Personal Data (Privacy) Ordinance

    Hong Kong

    Personal Data (Privacy) Ordinance

    Cap. 486 of the Laws of Hong Kong

    In Hong Kong, the main legislation on data protection is the Personal Data (Privacy) Ordinance (the “PDPO”). The PDPO regulates the collection, use and handling of personal data.

    Last Updated: July 30, 2019

  • General

    The PDPO is in line with the Data Protection Directive 95/46/EC (replaced by the GDPR), although with some significant limitations. The PDPO is a principle-based law. Schedule 1 of the PDPO sets out the six data protection principles (“DPPs”), which govern the collection, use, processing, security, retention/destruction and access to personal data. The PDPO underwent major reform in 2012, in particular to add specific provisions and restrictions against the use and provision of personal data in direct marketing. The Privacy Commissioner for Personal Data (the “PCO”) is the enforcement body of the PDPO. Hong Kong does not have any specific data protection laws for particular industry sectors, although many industry associations have guidelines and rules about the applicability of the PDPO.

  • Lawfulness, Fairness and Nondiscrimination

    The PDPO does not require consent from a data subject so long as the data subject is informed at the time of or before collection of the purpose for which his or her personal data is to be used and the classes of persons to whom the data may be transferred. However, consent must be given by the data subject when personal data is used in direct marketing. The use of personal data must be limited for the purpose as informed. If a data user wish to process personal data collected for unrelated purpose, express consent of the data subject is required. The PDPO provides some exceptions for the need to obtain express consent.

  • Purpose specification, Use Limitation and Suitability

    An organization that processes Personal Data must limit the use of the Personal Data to only those activities which are necessary to accomplish the identified purpose(s) for which the Personal Data was collected.

  • Data Minimisation, Storage Limitation and Accuracy

    An organization that processes Personal Data must erase personal data once the stated purposes have been fulfilled and legal obligations met.

  • Data Subjects Rights

    Under DPP 6 of the PDPO, a person whose data is held by a data user is entitled to:

    1. ascertain whether the data user holds data about them; and
    2. request a copy of and corrections to that data.

    The PDPO provides exemptions for data users, such as legal professional privilege, etc.

  • Cross-Border Data Transfer

    Under Section 33 of the PDPO, the data user cannot transfer personal data unless

    1. the data user has reasonable grounds for believing that the destination jurisdiction has substantially similar provisions to the PDPO;
    2. the data subject consents in writing to the transfer; or
    3. the data user has exercised due diligence to ensure that the personal data will not be treated in a manner which will violate the PDPO.
  • Enforcement

    Failure to comply with the PDPO may lead to criminal sanctions (fines and/or imprisonment). Penalties for direct marketing offenses could led to a fine of up to HKD 1 million (approximately USD 127,715) and five years’ imprisonment.

  • DatabreachPedia


    In Hong Kong, there is no legal obligation to notify personal data breaches. These are generally taken to be suspected breaches of data security of personal data held by a data user, exposing the data to the risk of unauthorized or accidental access, processing, erasure, loss or other use. The Privacy Commissioner has however issued a non-binding guidance note where it encourages data users to report personal data breaches and to take active remedial steps to lessen the damage that a data breach may cause to the individuals.

    Is it Mandatory to Notify Individuals?

    No, but recommended.

    Is it Mandatory to Notify Regulator?

    No, but recommended.

    Notification Deadline

    As soon as practicable.

    Responsible Regulator

    Privacy Commissioner for Personal Data, Hong Kong
    12/F, Sunlight Tower,
    248 Queen’s Road East,
    Wanchai, Hong Kong

    Phone: 2827 2827
    Fax: 2877 7026

    Breach Notification Format

    The individuals should be notified through email, telephone, in writing or in person. If this is not feasible, a substitute public notice can be posted. The Privacy Commissioner should preferably be notified using the Commissioner’s breach notification form and an online portal.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.