
Hong Kong Personal Data Privacy Ordinance (PDPO)

  • Maximum fine: HKD 1M
  • Scope: National
  • Regulator: PCPD (Privacy Commissioner for Personal Data)
  • Enacted: 2012


Overview

The Personal Data (Privacy) Ordinance establishes comprehensive requirements for the collection, use, and handling of personal data in Hong Kong.

Key Facts

  • Enacted in 1995, major amendment in 2012
  • Enforced by Privacy Commissioner for Personal Data
  • Includes specific requirements for direct marketing

Key Principles

Collection Purpose and Means

Personal data must be collected in a lawful and fair way for a directly related purpose.

Requirements

  • Specify collection purpose
  • Use lawful means
  • Collect necessary data only
  • Inform data subjects
  • Document collection

Examples

  • PICS (Personal Information Collection Statement) notices
  • Collection forms
  • Purpose documentation
  • Notification records

Accuracy and Retention

Personal data must be accurate and not kept longer than necessary.

Requirements

  • Verify data accuracy
  • Update procedures
  • Define retention periods
  • Implement deletion
  • Regular reviews

Examples

  • Verification processes
  • Update procedures
  • Retention schedules
  • Deletion logs

Use Limitation

Personal data must only be used for the purpose for which it was collected.

Requirements

  • Purpose specification
  • Use restrictions
  • Consent for new uses
  • Documentation
  • Regular audits

Examples

  • Purpose statements
  • Consent records
  • Use logs
  • Audit reports

Compliance Requirements

Data Protection Principles

Implementation of the six data protection principles (DPPs) set out in Schedule 1 of the PDPO.

Implementation Steps

  • Document collection purposes
  • Ensure data accuracy
  • Define retention periods
  • Implement security measures
  • Maintain transparency

Required Documentation

  • Privacy policies
  • Collection statements
  • Retention schedules
  • Security procedures
  • Compliance records

Direct Marketing Requirements

Specific requirements for using personal data in direct marketing.

Implementation Steps

  • Obtain explicit consent
  • Provide clear information
  • Enable opt-out mechanisms
  • Maintain consent records
  • Regular compliance checks

Required Documentation

  • Consent forms
  • Marketing notices
  • Opt-out records
  • Compliance logs
  • Review documentation

Data Transfer Requirements

Requirements for transferring personal data outside Hong Kong.

Implementation Steps

  • Assess transfer necessity
  • Implement safeguards
  • Document transfers
  • Monitor compliance
  • Regular reviews

Required Documentation

  • Transfer assessments
  • Safeguard documentation
  • Transfer records
  • Monitoring logs
  • Review reports

Enforcement & Penalties

Administrative Penalties

The Privacy Commissioner for Personal Data (PCPD) can impose various penalties for PDPO violations.

Penalty Categories

  • Direct marketing violations: up to HKD 1M and imprisonment, for unauthorized use of personal data in direct marketing
  • Non-compliance: up to HKD 50,000, for failing to comply with enforcement notices
  • Repeat offenses: up to HKD 100,000, for subsequent violations

Example Cases

  • Marketing company, HKD 750,000 (2023): unauthorized use of personal data for direct marketing
  • Data broker, HKD 500,000 (2022): illegal collection and sale of personal data

Criminal Penalties

Serious violations may result in criminal prosecution.

Penalty Categories

  • Doxxing: up to HKD 1M and 5 years imprisonment, for disclosure of personal data without consent
  • False statements: up to HKD 100,000, for providing false information to the Commissioner
  • Obstruction: up to HKD 50,000, for obstructing the Commissioner's investigations

Example Cases

  • Doxxing incident, HKD 800,000 (2023): malicious disclosure of personal information
  • Investigation obstruction, HKD 40,000 (2022): refusing to cooperate with a PCPD investigation