
Privacy Policy (Hong Kong)

PRIVACY POLICY

Personal Data (Privacy) Ordinance (Cap. 486), Hong Kong SAR

[Organisation Name]

Effective Date: [Effective Date]

1. INTRODUCTION

1.1 [Organisation Name] (“we”, “us”, “our”) is committed to protecting the personal data of individuals in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (“PDPO”).

1.2 This Privacy Policy explains how we collect, hold, process, use, and protect your personal data when you interact with us through our website ([Website URL]), our services, or otherwise.

1.3 Privacy contact: [Privacy Contact].

2. WHAT DATA WE COLLECT

2.1 We collect the following categories of personal data: [Data Collected]

2.2 We collect personal data for the following purposes: [Collection Purposes]

3. SHARING YOUR DATA

3.1 We may share your personal data with the following third parties: [Third Party Sharing]

3.2 We require all third parties to handle your personal data in accordance with the PDPO and to implement appropriate security measures.

4. DIRECT MARKETING

4.1 We use personal data for direct marketing: [Direct Marketing].

4.2 Types of marketing: [Marketing Types]

4.3 In compliance with Part VIA of the PDPO, we will obtain your consent before using your personal data for direct marketing. You may opt out of direct marketing at any time by contacting us at [Privacy Contact] or using the unsubscribe link in our communications.

5. COOKIES AND TRACKING

5.1 Our website uses the following cookies and tracking technologies: [Cookies Used]

5.2 You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our website.

6. DATA RETENTION

6.1 [Retention Policy]

7. DATA SECURITY

7.1 We take all practicable steps to protect your personal data in accordance with DPP 4 of the PDPO: [Security Summary]

8. YOUR RIGHTS

8.1 Under sections 18 and 22 of the PDPO, you have the right to request access to and correction of your personal data held by us.

8.2 [Access Process]

8.3 You may lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) if you believe we have contravened the PDPO.

9. GOVERNING LAW

9.1 This Privacy Policy is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China, in particular the Personal Data (Privacy) Ordinance (Cap. 486).

Maintained by Vladislav Sergienko, Founder.

What Is a Privacy Policy (Hong Kong)?

A Privacy Policy in Hong Kong documents how an organisation collects, holds, processes, uses and protects personal data, and is the main way a data user meets the openness obligation under Data Protection Principle 5 of the PDPO.

The Personal Data (Privacy) Ordinance (Cap. 486), enacted in 1995, in force since December 1996 and substantially amended in 2012 and 2021, is administered by the Office of the Privacy Commissioner for Personal Data (PCPD). The Privacy Commissioner is an independent statutory office established under Part II (section 5) of Cap. 486 with powers to investigate complaints, conduct compliance checks and inspections, issue enforcement notices and, since 2021, to investigate and prosecute doxxing offences directly. The 2021 amendments introduced the doxxing offences in section 64 of Cap. 486, a cessation-notice regime for doxxing content, and expanded the PCPD's criminal investigation and prosecution powers.

The six Data Protection Principles (DPPs) under Schedule 1 of Cap. 486 form the backbone of Hong Kong's data protection framework. DPP 1 (Purpose and Collection) requires that personal data be collected by lawful and fair means for a lawful purpose directly related to the data user's function, with the data subject informed of the purpose on or before collection. DPP 2 (Accuracy and Retention) requires data to be accurate and not kept longer than necessary. DPP 3 (Use Limitation) prohibits using personal data for a new purpose without the data subject's prescribed consent. DPP 4 (Security) requires all practicable steps to be taken to protect personal data against unauthorised or accidental access, processing, erasure, loss or use. DPP 5 (Openness) is the provision most directly implemented through a privacy policy: it requires data users to make their data policies and practices openly available. DPP 6 (Access and Correction) gives data subjects the right to access their personal data and to request correction of inaccurate data, exercised through the procedures in Sections 18 and 22 of Cap. 486.

A Hong Kong Privacy Policy is distinct from a Personal Information Collection Statement (PICS), which is a shorter, point-of-collection notice provided to individuals at the time their personal data is collected (required by DPP 1). The privacy policy provides a full overview of all data handling practices across the organisation, while a PICS is transaction-specific. Both documents are required for full PDPO compliance.

