Data Processing Agreement (Hong Kong)
DATA PROCESSING AGREEMENT
Personal Data (Privacy) Ordinance (Cap. 486), Hong Kong SAR
Effective Date: [Effective Date]
PARTIES
This Data Processing Agreement (“DPA”) is entered into between:
(1) [Controller Name] (CRN: [Controller CRN]), a company incorporated in Hong Kong with its registered office at [Controller Address] (“Data User”); and
(2) [Processor Name] (CRN: [Processor CRN]), a company incorporated in Hong Kong with its registered office at [Processor Address] (“Processor”).
The Data User and Processor are each a “Party” and together the “Parties”.
1. BACKGROUND
1.1 The Data User has engaged the Processor to provide services pursuant to which the Processor processes personal data on behalf of the Data User.
1.2 The Parties wish to set out the terms governing the Processor’s handling of personal data in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) and the Data Protection Principles (“DPPs”) set out in Schedule 1 thereof, and the guidance issued by the Office of the Privacy Commissioner for Personal Data (“PCPD”).
2. SCOPE AND NATURE OF PROCESSING
2.1 Purpose: [Processing Purpose]
2.2 Categories of Personal Data: [Data Categories]
2.3 Data Subjects: [Data Subjects]
2.4 Duration: [Processing Duration]
3. PROCESSOR OBLIGATIONS
3.1 The Processor shall process personal data only on documented instructions from the Data User and only for the purposes set out in clause 2.1 of this DPA, consistent with DPP 3 of the PDPO.
3.2 The Processor shall take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use, so that the Data User is able to meet its obligations under DPP 4 of the PDPO (including the contractual or other means it is required to adopt under DPP 4(2)) and the PCPD's guidance on data security.
3.3 The Processor shall notify the Data User without undue delay upon becoming aware of any actual or suspected breach of security involving personal data processed under this DPA, providing sufficient information for the Data User to assess the impact and respond appropriately.
3.4 The Processor shall provide reasonable assistance to the Data User in responding to access and correction requests from data subjects under sections 18 and 22 of the PDPO (DPP 6).
3.5 Upon termination or expiry of this DPA, the Processor shall, at the Data User's election, securely delete or return all personal data within 30 days and certify such deletion or return in writing, so that the Data User is able to meet its obligations under DPP 2(2) and 2(3) and section 26 of the PDPO.
3.6 The Processor shall ensure that all personnel authorised to process personal data under this DPA are subject to appropriate confidentiality obligations.
4. SUB-PROCESSORS
4.1 Sub-processor authorisation: [Allow Sub-processors].
4.2 Pre-approved sub-processors: [Sub-processor List]
4.3 The Processor shall ensure each sub-processor is bound by data protection obligations equivalent to those in this DPA. The Processor shall notify the Data User at least 14 days in advance of any intended changes to sub-processors. The Processor remains fully liable to the Data User for the performance of sub-processor obligations.
5. TRANSFER OF PERSONAL DATA OUTSIDE HONG KONG
5.1 Overseas transfer: [Overseas Transfer]. Countries: [Transfer Countries].
5.2 Any transfer of personal data outside Hong Kong shall only be made on the Data User's written instruction and where the Data User is satisfied that the recipient jurisdiction provides a standard of protection for personal data comparable to that under the PDPO, having regard to section 33 of the PDPO (once in operation), DPP 3, and the PCPD's guidance on cross-border data transfers, including its recommended model contractual clauses.
6. DATA USER OBLIGATIONS
6.1 The Data User shall ensure it has a valid lawful purpose for the collection and use of all personal data provided to the Processor under this DPA, consistent with DPP 1 of the PDPO.
6.2 The Data User’s data protection contact is: [Controller DPO].
7. GOVERNING LAW
7.1 This DPA shall be governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region of the People’s Republic of China. Any dispute arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the Hong Kong courts.
EXECUTION
IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the Effective Date.
Data User (Authorised Signatory)
________________
Signature
Processor (Authorised Signatory)
________________
Signature
What Is a Data Processing Agreement (Hong Kong)?
A Data Processing Agreement (DPA) in Hong Kong is a legally binding contract between an organisation that controls personal data (the data user) and a third party that processes personal data on the data user's behalf (the data processor). The DPA is the primary contractual mechanism through which the data user extends its obligations under the Personal Data (Privacy) Ordinance (Cap. 486) to its processors, documenting the controls, restrictions, and security requirements governing the processor's handling of personal data.
Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486), enacted in 1995 and in force since December 1996, is administered by the Office of the Privacy Commissioner for Personal Data (PCPD). The PDPO's six Data Protection Principles (DPPs) in Schedule 1 bind data users, the organisations that control the collection, holding, processing or use of personal data. A data processor that holds, processes or uses personal data solely on behalf of another person is not itself a data user (section 2(12)) and is not directly regulated by the Ordinance. The PDPO reaches processors through the data user instead: DPP 4(1) requires the data user to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use, and DPP 4(2) and DPP 2(3), both added by the 2012 amendments, require a data user that engages a processor to adopt contractual or other means to prevent unauthorised or accidental access to the data and to prevent it being kept longer than necessary. The data user also answers for acts of its agents under section 65(2). A written DPA is therefore the principal way a data user discharges these duties.
The Personal Data (Privacy) (Amendment) Ordinance 2021 did not change this position. Its subject was doxxing: it created the doxxing offences in section 64(3A) to (3C), gave the Commissioner criminal investigation and prosecution powers for those offences, and introduced cessation notices requiring removal of doxxing content. Direct regulation of data processors, administrative fines and mandatory breach notification were proposed in the 2020 review of the Ordinance but have not been enacted. A data user's contractual controls over its processors therefore remain its only practical safeguard, and they are what the PCPD will examine when assessing the data user's DPP 4 compliance after an incident.
The PCPD's Guidance on Data Processors recommends that data users enter into written contracts with processors specifying: the purposes for which personal data may be processed; the security measures required; the processor's obligations on breach notification; restrictions on sub-processing; data deletion obligations at contract end; and audit rights. While Cap. 486 does not prescribe a mandatory DPA format comparable to the EU GDPR's Article 28 requirements, the PCPD's guidance makes a written DPA the expected standard of good practice for any data user engaging a processor.
Data subject access and correction rights under Section 18 and Section 22 of Cap. 486 must also be addressed in the DPA — the processor must be contractually obligated to assist the data user in responding to access and correction requests within the 40-day statutory period. The PCPD may investigate failures by processors that result in the data user being unable to meet this statutory obligation.
Hong Kong organisations that also handle personal data of individuals in the European Union must comply with the GDPR's mandatory processor contract requirements under Article 28, which are more prescriptive than PDPO guidance. A DPA drafted to Article 28 will generally cover the contractual controls expected under DPP 2(3) and DPP 4(2), but it still needs Hong Kong-specific terms: Hong Kong governing law, the 40-day timetable for access and correction requests under sections 19 and 23 of Cap. 486, and cross-border transfer terms that reflect the PDPO position rather than GDPR Chapter V. Organisations subject to both regimes should draft to the higher GDPR standard and add those terms. forms-legal.com provides this Data Processing Agreement template for Hong Kong organisations, drafted to the PDPO's DPP 4 expectations and aligned with GDPR Article 28.
When Do You Need a Data Processing Agreement (Hong Kong)?
A Data Processing Agreement in Hong Kong is needed whenever a data user engages a third party to process personal data on its behalf — any outsourcing arrangement where the service provider accesses, stores, analyses, or otherwise handles personal data belonging to the data user's customers, employees, or other data subjects.
Cloud computing and SaaS platform engagements are the most common trigger. When a Hong Kong organisation uploads personal data to a cloud storage service (AWS S3, Microsoft Azure Blob, Google Cloud Storage), a cloud-based CRM (Salesforce, HubSpot), an HR management system (Workday, SAP SuccessFactors), or any other SaaS platform, the cloud provider processes that personal data on the organisation's behalf. A DPA must be in place before the first data upload. The PCPD's guidance on cloud computing specifically addresses the obligations of data users when personal data is stored in cloud infrastructure, including infrastructure located outside Hong Kong.
Payroll and HR outsourcing engagements require a DPA because they involve processing of particularly sensitive employee personal data — HKID numbers, MPF account details, bank account numbers, salary records, tax filing data, and medical information. Payroll processors in Hong Kong frequently handle IRD tax reporting data and MPFA-related contribution records — the sensitivity of this data and its regulatory context make a written DPA with strong security and confidentiality obligations essential.
Marketing, analytics, and advertising technology engagements require a DPA when a marketing agency, analytics provider, or programmatic advertising platform processes customer personal data. DPP3 of Cap. 486 restricts use of personal data to the purpose of collection — a marketing processor must be contractually bound to use customer data only for the specific marketing purposes authorised by the data user, and not for the processor's own commercial use.
