Hong Kong: Personal Data (Privacy) Ordinance (PDPO)

« Back to Glossary Index

Hong Kong’s data privacy laws are governed by the Personal Data (Privacy) Ordinance (PDPO), which was introduced in 1996 and came into full effect in 1997. The PDPO is designed to regulate the collection, use, storage, and handling of personal data by businesses and other organizations.

The PDPO is based on six data protection principles, which include:

  • Purpose and manner of collection: Personal data should only be collected for a lawful purpose that is directly related to a function or activity of the organization.
  • Accuracy and retention: Personal data should be accurate, complete, and kept up-to-date. It should not be retained for longer than necessary.
  • Use: Personal data should only be used for the purpose for which it was collected, unless the individual concerned has given their express consent.
  • Security: Personal data should be protected by appropriate security measures against unauthorized access, processing, erasure, loss or use.
  • Information to data subjects: Individuals have the right to know what personal data is being held about them, and how it is being used.
  • Data access and correction: Individuals have the right to access their personal data, and to request that any inaccuracies be corrected.

The PDPO applies to any individual or organization that collects, holds, processes, or uses personal data in Hong Kong, including government agencies, businesses, and non-profit organizations. It covers both automated and manual data processing activities.

Under the PDPO, businesses must obtain explicit consent from individuals before collecting and using their personal data. They must also provide clear and concise information about the purpose of data collection, how the data will be used, and who it will be shared with.

In addition, the PDPO imposes strict requirements on the transfer of personal data outside of Hong Kong. Businesses must ensure that adequate data protection measures are in place before transferring personal data overseas.

The Office of the Privacy Commissioner for Personal Data (PCPD) is responsible for enforcing the PDPO in Hong Kong. The PCPD has the power to investigate complaints, issue enforcement notices, and prosecute offenders who violate the PDPO.

In conclusion, Hong Kong’s Personal Data (Privacy) Ordinance provides a comprehensive framework for the protection of personal data in the region. It imposes strict obligations on businesses and organizations to protect personal data, and gives individuals strong rights to control how their data is collected, used, and shared.

Download this Resource