PDPO: Hong Kong's Personal Data Privacy Ordinance Guide
Learn what the PDPO is, its six data protection principles, enforcement powers, and how to comply with Hong Kong's privacy law.
The PDPO, formally known as the Personal Data (Privacy) Ordinance (Cap. 486), is Hong Kong's principal data protection statute. Enacted in 1995 and significantly amended in 2012, the PDPO establishes rules for how organizations collect, store, use, and transfer personal data within Hong Kong.
This guide explains the PDPO's core requirements, its six Data Protection Principles, enforcement mechanisms, and practical compliance steps. It is provided for educational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is the PDPO?
The Personal Data (Privacy) Ordinance is one of Asia's earliest comprehensive data protection laws. It governs any person or organization (called a "data user" under the Ordinance) that controls the collection, holding, processing, or use of personal data in Hong Kong.
The PDPO defines "personal data" as any data that relates directly or indirectly to a living individual, from which it is practicable for the identity of that individual to be directly or indirectly ascertained. This covers names, email addresses, phone numbers, identification numbers, and any other information that can identify a person.
The law is enforced by the Privacy Commissioner for Personal Data (PCPD), an independent statutory body with investigation and enforcement powers.
The Six Data Protection Principles Under the PDPO
The PDPO is built around six Data Protection Principles (DPPs) set out in Schedule 1 of the Ordinance. These principles form the backbone of all PDPO compliance obligations.
DPP1: Purpose and Manner of Collection
Personal data must be collected for a lawful purpose directly related to a function or activity of the data user. The data collected must be necessary and not excessive. Data subjects must be informed of the purpose of collection, whether it is obligatory or voluntary, and the classes of persons to whom the data may be transferred.
DPP2: Accuracy and Duration of Retention
Data users must take all practicable steps to ensure personal data is accurate and not kept longer than necessary for the purpose for which it was collected. Organizations should establish retention schedules and delete data once the original purpose has been fulfilled.
DPP3: Use of Personal Data
Personal data must not be used for any purpose other than the original purpose for which it was collected, or a directly related purpose, unless the data subject gives voluntary and explicit consent.
DPP4: Security of Personal Data
Data users must take all practicable steps to protect personal data against unauthorized or accidental access, processing, erasure, loss, or use. This includes both technical measures (encryption, access controls) and organizational measures (staff training, policies).
DPP5: Information to Be Generally Available
Data users must take all practicable steps to make publicly available their policies and practices regarding personal data. This typically means publishing a Privacy Information Collection Statement (PICS) and a Privacy Policy Statement (PPS).
DPP6: Access and Correction
Data subjects have the right to request access to their personal data and to request correction of inaccurate data. Data users must comply with access requests within 40 days and must not charge excessive fees.
PDPO Enforcement and Penalties
The PCPD has broad powers to investigate complaints, conduct inspections, and issue enforcement notices. Understanding the penalty structure helps organizations prioritize compliance efforts.
Key enforcement mechanisms include:
- Enforcement notices: The PCPD can issue notices requiring data users to remedy contraventions. Failure to comply with an enforcement notice is a criminal offence carrying fines up to HK$50,000 and imprisonment up to two years.
- Repeated contravention: If a data user contravenes an enforcement notice a second time, fines increase to HK$100,000 and imprisonment up to five years.
- Direct marketing offences: Using personal data for direct marketing without consent can result in fines up to HK$500,000 and imprisonment up to three years under Section 35C.
- Disclosure offences: The 2021 amendments introduced offences for doxxing (disclosing personal data without consent with intent to cause harm), with penalties of up to HK$1,000,000 and five years imprisonment.
Unlike the GDPR's percentage-of-turnover fines (up to 20 million EUR or 4% of annual global turnover under Article 83), the PDPO uses fixed monetary penalties. However, the criminal liability component, including imprisonment, makes PDPO enforcement particularly serious.
How the PDPO Compares to GDPR and Other Privacy Laws
Organizations operating across jurisdictions often need to understand how the PDPO relates to other data protection frameworks.
| Feature | PDPO (Hong Kong) | GDPR (EU/EEA) | PIPL (Mainland China) |
|---|---|---|---|
| Enacted | 1995 (amended 2012, 2021) | 2018 | 2021 |
| Legal basis for processing | Lawful purpose + DPPs | Six legal bases (Article 6) | Consent + other bases (Article 13) |
| Consent for marketing | Opt-in required | Opt-in required | Separate consent required |
| Data breach notification | Recommended, not mandatory | 72-hour mandatory (Article 33) | Immediate notification required |
| Cross-border transfer | No specific restriction | Adequacy decisions or safeguards | Security assessment for certain transfers |
| Maximum fine | HK$1,000,000 | EUR 20,000,000 / 4% turnover | RMB 50,000,000 / 5% turnover |
| Criminal penalties | Yes (imprisonment) | Varies by member state | Yes (personal liability) |
One notable gap in the PDPO is the absence of a mandatory data breach notification requirement. The PCPD has issued guidance recommending notification, but it is not a statutory obligation. This contrasts sharply with the GDPR's 72-hour notification window under Article 33.
