Personal Data Privacy

- FAQs

How can I lodge a complaint about misuse of my personal data?

In Hong Kong, complaints about misuse of personal data are handled by the Office of the Privacy Commissioner for Personal Data (PCPD) under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).

1. Time Limit

You should lodge the complaint within 2 years from the date you became aware of the misuse.

Earlier submission is recommended to preserve evidence.

2. Who Can Complain

Any data subject who believes a data user has contravened the PDPO in handling their personal data.

3. How to Lodge

You can submit a complaint to PCPD in writing via:

  • Online form on PCPD’s website.
  • Email.
  • Post or fax.
  • In person at PCPD office.

4. Information to Provide

Include:

  • Your name and contact details.
  • Details of the organisation/person complained of.
  • Description of the misuse (dates, events, evidence).
  • Copies of relevant documents (e.g., correspondence, screenshots).
  • Indicate if you have already approached the organisation to resolve the matter.

5. Complaint Procedure

  • Preliminary Review — PCPD assesses whether the matter falls under PDPO.
  • Mediation — PCPD may attempt to resolve through mediation.
  • Formal Investigation — If a contravention is suspected, PCPD may carry out a formal investigation under s.38 PDPO (including investigations initiated by a complaint).
  • Enforcement Notice — If breach found, PCPD may require remedial action.
  • Prosecution — For certain criminal offences (e.g., doxxing under s.64), PCPD may prosecute or refer to Police/Department of Justice.
  • Notification — PCPD informs complainant of the outcome.

6. Special Cases

Doxxing: Since the 2021 amendments to the PDPO, PCPD can investigate doxxing cases and prosecute offences under s.64 directly, without referring the case to the Police.

Direct Marketing misuse: PCPD can prosecute under Part 6A PDPO.

7. Civil Action

You may also bring a civil claim for compensation under s.66 PDPO if you suffered damage from the contravention.

What are the penalties for breaching the Ordinance?

Under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), breaching a Data Protection Principle (DPP) is not itself a criminal offence, but certain contraventions of the Ordinance are offences and can lead to fines, imprisonment, and civil liability.

1. Enforcement Notice Breaches

If the Privacy Commissioner finds a contravention of PDPO, they may issue an Enforcement Notice (s.50 PDPO).

Failure to comply with an Enforcement Notice is an offence (s.50A PDPO):

  • First conviction: fine up to HK$50,000 and imprisonment up to 2 years, plus a daily fine of HK$1,000 for a continuing offence.
  • Subsequent conviction: fine up to HK$100,000 and imprisonment up to 2 years, plus a daily fine of HK$2,000 for a continuing offence.

2. Direct Marketing Offences (Part 6A)

  • Using personal data for direct marketing without prescribed consent:
    • Fine up to HK$500,000 and imprisonment up to 3 years.
  • Providing personal data to a third party for gain without consent:
    • Fine up to HK$1,000,000 and imprisonment up to 5 years.

3. Doxxing Offences (s.64 PDPO)

Two-tier criminal regime:

  • First-tier (s.64(3A)): Disclosing personal data without consent with intent or recklessness to cause specified harm — fine up to HK$100,000 and imprisonment up to 2 years.
  • Second-tier (s.64(3C)): If specified harm actually occurs — fine up to HK$1,000,000 and imprisonment up to 5 years.

4. Unauthorised Disclosure for Gain or Harm (s.64(1))

Disclosing personal data obtained from a data user without consent, with intent to obtain gain or cause loss — fine up to HK$1,000,000 and imprisonment up to 5 years.

5. Failure to Comply with PCPD Investigation Powers

  • Not complying with a written notice under s.66E(1) — fine up to HK$50,000 and imprisonment up to 6 months (summary), or fine up to HK$200,000 and imprisonment up to 1 year (indictment).
  • Providing false/misleading information with intent to defraud — fine up to HK$100,000 and imprisonment up to 6 months (summary), or fine up to HK$1,000,000 and imprisonment up to 2 years (indictment).

6. Other Criminal Provisions

  • Contravening cessation notice (s.66O) — fine up to HK$50,000 and imprisonment up to 2 years (first conviction), higher penalties for subsequent convictions.
  • Contravention of s.26 (failure to erase data no longer required) — fine up to HK$10,000.

7. Civil Liability

  • Section 66 PDPO: Data subjects may claim compensation for damage caused by contravention.
  • PCPD may provide legal assistance (s.66B).

What rights do individuals have over their personal data?

Under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), individuals (data subjects) have several statutory rights concerning their personal data held by data users.

1. Right to Know

Ascertain whether personal data is held by a data user (DPP6, s.18 PDPO).

Be informed about:

  • The purpose of data collection.
  • Classes of persons to whom data may be transferred.
  • Whether providing data is mandatory or voluntary.
  • Consequences of not providing data.
  • Rights to access and correct data.

2. Right of Access

A data subject is entitled to request a copy of their personal data held by a data user (DPP6, ss.18–28 PDPO).

  • Must be in writing (Data Access Request — DAR).
  • Data user must respond within 40 days.
  • A reasonable fee may be charged (not exceeding direct cost).
  • Data must be provided in an intelligible form.

3. Right to Correction

  • If data is inaccurate, the data subject may make a Data Correction Request (ss.22–23 PDPO).
  • If satisfied the data is inaccurate, the data user must correct it within 40 days.
  • If refusing, the data user must give written reasons.

4. Right to Prevent Direct Marketing Use

  • Individuals can require a data user to cease using their personal data for direct marketing and/or stop providing it to third parties for direct marketing (Part 6A PDPO).
  • Consent for direct marketing must be express, voluntary, informed. Silence is not consent.
  • Withdrawal of consent must be in writing.

5. Right to Compensation

  • If a data user contravenes PDPO and causes damage, the data subject may claim civil compensation (s.66 PDPO).
  • The Privacy Commissioner may grant legal assistance.

6. Right to Erasure (Limited)

  • No general “right to be forgotten” under PDPO.
  • Under s.26 PDPO, personal data must be erased when no longer required for the purpose of use, unless prohibited by law or public interest.

7. Right to Complain

  • Individuals may lodge a complaint with the Privacy Commissioner for Personal Data (PCPD) if they believe PDPO has been contravened.
  • PCPD can investigate, issue enforcement notices, and prosecute certain offences.

8. Exemptions

Rights may be restricted in certain circumstances (Part 8 PDPO), e.g.:

  • Crime prevention/detection (s.58).
  • Health grounds (s.59).
  • Legal professional privilege (s.60).
  • Employment-related exemptions (ss.53–56).
  • News activities (s.61).
  • Statistics and research (s.62).

What should organisations do to protect data security?

Under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), Data Protection Principle 4 (DPP4) requires data users to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use.

1. Proportionate Safeguards

Organisations must adopt security measures proportionate to:

  • The nature of the data.
  • The harm that could result from a breach.
  • The integrity, prudence and competence of persons with access.

2. Recommended Security Measures

Organisations should implement both technical and administrative safeguards:

  • Access Control: Restrict access to authorised personnel on a ‘need-to-know’ basis; use strong authentication, role-based permissions and audit trails that record who accessed which data and when.
  • Physical Security: Lockable storage, secure disposal (shredding, incineration, verified wiping of media), restricted office areas.
  • Data Transmission: Encrypt personal data sent over the internet; use secure channels (TLS with certificate verification enabled, or a VPN). Legacy SSL should not be used.
  • Staff Training: Regular training on data protection policies; confidentiality agreements; breach response procedures.
  • Third-Party Management: Contractual clauses requiring data processors to comply with PDPO-equivalent standards (DPP2(3) and DPP4(2) require this where processing is outsourced); monitor compliance.
  • System Security: Anti-malware software, firewalls, intrusion detection, regular patching, and backups that are tested for restoration.
  • Incident Response: Breach detection, reporting protocols, mitigation plans.
  • Policy Transparency: Clear written data security policies communicated to staff.
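To make the access-control, audit-trail and retention measures above concrete, here is an added Python example. It is not PCPD material or code from any product: the roles, record fields, retention dates and sample persons are all constructed for the illustration. It enforces field-level need-to-know access (one denied field rejects the whole request, so callers cannot learn anything by over-asking), writes an append-only audit trail of every attempt, and erases records whose retention period has ended, which is the DPP2(2)/s.26 point made elsewhere on this page.

```python
"""Need-to-know access control with an audit trail and a retention purge.

Added illustration, not PCPD material: a minimal in-memory model of the
DPP4 access-control and audit-trail measures, plus the DPP2(2)/s.26 duty
to erase data no longer needed. Roles, fields and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Role -> fields that role may read (need-to-know). Anything not listed is denied.
ROLE_FIELDS = {
    "billing":   {"name", "address"},
    "clinician": {"name", "medical_notes"},
    "marketing": {"name"},            # no HKID number, no medical data
}

TODAY = date(2025, 1, 1)              # fixed "today" so the example is reproducible


@dataclass
class Record:
    subject_id: str
    data: dict                        # field name -> value
    purpose: str                      # purpose stated at collection (DPP1/DPP3)
    retain_until: date                # end of the retention period for that purpose


@dataclass
class Store:
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # append-only audit trail

    def read(self, actor, role, subject_id, fields, today=TODAY):
        """Return only the fields the role may see; log every attempt, granted or not."""
        rec = self.records.get(subject_id)
        allowed = ROLE_FIELDS.get(role, set())
        granted = [f for f in fields if f in allowed]
        denied = [f for f in fields if f not in allowed]
        self.audit.append({
            "when": today.isoformat(), "actor": actor, "role": role,
            "subject": subject_id, "granted": granted, "denied": denied,
            "found": rec is not None,
        })
        if rec is None or denied:
            # Fail closed: a request touching any disallowed field is rejected whole.
            return None
        return {f: rec.data[f] for f in granted if f in rec.data}

    def purge_expired(self, today=TODAY):
        """Erase records whose retention period has ended and log each erasure."""
        expired = [sid for sid, r in self.records.items() if r.retain_until < today]
        for sid in expired:
            del self.records[sid]
            self.audit.append({"when": today.isoformat(), "actor": "retention-job",
                               "role": "system", "subject": sid, "erased": True})
        return expired


def build_sample_store():
    """Constructed sample data for the example (not real persons)."""
    s = Store()
    s.records["S1"] = Record("S1", {"name": "A. Chan", "address": "Flat 1",
                                    "hkid": "X123456(7)", "medical_notes": "..."},
                             "treatment", date(2030, 1, 1))
    s.records["S2"] = Record("S2", {"name": "B. Lee", "address": "Flat 2"},
                             "one-off order", date(2024, 6, 30))
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(store.read("alice", "billing", "S1", ["name", "address"]))   # name and address
    print(store.read("bob", "marketing", "S1", ["name", "hkid"]))      # None: hkid denied
    print(store.purge_expired())                                       # ['S2']
    for entry in store.audit:
        print(entry)
```

The audit entries record denied requests as well as granted ones; in a real system they would go to append-only, access-controlled storage so that the trail itself cannot be edited by the people it monitors.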

3. Consequences of Non-Compliance

Enforcement Notice from the Privacy Commissioner.

Criminal liability if failing to comply with an enforcement notice.

Civil compensation claims from affected data subjects.

Can personal data be transferred outside Hong Kong?

Yes, personal data can be transferred outside Hong Kong, but it is subject to compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) and its Data Protection Principles (especially DPP1 and DPP3).

Section 33 PDPO, which specifically restricts cross-border transfers, has been enacted but is not yet in force. Therefore, there is currently no statutory prohibition on transferring personal data outside Hong Kong, provided other PDPO requirements are met.

1. Current Legal Position

No active blanket ban on overseas transfers.

Transfers must still comply with:

  • DPP1(3) — the data subject must be informed at or before collection about the classes of persons to whom the data may be transferred, including overseas recipients if applicable.
  • DPP3(1) — the data must only be used (including transferred) for the original stated purpose or a directly related purpose, unless the data subject’s prescribed consent is obtained.

2. Best Practice for Cross-Border Transfers

Even though s.33 is not yet in force, the Privacy Commissioner for Personal Data (PCPD) recommends:

  • Informing data subjects explicitly if their data will be transferred outside Hong Kong.
  • Ensuring the overseas recipient offers comparable data protection standards.
  • Using contractual safeguards to bind overseas recipients to PDPO-equivalent obligations.

3. Section 33 (Not Yet Commenced)

If brought into force, s.33 would prohibit transferring personal data to a place outside Hong Kong unless at least one of the statutory conditions applies, for example:

  • The destination has laws substantially similar to, or serving the same purposes as, the PDPO.
  • The data user has taken all reasonable precautions and exercised due diligence to ensure the recipient will protect the data to PDPO standards.
  • The data subject has consented in writing to the transfer.

4. Related Offences

If an overseas transfer involves:

  • Using data for a new purpose without consent — breach of DPP3.
  • Disclosure without consent with intent to cause harm or gain — possible offence under s.64 PDPO (including doxxing provisions).

Can an individual request access to their personal data?

Yes.

Under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), Data Protection Principle 6 (DPP6) and Part 5 of the Ordinance give a data subject (the individual to whom the personal data relates) the legal right to request access to their personal data held by a data user.

1. Statutory Right of Access

A data subject is entitled to ascertain whether a data user holds personal data about them and to obtain a copy of such data. (DPP6, s.18 PDPO)

2. How to Make a Request

  • The request is called a Data Access Request (DAR).
  • It must be in writing — the Privacy Commissioner’s Office provides a standard form (OPS003).
  • The request should specify clearly:
    • The personal data sought.
    • Whether the request is for access, correction, or both.

3. Data User’s Obligations

  • Must respond within 40 days of receiving the DAR.
  • If unable to comply within 40 days, must inform the requester in writing with reasons and comply as soon as practicable.
  • May charge a reasonable fee not exceeding the direct cost of compliance.
  • Must provide the data in an intelligible form.
  • If refusing, must give written reasons.

4. Correction Rights

If the data subject finds the data inaccurate, they may request correction.

If satisfied that the data is inaccurate, the data user must correct it within 40 days.

5. Exemptions

Access rights may be refused in certain situations under Part 8 PDPO, such as:

  • Crime prevention/detection (s.58).
  • Health grounds (s.59).
  • Legal professional privilege (s.60).
  • Employment-related exemptions (ss.53–56).
  • News activities (s.61).

6. Enforcement

If a data user fails to comply without valid exemption:

The Privacy Commissioner may issue an enforcement notice.

Non-compliance with the notice is a criminal offence.

The data subject may also seek civil compensation under s.66 PDPO.

Do I need consent to use personal data for direct marketing?

Yes. Under Part 6A PDPO, a data user must obtain the data subject’s consent before using their personal data for direct marketing. Before seeking consent, the data user must inform the individual that it intends to use the data for direct marketing, specify the kinds of personal data to be used and the classes of marketing subjects it relates to, and provide a response channel through which the data subject can indicate consent without charge.

This information must be presented in a clear and understandable way so that individuals can make an informed decision. In addition, when a data user uses the personal data for direct marketing for the first time, it must notify the data subject of their right to opt out free of charge, and must stop using the data for that purpose if the individual opts out.

What are the Six Data Protection Principles (DPPs)?

  1. Purpose & Manner of Collection: 

Personal data must be collected for a lawful purpose directly related to a function or activity of the data user, and the collection must be adequate but not excessive. Data subjects must also be notified, on or before collection, of the purpose of collection and of their access and correction rights. 

  2. Accuracy & Retention: 

Data users shall keep data accurate and up‑to‑date, and shall not retain personal data for longer than is necessary for the purpose for which it is used.

  3. Use of Personal Data: 

Without the data subject’s prescribed consent, personal data shall not be used for a new purpose that was not stated, or directly related to a purpose stated, at the time the data was collected. 

Prescribed consent means the express consent given voluntarily by the data subject. 

  4. Security of Personal Data: 

Take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use.

  5. Openness: 

Data users shall make their policies and practices on personal data handling (not the actual data) publicly available.

  6. Access & Correction: 

Data users shall allow data subjects to ascertain whether data is held about them, to access it, and to request corrections. If the data is found to be inaccurate, the data subject can require the data user to correct the record. 

The data user must comply with such a request within the statutory period of 40 days, or explain in writing why it cannot do so within 40 days. 

Who must comply with the Personal Data (Privacy) Ordinance?

Under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), compliance obligations apply to any “data user” in both the private and public sectors — including government departments — that collect, hold, process, or use personal data.

1. Who is a “Data User”

Defined in s.2 PDPO as:

A person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data.

This includes:

  • Companies (e.g., banks, telecom operators, retailers, employers).
  • Sole proprietors and partnerships.
  • Government departments and statutory bodies.
  • NGOs and charities.
  • Schools and educational institutions.
  • Professional practices (e.g., law firms, medical clinics).

2. Activities Triggering Compliance

If an entity collects, holds, processes, or uses personal data in Hong Kong, it must comply with the PDPO’s Data Protection Principles (DPPs) and other provisions.

Key obligations include:

  • Lawful and fair collection (DPP1).
  • Accuracy and retention limits (DPP2).
  • Use only for stated purposes or with consent (DPP3).
  • Security safeguards (DPP4).
  • Openness about data policies (DPP5).
  • Access and correction rights (DPP6).

3. Exemptions

Certain situations are exempt from some or all PDPO requirements (Part 8 PDPO), including:

  • Household or recreational purposes (s.52) — purely personal use.
  • Judicial functions (s.51A).
  • Employment-related exemptions (ss.53–56).
  • Crime prevention/detection (s.58).
  • Health grounds (s.59).
  • Legal professional privilege (s.60).
  • News activities (s.61).
  • Statistics and research (s.62).
  • Emergency situations (s.63C).

What is considered “personal data” under the law?

In Hong Kong, the definition of “personal data” is set out in Section 2 of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).

Statutory Definition

"personal data" means any data —

(a) relating directly or indirectly to a living individual;

(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and

(c) in a form in which access to or processing of the data is practicable.

Examples include:

  • names, 
  • Hong Kong Identity Card numbers, 
  • addresses, 
  • phone numbers, 
  • biometric data, 
  • medical records, and 
  • any other information from which an individual’s identity can practicably be ascertained.