Legal, accounting, and professional services engagements where advisers are given access to personal data as part of their work — conducting due diligence, preparing tax returns, auditing financial records — should be governed by a DPA to document the purpose limitation and confidentiality obligations.
Healthcare IT system vendors and diagnostic laboratories that access or process patient health information on behalf of hospitals, clinics, or insurance companies require a DPA addressing the heightened sensitivity of health data under PCPD guidance and the Hospital Authority's data governance requirements.
The DPA should be executed and signed by both parties before any personal data is transferred to or accessed by the processor. Retroactive DPAs — executed after processing has commenced — leave the data user exposed to regulatory risk for the period of uncontrolled processing.
What to Include in Your Data Processing Agreement (Hong Kong)
A Data Processing Agreement for Hong Kong organisations under the Personal Data (Privacy) Ordinance (Cap. 486) should address the following essential elements to satisfy the data user's obligations under DPP 2(3) and DPP 4(2) and the PCPD's guidance on data processor contracts.
Parties and Roles identifies the data user (the organisation that controls personal data and gives instructions to the processor) and the data processor (the third party that processes data on the data user's behalf), together with their Hong Kong company registration numbers (or business registration numbers for unincorporated businesses), registered addresses, and designated data protection contacts. The distinction between data user and data processor should be clearly stated, because under Cap. 486 the statutory obligations rest on the data user: it must adopt contractual or other means to control the processor (DPP 2(3) and DPP 4(2)) and is treated as having done what the processor does as its agent (section 65(2)).
Scope and Purpose of Processing defines precisely what personal data the processor will handle — the categories of personal data (names, HKID numbers, financial records, health data), the categories of data subjects (customers, employees, patients), the purposes of processing (payroll administration, customer analytics, cloud storage), and the duration of processing. Processing outside the defined scope is prohibited without the data user's prior written instruction, consistent with DPP3 of Cap. 486.
Processor Obligations requires the processor to: process personal data only on the documented instructions of the data user; require all personnel with access to personal data to be bound by confidentiality obligations; implement and maintain appropriate technical and organisational security measures consistent with DPP4; assist the data user in complying with data subject access and correction requests under sections 18 and 22 of Cap. 486 within the 40-day statutory period; not engage sub-processors without the data user's prior written consent; and cooperate with PCPD investigations involving the processed data.
Security Requirements specifies the minimum security standards the processor must maintain — encryption of personal data in transit and at rest, role-based access controls, regular vulnerability assessments, staff security training, and physical security for data centres. The standards should reflect the sensitivity of the personal data involved and align with PCPD security guidance under DPP4 and, where applicable, HKMA technology risk management expectations.
Data Breach Notification requires the processor to notify the data user without undue delay — typically within 24 to 48 hours — upon discovering any actual or suspected personal data breach, providing sufficient detail for the data user to assess the breach and decide whether to voluntarily notify the PCPD and affected individuals under the PCPD's data breach guidance. As of 2026, PDPO does not mandate breach notification, but HKMA-regulated data users must report material incidents to the HKMA within specified timeframes.
Sub-Processing Controls specify whether the processor may engage sub-processors, the requirement for the data user's prior written approval, and the obligation to impose equivalent data protection obligations on sub-processors. The data user should maintain a current list of approved sub-processors.
Data Return and Deletion requires the processor to securely delete or return all personal data at the end of the agreement and certify in writing that deletion has been completed. Deletion must be by a method that prevents reconstruction of the data (for electronic records: secure erasure software, degaussing, or physical destruction of media; for paper records: cross-cut shredding).
Audit Rights entitle the data user to audit the processor's compliance with the DPA — by questionnaire, third-party audit report, or on-site inspection — at reasonable intervals and on reasonable notice. The processor must cooperate fully with audits and provide access to relevant records and systems.
Governing Law and Liability specifies Hong Kong law as the governing law, the data user's right to terminate the DPA and the underlying service agreement for material processor breach of the DPA, and the allocation of liability between the parties for PDPO enforcement costs and third-party claims arising from processor non-compliance. The forms-legal.com Data Processing Agreement (Hong Kong) template covers the mandatory elements under Personal Data (Privacy) Ordinance (Cap. 486).