PDPO Direct Marketing Rules
The 2012 amendments to the PDPO introduced strict direct marketing provisions under Part VIA (Sections 35A through 35L). These rules are among the most enforcement-active areas of the Ordinance.
Before using personal data for direct marketing, a data user must:
- Inform the data subject of the intention to use their data for direct marketing
- Specify the types of personal data to be used
- Identify the classes of marketing subjects (goods, services, or facilities)
- State whether the data will be provided to third parties for their direct marketing
- Obtain the data subject's written consent (opt-in)
"Direct marketing" under the PDPO includes email, SMS, phone calls, postal mail, and fax communications offering goods, services, or facilities. The PCPD has clarified that targeting advertising through social media platforms using personal data also falls within scope.
Organizations that send marketing emails or run targeted campaigns involving Hong Kong residents should ensure their privacy policy generator output clearly addresses direct marketing disclosures.
PDPO Compliance Checklist
Meeting your obligations under the PDPO requires systematic effort across your organization. The following checklist covers the essential compliance steps.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowData inventory and mapping:
- Identify all personal data you collect, hold, or process
- Document the lawful purpose for each data type
- Map data flows, including transfers to third parties or processors
- Establish retention schedules aligned with DPP2
Transparency and notices:
- Draft a Privacy Information Collection Statement (PICS) for each collection point
- Publish a Privacy Policy Statement (PPS) on your website
- Ensure notices specify the purpose of collection, voluntariness, and transfer recipients
Consent management:
- Implement opt-in consent mechanisms for direct marketing
- Record and store consent evidence with timestamps
- Provide easy opt-out mechanisms in every marketing communication
Security measures:
- Implement access controls, encryption, and logging in line with DPP4
- Train staff on data handling procedures
- Conduct regular security assessments
- Develop a data breach response plan (recommended by the PCPD even though not mandatory)
Data subject rights:
- Establish a process for handling data access requests within 40 days
- Allow data correction requests and maintain audit trails
- Set reasonable fees (if any) for access requests, subject to PCPD guidelines
Using an automated compliance platform like TermsBox can help you generate and maintain a privacy policy that addresses PDPO requirements. The privacy policy generator produces documents that cover data collection disclosures, purpose limitation, and data subject rights.
Cross-Border Data Transfers Under the PDPO
Section 33 of the PDPO restricts transfers of personal data outside Hong Kong. Although this section was enacted in 1995, it has not yet been brought into force. In practice, the PCPD has issued a Guidance Note on recommended model contractual clauses for cross-border transfers.
Despite Section 33's inactive status, organizations should still exercise caution when transferring data outside Hong Kong:
- Ensure the receiving jurisdiction provides adequate data protection
- Use contractual safeguards such as data processing agreements
- Inform data subjects about cross-border transfers in your privacy policy
- Monitor PCPD guidance, as Section 33 may be activated in the future
For businesses operating websites that serve Hong Kong users alongside EU or US visitors, your privacy policy should address both the PDPO and applicable regulations such as the GDPR or CCPA. A comprehensive privacy policy generator can help structure disclosures that cover multiple jurisdictions.
Recent PDPO Amendments and Developments
The PDPO has undergone significant updates in recent years that expand its scope and enforcement teeth.
2021 Doxxing Amendments: The Personal Data (Privacy) (Amendment) Ordinance 2021 introduced two new offences targeting doxxing. Section 64(3A) criminalizes disclosing personal data without consent with intent to cause specified harm. Section 64(3C) covers disclosure without consent where specified harm results, even without intent. The PCPD was also granted new powers to conduct criminal investigations and issue cessation notices requiring removal of doxxing content.
Increased enforcement activity: The PCPD has been increasingly active in issuing enforcement notices and prosecuting offences. In 2023 and 2024, the PCPD published guidance on the use of artificial intelligence and personal data, emphasizing that DPP1 (purpose limitation) and DPP4 (security) apply fully to AI-driven data processing.
Proposed reform discussions: The Hong Kong government has periodically discussed modernizing the PDPO to align more closely with international standards, including introducing mandatory breach notification and administrative fines. Organizations should monitor these developments and plan for stricter requirements.
Frequently Asked Questions
What does PDPO stand for?
PDPO stands for the Personal Data (Privacy) Ordinance, which is Hong Kong's primary data protection law enacted in 1995 and enforced by the Privacy Commissioner for Personal Data (PCPD).
Who does the PDPO apply to?
The PDPO applies to any individual, company, or public body that controls the collection, holding, processing, or use of personal data in Hong Kong, regardless of where the data subject is located.
What are the penalties for violating the PDPO?
Penalties range from fines of HK$50,000 to HK$1,000,000 and imprisonment of up to five years, depending on the offence. The PCPD can also issue enforcement notices that carry criminal liability if ignored.
Does the PDPO require consent for direct marketing?
Yes. Since the 2012 amendments, the PDPO requires data users to obtain explicit, opt-in consent before using personal data for direct marketing. Failure to comply can result in fines up to HK$500,000 and three years imprisonment.