use contractual or other means to ensure that the personal data that was transferred to
the data processors was not kept longer than is necessary and to take reasonably
practical steps for the security of the data. For details on how these new obligations are
to be observed by the data user, readers may refer to Chapters 6 (on DPP2) and 8 (on
DPP4).
Section 4
4.33
If a person falls within the definition of “data user”, section 4 of the Ordinance applies to
govern his act and conduct:
4. A data user shall not do an act, or engage in a practice, that contravenes a data
protection principle unless the act or practice, as the case may be, is required or
permitted under this Ordinance.
4.34
The six data protection principles set out in Schedule 1 of the Ordinance are of vital
importance to guide the act or practice in handling personal data. For this reason, they
are the topics for discussion in the subsequent Chapters.[7] Section 64A(1), which makes
contravention of a requirement under the Ordinance an offence, specifically excludes
data protection principles. Although non-compliance with any of the data protection
principles does not per se attract criminal sanction, when coupled with other provisions
in the Ordinance that are relevant to the application of the data protection principles,
the wrongful act or practice may constitute an offence under the Ordinance. For
instance, section 19 of the Ordinance obliges the data user to comply with a data
access request and it is a statutory requirement in relation to compliance with DPP6.
Similarly, section 26 provides for the erasure of personal data no longer required and it is
also a statutory requirement applicable to compliance with DPP2(2). In addition, where
contravention of a data protection principle is found after an investigation, the
Commissioner may issue an enforcement notice to the data user directing them to take
steps to remedy and, if appropriate, prevent any recurrence of the contravention.[8]
Failure to comply with the enforcement notice is an offence.[9] Moreover, under the
Amendment Ordinance, a data user may be considered as committing an offence if,
having complied with an enforcement notice, he intentionally does the same act or
makes the same omission in contravention of the requirement under the Ordinance.[10]
4.35
Certain acts which would otherwise be a contravention of the data protection principles
are permitted under Part 8 of the Ordinance (“the exemption provisions”). The
application of these exemption provisions is discussed in detail in Chapter 12.
[7] A checklist for data users in ensuring compliance with the requirements under the Ordinance is found in Appendix V of
this Book. The remedies that a data subject may resort to if his personal data privacy right is infringed are summarized in
Appendix VI.
[8] See section 50(1).
[9] See section 50A(1)(a). A data user is liable, on first conviction, to a fine at level five and to imprisonment for two years;
and if the offence continues after the conviction, to a daily penalty of $1,000. Under section 50A(1)(b), a data user is
liable on a second and subsequent conviction to a fine at level six and to imprisonment for two years; and if the offence
continues after the conviction, to a daily penalty of $2,000.
[10] See section 50A(3). A person is liable on conviction, to a fine at level five and to imprisonment for two years; and if the
offence continues after the conviction, to a daily penalty of $1,000.