For organisations subject to international data protection laws, including the EU General Data Protection Regulation (GDPR), Singapore's Personal Data Protection Act (PDPA) or the California Consumer Privacy Act (CCPA), the Hong Kong privacy policy may need to be supplemented or adapted to meet those additional requirements. Hong Kong's PDPO has no equivalent of GDPR's lawful-basis requirement, but an organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU must comply with GDPR regardless of where it is based (Article 3(2) GDPR).

Forms-legal.com provides a structured Privacy Policy template reflecting Hong Kong's PDPO (Cap. 486) framework, the PCPD's Privacy Management Programme (PMP) Best Practice Guide, and current PCPD guidance on data breach notification, direct marketing consent, and cookies. Related documents that complement a Privacy Policy include a Data Processing Agreement (for data processor relationships), a Personal Information Collection Statement (for point-of-collection notices), and a Data Breach Notification Letter (for reporting breaches to the PCPD and affected individuals).

When Do You Need a Privacy Policy (Hong Kong)?

A Privacy Policy in Hong Kong is needed by every organisation that collects personal data about individuals — a legal obligation under Data Protection Principle 5 of the Personal Data (Privacy) Ordinance (Cap. 486) that applies to businesses of all sizes, non-profit organisations, professional practices, and government bodies.

Online businesses and e-commerce operators in Hong Kong must publish a privacy policy on their website before collecting any personal data through account registration, order forms, newsletter subscriptions, or cookies. The PCPD's guidance on website privacy policies recommends that the policy be linked from every page of the website, particularly pages where personal data is collected. Hong Kong does not have a specific cookie consent law comparable to the EU ePrivacy Directive, but cookies that collect personal data fall within the scope of Cap. 486, and the privacy policy must disclose their use.

Financial institutions, insurance companies, and professional services firms in Hong Kong — including solicitors, accountants, and medical practitioners — must publish a privacy policy meeting PDPO requirements because they routinely collect sensitive personal data including financial records, HKID numbers, medical histories, and legal correspondence. The PCPD's sector-specific guidance for financial services and healthcare provides additional recommendations beyond the baseline DPP requirements.

Employers in Hong Kong must have a privacy policy covering employee personal data, including recruitment records, employment contracts, payroll, performance reviews, and disciplinary records. The Employment Ordinance (Cap. 57) requires employers to maintain certain employment records, and the PDPO requires those records to be handled in compliance with the DPPs. A separate Employee Personal Data Policy or Privacy Notice for Employees may be needed in addition to the customer-facing privacy policy.

Organisations that engage in direct marketing in Hong Kong must have a privacy policy that specifically addresses their direct marketing practices and complies with Part VIA of Cap. 486, introduced by the 2012 amendment. Part VIA requires organisations to notify the data subject and obtain consent before using personal data for direct marketing, to provide a clear opt-out mechanism, and not to provide personal data to third parties for direct marketing without the data subject's written consent. Contravention of Part VIA is a criminal offence carrying a maximum penalty of a fine of HKD 500,000 and three years' imprisonment; providing personal data to a third party for use in direct marketing for gain carries up to HKD 1,000,000 and five years' imprisonment.

Organisations that transfer personal data outside Hong Kong must address cross-border data transfers in their privacy policy. Section 33 of Cap. 486, once in force, would prohibit transfers of personal data outside Hong Kong unless an exception applies, such as transfer to a jurisdiction on the Commissioner's white list, the data subject's written consent, or contractual arrangements giving substantially similar protection; the section has not yet been brought into force. Nevertheless, the PCPD strongly recommends that organisations implement contractual safeguards (such as the PCPD's Recommended Model Contractual Clauses for cross-border transfers, or data processing agreements with overseas processors) and disclose these arrangements in their privacy policy.

Organisations that have suffered a data breach should notify affected individuals and report to the PCPD under the PCPD's non-statutory data breach notification framework, and the privacy policy should describe the organisation's breach notification procedure. The PCPD's Privacy Management Programme (PMP) Best Practice Guide recommends that organisations appoint a data protection officer and describe this role in the privacy policy.

A Hong Kong Privacy Policy must be reviewed and updated whenever there is a material change in data handling practices — including adoption of new technologies, introduction of new products or services, changes in third-party service providers, or changes in applicable law. The PCPD recommends annual privacy policy reviews as a minimum.

What to Include in Your Privacy Policy (Hong Kong)

A Privacy Policy for a Hong Kong organisation under the Personal Data (Privacy) Ordinance (Cap. 486) should include the following key elements, reflecting the six Data Protection Principles and the PCPD's Privacy Management Programme (PMP) Best Practice Guide.

