Everything You Need to Know About Hong Kong PDPO Rules in 2025

Do I need to appoint a Data Protection Officer for my company in Hong Kong?

No, under Hong Kong’s data protection laws, there is no mandatory requirement to appoint a Data Protection Officer (DPO). However, adopting best practices can help your SME stay compliant with Hong Kong data privacy regulations.

Understanding Hong Kong Data Protection and PDPO Compliance

The Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) governs Hong Kong’s data protection landscape. It requires data users (i.e., companies handling personal data) to follow the Data Protection Principles. While the law does not mandate appointing a DPO, Privacy Management Programme — A Best Practice Guide recommends implementing a Privacy Management Programme (PMP) and appointing a DPO.

Who Should Be the DPO?

• For large organisations: Senior executive
• For small companies, e.g., SMEs: The owner or operator

Duties of a DPO (According to the Practice Guide)

The PCPD’s Practice Guide outlines three main responsibilities:

• Establish and maintain the Privacy Management Programme (PMP):
  Keep records of personal data, coordinate data handling procedures, and monitor data breach incidents.
• Review the effectiveness of the PMP:
  Regularly assess and update controls, ensuring ongoing compliance with Hong Kong data protection laws.
• Report to top management:
  Keep senior leadership informed about compliance issues, privacy complaints, and incidents.

Additional Resources

Learn more about compliance for online businesses in Hong Kong in our blog on how to comply with the Personal Data (Privacy) Ordinance (PDPO) for an online business.

‍

Can I act as a Data Protection Officer if I run a small business?

Yes. Although there is no mandatory requirement to appoint a Data Protection Officer (DPO), in Privacy Management Programme — A Best Practice Guide, the Privacy Commissioner for Personal Privacy, Hong Kong (PCPD) recommends implementing a Privacy Management Programme (PMP) and appointing a DPO.

For small businesses, the owner or operator should serve as the DPO, whereas for large organisations, it should be a senior executive.

Conclusion: If you own/run a small business, you should serve as the DPO. You are responsible for structuring, designing and managing the PMP, including all procedures, training, monitoring/auditing, documenting, evaluating, and follow-up. 

Additional Resources

Learn more about compliance for online businesses in Hong Kong in our blog on how to comply with the Personal Data (Privacy) Ordinance (PDPO) for an online business.

‍

If I don’t sell to the EU, can I ignore GDPR?

Not necessarily. Under the EU’s General Data Protection Regulation (GDPR), your organisation may still need to comply if you process the personal data of individuals in the EU when monitoring their behaviour.

Does GDPR Apply if I Don’t Sell to the EU?

Yes, GDPR applies if:

• You are monitoring individuals in the EU, regardless of whether you offer goods or services there.
• You target your services at EU residents, for example, through the language or currency used on your website.

GDPR does not apply if:

• You do not target or monitor individuals in the EU.
• Your services are offered outside the EU without targeting EU customers.
• Customers in the EU access your services incidentally, such as when travelling.

Clarifying your website and service offerings can help ensure compliance. For instance, explicitly stating that your services are not intended for the EU or actively excluding orders from the EU can reduce legal risks.

Monitoring Behaviour

“Monitoring behaviour” under GDPR means tracking individuals online, profiling them, or predicting their preferences and actions. Examples include:

• Behavioural advertising
• Use of cookies or other online tracking tools
• Personalised health or diet analytics

If your business engages in any of these activities with individuals in the EU, GDPR may apply, even if you’re not selling directly to EU customers.

Not sure whether your email marketing campaign complies with data privacy laws? Take a look at our Guide to Email Advertising Management!

Conclusion

Even if you are not selling to the EU, monitoring the behaviour of individuals in the region can trigger GDPR obligations. It’s crucial to assess your online activities and clearly communicate your target markets on your website.

‍

Can I use my customers’ phone numbers or email addresses to send them promotions?

Yes, but only if you follow the notification and consent requirements under the Personal Data (Privacy) Ordinance (Cap. 486). Failing to do so can lead to significant penalties, including fines up to HKD 1 million and imprisonment up to 5 years.

Not sure whether your email marketing campaign complies with data privacy laws? Take a look at our Guide to Email Advertising Management!

What are the rules for using personal data for direct marketing?

Sending promotional messages using your customers’ contact details is considered “direct marketing” under PDPO. To do this legally, you must:

• Provide your customers with certain prescribed information
• Obtain their consent before using their personal data for marketing purposes

What information must I provide to my customers?

When notifying your customers about direct marketing, you need to include:

• That you intend to use their personal data for direct marketing
• That you cannot use their data unless they give consent
• The kinds of personal data to be used (e.g., name, email, phone number)
• The classes of marketing subjects (e.g. beauty products) in relation to which the personal data is to be used
• The response channel through which the data subject may communicate the data subject’s consent to the intended use free of charge.

When should I provide this information?

The PCPD recommends informing your customers as soon as you plan to use their data for marketing, ideally at the time of data collection or before you send any promotional messages.

How do I obtain valid consent?

You must not use personal data for direct marketing unless the customer has given clear consent, which can be:

• An indication of no objection to the use or provision of the personal data (e.g., where the opt-out checkbox is left unchecked on the notification form)
• An oral or written indication of consent

If consent is given orally, you must send a written confirmation within 14 days, including:

• The date you received the consent
• The types of personal data permitted
• The permitted class of marketing subjects

How do I handle opt-out requests?

Customers have the right to stop receiving marketing messages at any time. You must:

• Cease using their personal data for direct marketing immediately upon request
• Accept opt-out requests in any manner (orally or in writing)
• Make it easy for customers to opt out, such as by including an opt-out link in emails or a hotline in SMS messages

‍

Do I need written consent to share my customer list with a marketing partner?

Yes. A data user should not provide personal data to another person for use by that person in direct marketing unless the data subject’s written consent is obtained. This requirement applies to all transfers of personal data, including those to a parent company, subsidiary, or associated company.

Under the Personal Data (Privacy) Ordinance (Cap. 486), a data user who intends to provide the data subject’s personal data to another person is required to provide the data subject with the prescribed information in writing and obtain his/her written consent. Verbal consent

is not sufficient. In addition, if the personal data is transferred for gain (i.e., in return for money or other property), data subjects must also be explicitly informed in writing about this.

Not sure whether your email marketing campaign complies with data privacy laws? Take a look at our Guide to Email Advertising Management!

What to Include in the Written Notice?

1. The data user intends to provide the personal data of the data subject to another person for use by that person in direct marketing
2. The data user may not so provide the data unless it has received the data subject’s written consent to the intended provision
3. The provision of the data is for gain (if applicable)
4. The kinds of personal data to be provided (e.g., name, email, phone number)
5. The classes of persons to whom the data are to be provided
6. The classes of marketing subjects (e.g., beauty products) in relation to which the data is to be used
7. The response channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended provision in writing.

Example

A customer applied for an account with a bank and consented to the bank’s use of his/her personal data for marketing its banking products. If an insurance company which belongs to the same holding company wants to use the customer’s personal data for direct marketing, a new consent has to be obtained.

Summary

Always get explicit written consent before sharing personal data for direct marketing. Non-compliance can result in fines of up to HKD 1 million and imprisonment for up to five years. 

Need help navigating this issue? Check out Ask.Legal — our AI-powered legal assistant is ready to help 24/7.

‍