Data Protection Policy (Hong Kong)
DATA PROTECTION POLICY
Personal Data (Privacy) Ordinance (Cap. 486), Hong Kong SAR
[Organisation Name]
Effective Date: [Effective Date]
Data Protection Contact: [DPO Name], [DPO Contact]
1. PURPOSE AND SCOPE
1.1 This Data Protection Policy (“Policy”) establishes how [Organisation Name] (“the Organisation”) collects, holds, processes, uses, and protects personal data in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) and its six Data Protection Principles.
1.2 This Policy applies to all directors, officers, employees, contractors, and any person who handles personal data on behalf of the Organisation.
2. DATA COLLECTION (DPP 1)
2.1 The Organisation collects the following categories of personal data: [Data Categories]
2.2 Personal data is collected for the following purposes: [Collection Purposes]
2.3 Consent method: [Consent Method]. Data subjects must be informed at the time of collection of the purpose, the classes of persons to whom data may be transferred, and their rights of access and correction.
3. ACCURACY AND RETENTION (DPP 2)
3.1 The Organisation shall take all practicable steps to ensure personal data is accurate and up to date.
3.2 Personal data shall not be retained longer than necessary. General retention period: [Retention Period]. Data shall be securely destroyed after the retention period expires.
4. USE OF PERSONAL DATA (DPP 3)
4.1 Personal data shall only be used for the purpose for which it was collected, or a directly related purpose, unless the data subject has given voluntary and express consent to use for a new purpose.
4.2 Direct marketing: [Direct Marketing Consent]. Where personal data is used for direct marketing, the Organisation shall comply with Part VIA of the PDPO, including obtaining consent and providing an opt-out mechanism.
5. SECURITY (DPP 4)
5.1 The Organisation shall take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use.
5.2 Security measures: [Security Measures]
6. TRANSPARENCY (DPP 5)
6.1 The Organisation shall make available its policies and practices regarding personal data, including the kinds of data held and the purposes for which data is used. This Policy and the Organisation’s Privacy Policy Statement shall be published on the Organisation’s website.
7. ACCESS AND CORRECTION RIGHTS (DPP 6)
7.1 Data subjects have the right to request access to and correction of their personal data under sections 18 and 22 of the PDPO.
7.2 Access request process: [Access Request Process]
8. TRAINING AND AWARENESS
8.1 Data protection training shall be provided to all employees: [Training Frequency].
9. ENFORCEMENT
9.1 Breach of this Policy may result in: [Disciplinary Measures]
10. GOVERNING LAW
10.1 This Policy is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China, in particular the Personal Data (Privacy) Ordinance (Cap. 486).
ACKNOWLEDGEMENT
I acknowledge that I have read, understood, and agree to comply with this Data Protection Policy.
Employee
________________
Signature
Data Protection Contact
________________
Signature
What Is a Data Protection Policy (Hong Kong)?
A Data Protection Policy in Hong Kong is an internal governance document that sets out how an organisation collects, holds, processes, uses, and protects personal data in compliance with the Personal Data (Privacy) Ordinance (Cap. 486). The policy binds all employees, contractors, and third parties who process personal data on the organisation’s behalf, translating the six statutory Data Protection Principles (DPPs) into practical operational rules.
Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486), enacted in 1995 and effective from December 1996, is one of Asia’s oldest complete data protection statutes. The Ordinance is administered and enforced by the Office of the Privacy Commissioner for Personal Data (PCPD), established under Part V of Cap. 486. The PCPD investigates complaints from data subjects, conducts Commissioner-initiated investigations, issues enforcement notices, and in serious cases refers matters for criminal prosecution. Contravention of an enforcement notice is a criminal offence under Cap. 486 carrying a fine of HK$50,000 and imprisonment for two years on first conviction.
The six Data Protection Principles in Schedule 1 to Cap. 486 form the legal backbone of the policy: DPP1 (purpose and manner of collection), DPP2 (accuracy and duration of retention), DPP3 (use of personal data), DPP4 (security of personal data), DPP5 (information to be generally available), and DPP6 (access to personal data). A Data Protection Policy maps each principle to the organisation’s specific data handling activities and assigns responsibility for compliance to named roles.
