3

Exercising Your Data Access Rights under the Personal Data (Privacy) Ordinance (Frequently Asked Questions and Answers) / June 2016

Q7 Must my data access request be complied with by the data user?

Generally speaking, the data user shall comply with your data access request, otherwise it may commit an

offence under the Ordinance and is liable on conviction to a fine at level three (currently at HK$10,000). However,

there are circumstances specified in the Ordinance under which the data user

shall

refuse to comply with a data

access request. These are:

(a) in the case where the data user is not supplied with sufficient information to identify you;

(b) if the personal data sought under the data access request comprises personal data of another individual and

the data user cannot comply with the request without disclosing the personal data of that other individual.

On the other hand, if the data user is satisfied that the other individual has consented to the disclosure;

or it can comply with the request without disclosing the identity of that other individual, for example by

omitting the names or other identifying particulars, it should comply with the request; or

(c) in any other case, if compliance with the request is for the time being prohibited under the Ordinance or

any other ordinance.

There are also circumstances under which the data user

may

refuse to comply with a data access request. These

are:

(a) the request is not made in writing in Chinese or English;

(b) the data user is not provided with sufficient information to locate the data requested;

(c) the request follows two or more similar requests, and it is unreasonable for the data user to comply with the

request in the circumstances;

(d) another party controls the use of the data requested in a way that prohibits the data user receiving the

request from complying with it;

(e) the request is not made in the DAR Form specified by the Commissioner;

(f) the data user is entitled under the Ordinance or any other ordinance not to comply with the request;

(g) there is an applicable exemption from the requirement to comply with a data access request provided for

in the Ordinance, e.g. if the personal data is held for the purpose of detection of crime and compliance with

the request would likely prejudice that purpose; or

(h) the data user has not yet received the fee charged for complying with the data access request.

Q8 How long will it take for my data access request to be processed by the data user?

In general, the data user is required to comply with your data access request not later than 40 days after

receiving it. If the data user has valid grounds to refuse to comply with your request, it should also reply to you

with reasons within 40 days. If the data user is unable to comply with the request within 40 days of its receipt due

to certain reasons, it should also inform you of the situation within the same 40-day period and comply with the

request as soon as practicable thereafter.

Q9 I do not know whether the data user holds the data requested by me. Does the data user

have to reply to me after receiving my data access request?

Choices are provided in Part VI of the DAR Form for you to request the data user:

(i) to inform you if it holds the data requested;

(ii) to supply you with a copy of the data requested; or

(iii) to comply with both (i) and (ii).

You just need to tick your choice and the data user will reply to you accordingly. If the data user does not hold

any personal data which is the subject of the request, it must inform you in writing that it does not hold the data.