Skip to content

PCPD e-Newsletter

Facebook Youtube

A conversation with Mr Bernard Tan from SAP on securing personal data privacy at personal and organisational levels

In the digital age, advancement and development of new digital technologies not only revolutionise our daily lives but also raise concerns about data privacy and cybersecurity. Both individuals and organisations are faced with ever-increasing challenges in data protection. 

In this third episode of this special interview series, the editor of PCPD e-Newsletter talked with Mr Bernard Tan, Chief Legal Counsel for Data and Cybersecurity of SAP. He shared with us his perspectives on the main cause that jeopardises personal data privacy in organisations and how individuals and organisations could respond to the potential risks arising from digital advancement.

E: Editor of PCPD e-Newsletter
B: Mr Bernard Tan, Chief Legal Counsel for Data and Cybersecurity of SAP

E: In your experience, what are the most damaging security vulnerabilities which had jeopardised personal data privacy? 

B:  Any security vulnerability can seriously jeopardise personal data privacy. Some people may say the weakest link is the internal users, or the IT security practices, or the lack of the latest and greatest technical security measures. But to me, the root cause is whether the senior management of an organisation regards security and privacy as a top business priority, and acts accordingly when allocating resources and funding. If the senior management does not regard security and privacy as “core” to its business, then probably the next best thing would be to outsource (at least part of) the security and privacy work to reputable vendors with the capacity and expertise to properly support security and privacy. Today’s global multinational corporate environment is too complex for any legal, privacy or security practitioner to support as an “add-on” responsibility to his or her daily job.
E: With the development of technologies, such as artificial intelligence , big data etc., how should an individual anticipate the potential risks of digital footprints?

B: Good digital hygiene such as data minimisation, use of password manager, use of encryption, and so on can help somewhat on a personal level. But to truly move the needle in terms of protecting the public’s privacy without hampering technological progress, regulators may have to help establishing best practices and market norms in consultation with the market players and stakeholders. It may be in the form of an ethical accountability framework, as PCPD has so ably done. Or it may be a voluntary standard like the NIST Cybersecurity Framework. Mainland China has actually made huge progress in establishing norms for Cloud Computing, IoT, mobile internet, Big Data and industrial control systems through its Cybersecurity Classified Protection Scheme. Since it is almost Chinese New Year, my one wish is for regulators across the world to try to harmonise their practices and norms, much like in the protection of intellectual property rights, so that businesses would be able to implement uniform global policies and procedures to comply!


The last but not least interview will be out in the next issue. Please stay tuned.

To review the first episode of “Special Interview Series” - A conversation with the Privacy Commissioner on regulations and laws on personal information protection in the mainland of China:

Click here

To review the second episode of “Special Interview Series” - A conversation with Ms Barbara Li from Norton Rose Fulbright on recent development of personal data privacy Law in the mainland of China:

Click here

To promote the culture of protecting and respecting personal data, we are launching a series of publicity initiatives on the ground and on air in the city. You will catch our messages on bus bodies, at West Kowloon High Speed Railway Station, on TV and on radio. Here are a preview of some of them.







Privacy Commissioner Responds to Public Concern about Disclosure of a Reporter’s ID Card Data (12 January 2020)


Read media statement

Privacy Commissioner Mr Stephen Wong delivered a presentation titled "Enhancing Cybersecurity - a Prerequisite for eLearning" at the Seminar on Cybersecurity and Safeguarding for Schools organised by the eLearning Consortium (13 January 2020)

Read more

Privacy Commissioner Mr Stephen Wong attended the "2nd Finance Summit" organised by the "Master Insight" (8 January 2020)

Read more

Two Groups Submit Open Letter to PCPD (30 December 2019)


Read more



Introduction to the Personal Data (Privacy) Ordinance Seminar (Free)
Jan - Jun 2020 seminars are now open for enrolment!

To raise the public's awareness and understanding of the Personal Data (Privacy) Ordinance, the PCPD organises introductory seminars on the Ordinance regularly. You will get to know the key elements of the Ordinance, in particular your obligations as data users and your rights as data subjects.

