TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. PDPO: Hong Kong's Personal Data Privacy Ordinance Guide
Legal Compliance

PDPO: Hong Kong's Personal Data Privacy Ordinance Guide

Learn what the PDPO is, its six data protection principles, enforcement powers, and how to comply with Hong Kong's privacy law.

TermsBox Team|April 3, 20269 min read

The PDPO, formally known as the Personal Data (Privacy) Ordinance (Cap. 486), is Hong Kong's principal data protection statute. Enacted in 1995 and significantly amended in 2012, the PDPO establishes rules for how organizations collect, store, use, and transfer personal data within Hong Kong.

This guide explains the PDPO's core requirements, its six Data Protection Principles, enforcement mechanisms, and practical compliance steps. It is provided for educational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

What Is the PDPO?

The Personal Data (Privacy) Ordinance is one of Asia's earliest comprehensive data protection laws. It governs any person or organization (called a "data user" under the Ordinance) that controls the collection, holding, processing, or use of personal data in Hong Kong.

The PDPO defines "personal data" as any data that relates directly or indirectly to a living individual, from which it is practicable for the identity of that individual to be directly or indirectly ascertained. This covers names, email addresses, phone numbers, identification numbers, and any other information that can identify a person.

The law is enforced by the Privacy Commissioner for Personal Data (PCPD), an independent statutory body with investigation and enforcement powers.

The Six Data Protection Principles Under the PDPO

The PDPO is built around six Data Protection Principles (DPPs) set out in Schedule 1 of the Ordinance. These principles form the backbone of all PDPO compliance obligations.

DPP1: Purpose and Manner of Collection

Personal data must be collected for a lawful purpose directly related to a function or activity of the data user. The data collected must be necessary and not excessive. Data subjects must be informed of the purpose of collection, whether it is obligatory or voluntary, and the classes of persons to whom the data may be transferred.

DPP2: Accuracy and Duration of Retention

Data users must take all practicable steps to ensure personal data is accurate and not kept longer than necessary for the purpose for which it was collected. Organizations should establish retention schedules and delete data once the original purpose has been fulfilled.

DPP3: Use of Personal Data

Personal data must not be used for any purpose other than the original purpose for which it was collected, or a directly related purpose, unless the data subject gives voluntary and explicit consent.

DPP4: Security of Personal Data

Data users must take all practicable steps to protect personal data against unauthorized or accidental access, processing, erasure, loss, or use. This includes both technical measures (encryption, access controls) and organizational measures (staff training, policies).

DPP5: Information to Be Generally Available

Data users must take all practicable steps to make publicly available their policies and practices regarding personal data. This typically means publishing a Privacy Information Collection Statement (PICS) and a Privacy Policy Statement (PPS).

DPP6: Access and Correction

Data subjects have the right to request access to their personal data and to request correction of inaccurate data. Data users must comply with access requests within 40 days and must not charge excessive fees.

PDPO Enforcement and Penalties

The PCPD has broad powers to investigate complaints, conduct inspections, and issue enforcement notices. Understanding the penalty structure helps organizations prioritize compliance efforts.

Key enforcement mechanisms include:

  • Enforcement notices: The PCPD can issue notices requiring data users to remedy contraventions. Failure to comply with an enforcement notice is a criminal offence carrying fines up to HK$50,000 and imprisonment up to two years.
  • Repeated contravention: If a data user contravenes an enforcement notice a second time, fines increase to HK$100,000 and imprisonment up to five years.
  • Direct marketing offences: Using personal data for direct marketing without consent can result in fines up to HK$500,000 and imprisonment up to three years under Section 35C.
  • Disclosure offences: The 2021 amendments introduced offences for doxxing (disclosing personal data without consent with intent to cause harm), with penalties of up to HK$1,000,000 and five years imprisonment.

Unlike the GDPR's percentage-of-turnover fines (up to 20 million EUR or 4% of annual global turnover under Article 83), the PDPO uses fixed monetary penalties. However, the criminal liability component, including imprisonment, makes PDPO enforcement particularly serious.

How the PDPO Compares to GDPR and Other Privacy Laws

Organizations operating across jurisdictions often need to understand how the PDPO relates to other data protection frameworks.

Feature PDPO (Hong Kong) GDPR (EU/EEA) PIPL (Mainland China)
Enacted 1995 (amended 2012, 2021) 2018 2021
Legal basis for processing Lawful purpose + DPPs Six legal bases (Article 6) Consent + other bases (Article 13)
Consent for marketing Opt-in required Opt-in required Separate consent required
Data breach notification Recommended, not mandatory 72-hour mandatory (Article 33) Immediate notification required
Cross-border transfer No specific restriction Adequacy decisions or safeguards Security assessment for certain transfers
Maximum fine HK$1,000,000 EUR 20,000,000 / 4% turnover RMB 50,000,000 / 5% turnover
Criminal penalties Yes (imprisonment) Varies by member state Yes (personal liability)

One notable gap in the PDPO is the absence of a mandatory data breach notification requirement. The PCPD has issued guidance recommending notification, but it is not a statutory obligation. This contrasts sharply with the GDPR's 72-hour notification window under Article 33.

PDPO Direct Marketing Rules

The 2012 amendments to the PDPO introduced strict direct marketing provisions under Part VIA (Sections 35A through 35L). These rules are among the most enforcement-active areas of the Ordinance.

