
Privacy Complaint Letter (Hong Kong)


COMPLAINT TO THE PRIVACY COMMISSIONER FOR PERSONAL DATA

Personal Data (Privacy) Ordinance (Cap. 486), Hong Kong SAR

Date: [Complaint Date]

To: Privacy Commissioner for Personal Data, 12/F, 248 Queen's Road East, Wan Chai, Hong Kong

COMPLAINANT

Name: [Complainant Name]

HKID / BR: [HKID / BR Number]

Address: [Complainant Address]

Phone: [Phone]

Email: [Email]

DATA USER (RESPONDENT)

Name: [Data User Name]

Address: [Data User Address]

COMPLAINT

Date(s) of incident(s): [Incident Dates]

Description of alleged breach:

[Complaint Description]

Previous resolution attempts:

[Previous Attempts]

Evidence / supporting documents enclosed:

[Evidence]

Remedy sought:

[Remedy Sought]

DECLARATION

I declare that the information provided in this complaint is true and correct to the best of my knowledge. I consent to the Privacy Commissioner using the personal data provided in this complaint form for the purpose of investigating this complaint in accordance with the Personal Data (Privacy) Ordinance (Cap. 486).

Complainant

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Privacy Complaint Letter (Hong Kong)?

A Privacy Complaint Letter in Hong Kong is a formal written complaint submitted to the Privacy Commissioner for Personal Data (PCPD) — an independent statutory office established under the Personal Data (Privacy) Ordinance (Cap. 486) — reporting a breach of data protection law by a data user and requesting official investigation, enforcement action, and where applicable, criminal prosecution.

The Personal Data (Privacy) Ordinance (Cap. 486) is Hong Kong’s primary data protection legislation, first enacted in 1996 and most recently amended by the Personal Data (Privacy) (Amendment) Ordinance 2021, which significantly strengthened the regime by introducing criminal doxxing offences, expanding the PCPD’s enforcement powers, and requiring data processors to implement specified security measures. Cap. 486 establishes six Data Protection Principles (DPPs) in Schedule 1 governing how personal data must be collected, held, processed, and used by all organisations and individuals operating as data users in Hong Kong. The PCPD is empowered under Section 37 and Part VIA of Cap. 486 to receive complaints from data subjects, conduct investigations on complaint or own motion, issue enforcement notices requiring remedial action under Section 50, and initiate criminal prosecution, including for the new doxxing offences under Section 64(3A) and for non-compliance with enforcement notices.

The PCPD’s jurisdiction covers both public and private sector data users operating in Hong Kong, including corporations registered under the Companies Ordinance (Cap. 622), government departments and public bodies, hospitals and clinics (both public Hospital Authority facilities and private hospitals under Cap. 165), banks regulated by the HKMA under Cap. 155, insurance companies under the Insurance Ordinance (Cap. 41), employers collecting employee personal data, educational institutions, and individuals. The PCPD also exercises jurisdiction over data users outside Hong Kong who collect personal data from persons physically present in Hong Kong — giving Cap. 486 significant extraterritorial reach relevant to overseas technology companies, e-commerce platforms, social media operators, and app developers.

Complaints to the PCPD may concern a wide range of data protection breaches across all six DPPs: unauthorised or excessive collection of personal data (DPP1); improper retention of personal data beyond the necessary period (DPP2); use of personal data for an unauthorised purpose without consent (DPP3); data security failures resulting in a breach exposing personal information (DPP4); lack of transparency about data practices (DPP5); and failure to comply with a data access or correction request within the prescribed 40-day period (DPP6). Doxxing complaints under Section 64 of Cap. 486 have become increasingly prevalent since the 2021 amendments.

The PCPD’s office is located at 12/F, Office Tower Convention Plaza, 1 Harbour Road, Wan Chai, Hong Kong. The complaint enquiry hotline is 2827 2827. Filing a complaint is free of charge and does not require legal representation. The PCPD offers both English and Chinese language services. Forms-legal.com provides a Privacy Complaint Letter template for Hong Kong designed to include all elements required for the PCPD’s initial complaint screening and acceptance process.

When Do You Need a Privacy Complaint Letter (Hong Kong)?

A Privacy Complaint Letter in Hong Kong addressed to the Privacy Commissioner for Personal Data (PCPD) is needed whenever a person believes that an organisation or individual has breached the Personal Data (Privacy) Ordinance (Cap. 486) in handling their personal data, and informal approaches to the data user have not produced an adequate remedy.

Data breach complaints are among the most common and urgent categories received by the PCPD. Where an organisation — a bank regulated by the HKMA under the Banking Ordinance (Cap. 155), a retailer, employer, medical clinic, online platform, social media operator, or government department — suffers a data breach exposing the complainant’s personal information (full name, HKID number, financial account data, medical records, or contact details), a formal complaint to the PCPD under Data Protection Principle 4 (DPP4) in Schedule 1 to Cap. 486 is appropriate. The PCPD may investigate the organisation’s security measures, issue an enforcement notice under Section 50 of Cap. 486 requiring corrective action within a specified period, and refer serious cases for criminal prosecution.

