
Hong Kong’s PDPO

In Hong Kong, the Personal Data (Privacy) Ordinance (Cap. 486) (the "PDPO") regulates the collection, holding, processing, disclosure, and use of personal data. The PDPO was enacted in 1995 and came into force in December 1996; it was significantly amended in 2012. The Data Protection Principles (the "DPPs"), contained in Schedule 1 to the PDPO, set out how organizations should collect, handle, disclose, and use personal data. The Office of the Privacy Commissioner for Personal Data (the "PCPD") is the regulatory authority that enforces the PDPO in Hong Kong; it also issues guidelines to help organizations comply with the PDPO.

Definitions of key terms

The following are the key terms defined in the PDPO:

Personal Data

Personal Data means information that relates directly or indirectly to a living individual, from which it is practicable to identify that individual, and which exists in a form in which access to or processing of the data is practicable.

Data User

Data User is a person or entity who, either alone or jointly or in common with other persons, controls the collection, holding, processing, or use of personal data. This is the PDPO's equivalent of what other privacy laws call a "data controller."

Data Processor

Data Processor is a person or entity who processes personal data on behalf of another person or entity (a data user) and does not process the data for any of its own purposes.

Consent

Consent is not a prerequisite for collecting personal data. It is required, however, before personal data is used for a new purpose (DPP 3) or for direct marketing. Where consent is required, it means express consent given voluntarily (the PDPO's "prescribed consent").

Data Subjects' Rights under the PDPO:

The PDPO gives data subjects the following rights:

  • DPP 6 gives data subjects the right to request access to, and correction of, their personal data. A data user that refuses an access or correction request must give the data subject its reasons for the refusal.
  • Data subjects have the right to be informed by data user(s) regarding the holding of their personal data.
  • The PDPO contains no explicit right to erasure. However, data users must not retain personal data longer than is necessary for the purpose for which it is used (DPP 2(2) and section 26), so a data subject can ask a data user to delete personal data that is no longer needed for that purpose.
  • There is no general right under the PDPO to object to processing (including profiling), but data subjects may opt out of direct marketing at any time.

Who needs to comply with the PDPO?

The PDPO applies to private- and public-sector organizations that collect, hold, process, or use personal data. It covers any data user that controls these operations in or from Hong Kong, regardless of where the processing physically takes place.


Part VIII of the PDPO exempts personal data from some of its requirements where the data is held or used for:

  • specified public or judicial interests (such as security, crime prevention, health, and legal proceedings)
  • domestic or recreational purposes, or
  • employment-related purposes.

The PDPO does not directly regulate data processors, so they fall outside its direct application. Data users, however, must use contractual or other means to ensure that their data processors meet the applicable requirements of the PDPO (DPP 2(3) on retention and DPP 4(2) on security).


Organizations' obligations under the PDPO:

  • The PDPO does not explicitly state an accountability principle or other privacy-management measures; the PCPD nevertheless recommends that organizations adopt a privacy management programme to ensure compliance with the PDPO, including appointing a data protection officer and conducting privacy impact assessments.
  • DPP 5 obliges data users to take all practicable steps to be open about their personal data policies and practices, the kinds of personal data they hold, and the main purposes for which they hold it.
  • DPP 4 requires data users to take all practicable steps to protect the personal data they hold against unauthorized or accidental access, processing, erasure, loss, or use.
  • The PDPO contains no mandatory breach notification requirement, but the PCPD recommends notifying it (and the affected data subjects, where appropriate) of data breaches.
  • The PDPO does not recognize certification or adherence to an approved code of practice as a legal basis for cross-border transfers.

Non-Compliance Risks and Penalties:

Contravening a DPP is not in itself an offense under the PDPO; however, contravening specific provisions of the PDPO is an offense that can result in substantial fines and imprisonment.

  • Contravention of an enforcement notice issued by the Commissioner is an offense punishable, on first conviction, by a maximum fine of HK$50,000 and imprisonment for two years, plus a daily penalty of HK$1,000 for a continuing offense.
  • Subsequent convictions carry a maximum fine of HK$100,000 and imprisonment for two years, plus a daily penalty of HK$2,000 for a continuing offense.
  • Contravention of section 26 of the PDPO, which requires data users to erase personal data that is no longer required, is an offense punishable by a fine of up to HK$10,000.
  • Data subjects may also seek compensation through civil action (section 66) from data users for damage caused by a contravention of the PDPO.

The PCPD has published a table detailing the penalties for each contravention of the PDPO.


How can Securiti.ai help?

SECURITI.ai's award-winning compliance solution is built around PrivacyOps, which applies robotic automation, artificial intelligence, and machine learning to privacy operations. It automates the majority of compliance tasks, freeing up crucial resources for other areas of the business.

SECURITI.ai helps businesses discover data across internal and external systems, link personal data to each individual, run automated assessments of internal policies and third-party vendors, manage consent, and much more.

While businesses may hesitate to move from their current manual methods to automation for fear of the costs and infrastructure changes involved, automation is clearly the way forward. It increases ROI and productivity, lowers costs, and improves accuracy. It pays for itself and brings organizations several further benefits.

Automation enables swift and efficient compliance with the PDPO as well as other data privacy regulations. Watch it in action today!

Automating privacy operations across your organization

The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.


“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”

- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc

Key Facts

1. A data subject may withdraw previously given consent by written notice.

2. There are currently no restrictions on the transfer of personal data outside Hong Kong under the PDPO. Section 33, which sets out requirements for cross-border transfers, has been enacted but has not yet been brought into force.

3. The Hong Kong government is currently reviewing the PDPO for possible amendments, including a mandatory breach notification requirement and new provisions to strengthen the protection of personal data.

4. Under section 36, the PCPD has the power to inspect a data user's personal data system and make recommendations on how the data user's compliance with the PDPO may be enhanced.