Data Protection Principle 5 (DPP5) specifically requires data users to take all practicable steps to make available their policies and practices with respect to personal data — including the kinds of personal data held, the main purposes for which data is used, and how data access and correction requests can be made. A written Data Protection Policy is the primary mechanism for satisfying DPP5. The PCPD’s enforcement decisions consistently cite the absence of a written policy as an aggravating factor in DPP compliance failures.
The 2021 amendments to Cap. 486 — the Personal Data (Privacy) (Amendment) Ordinance 2021 — strengthened the PCPD’s enforcement powers significantly, introducing the doxxing offence under Section 64, expanding powers to investigate data processors, and enhancing the PCPD’s ability to issue enforcement notices. These amendments make a strong, current Data Protection Policy more important than ever for organisations operating in Hong Kong. Forms-legal.com provides this Data Protection Policy template covering all six DPPs, direct marketing obligations, and PCPD enforcement guidance.
For organisations operating across multiple jurisdictions, a Hong Kong Data Protection Policy must address the interaction between the PDPO and other data protection regimes. Hong Kong subsidiaries of EU-based multinationals must comply with both Cap. 486 and the General Data Protection Regulation (GDPR) where EU personal data is processed. The PCPD has observed that Hong Kong organisations increasingly adopt GDPR-inspired standards as a baseline, since GDPR requirements are generally more stringent than the PDPO — meaning GDPR compliance typically satisfies PDPO requirements as well. The PCPD's guidance on cross-border data transfers references the Section 33 provisions of Cap. 486 that, when brought into force, will restrict transfers to jurisdictions without comparable data protection.
When Do You Need a Data Protection Policy (Hong Kong)?
A Data Protection Policy in Hong Kong is needed by every organisation that collects or handles personal data — which, given the PDPO’s broad definition of personal data, means virtually every business, non-profit, educational institution, and government body operating in Hong Kong.
A newly incorporated company should adopt a Data Protection Policy at the start of operations, before collecting any employee or customer personal data. Collecting personal data without a policy that satisfies DPP5 (openness) exposes the organisation to PCPD enforcement from day one. The PCPD has investigated start-ups and small businesses as well as large corporations — there is no size exemption under Cap. 486.
An established business that has been operating without a formal Data Protection Policy should adopt one immediately. Many Hong Kong businesses have historically collected personal data informally without documented policies. As PCPD enforcement activity has intensified — particularly following the 2021 amendments — the absence of a written policy creates material compliance risk.
An organisation that has suffered a data breach or received a PCPD complaint should adopt or update its Data Protection Policy as part of the remediation required by any PCPD enforcement notice. The PCPD’s enforcement notices routinely require the subject organisation to implement a written data protection policy within a specified period.
An organisation engaged in data-intensive activities — e-commerce, digital marketing, financial services, healthcare, property management, or hospitality — should have a complete policy that specifically addresses each category of personal data collected (customer data, employee data, CCTV footage, website analytics) and the specific data protection measures applied to each.
A Hong Kong subsidiary of a multinational group should align its Data Protection Policy with the group’s global data governance framework while addressing Hong Kong-specific requirements — the PDPO’s DPP6 access and correction timeline of 40 days, the direct marketing consent requirements under Part VIA of Cap. 486, and the voluntary PCPD breach notification guidance. Where the group’s global policy is based on GDPR standards, the Hong Kong policy should be a localised supplement addressing PDPO-specific obligations.
Organisations tendering for government contracts or business with major corporations increasingly face data protection due diligence requirements. A documented, current Data Protection Policy is frequently requested as part of supplier qualification processes.
What to Include in Your Data Protection Policy (Hong Kong)
A Data Protection Policy for a Hong Kong organisation must address the following core elements to comply with each of the six Data Protection Principles in Schedule 1 to the Personal Data (Privacy) Ordinance (Cap. 486) and the PCPD’s guidance on data governance.
Scope and Application defines who is bound by the policy — all employees, temporary workers, contractors, consultants, and agents who handle personal data on the organisation’s behalf — and what personal data the policy covers: any data relating to a living individual from which it is practicable to ascertain the individual’s identity and which is accessible (as defined in Cap. 486).