Doxxing complaints require urgent action and should be filed with the PCPD immediately. Where a person’s personal information — home address, workplace, daily routine, photographs, or family details — has been maliciously published online on social media platforms, LIHKG, Telegram groups, or other discussion forums without consent and with intent to intimidate, harass, or cause psychological harm, a Privacy Complaint Letter to the PCPD triggers the doxxing investigation mechanism and the PCPD’s power to issue a cessation notice under Section 66M of Cap. 486, requiring the platform or individual to remove the doxxing content. A simultaneous report to the Hong Kong Police Force under the Crimes Ordinance (Cap. 200) should also be made where threats accompany the doxxing.

Direct marketing complaints are needed where an organisation sends unsolicited marketing communications — including emails, SMS messages, telephone calls, or direct mail — without having obtained the required explicit opt-in consent under Section 35C of Cap. 486, or where an organisation has failed to honour a valid opt-out request within 10 business days under Section 35G of Cap. 486. The PCPD actively enforces the direct marketing provisions of Cap. 486.

Data access request (DAR) complaints arise where an organisation has failed to respond to a valid written Data Access Request within the 40-day statutory deadline under DPP6 and Sections 18 to 22 of Cap. 486, has provided incomplete records, or has refused access without a valid statutory exemption.

Complaints about improper use of personal data arise under DPP3 where an organisation uses data for a purpose different from the purpose for which it was collected — for example, sharing customer data with a third party for marketing without consent, or providing employee data to a debt collector without authority.

All complaints must be submitted to the PCPD within 2 years of the date on which the alleged breach occurred, under Section 37 of Cap. 486.

What to Include in Your Privacy Complaint Letter (Hong Kong)

A Privacy Complaint Letter in Hong Kong addressed to the Privacy Commissioner for Personal Data (PCPD) under the Personal Data (Privacy) Ordinance (Cap. 486) should include the following key elements so that the PCPD can assess jurisdiction, screen the complaint for admissibility, and conduct a thorough investigation.

Complainant’s identity: Full legal name, Hong Kong identity card number or passport number, current contact address, daytime and evening telephone numbers, and email address. The PCPD requires the complainant’s identity to investigate a complaint and will serve investigation notices and communicate findings to the named complainant. Anonymous complaints are given limited investigation weight. The PCPD treats complainant information with discretion and will not disclose the complainant’s identity to the respondent data user without consent where this can be avoided.

Data user complained against: The full legal name and registered or principal address of the organisation or individual data user complained against. For corporate data users registered under the Companies Ordinance (Cap. 622), the Companies Registry registration number assists identification. For foreign organisations, the registered address in their home jurisdiction or their principal place of business in Hong Kong. For government departments and Hospital Authority facilities, the official department name. The PCPD has jurisdiction over data users established in Hong Kong and those outside Hong Kong who collect personal data from persons in Hong Kong.

Personal data involved: Precise identification of the specific personal data that is the subject of the complaint — what data was collected, disclosed, used, retained, or denied access to improperly. The complaint should specify whether the data concerned includes sensitive categories such as health and medical records, financial account data, HKID numbers, biometric data (photographs, fingerprints, facial recognition data), or location data, as these categories attract heightened protection under Cap. 486 and PCPD guidance.

Data Protection Principle(s) alleged to be breached: Identification of the applicable DPP(s) under Schedule 1 to Cap. 486 — DPP1 (excessive or unlawful collection), DPP2 (improper retention beyond necessary period), DPP3 (use for unauthorised purpose), DPP4 (inadequate data security measures), DPP5 (failure to provide privacy policy), or DPP6 (failure to comply with data access or correction request). For doxxing complaints, the relevant provisions are Section 64(3A) and Part VIA of Cap. 486 (inserted by the 2021 Amendment Ordinance).

Chronological account of events: A factual, date-specific account — when the personal data was collected from the complainant, the specific event constituting the breach (data breach, doxxing publication, direct marketing without consent, refusal of access request), when the complainant discovered the breach, and what steps were taken to bring it to the data user’s attention before filing with the PCPD.

Previous correspondence with the data user: Copies of all written communications with the respondent data user — the complainant’s initial complaint or request letter, any acknowledgement received, and the data user’s substantive response or non-response within the relevant period. The PCPD expects evidence that the data user was given an opportunity to address the matter before formal complaint.

