
Key Takeaways: 

  • The collection of personal data in Hong Kong is regulated by the Personal Data (Privacy) Ordinance (the “PDPO”).
  • Before using a customer’s personal data for marketing purposes, you must obtain their explicit consent. 
  • Direct marketing refers to any attempt to promote goods or services by sending communications specifically to an individual by name.
  • Failure to comply with the PDPO is punishable by fine and imprisonment. 

In Hong Kong, direct marketing is a common business practice. Hong Kong businesses often collect and use personal data for the purpose of marketing and advertising.  

It is important to note that direct marketing activities in Hong Kong are under strict supervision of the Personal Data (Privacy) Ordinance (PDPO). Before you use your customers’ personal data for direct marketing purposes, it is important to make sure your business is complying with the data protection laws in Hong Kong. 

What is The Personal Data (Privacy) Ordinance (PDPO)? 

The Personal Data (Privacy) Ordinance (the “PDPO”) is one of the longest-standing comprehensive data protection laws in Hong Kong. It was passed in 1995 and took effect from December 1996. The PDPO was designed to protect the privacy of individuals regarding their personal data, and applies to any “data user” (whether an individual or a company) that collects, holds, or processes personal data in Hong Kong.

Personal data refers to any data relating to a living individual from which it is practicable to directly or indirectly ascertain their identity. This information can exist in any form, whether digital or paper, and includes names, phone numbers, addresses, photos, identity card numbers, and employment or medical records.

The PDPO is built on six core data protection principles that every business must follow:

  1. Collection Purpose and Means: Data must be collected for a lawful purpose directly related to the company’s function. The collection should be necessary and not excessive.
  2. Accuracy and Retention: Data users must ensure the data is accurate and is not kept longer than necessary to fulfill the original purpose.
  3. Use: Data cannot be used for a new purpose (other than the one specified at collection) unless the individual gives explicit, voluntary consent.
  4. Security: Companies must implement appropriate security measures to protect personal data against unauthorized or accidental access, processing, or loss.
  5. Openness: Companies must be transparent about the types of data they hold and their policies regarding how that data is used.
  6. Data Access and Correction: Individuals have the right to ask a company if they hold their data, have access to it, and request corrections if it is inaccurate.

Why does it matter?

As a company incorporated in Hong Kong, it is essential to operate in compliance with the local data protection laws such as the PDPO. 

In today’s digital world, e-commerce businesses often engage in online marketing activities, which almost always involve the use of someone’s personal information. The PDPO defines direct marketing as any attempt to promote goods or services by sending any form of communication to a specific person by name, via mail, email, fax, or phone, etc.

You cannot use a customer’s information for marketing without their explicit, prior consent. Before using personal data for direct marketing for the first time, the company has an obligation to inform the individual of their “opt-out” right. This means you must explicitly tell the customer they can choose to stop receiving marketing materials from you at any time, free of charge.

What are the penalties for not complying with The Personal Data (Privacy) Ordinance?

Violating the PDPO is not just a civil matter; it can be a criminal offense, punishable by fine and imprisonment. The PCPD (Office of the Privacy Commissioner for Personal Data) can also issue “Enforcement Notices” requiring a company to stop certain data practices immediately.

Disclaimer: The above does not constitute legal advice. While we are happy to share our business experience to assist you, we recommend seeking professional legal counsel for specific concerns.

Frequently Asked Questions about collection of personal data

1. What counts as personal data?

Personal data is any information in digital or physical form, such as contact details, ID numbers, or records, that can be used to identify a living individual either directly or indirectly.

2. What is The Personal Data (Privacy) Ordinance (PDPO)?

Enacted in 1996, the PDPO is a long-standing data protection framework in Hong Kong, designed to safeguard individual privacy by regulating how any person or organization collects, holds, and processes personal data.

3. What are the six core data protection principles of the PDPO?

According to the PDPO, Hong Kong businesses must follow six core principles: collecting only necessary data for lawful purposes, ensuring its accuracy, offering secure data storage, obtaining consent for new uses, maintaining transparency, and granting individuals the right to access and correct their information.

4. What is the definition of direct marketing?

The PDPO defines direct marketing as any attempt to promote goods or services by sending any form of communication to a specific person by name, via mail, email, fax, or phone, etc.