Data Collection and PICS (DPP1) sets out the requirement that personal data may only be collected for a lawful purpose directly related to the organisation’s functions, that only the minimum data necessary for that purpose is collected, and that a Personal Information Collection Statement (PICS) is provided to every data subject before or at the time of collection. The policy should specify who is responsible for preparing and issuing PICS documents and the approved PICS templates for different collection contexts (customer onboarding, employee recruitment, event registration).
Data Accuracy and Retention (DPP2) establishes the organisation’s obligation to take reasonably practicable steps to confirm personal data is accurate and up-to-date, and to retain personal data only for as long as necessary. The policy should reference the organisation’s Data Retention Schedule — which sets retention periods by data category consistent with statutory requirements under the Inland Revenue Ordinance (Cap. 112), the Limitation Ordinance (Cap. 347), and Employment Ordinance (Cap. 57) — and the secure deletion or anonymisation procedures applied when retention periods expire.
Use Limitation (DPP3) prohibits use of personal data for any purpose other than the purpose for which it was collected or a directly related purpose, without the data subject’s explicit consent. The policy must address the consent requirements for direct marketing under Part VIA of Cap. 486 — including the obligation to obtain written opt-in consent before sending marketing communications and to honour opt-out requests promptly.
Data Security (DPP4) requires the organisation to implement and maintain technical and organisational security measures appropriate to the sensitivity and volume of personal data held. The policy should specify the security measures in place — encryption, access controls, two-factor authentication for systems holding personal data, staff vetting, physical security for records rooms — and the procedures for reviewing security measures periodically.
Transparency and Openness (DPP5) requires the organisation to make its data protection policies and practices available. The policy should specify where the privacy policy is published (website, customer-facing documents, employee handbook), the mechanism for data subjects to obtain information about the kinds of data held and the purposes of use, and who is responsible for maintaining and updating the published privacy policy.
Data Subject Rights — Access and Correction (DPP6) establishes the procedures for handling data access requests under Section 18 of Cap. 486 and correction requests under Section 22. The policy must specify: the designated contact for receiving requests; the 40-day response deadline; the fee structure (if any, up to the reasonable cost of compliance); how the identity of the requester is verified; and the escalation path if access is refused. forms-legal.com also provides a Cybersecurity Incident Response Plan and a Data Processing Agreement as companion documents for a complete PDPO compliance framework.
Sources & Citations
Statutory citations link to official government sources.
- Personal Data (Privacy) Ordinance (Cap. 486) (HK official)
- Inland Revenue Ordinance (Cap. 112) (HK official)
- Limitation Ordinance (Cap. 347) (HK official)
- Employment Ordinance (Cap. 57) (HK official)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Protection Policy (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/data-protection-policy-hong-kong
"Data Protection Policy (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/policies/data-protection-policy-hong-kong.
@misc{formslegal-data-protection-policy-hong-kong,
  author = {{Forms Legal}},
  title = {Data Protection Policy (Hong Kong)},
  year = {2026},
  howpublished = {\url{https://forms-legal.com/hong-kong/business/policies/data-protection-policy-hong-kong}},
  note = {Free legal document template. Based on Personal Data (Privacy) Ordinance (Cap. 486)}
}
Frequently Asked Questions
The Personal Data (Privacy) Ordinance (Cap. 486) is Hong Kong’s comprehensive data protection law, enacted in 1995 and effective from December 1996. It is one of the oldest data protection laws in Asia and governs the collection, holding, processing, and use of personal data by data users in Hong Kong.
The PDPO applies to every “data user” — defined as a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing, or use of personal data. This includes companies, sole traders, partnerships, government departments, and any other organisation that handles personal data. The PDPO applies to data users in Hong Kong regardless of where the data is processed.
“Personal data” is defined broadly as any data relating to a living individual from which it is practicable to ascertain the identity of the individual, and in a form in which access to or processing of the data is practicable. This includes names, HKID numbers, contact details, financial information, health records, photographs, and any other data from which an individual can be identified.
The PDPO is administered and enforced by the Office of the Privacy Commissioner for Personal Data (PCPD), established under Part V of the Ordinance. The PCPD investigates complaints, issues enforcement notices, publishes guidance, and promotes compliance.
