These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.
Hong Kong Data Protection Checklist
Personal Data (Privacy) Ordinance (Cap. 486) - Comprehensive compliance guide
Key Provisions
Section 1: Short title and commencement
Gives the short title "Personal Data (Privacy) Ordinance" and empowers the Secretary for Constitutional and Mainland Affairs to appoint its commencement date by notice in the Gazette.
Section 2: Interpretation
Key Definitions:
- act: any deed or deliberate omission
- personal data: any information about a living person from which they can be identified
- data subject: the living individual whom the personal data is about
- data user: anyone who controls the collection, holding, processing or use of personal data
- processing: any change to personal data, such as adding, deleting or rearranging it
- disclosing: revealing personal data or information inferred from it
- Commissioner: the Privacy Commissioner for Personal Data who enforces the Ordinance
- code of practice: any approved guidance document on handling personal data
Section 3: Application
Makes the Ordinance binding on all public and private bodies in Hong Kong, with narrow exceptions (e.g., data held for personal or family purposes and not disclosed to others).
Section 4: Data protection principles
A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice is required or permitted under this Ordinance.
Section 5: Establishment of Privacy Commissioner
Creates the independent Privacy Commissioner for Personal Data, a corporate sole with investigative and enforcement powers.
Section 12: Approval of codes of practice
Authorises the Commissioner to approve, publish, revise or withdraw sector-specific codes giving practical guidance on complying with the Ordinance.
Section 14: Data user returns
Requires designated classes of "data users" to file annual returns containing prescribed information (e.g., categories of personal data processed).
Section 15: Register of data users
Mandates the Commissioner to maintain a publicly inspectable database of all data-user returns and updates.
Section 18: Data access request
Gives individuals (or their agents) a right to ask any data user whether they hold the individual's personal data, and to receive a copy of it within 40 days.
Section 22: Data correction request
Allows individuals to require a data user to rectify, erase or complete their personal data within 40 days, subject to specified exceptions.
Section 26: Erasure of personal data no longer required
Obligates data users to erase personal data that is no longer needed for any purpose under which it was collected.
Section 30: Matching procedure not to be carried out except with consent
Prohibits automated matching of personal data for adverse-action purposes unless the individual has consented.
Section 33: Prohibition against transfer of personal data outside Hong Kong
Bars cross-border transfers unless adequate protection is ensured (e.g., recipient jurisdiction, contract terms, consent).
Section 35C: Data user to take specified action before using personal data in direct marketing
Requires a data user to give clear notice and obtain consent before first using personal data for direct marketing.
Section 35E: Data user must not use personal data in direct marketing without consent
Flatly bans the use of personal data in direct marketing without consent, subject to opt-out and prescribed-consent mechanisms.
Section 37: Complaints
Enables any person to lodge a complaint with the Commissioner about potential breaches of the Ordinance.
Section 38: Investigations by Commissioner
Grants the Commissioner power to investigate suspected breaches, whether on complaint or on its own motion, including inspections and evidence-gathering.
Section 50: Enforcement notices
Allows the Commissioner to issue binding notices requiring a data user to remedy non-compliance, with offences for ignoring them.
Section 64: Offences for disclosing personal data without consent
Creates criminal offences (and daily penalties) for unlawful disclosure or use of personal data.
Section 66: Compensation
Gives courts power to award compensation to individuals suffering damage through contravention of the Ordinance.
Section 67: Power of Commissioner to specify forms
Empowers the Commissioner to prescribe forms and fees for notices, returns and applications under the Ordinance.
Compliance Checklist
Section 18: Data access request
For Data Users:
Set up procedures to log and respond to access requests within 40 days; train staff on handling requests and fees.
For Third Parties:
Cooperate with data users' request-handling processes; provide requested data promptly when asked.
Section 22: Data correction request
For Data Users:
Maintain clear processes for correcting, erasing or completing data; track requests and confirmations.
For Third Parties:
Assist data users by flagging inaccurate records and updating or deleting data as directed.
Section 26: Erasure of personal data no longer required
For Data Users:
Implement retention schedules tied to collection purposes; securely erase data once it falls outside retention periods.
For Third Parties:
Follow data users' retention schedules; certify destruction of data after contracts end.
Section 30: Matching procedure
For Data Users:
Obtain express consent before any automated matching; document consent records.
For Third Parties:
Do not perform matching without written authority; report any intended matching activities to the data user.
Section 33: Cross-border transfers
For Data Users:
Use standard contractual clauses or ensure the recipient jurisdiction's law offers equivalent protection; log all transfers.
For Third Parties:
Comply with contract terms; do not transfer data beyond approved jurisdictions or purposes.
Section 35C/35E: Direct marketing
For Data Users:
Implement opt-in mechanisms; keep clear records of marketing consents and opt-outs; stop marketing promptly on demand.
For Third Parties:
Do not use or share personal data for marketing unless the data user instructs it and consent is documented.
Section 37/38: Complaints & investigations
For Data Users:
Establish internal escalation for potential breaches; cooperate fully with Commissioner inspections and investigations.
For Third Parties:
Provide access to relevant records; assign a liaison for the Commissioner's enquiries or site inspections.
Section 50: Enforcement notices
For Data Users:
Monitor for notices; have corrective-action plans ready; assign a senior manager to ensure timely compliance.
For Third Parties:
Assist the data user in investigating non-compliance; implement corrective steps under supervision.
Section 64: Offences for unlawful disclosure
For Data Users:
Enforce "least-privilege" access controls; encrypt sensitive personal data; log disclosures and accesses.
For Third Parties:
Follow strict instructions on data access; immediately report any inadvertent or suspicious disclosures.
Section 66: Compensation
For Data Users:
Maintain liability insurance; keep audit trails to demonstrate compliance; seek legal advice on historic disputes.
For Third Parties:
Keep detailed processing logs; cooperate in damage assessments and provide factual support to the data user.
Need Help with Hong Kong PDPO Compliance?
Our expert team can guide you through Hong Kong's Personal Data (Privacy) Ordinance requirements and ensure your organization meets all compliance obligations.
Checklist to implementation
Need a fact-specific view?
Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.