Before using personal data for direct marketing, a data user must:

  1. Inform the data subject of the intention to use their data for direct marketing
  2. Specify the types of personal data to be used
  3. Identify the classes of marketing subjects (goods, services, or facilities)
  4. State whether the data will be provided to third parties for their direct marketing
  5. Obtain the data subject's written consent (opt-in)

"Direct marketing" under the PDPO includes email, SMS, phone calls, postal mail, and fax communications offering goods, services, or facilities. The PCPD has clarified that targeting advertising through social media platforms using personal data also falls within scope.

Organizations that send marketing emails or run targeted campaigns involving Hong Kong residents should ensure their privacy policy generator output clearly addresses direct marketing disclosures.

PDPO Compliance Checklist

Meeting your obligations under the PDPO requires systematic effort across your organization. The following checklist covers the essential compliance steps.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Data inventory and mapping:

  • Identify all personal data you collect, hold, or process
  • Document the lawful purpose for each data type
  • Map data flows, including transfers to third parties or processors
  • Establish retention schedules aligned with DPP2

Transparency and notices:

  • Draft a Privacy Information Collection Statement (PICS) for each collection point
  • Publish a Privacy Policy Statement (PPS) on your website
  • Ensure notices specify the purpose of collection, voluntariness, and transfer recipients

Consent management:

  • Implement opt-in consent mechanisms for direct marketing
  • Record and store consent evidence with timestamps
  • Provide easy opt-out mechanisms in every marketing communication

Security measures:

  • Implement access controls, encryption, and logging in line with DPP4
  • Train staff on data handling procedures
  • Conduct regular security assessments
  • Develop a data breach response plan (recommended by the PCPD even though not mandatory)

Data subject rights:

  • Establish a process for handling data access requests within 40 days
  • Allow data correction requests and maintain audit trails
  • Set reasonable fees (if any) for access requests, subject to PCPD guidelines

Using an automated compliance platform like TermsBox can help you generate and maintain a privacy policy that addresses PDPO requirements. The privacy policy generator produces documents that cover data collection disclosures, purpose limitation, and data subject rights.

Cross-Border Data Transfers Under the PDPO

Section 33 of the PDPO restricts transfers of personal data outside Hong Kong. Although this section was enacted in 1995, it has not yet been brought into force. In practice, the PCPD has issued a Guidance Note on recommended model contractual clauses for cross-border transfers.

Despite Section 33's inactive status, organizations should still exercise caution when transferring data outside Hong Kong:

  • Ensure the receiving jurisdiction provides adequate data protection
  • Use contractual safeguards such as data processing agreements
  • Inform data subjects about cross-border transfers in your privacy policy
  • Monitor PCPD guidance, as Section 33 may be activated in the future

For businesses operating websites that serve Hong Kong users alongside EU or US visitors, your privacy policy should address both the PDPO and applicable regulations such as the GDPR or CCPA. A comprehensive privacy policy generator can help structure disclosures that cover multiple jurisdictions.

Recent PDPO Amendments and Developments

The PDPO has undergone significant updates in recent years that expand its scope and enforcement teeth.

2021 Doxxing Amendments: The Personal Data (Privacy) (Amendment) Ordinance 2021 introduced two new offences targeting doxxing. Section 64(3A) criminalizes disclosing personal data without consent with intent to cause specified harm. Section 64(3C) covers disclosure without consent where specified harm results, even without intent. The PCPD was also granted new powers to conduct criminal investigations and issue cessation notices requiring removal of doxxing content.

Increased enforcement activity: The PCPD has been increasingly active in issuing enforcement notices and prosecuting offences. In 2023 and 2024, the PCPD published guidance on the use of artificial intelligence and personal data, emphasizing that DPP1 (purpose limitation) and DPP4 (security) apply fully to AI-driven data processing.

Proposed reform discussions: The Hong Kong government has periodically discussed modernizing the PDPO to align more closely with international standards, including introducing mandatory breach notification and administrative fines. Organizations should monitor these developments and plan for stricter requirements.

Frequently Asked Questions

What does PDPO stand for?

PDPO stands for the Personal Data (Privacy) Ordinance, which is Hong Kong's primary data protection law enacted in 1995 and enforced by the Privacy Commissioner for Personal Data (PCPD).

Who does the PDPO apply to?

The PDPO applies to any individual, company, or public body that controls the collection, holding, processing, or use of personal data in Hong Kong, regardless of where the data subject is located.

What are the penalties for violating the PDPO?

Penalties range from fines of HK$50,000 to HK$1,000,000 and imprisonment of up to five years, depending on the offence. The PCPD can also issue enforcement notices that carry criminal liability if ignored.

Does the PDPO require consent for direct marketing?

Yes. Since the 2012 amendments, the PDPO requires data users to obtain explicit, opt-in consent before using personal data for direct marketing. Failure to comply can result in fines up to HK$500,000 and three years imprisonment.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is the PDPO?
  • The Six Data Protection Principles Under the PDPO
  • DPP1: Purpose and Manner of Collection
  • DPP2: Accuracy and Duration of Retention
  • DPP3: Use of Personal Data
  • DPP4: Security of Personal Data
  • DPP5: Information to Be Generally Available
  • DPP6: Access and Correction
  • PDPO Enforcement and Penalties
  • How the PDPO Compares to GDPR and Other Privacy Laws
  • PDPO Direct Marketing Rules
  • PDPO Compliance Checklist
  • Cross-Border Data Transfers Under the PDPO
  • Recent PDPO Amendments and Developments
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.