The six Data Protection Principles (DPPs) in Schedule 1 of the Personal Data (Privacy) Ordinance (Cap. 486) form the core of Hong Kong’s data protection framework.
DPP 1 — Purpose and Manner of Collection: Personal data must be collected for a lawful purpose directly related to the data user’s function or activity. The data collected must be necessary for or directly related to that purpose. The means of collection must be lawful and fair. Data subjects must be informed of the purpose of collection and the classes of persons to whom the data may be transferred.
DPP 2 — Accuracy and Duration of Retention: Data users must take all practicable steps to ensure personal data is accurate, and must not retain personal data longer than necessary for the purpose for which it was collected.
DPP 3 — Use of Personal Data: Personal data must not be used for any purpose other than the purpose for which it was collected, or a directly related purpose, without the voluntary and express consent of the data subject.
DPP 4 — Security of Personal Data: Data users must take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use.
DPP 5 — Information to be Generally Available: Data users must take all practicable steps to make available their policies and practices with respect to personal data, including the kinds of personal data held and the main purposes for which it is used.
DPP 6 — Access to Personal Data: Data subjects are entitled to request access to and correction of their personal data, and the data user must respond to such requests within 40 days.
Individuals (data subjects) have several important rights under the Personal Data (Privacy) Ordinance (Cap. 486).
Right of access (Section 18): A data subject has the right to request a data user to inform them whether the data user holds personal data about them. If the data user does hold such data, the data subject can request a copy of the data. The data user must respond within 40 days of receiving the request. The data user may charge a reasonable fee to cover the cost of complying with the request.
Right of correction (Section 22): If a data subject believes their personal data held by a data user is inaccurate, they have the right to request correction. The data user must, within 40 days, either make the correction or inform the data subject why the correction has not been made.
Right to be informed (DPP 1): When collecting personal data, the data user must inform the data subject of the purpose of collection, the classes of persons to whom the data may be transferred, whether provision of the data is obligatory or voluntary, and the consequences of not providing the data.
Right to object to direct marketing (Part VIA): The PDPO (as amended in 2012) requires data users to obtain the data subject’s consent before using their personal data for direct marketing. The data user must inform the data subject that they intend to use the data for direct marketing, the types of data to be used, and the classes of marketing subjects.
The PDPO provides for both enforcement notices and criminal penalties for non-compliance.
Enforcement notices: The PCPD may, upon investigation, issue an enforcement notice directing a data user to remedy a contravention of the PDPO. An enforcement notice specifies the contravention and the steps the data user must take to remedy it. Contravention of an enforcement notice is a criminal offence.
Criminal penalties: Contravention of an enforcement notice carries a fine of HK$50,000 and imprisonment for 2 years on first conviction, and a fine of HK$100,000 and imprisonment for 2 years on subsequent conviction. A continuing offence carries a daily penalty of HK$2,000.
Direct marketing offences (Part VIA): Using personal data for direct marketing without consent or failing to comply with an opt-out request is a criminal offence. First offence: fine of HK$500,000 and imprisonment for 3 years.
While the Personal Data (Privacy) Ordinance (Cap. 486) does not currently mandate breach notification, the Office of the Privacy Commissioner for Personal Data (PCPD) strongly recommends that organisations notify the PCPD and affected data subjects promptly when a data breach occurs involving personal data. The PCPD published a Data Breach Handling and Notifications Best Practice Guide that sets out the recommended steps for breach response in Hong Kong.
Upon discovering a data breach, the organisation should immediately contain the breach — isolating affected systems, revoking compromised credentials, and preserving evidence. A breach response team should be convened to assess the nature and scope of the breach, the categories and volume of personal data affected, the likely consequences for affected individuals, and the steps taken or planned to address the breach.
Notification to the PCPD should be made as soon as reasonably practicable after the organisation becomes aware of the breach. The PCPD's recommended notification form requests details of the breach, the personal data affected, the number of individuals affected, and the remedial steps taken. Notification to affected data subjects is recommended where the breach poses a real risk of harm — for example, where financial account data, HKID numbers, or health information has been exposed.
The 2021 amendments to Cap. 486 expanded the PCPD's investigative powers and introduced the doxxing offence under Section 64.