![Show Menu](styles/mobile-menu.png)
![Page Background](./../common/page-substrates/page0003.png)
3
Exercising Your Data Access Rights under the Personal Data (Privacy) Ordinance (Frequently Asked Questions and Answers) / June 2016
Q7 Must my data access request be complied with by the data user?
Generally speaking, the data user shall comply with your data access request, otherwise it may commit an
offence under the Ordinance and is liable on conviction to a fine at level three (currently at HK$10,000). However,
there are circumstances specified in the Ordinance under which the data user
shall
refuse to comply with a data
access request. These are:
(a) in the case where the data user is not supplied with sufficient information to identify you;
(b) if the personal data sought under the data access request comprises personal data of another individual and
the data user cannot comply with the request without disclosing the personal data of that other individual.
On the other hand, if the data user is satisfied that the other individual has consented to the disclosure;
or it can comply with the request without disclosing the identity of that other individual, for example by
omitting the names or other identifying particulars, it should comply with the request; or
(c) in any other case, if compliance with the request is for the time being prohibited under the Ordinance or
any other ordinance.
There are also circumstances under which the data user
may
refuse to comply with a data access request. These
are:
(a) the request is not made in writing in Chinese or English;
(b) the data user is not provided with sufficient information to locate the data requested;
(c) the request follows two or more similar requests, and it is unreasonable for the data user to comply with the
request in the circumstances;
(d) another party controls the use of the data requested in a way that prohibits the data user receiving the
request from complying with it;
(e) the request is not made in the DAR Form specified by the Commissioner;
(f) the data user is entitled under the Ordinance or any other ordinance not to comply with the request;
(g) there is an applicable exemption from the requirement to comply with a data access request provided for
in the Ordinance, e.g. if the personal data is held for the purpose of detection of crime and compliance with
the request would likely prejudice that purpose; or
(h) the data user has not yet received the fee charged for complying with the data access request.
Q8 How long will it take for my data access request to be processed by the data user?
In general, the data user is required to comply with your data access request not later than 40 days after
receiving it. If the data user has valid grounds to refuse to comply with your request, it should also reply to you
with reasons within 40 days. If the data user is unable to comply with the request within 40 days of its receipt due
to certain reasons, it should also inform you of the situation within the same 40-day period and comply with the
request as soon as practicable thereafter.
Q9 I do not know whether the data user holds the data requested by me. Does the data user
have to reply to me after receiving my data access request?
Choices are provided in Part VI of the DAR Form for you to request the data user:
(i) to inform you if it holds the data requested;
(ii) to supply you with a copy of the data requested; or
(iii) to comply with both (i) and (ii).
You just need to tick your choice and the data user will reply to you accordingly. If the data user does not hold
any personal data which is the subject of the request, it must inform you in writing that it does not hold the data.