Frequently Asked Questions
Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486) does not use the term 'Data Processing Agreement', but it imposes obligations on organisations that engage third parties to process personal data on their behalf. Under DPP 4(1), a data user must take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. Where a data user engages a processor, DPP 4(2) requires it to adopt contractual or other means to prevent such access, processing, erasure, loss or use of the data transferred to the processor, and DPP 2(3) requires the same for retention beyond what is necessary. In practice only a written agreement satisfies these requirements.
The Office of the Privacy Commissioner for Personal Data (PCPD) has consistently recommended in its published Guidance on Data Processors that organisations enter into written agreements specifying the purposes for which data may be processed and the security measures required. The guidance is not itself binding, but the PCPD refers to it when assessing whether a data user has taken all practicable steps under DPP 4.
While Hong Kong's PDPO does not have the prescriptive mandatory DPA requirement found in the EU GDPR (Article 28), the absence of a written agreement significantly increases the data user's regulatory risk. If a processor misuses personal data without a written agreement limiting its use, the data user may be held responsible: an act done by an agent with the data user's authority is treated as the data user's own act under section 65(2) of Cap. 486, and the PCPD may issue an enforcement notice under section 50.
Data Processing Agreements should be reviewed regularly, at least annually, and updated whenever there are material changes to the data processing arrangements or to the applicable law under Cap. 486.
The Personal Data (Privacy) Ordinance (Cap. 486) Schedule 1 sets out six Data Protection Principles (DPPs) that govern the collection, holding, processing, use, and transfer of personal data in Hong Kong. These principles apply to all data users — organisations that control the collection, holding, processing, or use of personal data.
DPP 1 (Purpose and Manner of Collection): Personal data must be collected for a lawful purpose directly related to a function or activity of the data user. The collection must be necessary for, or directly related to, that purpose. Data subjects must be informed of the purpose of collection and the classes of persons to whom the data may be transferred.
DPP 2 (Accuracy and Retention): Data users must take all practicable steps to keep personal data accurate, and must not retain it longer than is necessary for the purpose for which it was collected. Where a data processor is engaged, DPP 2(3) requires the data user to adopt contractual or other means to prevent the processor keeping the data longer than necessary.
DPP 3 (Use of Personal Data): Personal data must not be used for any purpose other than the purpose for which it was collected, or a directly related purpose, without the data subject's voluntary and express consent.
DPP 4 (Security): Data users must take all practicable steps so that personal data is protected against unauthorised or accidental access, processing, erasure, loss, or use. Where a data processor is engaged, DPP 4(2) requires the data user to adopt contractual or other means to prevent such access, processing, erasure, loss or use of the data transferred to the processor.
DPP 5 (Openness/Transparency): Data users must take all practicable steps to make available their policies and practices with respect to personal data.
DPP 6 (Access and Correction): Data subjects have the right to request access to and correction of their personal data held by a data user.
A Data Processing Agreement for Hong Kong must address the following key elements to achieve PDPO compliance under Cap. 486.
Scope and purpose of processing must be clearly defined — specifying what categories of personal data will be processed, for what purposes, and for what duration. The DPA should prohibit the processor from processing personal data outside the agreed scope, consistent with DPP 3 of Schedule 1 to Cap. 486.
Security obligations should require the processor to implement and maintain appropriate technical and organisational measures consistent with DPP 4. The PCPD's guidance on data security recommends encryption, access controls, regular security audits, and staff training.
Data breach notification procedures are important even though Hong Kong has no mandatory breach notification requirement under the PDPO as of 2026. The DPA should require the processor to notify the data user promptly upon discovering any actual or suspected data breach.
Sub-processing restrictions should address whether the processor may engage sub-processors. The data user's written consent should be required, and sub-processors must be bound by equivalent data protection obligations.
Data return and deletion obligations should specify what happens to personal data at contract end — the processor should return or securely delete data and provide written confirmation. Section 26 of Cap. 486 governs the data user's obligations on this point.
Audit rights should allow the data user to audit the processor's compliance with the DPA and PDPO obligations under Cap. 486.
Hong Kong's PDPO (Cap. 486) and the EU General Data Protection Regulation (GDPR) share the objective of protecting individuals' personal data but differ significantly in approach, scope, and enforcement.
The PDPO is principles-based and technology-neutral, enacted in 1995 and effective 1996. The six DPPs provide a flexible framework but are less prescriptive than the GDPR's detailed requirements. The PDPO does not impose mandatory data breach notification (unlike GDPR's 72-hour rule under Article 33) and does not require a legal basis for processing beyond the DPP 1 lawful purpose requirement.