Organisation Identity and Contact Details: The full legal name of the data user organisation, its principal place of business in Hong Kong, and contact details for privacy-related enquiries. If the organisation has appointed a Data Protection Officer (DPO) or Privacy Officer, this role and contact information should be identified. The PCPD recommends designating a responsible officer for data protection compliance.

Scope of the Policy: A statement of which individuals and data the policy covers — for example, customers, website visitors, business contacts, and employees. If separate privacy notices apply to specific groups (such as employees or job applicants), these should be cross-referenced.

Types of Personal Data Collected: A clear description of the categories of personal data collected, such as: names, HKID card numbers, passport numbers, contact details (email, phone, address); financial information (bank account details, credit card numbers, transaction history); usage data (IP addresses, cookies, browsing behaviour, device identifiers); health or medical information; professional credentials or employment history; and any sensitive personal data such as biometric data. For each category, the data user should explain whether collection is voluntary or mandatory and the consequences of not providing the data.

Purposes of Collection (DPP 1): Specific, clear statements of the purposes for which each category of personal data is collected. DPP 1 requires purposes to be lawful and directly related to the data user's function or activity. Vague purposes such as "improving our services" are insufficient — the policy should specify, for example, "to process your online purchase and arrange delivery" or "to assess your eligibility for a loan product." Where multiple purposes apply, each should be listed.

Use Limitation and New Purposes (DPP 3): A statement that personal data will not be used for purposes beyond those disclosed without the data subject's consent. If the organisation wishes to use data for a secondary purpose — such as using customer transaction data for internal analytics or product development — this must either be disclosed upfront or consented to separately.

Third-Party Transfers and Processors: Identification of the classes of persons to whom personal data may be transferred, including service providers (IT systems, cloud platforms, payment processors), professional advisers (auditors, solicitors), group companies, and regulators or law enforcement agencies. For each transfer, the basis for the transfer and any safeguards (such as data processing agreements) should be described. For transfers outside Hong Kong, the policy should address the cross-border transfer implications under Section 33 of Cap. 486 (not yet in force) and the PCPD's guidance on cross-border transfers.

Direct Marketing (Part VIA, Cap. 486): If the organisation uses personal data for direct marketing, the policy must: identify the types of personal data used; specify the classes of marketing subjects (products, services, or topics promoted); explain the consent mechanism (opt-in checkbox, response facility); and provide a simple, free opt-out mechanism. The policy must state whether personal data will be provided to third parties for their direct marketing, and if so, that written consent is required before any such transfer.

Cookies and Tracking Technologies: A description of the cookies and tracking technologies used on the organisation's website or app, including: essential/functional cookies (required for the site to operate); analytical cookies (e.g. Google Analytics; although the reports are aggregated, the underlying collection typically involves IP addresses and persistent client identifiers, which can be personal data under Cap. 486); advertising and targeting cookies (which may be linked to personal data); and third-party cookies from social media plugins or embedded content. For each type, the purpose, retention period, and how users can manage or disable cookies through browser settings should be explained.

Security Measures (DPP 4): A description of the technical and organisational measures implemented to protect personal data against unauthorised access, loss, destruction, or disclosure. Examples include encryption of data in transit and at rest, access controls, staff training, and incident response procedures. The policy should not disclose specific security configurations that could be exploited, but should give individuals sufficient information to understand that appropriate measures are in place.

Data Retention (DPP 2): The organisation's data retention schedule, stating how long different categories of personal data are kept and the criteria used to determine retention periods. For example, customer transaction records are commonly retained for seven years, matching the business-record retention period under section 51C of the Inland Revenue Ordinance (Cap. 112) and covering the six-year limitation period for contract claims under the Limitation Ordinance (Cap. 347), while marketing consent records are retained until the data subject opts out. Data that is no longer needed for any lawful purpose must be anonymised or securely deleted.

Data Subject Rights (DPP 6): Clear information about data subjects' rights under Cap. 486, including: the right to request access to personal data held about them under Section 18; the right to request correction of inaccurate data under Section 22; and the right to opt out of direct marketing under Part VIA. Cap. 486 does not confer a general right to object to processing or a right to erasure of the kind found in the GDPR, and the policy should not promise rights the Ordinance does not provide. The policy must give the name and contact details of the person to whom access and correction requests should be addressed, note that the organisation must comply with such requests within 40 days (Sections 19 and 23), and state any fee charged for complying with an access request, which must not be excessive (Section 28).

