Are You Infringing On Hong Kong’s PDPO?


Have you done any of these lately?

  1. Sent emails to old clients that your company no longer serves,
  2. Failed to update your marketing database with opt-out requests,
  3. Contacted someone in your mailing list who had requested to be removed from your mailing list, or
  4. Sent personal data of clients to your email account.

If so, whatever your intentions, you will have violated the Personal Data (Privacy) Ordinance (PDPO).

Data privacy

Enacted in Hong Kong in 1995, PDPO seeks to protect the privacy of individuals in relation to personal data.

In an article titled "Hong Kong Regulators Step up Enforcement on Personal Data Protection" by the Data Protection Report in May this year, an insurance agent, a marketing agency, and a portfolio manager were penalised for the improper handling of personal data by the Securities and Futures Commission (“SFC”) under the PDPO. In each case, the plaintiffs were sentenced to a Community Service Order, fine, and SFC disciplinary action respectively.

So, what is personal data?

Personal data is information that:

  • Relates to a living person,
  • Can identify that person, and
  • Is stored in a form that allows for processing.

These include names, identity card numbers, and medical and employment records.

Section 35C of the PDPO requires that your company provide the following information to the individual orally or in writing before using his personal data in direct marketing:

  1. You intend to use his/her personal data;
  2. You may not so use the data without his/her consent;
  3. The kind(s) of personal data you will use;
  4. The classes of goods, facilities or services you offer/advertise; and
  5. The channel through which the individual may communicate his/her consent to the intended use.

Pursuant to section 35G(3) of the Ordinance, a company which receives a customer’s request for cessation of using his personal data in direct marketing must comply with the request without charge.

Failure to comply with any of the above requirements is a criminal offence, which is punishable by a fine of up to HK$500,000 and imprisonment for up to 3 years.

Source: Privacy Commissioner for Personal Data

So, what can organisations do to avoid infringing on the PDPO?

6 Data Protection Principles - HK PDPO
Source: Office of the Privacy Commissioner for Personal Data Hong Kong

Ensure you have a well-drafted data protection policy that outlines the following:

  1. Your purpose of collecting the data,
  2. The classes of persons to whom the data may be transferred,
  3. How long you will keep the data for,
  4. The steps you will take in the event of unauthorised or accidental access, processing, erasure, loss or use, and
  5. How an individual can reach out to access his/her personal data and make corrections.

If you collect data on your website, it is also required by law that you have a Website Privacy Policy that informs customers about how you use their data.


In today’s era of internet and connectivity, consumers are more concerned than ever about protecting the privacy of their personal data. Observe good data management practices, and you will be putting your customers at ease.