Supporting evidence: Screenshots (with visible URL and date/time) of doxxing content published online; emails, SMS messages, or instant messaging records demonstrating unlawful direct marketing or data sharing; the data breach notification letter received (if any); a log of data access request correspondence including proof of submission and date; and any other documents evidencing the alleged breach.

Relief sought: Whether the complainant seeks PCPD investigation and enforcement under Section 37 of Cap. 486, issuance of a cessation notice for doxxing content under Section 66M, issuance of an enforcement notice under Section 50 requiring the data user to remedy the breach, referral for criminal prosecution (particularly for doxxing under Section 64(3A) or non-compliance with an enforcement notice), or compliance with a data access request under DPP6.

Forms-legal.com provides the complete Privacy Complaint Letter template for Hong Kong PCPD submissions under Cap. 486.

How to Fill Out Your Privacy Complaint Letter (Hong Kong)

A Privacy Complaint Letter in Hong Kong is submitted to the Office of the Privacy Commissioner for Personal Data (PCPD) under the Personal Data (Privacy) Ordinance (Cap. 486). Follow these steps to complete and file the complaint correctly.

1. Approach the data user first. Before filing with the PCPD, send a written complaint or data access request to the organisation or individual that breached Cap. 486 and allow at least 30 days for a response. Retain copies of your letter, any acknowledgement, and the data user's substantive reply or non-reply. The PCPD expects evidence that the data user had an opportunity to remedy the matter.

2. Check the two-year time limit. Under Section 37 of Cap. 486, complaints must be submitted to the PCPD within two years of the breach. Identify the precise date on which the breach occurred — for example, the date a data breach notification was received, the date doxxing content first appeared online, or the date a data access request deadline passed without response. Act promptly if the two-year window is approaching.

3. Complete the complainant identification section. Enter your full legal name, Hong Kong identity card or passport number, current address, daytime telephone number, and email address. Anonymous complaints receive limited investigation weight under Cap. 486.

4. Identify the data user complained against. State the full legal name and address of the organisation or individual. For companies registered under the Companies Ordinance (Cap. 622), include the company registration number. For government departments, state the official department name. For overseas organisations, provide their principal place of business in Hong Kong or their registered address abroad.

5. Specify the personal data involved. Describe precisely what personal data was affected — for example, full name and HKID number disclosed in a doxxing post, financial account data exposed in a data breach, or health records shared without consent. Sensitive categories such as biometric data, medical records, and financial information attract heightened attention from the PCPD.

6. Identify the Data Protection Principle(s) breached. State which of the six DPPs in Schedule 1 to Cap. 486 was violated: DPP1 (excessive collection), DPP2 (improper retention), DPP3 (unauthorised use), DPP4 (inadequate security), DPP5 (failure to maintain an accessible privacy policy), or DPP6 (failure to comply with a data access request within 40 days). For doxxing, cite Section 64(3A) of Cap. 486 as inserted by the 2021 Amendment Ordinance.

7. Write a chronological account. Set out, in date order, when and how the data was collected from you, when the breach occurred, when you discovered it, and the steps taken to contact the data user before filing. Precision about dates is essential for the PCPD's jurisdiction assessment under Section 37.

8. Attach supporting evidence. For doxxing complaints, include screenshots of the offending content showing the URL, platform, and date/time of posting. For data breach complaints, attach the breach notification letter. For DPP6 complaints, attach copies of the data access request letter and proof of submission. For direct marketing complaints, retain the unsolicited communications received.

9. State the relief sought. Specify whether you seek a PCPD investigation, issuance of an enforcement notice under Section 50 of Cap. 486, a doxxing cessation notice under Section 66M requiring platform removal of content, referral for criminal prosecution under Section 64(3A), or compliance with a data access request.

10. File with the PCPD. Submit the signed complaint in writing to the Office of the Privacy Commissioner for Personal Data, 12/F, Office Tower Convention Plaza, 1 Harbour Road, Wan Chai, in person, by post, or through the PCPD's online complaint portal. Call the complaint hotline 2827 2827 for guidance. Filing is free.

11. Retain all records. Keep a copy of the complete complaint, all attachments, and the PCPD's acknowledgement with the case reference number for use in any subsequent enforcement proceedings or civil claim.


Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Privacy Complaint Letter (Hong Kong) (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/government/court-forms/privacy-complaint-hong-kong

MLA

"Privacy Complaint Letter (Hong Kong) (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/government/court-forms/privacy-complaint-hong-kong.

BibTeX
@misc{formslegal-privacy-complaint-hong-kong,
  author       = {{Forms Legal}},
  title        = {Privacy Complaint Letter (Hong Kong) (Hong Kong)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/hong-kong/government/court-forms/privacy-complaint-hong-kong}},
  note         = {Free legal document template. Based on Personal Data (Privacy) Ordinance (Cap. 486)}
}


Based on Personal Data (Privacy) Ordinance (Cap. 486). Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