The GDPR under Article 28 requires mandatory written data processing agreements specifying the processor's obligations in detail. The PDPO has no equivalent mandatory written DPA requirement under Cap. 486, though the PCPD strongly recommends one. Section 50 of Cap. 486 empowers the PCPD to issue enforcement notices for DPP contraventions.
Enforcement: the PCPD may investigate complaints, issue enforcement notices, and refer cases for prosecution. The PDPO gives the PCPD no power to impose administrative fines; contravening an enforcement notice is a criminal offence under section 50A, punishable on first conviction by a fine at level 5 and imprisonment for up to two years, penalties far below the GDPR's administrative fines of up to 4% of global annual turnover or €20 million, whichever is higher. Proposed PDPO amendments to introduce administrative fines and mandatory breach notification remain on hold as of 2026.
Organisations subject to both PDPO and GDPR should draft DPAs to the higher GDPR standard, since a GDPR-compliant DPA will typically exceed PDPO expectations. Transfers between Hong Kong and the EU must satisfy both regimes: on the Hong Kong side, section 33 of Cap. 486 (the cross-border transfer restriction) has been enacted but is not yet in operation, so the PCPD's cross-border transfer guidance and recommended model contractual clauses apply as good practice; on the EU side, personal data leaving the EU must rely on a GDPR Chapter V transfer mechanism such as standard contractual clauses, because Hong Kong has no EU adequacy decision.
When a data processor in Hong Kong suffers a security breach involving personal data it holds on behalf of a data user, the consequences and obligations flow through both the contractual DPA and the regulatory framework under the Personal Data (Privacy) Ordinance (Cap. 486).
Contractual notification: A well-drafted DPA requires the processor to notify the data user within 24 to 48 hours of discovering an actual or suspected breach. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate volume of personal data records affected, the likely consequences of the breach, and the measures taken or proposed to address it.
Regulatory exposure: Although Cap. 486 imposes no mandatory breach notification requirement as of 2026, the PCPD may investigate breaches reported voluntarily or through complaints. The investigation is directed at the data user, not the processor: a processor acting solely on the data user's behalf is not a data user (section 2(12)), and acts done by the processor as the data user's agent are treated as the data user's own acts under section 65(2). Under Section 50 of Cap. 486, the PCPD can issue an enforcement notice against the data user for DPP 4 non-compliance if the processor breach resulted from inadequate contractual or other controls under DPP 4(2). Direct enforcement against processors was proposed in the 2020 review of the Ordinance but has not been enacted.
HKMA-regulated entities: Data users subject to Hong Kong Monetary Authority (HKMA) supervision under the Banking Ordinance (Cap. 155) must additionally report significant cybersecurity incidents to the HKMA within the timeframes set out in its incident reporting requirements, and are expected to manage third-party technology risk in line with the Supervisory Policy Manual, including module TM-G-1 on technology risk management.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Privacy Policy (Hong Kong)
A Privacy Policy Statement for Hong Kong organisations compliant with the Personal Data (Privacy) Ordinance (Cap. 486). Addresses the six Data Protection Principles, data subject rights, direct marketing consent, cookies, and data breach handling as recommended by the PCPD.
Data Protection Policy (Hong Kong)
A Data Protection Policy for Hong Kong organisations ensuring compliance with the Personal Data (Privacy) Ordinance (Cap. 486) and its six Data Protection Principles. Establishes rules for collecting, holding, processing, and using personal data, and addresses data subject rights under the PDPO.
Service Agreement (Hong Kong)
A general service agreement governing the provision of services between a service provider and client under Hong Kong law, including the Supply of Services (Implied Terms) Ordinance (Cap. 457) and the Personal Data (Privacy) Ordinance (Cap. 486). Suitable for professional, technology, creative, and commercial service engagements. No GST or VAT applies in Hong Kong. HKIAC arbitration clause included.
Non-Disclosure Agreement (Hong Kong)
A confidentiality agreement binding parties to protect proprietary information under Hong Kong common law of confidence and the Personal Data (Privacy) Ordinance (Cap. 486). Suitable for employment, business partnerships, technology licensing, and M&A due diligence contexts in Hong Kong.
Terms of Service (Hong Kong)
A comprehensive Terms of Service agreement for Hong Kong businesses, covering user obligations, liability limitations, intellectual property, and PDPO compliance.