Hong Kong Personal Data Privacy Ordinance (PDPO)
Overview
The Personal Data (Privacy) Ordinance establishes comprehensive requirements for the collection, use, and handling of personal data in Hong Kong.
Key Facts
- Enacted in 1995, major amendment in 2012
- Enforced by Privacy Commissioner for Personal Data
- Includes specific requirements for direct marketing
Key Principles
Collection Purpose and Means
Personal data must be collected in a lawful and fair way for a directly related purpose.
Requirements
- Specify collection purpose
- Use lawful means
- Collect necessary data only
- Inform data subjects
- Document collection
Examples
- PICS statements
- Collection forms
- Purpose documentation
- Notification records
Accuracy and Retention
Personal data must be accurate and not kept longer than necessary.
Requirements
- Verify data accuracy
- Update procedures
- Define retention periods
- Implement deletion
- Regular reviews
Examples
- Verification processes
- Update procedures
- Retention schedules
- Deletion logs
Use Limitation
Personal data must only be used for the purpose for which it was collected.
Requirements
- Purpose specification
- Use restrictions
- Consent for new uses
- Documentation
- Regular audits
Examples
- Purpose statements
- Consent records
- Use logs
- Audit reports
Compliance Requirements
Data Protection Principles
Implementation of the six data protection principles under PDPO.
Implementation Steps
- Document collection purposes
- Ensure data accuracy
- Define retention periods
- Implement security measures
- Maintain transparency
Required Documentation
- Privacy policies
- Collection statements
- Retention schedules
- Security procedures
- Compliance records
Direct Marketing Requirements
Specific requirements for using personal data in direct marketing.
Implementation Steps
- Obtain explicit consent
- Provide clear information
- Enable opt-out mechanisms
- Maintain consent records
- Regular compliance checks
Required Documentation
- Consent forms
- Marketing notices
- Opt-out records
- Compliance logs
- Review documentation
Data Transfer Requirements
Requirements for transferring personal data outside Hong Kong.
Implementation Steps
- Assess transfer necessity
- Implement safeguards
- Document transfers
- Monitor compliance
- Regular reviews
Required Documentation
- Transfer assessments
- Safeguard documentation
- Transfer records
- Monitoring logs
- Review reports
Enforcement & Penalties
Administrative Penalties
The Privacy Commissioner for Personal Data (PCPD) can impose various penalties for PDPO violations.
Penalty Categories
Example Cases
Criminal Penalties
Serious violations may result in criminal prosecution.