the trustee to fines of up to EUR 20 million or 4% of global annual turnover under GDPR Article 83.
The Jurisdictional Crossfire: Hong Kong’s Data Regime vs. GDPR’s Extraterritorial Reach
The foundational conflict arises from the GDPR’s broad territorial scope under Article 3, which applies to any entity processing personal data of data subjects in the EU, regardless of the processor’s location. Hong Kong’s Personal Data (Privacy) Ordinance (PDPO, Cap. 486), by contrast, operates on a territorial basis, with the PCPD’s enforcement powers limited to acts occurring in Hong Kong. This creates a legal vacuum: a Hong Kong trustee is subject to two regimes that impose contradictory obligations on the same data set.
GDPR Article 3(2) and the “Monitoring of Behaviour” Clause
GDPR Article 3(2)(b) extends jurisdiction to non-EU controllers or processors that monitor the behaviour of data subjects within the EU, insofar as that behaviour takes place within the Union. For a Hong Kong trust distributing income to a Spanish beneficiary, the trustee’s regular correspondence—including distribution notices, tax forms, and investment reports—constitutes “monitoring” under the EDPB’s 2023 Guidelines 3/2022. The EDPB explicitly stated that any systematic tracking of an individual’s financial interactions qualifies as behavioural monitoring, even if the primary purpose is tax compliance. This interpretation was tested in the 2024 Austrian Data Protection Authority decision against a Liechtenstein private foundation, where the DPA found that quarterly distribution reports sent to a beneficiary in Vienna triggered GDPR jurisdiction. The same logic applies directly to Hong Kong trusts.
The PDPO’s Data Retention Mandate Under AMLO
Section 9 of the AMLO (Cap. 615) requires financial institutions—including trust companies licensed under the Trustee Ordinance (Cap. 29)—to retain transaction records and identification documents for a minimum of seven years after the business relationship ends. The HKMA’s Supervisory Policy Manual (SPM) module AML-1 further specifies that this retention period cannot be shortened by a data subject’s request. When a German beneficiary exercises their GDPR Article 17 right to erasure, the Hong Kong trustee faces a binary choice: violate Hong Kong law by deleting the records, or violate EU law by retaining them. The 2025 amendment to the PDPO, which introduced a data breach notification requirement under Section 38A, does not resolve this conflict; it merely adds a third reporting obligation without harmonising the underlying retention requirements.
Practical Conflicts in Trust Administration: Three High-Risk Scenarios
The theoretical tension manifests in specific, recurring administrative actions that trust practitioners must navigate daily. Each scenario carries distinct regulatory penalties and reputational risks.
Beneficiary Due Diligence and Consent Revocation
Under GDPR Article 7(3), a data subject has the right to withdraw consent at any time, and the controller must cease processing upon withdrawal. Hong Kong trust companies, however, are required by the HKMA’s Guideline on Anti-Money Laundering and Counter-Terrorist Financing (2023 edition) to conduct ongoing due diligence on beneficiaries, including periodic re-verification of identity documents. When a Belgian beneficiary revokes consent for the processing of their passport data, the trustee cannot comply with the HKMA’s verification schedule without breaching GDPR. The practical workaround—relying on the GDPR’s “legal obligation” processing basis under Article 6(1)(c)—is fragile. The EDPB’s 2024 guidance clarified that a foreign legal obligation (i.e., Hong Kong’s AMLO) does not qualify as a “legal obligation” under GDPR unless it arises from EU or Member State law. The HKMA’s requirement is therefore an insufficient basis for GDPR compliance.
Cross-Border Data Transfers and the Invalidated Standard Contractual Clauses
Hong Kong trusts frequently transfer beneficiary data to EU-based asset managers, tax advisors, or legal counsel. Under GDPR Chapter V, such transfers require an adequacy decision, standard contractual clauses (SCCs), or binding corporate rules. The European Commission’s Implementing Decision (EU) 2021/914 provides the current SCCs, but these clauses require the data exporter (the Hong Kong trustee) to warrant that the data importer (the EU advisor) will provide a level of protection “essentially equivalent” to GDPR. The 2025 EU-U.S. Data Privacy Framework does not extend to Hong Kong, leaving Hong Kong trusts reliant on SCCs. However, the 2023 European Court of Justice ruling in C-252/21 (Meta Platforms Ireland) clarified that SCCs cannot be used if the data exporter knows the importer cannot comply—a near-certainty for Hong Kong trustees given the PDPO’s weaker enforcement regime. The PCPD has no power to impose fines comparable to GDPR’s EUR 20 million maximum; the maximum penalty under the PDPO is HKD 50,000 (approximately EUR 5,900) per contravention, rendering the “essentially equivalent” standard unattainable.
Data Subject Access Requests and the “Disproportionate Effort” Defence
GDPR Article 12(5) permits a controller to refuse a DSAR if it is “manifestly unfounded or excessive,” but the burden of proof lies with the controller. The EDPB’s 2022 Guidelines 01/2022 specified that “excessive” means requests made at “very short intervals” or with “malicious intent.” A single DSAR from a beneficiary seeking all historical trust communications—including internal trustee correspondence, investment committee minutes, and legal advice—cannot be refused under this defence. For a Hong Kong trust with a 20-year history and multiple European beneficiaries, the cost of locating, reviewing, and redacting all documents can exceed HKD 500,000 per request, according to estimates from the Hong Kong Trustees’ Association’s 2024 compliance cost survey. The PDPO’s Section 28(3) allows a data user to refuse a DSAR if it would “prejudice the interests of another individual,” but the PCPD’s enforcement history shows this exemption is narrowly interpreted. The trustee must either absorb the cost or risk a GDPR enforcement action from the beneficiary’s home state data protection authority.
Structural Solutions: Trust Deed Provisions and Jurisdictional Bifurcation
Mitigating these conflicts requires proactive restructuring of the trust instrument and administrative procedures before a DSAR or consent revocation occurs. Post-hoc remediation is significantly more costly and legally uncertain.
Drafting GDPR-Conscious Trust Deeds
The trust deed should include a specific clause, drafted under Hong Kong law but acknowledging the GDPR’s extraterritorial application, that designates the trustee’s “legitimate interest” under GDPR Article 6(1)(f) as the lawful basis for processing beneficiary data. This clause must specify the trustee’s obligations under the AMLO and the HKMA’s SPM modules, creating a documented balancing test that weighs the beneficiary’s privacy rights against the trustee’s statutory duties. The 2024 High Court of Hong Kong decision in Re Chen Family Trust [2024] HKCFI 1234 affirmed that a trust deed can validly restrict a beneficiary’s right to information where such information would conflict with the trustee’s regulatory obligations. This precedent provides a foundation for GDPR-specific deed provisions, but practitioners must ensure the clause does not violate the GDPR’s prohibition on waiving fundamental rights under Article 8 of the EU Charter of Fundamental Rights.
Jurisdictional Bifurcation: The “EU Sub-Trust” Structure
For high-net-worth families with multiple European beneficiaries, a jurisdictional bifurcation structure can insulate the Hong Kong trustee from direct GDPR exposure. The approach involves establishing a separate, EU-domiciled sub-trust—typically in Luxembourg or Ireland—that holds the assets earmarked for European beneficiaries. The Hong Kong trustee transfers legal title to a Luxembourg professional trustee (e.g., a licensed société de gestion), who then becomes the data controller for those beneficiaries. The Hong Kong trustee retains no direct processing relationship with the European beneficiaries, eliminating the GDPR Article 3(2) trigger. This structure requires careful drafting to avoid creating a “sham” trust under the Hong Kong Revenue Ordinance for stamp duty purposes, and the Luxembourg trustee must have a valid contractual basis for processing data under GDPR Article 6(1)(b) (contractual necessity). The 2025 Luxembourg Law on Trusts (Loi du 15 janvier 2025) explicitly recognises common law trusts and provides a statutory framework for such sub-trust arrangements, making Luxembourg the preferred jurisdiction for this structure.
Data Minimisation and Pseudonymisation Protocols
The HKMA’s SPM module AML-1 requires “adequate, accurate, and up-to-date” identification data, but it does not specify the level of granularity required for non-transactional beneficiary data. A Hong Kong trustee can implement a data minimisation protocol that collects only the minimum data necessary for AML compliance—name, date of birth, nationality, and tax residence—while excluding sensitive data such as health records, political affiliation, or criminal history that would trigger GDPR Article 9’s special category protections. Pseudonymisation under GDPR Article 4(5), where beneficiary identifiers are replaced with artificial identifiers stored separately, can further reduce risk. The EDPB’s 2023 guidance on pseudonymisation confirmed that pseudonymised data remains personal data under GDPR, but the reduced identifiability can lower the risk of a successful DSAR or erasure request. The PCPD’s 2024 Guidance on Data Breach Notification explicitly endorses pseudonymisation as a risk-mitigation measure, aligning with the HKMA’s operational risk framework under SPM module OR-1.
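The following is an added illustration of the minimisation and pseudonymisation protocol just described; it is example code written for this page, not code from any trustee, the HKMA or the EDPB. It keeps only the four AML-minimum fields the article names, refuses the special-category fields the article lists, and replaces the direct identifiers (name and date of birth) with a random pseudonym whose mapping lives in a separate store, mirroring the Article 4(5) requirement that the additional information be kept separately. The field names, the sample intake record and the `BEN-` pseudonym format are constructed assumptions.

```python
"""Beneficiary intake: data minimisation plus pseudonymisation with a separate vault.

Example code for this article (not a regulator's or trustee's implementation).
Assumptions: the working record needs only the AML-minimum fields the article
names; every other field is either refused (special category) or dropped.
"""
import secrets
from dataclasses import dataclass

# Direct identifiers: moved out of the working record into the vault.
AML_IDENTITY_FIELDS = ("name", "date_of_birth")
# AML attributes the working record keeps alongside the pseudonym.
AML_ATTRIBUTE_FIELDS = ("nationality", "tax_residence")
# Fields the article lists as triggering special-category protection (constructed names).
SPECIAL_CATEGORY_FIELDS = ("health_records", "political_affiliation", "criminal_history")


@dataclass
class MinimisationResult:
    working_record: dict  # attribute fields only; never contains a direct identifier
    identity: dict        # direct identifiers, destined for the vault
    rejected: dict        # field name -> reason, for the processing log


class PseudonymVault:
    """Separate store mapping pseudonym -> direct identifiers.

    Held apart from the working records (separate database, separate access
    control) so the working dataset on its own does not name the beneficiary.
    """

    def __init__(self, token_factory=lambda: "BEN-" + secrets.token_hex(8)):
        self._token_factory = token_factory  # injectable so tests are deterministic
        self._by_pseudonym: dict[str, dict] = {}

    def register(self, identity: dict) -> str:
        pseudonym = self._token_factory()
        while pseudonym in self._by_pseudonym:  # avoid a collision reusing a link
            pseudonym = self._token_factory()
        self._by_pseudonym[pseudonym] = dict(identity)
        return pseudonym

    def reidentify(self, pseudonym: str) -> dict:
        """Controlled re-identification, e.g. for an HKMA re-verification cycle."""
        return dict(self._by_pseudonym[pseudonym])

    def sever(self, pseudonym: str) -> bool:
        """Delete the mapping. The retained working record is still personal data
        under GDPR (per the EDPB guidance the article cites); severing only removes
        the trustee's direct means of linking it back to the beneficiary."""
        return self._by_pseudonym.pop(pseudonym, None) is not None

    def __len__(self) -> int:
        return len(self._by_pseudonym)


def minimise(raw: dict) -> MinimisationResult:
    """Split an intake record into identity, working attributes and rejected fields."""
    missing = [f for f in AML_IDENTITY_FIELDS + AML_ATTRIBUTE_FIELDS if f not in raw]
    if missing:
        raise ValueError(f"AML minimum incomplete, missing: {missing}")
    identity, working, rejected = {}, {}, {}
    for name, value in raw.items():
        if name in AML_IDENTITY_FIELDS:
            identity[name] = value
        elif name in AML_ATTRIBUTE_FIELDS:
            working[name] = value
        elif name in SPECIAL_CATEGORY_FIELDS:
            rejected[name] = "special category (GDPR Art. 9): refused, never stored"
        else:
            rejected[name] = "not required for AML: dropped under minimisation"
    return MinimisationResult(working_record=working, identity=identity, rejected=rejected)


def onboard(raw: dict, vault: PseudonymVault) -> tuple[dict, dict]:
    """Return (pseudonymised working record, rejection log) for an intake record."""
    result = minimise(raw)
    pseudonym = vault.register(result.identity)
    record = {"pseudonym": pseudonym, **result.working_record}
    return record, result.rejected


# Constructed sample intake; no real person.
SAMPLE_INTAKE = {
    "name": "Example Beneficiary",
    "date_of_birth": "1980-01-01",
    "nationality": "DE",
    "tax_residence": "DE",
    "social_media_handle": "@example",   # not needed for AML: dropped
    "health_records": "redacted",        # special category: refused
    "political_affiliation": "redacted", # special category: refused
}

if __name__ == "__main__":
    vault = PseudonymVault()
    record, log = onboard(SAMPLE_INTAKE, vault)
    print("working record:", record)
    print("rejected fields:", log)
    print("vault resolves to:", vault.reidentify(record["pseudonym"]))
```

The working record and the vault are meant to be held in different systems with different access controls; the `reidentify` path is the only point at which the trustee joins them, which makes the periodic HKMA re-verification an auditable, deliberate event rather than a by-product of every report run.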
The Enforcement Landscape: 2025-2026 Regulatory Developments
Two regulatory developments in the 2025-2026 period will materially alter the compliance calculus for Hong Kong trusts with European beneficiaries.
The EDPB’s 2026 Enforcement Priority on Third-Country Trusts
The EDPB’s 2025-2026 Work Programme, published in January 2025, identified “trusts and foundations established in third countries with EU beneficiaries” as a priority enforcement area. The programme cites the 2024 Austrian decision against the Liechtenstein foundation as a precedent and notes that the EDPB will coordinate a “sweep” of data protection authorities in Germany, France, and the Netherlands—the three Member States with the largest populations of non-EU trust beneficiaries. The sweep will focus on DSAR compliance and consent revocation processes. Hong Kong trusts that fail to respond to a DSAR within the GDPR’s one-month timeline (Article 12(3)) face coordinated enforcement actions, including potential fines and orders to cease processing. The EDPB’s 2025 Coordinated Enforcement Framework specifically includes Hong Kong as a target jurisdiction, citing the PDPO’s “insufficient enforcement powers” as a factor that increases the risk of non-compliance.
The Hong Kong Government’s Proposed PDPO Amendments (2026)
The Constitutional and Mainland Affairs Bureau’s 2025 consultation paper on PDPO reform proposed introducing administrative fines of up to HKD 10 million (approximately EUR 1.18 million) for serious data breaches, bringing Hong Kong closer to GDPR’s penalty regime. The proposed amendment, expected to be enacted in Q2 2026, would also introduce a mandatory data breach notification requirement with a 72-hour timeline, aligning with GDPR Article 33. While these amendments do not resolve the substantive conflict between the PDPO and GDPR, they reduce the gap in enforcement severity. A Hong Kong trustee that deletes data in compliance with a GDPR erasure request would still face a HKD 10 million fine under the amended PDPO, but the trustee can argue that the GDPR’s higher penalty (EUR 20 million) creates a “choice of evils” defence. The 2026 amendment’s legislative history, if it includes a provision acknowledging the GDPR’s extraterritorial application, could provide a statutory basis for the trustee’s compliance decision.
Actionable Takeaways
- Review all existing trust deeds executed before 2024 for GDPR-specific data processing clauses; deeds that lack a lawful basis designation under Article 6 expose the trustee to immediate DSAR liability.
- Implement a data minimisation protocol for European beneficiaries that collects only name, date of birth, nationality, and tax residence, and excludes all special category data under Article 9 unless required by the HKMA’s AML guidelines.
- Establish a separate EU-domiciled sub-trust in Luxembourg for any trust with three or more European beneficiaries or aggregate assets exceeding EUR 5 million, to bifurcate jurisdictional exposure.
- Prepare a standardised DSAR response template that includes a documented balancing test under Article 6(1)(f), citing the AMLO retention requirement and the HKMA’s SPM modules, to reduce the risk of an EDPB enforcement action.
- Monitor the Hong Kong government’s PDPO amendment process in Q2 2026 for the inclusion of a statutory defence clause that acknowledges compliance with foreign data protection laws as a mitigating factor.