Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486) gives you specific rights over your personal data. Learn what the PDPO requires of companies, how the PCPD enforces those requirements, and how to use your legal rights after a data breach.
The Personal Data (Privacy) Ordinance (PDPO, Cap. 486) is Hong Kong's primary data protection legislation, enacted in 1995 and substantially amended in 2021. The PDPO establishes six Data Protection Principles (DPPs) that govern how organisations — referred to as "data users" — must collect, use, store, and share personal data. The six DPPs cover: purpose and means of collection; accuracy and retention; use for original purpose; data security; transparency and openness about data policies; and access and correction rights. Any organisation that collects personal data from Hong Kong residents — regardless of whether the organisation is based in Hong Kong — may be subject to the PDPO's requirements. The Privacy Commissioner for Personal Data (PCPD) is the independent regulator responsible for enforcing the ordinance.
The 2021 PDPO amendments significantly strengthened the law's enforcement tools. The amendments introduced mandatory data breach notification obligations — companies that experience a data breach must notify the PCPD and affected individuals "as soon as practicable" — replacing the previous voluntary notification framework. The amendments also created a new criminal offence for doxxing (disclosing personal data with intent to harm), introduced enhanced penalty tiers with fines up to HK$1 million and imprisonment up to 5 years for serious violations, and expanded the PCPD's investigative and enforcement powers. These changes brought the PDPO closer to the standard set by the EU's GDPR, though Hong Kong's framework remains less prescriptive on technical security requirements than European law.
For Hong Kong residents, the practical significance of the PDPO is the set of rights it grants you as a "data subject" — the individual whose data is collected. The most important rights are: the right to know what personal data an organisation holds about you (data access requests); the right to request correction of inaccurate data; the right to object to direct marketing; the right to complain to the PCPD if you believe your data has been mishandled; and since the 2021 amendments, the right to be notified when a breach affecting your data occurs. These rights apply to data held by banks, insurers, employers, government departments, utilities, healthcare providers, and any other organisation that has collected your personal data.
The right to access personal data held about you is one of the most powerful rights in the PDPO. Under DPP 6, you can submit a Data Access Request (DAR) to any organisation that holds your personal data, requesting a copy of all data they hold about you. The organisation must respond within 40 days (previously 30 days, extended by the 2021 amendments to accommodate more complex requests). They must provide the data in an intelligible form and may charge a reasonable fee (typically capped at HK$50-200 depending on the organisation). If the organisation refuses, fails to respond within 40 days, or provides an incomplete response, you can complain to the PCPD. Data Access Requests are particularly useful after a suspected identity theft incident — obtaining your complete records from banks, the credit bureau, government databases, and other organisations reveals what data they hold and whether any unauthorised changes have been made.
The right to correction (DPP 6, Section 22) allows you to request that inaccurate personal data be corrected. This is critical for identity theft victims: if a fraudster has changed your registered address at a bank, added a fraudulent beneficiary, or caused incorrect records to be created at government agencies, a formal data correction request under the PDPO creates a legal obligation for the organisation to investigate and correct the inaccuracy. Pair this with a police report number for maximum effect — the PDPO correction right combined with a formal fraud complaint creates both a civil and a criminal pathway for resolution. Organisations that refuse to correct demonstrably inaccurate data in your file can be reported to the PCPD for DPP 6 violation.
The right to object to direct marketing (Part 6A of the PDPO) allows you to opt out of marketing use of your personal data at any time. More relevantly for cybersecurity, the PDPO's use limitation principle (DPP 3) prohibits organisations from using your personal data for purposes beyond what was disclosed at the time of collection. If a company shares your data with a third party without your consent and that third party's data subsequently ends up in a breach, the original company may have violated DPP 3. This creates an actionable PDPO complaint even if the company didn't experience the breach directly. The PCPD has issued guidance on data processors (third-party service providers) and data sharing, placing obligations on companies to ensure adequate contractual protections when sharing data with processors.
The 2021 PDPO amendments introduced mandatory data breach notification obligations that significantly changed the landscape for Hong Kong residents. When a company experiences a data breach, it must notify the PCPD "as soon as practicable" — the PCPD guidance suggests this typically means within 5 days for serious breaches, though the ordinance itself uses "as soon as practicable" rather than specifying a fixed timeframe. Simultaneously, affected individuals must be notified in a manner that allows them to take protective action. The notification must include at minimum: a description of what data was accessed or disclosed; the likely consequences of the breach; the measures taken or proposed; and contact details for further enquiries. Companies that fail to meet these notification obligations face penalties under the amended PDPO.
In practice, the quality and timeliness of breach notifications from Hong Kong companies varies considerably. Large, regulated financial institutions (banks supervised by HKMA, insurers supervised by IA) tend to have more robust incident response procedures and more transparent breach notifications, partly because their primary regulators (HKMA, IA) have separate cybersecurity and incident reporting requirements that operate alongside the PDPO. Smaller companies and non-regulated entities may provide less comprehensive notifications or be slower to discover and disclose breaches. The PCPD has published guidance on breach handling and has a dedicated team for breach investigations, but enforcement resources are limited compared to the volume of breaches affecting HK residents annually.
What should you expect to receive if a company that holds your data experiences a breach? The notification should be direct (email or mail to your registered contact details, or in-app notification for digital services), clear in describing what data was affected, and specific about what protective steps you should take. If you receive a breach notification that is vague, difficult to understand, or lacks specific guidance, you are entitled to contact the company for more information under DPP 6 (data access) and DPP 5 (transparency). If the company's breach response has been inadequate — particularly if they delayed notification, didn't notify you when they should have, or provided misleading information about the scope of the breach — a PCPD complaint is appropriate. The PCPD can compel further information and investigate the adequacy of the company's response.
Filing a complaint with the PCPD is a structured process that begins with exhausting your remedies with the company concerned. The PCPD generally requires complainants to first attempt to resolve the issue directly with the data user before accepting a formal complaint. Write to the company explaining the violation, what remedy you seek, and giving them a reasonable timeframe (typically 30 days) to respond. Keep copies of all correspondence. If the company fails to respond adequately, proceed to the PCPD complaint. Complaints can be filed online at pcpd.org.hk/complaint, by email ([email protected]), or by visiting the PCPD's office at 12/F, 248 Queen's Road East, Wanchai. The PCPD also operates a privacy enquiry hotline at 2827 2827 (Monday to Friday, 9am-5pm).
The PCPD complaint process involves several stages. After receiving your complaint, the PCPD will first assess whether it falls within the PDPO's scope and whether it is properly substantiated. If the complaint is accepted, the PCPD will notify the data user (the company) and invite their response. The PCPD can request documentary evidence from both parties, conduct interviews, and in serious cases exercise its investigative powers to access company systems and records. For complex investigations involving large data breaches, the process may take 6-18 months. The PCPD publishes guidance notes and investigation reports on significant cases, which can be helpful in understanding how similar complaints have been resolved and what standard of evidence is expected.
Outcomes from PCPD complaints range from informal resolution (the company agrees to correct data or improve practices) to enforcement notices (legally binding instructions to take specified actions) to prosecution referral for criminal violations. The PCPD can also issue public reprimands and publish enforcement notices — the reputational consequences of a public PCPD enforcement action are significant for businesses, which creates meaningful pressure for compliance. For identity theft victims, the most valuable practical outcomes are: the company being directed to correct fraudulent records (supporting your credit bureau and lender disputes); the company providing full details of what data was breached (supporting your protective measures); and where relevant, the creation of a documented investigation record that assists in civil litigation or further criminal proceedings by the HKPF.