Right to Be Forgotten Request (Hong Kong)

A Right to Be Forgotten Request in Hong Kong records the formal step a party takes to assert, decline, or protect a legal interest.

Under Cap. 486, Data Protection Principle 3 restricts data users — organisations that control the collection, holding, processing, or use of personal data — to using personal data only for the purpose for which it was originally collected or a directly related purpose. Where data is no longer needed for the original collection purpose, continued retention constitutes a breach of DPP 3 and an erasure request has strong legal foundation under the Ordinance. Section 22 of Cap. 486 gives every data subject the express statutory right to request correction of inaccurate personal data, and the data user must comply within 40 days of receiving a correction request or provide written reasons for refusal.

The PCPD — established under Part VI of Cap. 486 and headed by the Privacy Commissioner for Personal Data — has issued detailed guidance encouraging organisations to respect erasure requests where data is no longer required for the original purpose and no overriding legal obligation requires its retention. In its guidance on recommended model data retention periods, the PCPD states that data should not be kept longer than necessary for the purpose for which it was collected. Persistent retention of data well beyond its operational purpose can constitute breaches of Data Protection Principle 2 (accuracy and retention) and DPP 3 (use limitation), exposing the organisation to enforcement action.

The 2021 amendments to Cap. 486 — implemented through the Personal Data (Privacy) (Amendment) Ordinance 2021 — significantly strengthened the PCPD's enforcement powers, including new provisions on doxxing offences under Section 26A and increased penalties for data breaches. These amendments have raised public awareness of data rights and encouraged individuals to assert their rights under the Ordinance more actively, including through formal erasure requests.

Common situations where a Right to Be Forgotten Request is used in Hong Kong include: requesting removal of outdated adverse information from credit reference databases operated by licensed credit reference agencies such as TransUnion or Equifax under the PCPD's Code of Practice on Consumer Credit Data; requesting deletion of personal data from company websites, alumni directories, professional networking platforms, and social media accounts operating in Hong Kong; requesting correction or erasure of inaccurate medical or financial records held by hospitals, clinics, or financial institutions; requesting removal of personal data held by former employers after termination of employment where the retention period has expired; and requesting removal of personal data from direct marketing lists after exercising the opt-out right under Section 35C of Cap. 486.

A well-drafted Right to Be Forgotten Request creates a formal record of the demand, cites the specific legal basis under Cap. 486, specifies the data to be erased or corrected, and sets a deadline for response — creating the documentary evidence needed to file a PCPD complaint under Section 37 of Cap. 486 if the organisation fails to respond appropriately. Generate this document free at forms-legal.com.

A Right to Be Forgotten Request (Hong Kong) is needed when an individual wishes to formally demand that an organisation delete, erase, correct, or cease processing their personal data. Several circumstances call for this document under the Personal Data (Privacy) Ordinance (Cap. 486).

When an organisation holds personal data that was collected for a specific purpose that has since concluded — for example, a former employer retaining employee health records, performance appraisals, or disciplinary records after termination of employment; a lender retaining detailed financial and credit data after a loan has been fully repaid; or a school retaining a former student's personal records long after graduation — the individual can invoke Data Protection Principle 3 under Cap. 486 to demand erasure. The written request creates a formal record and triggers the 40-day response obligation under Section 22.

When personal data appearing online causes reputational harm — for example, outdated court records on legal information websites, news articles naming an individual in connection with resolved civil or criminal proceedings, inaccurate business directory listings that persist after a company dissolution, or old social media content that the individual no longer wishes to be associated with — an erasure request directed to the website operator or search engine can invoke DPP 2 (accuracy and retention) and DPP 3 (purpose limitation) grounds. The PCPD has power to engage with overseas regulators under international cooperation frameworks for globally operated platforms, including major search engines and social media companies.