Data Breach Notification: The organisation's procedure for notifying the PCPD and affected individuals in the event of a data breach, consistent with the PCPD's non-statutory data breach notification guidance. While notification is currently non-statutory in Hong Kong, the PCPD strongly recommends prompt notification and may issue an enforcement notice if the failure to notify is found to constitute non-compliance with DPP 4.

Policy Review and Updates: A statement that the privacy policy will be reviewed periodically and updated as needed, with the effective date of the current version clearly displayed. The PCPD recommends annual reviews and prompt updates when material changes occur. Individuals should be notified of significant changes through the organisation's usual communication channels.

Contact and Complaints: Contact details for privacy enquiries, including a postal address and email address, and information on how to make a complaint to the PCPD if the individual believes the organisation has contravened the PDPO, including the PCPD's address at 12/F, 248 Queen's Road East, Wan Chai, Hong Kong, and the PCPD's complaint hotline.

The Privacy Policy template at forms-legal.com reflects Hong Kong PDPO (Cap. 486) requirements and current PCPD guidance on data protection, direct marketing consent under Part VIA, and breach notification. Section 18 of Cap. 486 grants data subjects the right to access personal data; Section 22 grants the right to correction. The Privacy Commissioner for Personal Data publishes the Privacy Management Programme (PMP) Best Practice Guide and sector-specific guidance for the financial services industry, healthcare sector, and human resources management. The Personal Data (Privacy) (Amendment) Ordinance 2021 introduced doxxing offences under section 64 of Cap. 486, investigated and prosecuted by the Office of the Privacy Commissioner for Personal Data. Organisations regulated by the Hong Kong Monetary Authority (HKMA), Insurance Authority (IA), or Securities and Futures Commission (SFC) must also comply with sector-specific data governance requirements issued by those regulators in addition to Cap. 486.

Sources & Citations

Statutory citations link to official government sources.

  1. California Consumer Privacy Act (CA, US official)
  2. Personal Data (Privacy) Ordinance (Cap. 486) (HK official)
  3. Employment Ordinance (Cap. 57) (HK official)
  4. Limitation Ordinance (Cap. 347) (HK official)

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Privacy Policy (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/privacy-policy-hong-kong

MLA

"Privacy Policy (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/policies/privacy-policy-hong-kong.

BibTeX
@misc{formslegal-privacy-policy-hong-kong,
  author       = {{Forms Legal}},
  title        = {Privacy Policy (Hong Kong)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/hong-kong/business/policies/privacy-policy-hong-kong}},
  note         = {Free legal document template. Based on Personal Data (Privacy) Ordinance (Cap. 486)}
}


Based on the Personal Data (Privacy) Ordinance (Cap. 486). Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.


Related Documents

You may also find these documents useful:

Data Protection Policy (Hong Kong)

A Data Protection Policy for Hong Kong organisations ensuring compliance with the Personal Data (Privacy) Ordinance (Cap. 486) and its six Data Protection Principles. Establishes rules for collecting, holding, processing, and using personal data, and addresses data subject rights under the PDPO.

Terms of Service (Hong Kong)

A comprehensive Terms of Service agreement for Hong Kong businesses, covering user obligations, liability limitations, intellectual property, and PDPO compliance.

E-Commerce Terms and Conditions (Hong Kong)

E-Commerce Terms and Conditions for Hong Kong online businesses governing the sale of goods and services through websites and mobile applications. Addresses the Electronic Transactions Ordinance (Cap. 553), Trade Descriptions Ordinance (Cap. 362), Sale of Goods Ordinance (Cap. 26), and consumer protection requirements.

Data Processing Agreement (Hong Kong)

A Data Processing Agreement (DPA) governing the processing of personal data by a third-party processor on behalf of an organisation, compliant with the Personal Data (Privacy) Ordinance (Cap. 486) and its six Data Protection Principles. Establishes processor obligations, data handling standards, and security requirements under Hong Kong's PDPO framework.

Data Breach Notification Policy (Hong Kong)

A Data Breach Notification Policy for Hong Kong organisations establishing procedures for identifying, assessing, and notifying data breaches under the Personal Data (Privacy) Ordinance (Cap. 486). Addresses voluntary notification to the PCPD and affected individuals as recommended by the Office of the Privacy Commissioner.