When a direct marketing organisation holds an individual's personal data after the individual has exercised their opt-out right under Section 35C of Cap. 486, the organisation must cease use of that data for direct marketing. A formal written erasure request reinforces the opt-out demand and creates documentary evidence for a PCPD complaint under Section 37 of Cap. 486 if the organisation persists in sending marketing communications.

When personal data has been collected without a lawful basis — for example, where the organisation failed to provide proper data collection notification under Data Protection Principle 1, collected data far beyond what was necessary for the stated purpose in breach of DPP 1(b), or used data for a purpose entirely unrelated to the original collection purpose in breach of DPP 3 — the individual can demand erasure on the grounds that the original collection and continuing retention are unlawful.

When sensitive personal data such as medical records, financial information, or criminal history is being retained by organisations that no longer have a legitimate need for it — including healthcare providers after a patient relationship ends, financial advisers after a client relationship terminates, or credit reference agencies holding stale adverse information — an erasure or correction request under Sections 22 and 26 of Cap. 486 can compel the organisation to update or delete the records. The PCPD's recommended model data retention periods provide a benchmark for when retention becomes unjustifiable.

A Right to Be Forgotten Request for use in Hong Kong should include the following elements to comply with the Personal Data (Privacy) Ordinance (Cap. 486) and maximise the prospect of a successful outcome without needing to escalate to a formal PCPD complaint.

Data subject identification: Full legal name, HKID number (or passport number for non-residents and overseas nationals), current residential address, email address, and any account numbers, customer reference numbers, employee numbers, or other identifiers that the organisation uses in its systems to locate the data subject's records. Accurate and complete identification is essential — the organisation must be able to locate and verify the relevant data before it can comply with or refuse the request. Insufficient identification is a common ground for organisations to delay or refuse compliance.

Identification of data held: A specific and detailed description of the personal data the data subject wants erased, corrected, or de-identified. Vague or general requests — such as 'please delete all my data' — are more likely to be refused or only partially complied with. Where possible, identify the specific database, platform, system, file, or record that contains the data — for example, a licensed credit reference database operated under the Code of Practice on Consumer Credit Data issued by the PCPD, an HR file, a CCTV archive, a website page, a social media post, or a direct marketing database.

Legal basis for the request: Express reference to the specific legal basis under Cap. 486. Data Protection Principle 3 (purpose limitation) — data should not be used for purposes beyond the original collection purpose — applies where the organisation no longer has a legitimate basis to retain or use the data. Data Protection Principle 2 (data accuracy and retention) applies where the data is inaccurate, out of date, or retained beyond the necessary period. Section 22 of Cap. 486 provides the explicit statutory right to request correction of inaccurate data. Section 35C provides the right to opt out of direct marketing use. Citing the specific legal basis demonstrates the data subject's knowledge of their rights and strengthens the legal foundation of the request.

Factual grounds for the request: A clear factual explanation of why the data should be erased or corrected — for example, the employment relationship has ended and the employer has no continuing legal obligation to retain the data; the loan or credit facility has been repaid in full; the court proceedings concluded without conviction; the marketing opt-out has been properly exercised under Section 35C; the data was collected without proper purpose notification under DPP 1; or the retention period recommended by the PCPD for this category of data has expired.

Requested action and scope: A precise specification of what the data subject is requesting — complete erasure (permanent deletion from all systems and backups), de-identification (anonymisation removing all identifying elements), correction of specific inaccurate fields under Section 22 of Cap. 486, or cessation of use for a specific purpose such as direct marketing under Section 35C while retaining the data for other lawful purposes. Requesting both correction and erasure in the alternative gives the organisation more options to achieve a compliant outcome.

Deadline for response and escalation notice: Under Section 22 of Cap. 486, a data user must comply with a correction request within 40 days. For erasure requests, request written confirmation of the action taken within 30 days. State that if no satisfactory response is received within the specified period, the data subject will file a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) under Section 37 of Cap. 486. The threat of PCPD complaint is a significant incentive for organisations to comply promptly. Generate this Right to Be Forgotten Request document free at forms-legal.com in PDF or Word format.