- A general introduction to the Personal Data (Privacy) Ordinance
- The six data protection principles
- Direct marketing
- Offences & compensation

Enrol now!

Placing Conspicuous CCTV Surveillance Notice to Protect Personal Data

PCPD has recently designed a sticker notice listing out essential information that should be conveyed to persons under surveillance. Organsations which operate CCTV systems may fill in relevant information on the notice and stick it at the entrance to the area under surveillance and inside the area under surveillance.

If you would like to get copies of the sticker notice, please email your name and address to We will send the sticker notices to you by post. Click here to read the Personal Data Collection Statement. The sticker notices are available while stock lasts.

You may also download and print it by clicking here.

Data Breach Handling and Notifications

Data users such as companies or organisations have to collect and keep the personal data of data subjects for administration or business purposes. Once a data breach has occurred, what appropriate actions may data users  take? This guidance note aims to assist data users in handling data breaches, and to mitigate the loss and damage caused to the data subjects concerned, particiularly when sensitive personal data is involved.

Read publication

US and EU Enforcers Target Big Tech, Children’s Privacy in 2020

Privacy regulators of Europe and United States are likely to ramp up enforcement of privacy laws this year, especially children’s online privacy, and wrap up probes of big technology companies.

Read more

How to Spot Data Breach Warning Signs to Protect Your Business

A New York City area retail technology consultant and managed services provider offered five steps to detect data security breaches earlier to save millions of dollars while protecting sensitive data and business reputation.

Read more

You Need to Master Data Privacy, Security and Consumer Trust to Succeed in 2020

In 2019 , there was an increased focus on data privacy laws around the world. Data breaches climbed to an all-time high and the erosion of people’s trust in marketing and advertising to only 3%, the lowest of any industry or practice. If your business wants to survive in 2020, you need to master data privacy, security and gain consumer trust.

Read more

Q. What is a Data Access Request (DAR)?

A: A DAR is a request made by an individual to request the data user:
a. to inform him whether the data user holds personal data of which the individual is the data subject; and
b. if the data user holds such data, to supply him with a copy of such data.

Common examples of DARs include requests by employees for copies of their performance appraisal reports, requests by patients for copies of their medical records and requests by consumers for copies of their service application forms.

Q: How to comply with a DAR?

A: Except where there are valid grounds for refusal falling within section 20 of the Personal Data (Privacy) Ordinance, a data user is required to supply a copy of the requested data to the requestor within 40 calendar (not working) days after receiving it.

A data user is not obliged to provide nor to create personal data that it does not have. However, it is still required to inform the requestor in writing within the 40-day time limit that it does not hold the data.

If a data user is unable to comply with a DAR within 40 days (e.g. the requested data is voluminous or if the DAR fee was received close to the expiry of the 40 days so that more time is required for the data user to comply with the DAR), the data user should give the requestor a written notification of the situation with reasons within the 40-day period and comply with the DAR to the extent, if any, that the data user is able to comply with the DAR. The data user is required to comply fully with the DAR as soon as practicable thereafter.

Q: Can a data user impose a fee for complying with a DAR?

A: A data user may impose a fee for complying with a DAR which should not be excessive. The data user should clearly inform the requestor what fee, if any, will be charged as soon as possible and in any event not later than 40 days after receiving the DAR.

A data user is entitled to refuse to comply with a DAR unless and until the fee imposed has been paid. A data user should not charge a fee on a commercial basis. Any fee that exceeds the costs of compliance will be considered excessive. A data user should refrain from imposing an excessive fee to deter an individual from making a DAR so as to avoid its statutory obligation to comply with the DAR.

The costs of compliance may vary with the scope and complexity of the DAR in question. In most circumstances, the costs of compliance will be nominal.

Extended Reading:
Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users

Data Protection Principle 1 (DPP1) – Collection of personal data

A company unfairly collected a job applicant’s personal data

The Complaint

According to the information given in a recruitment advertisement, the complainant applied to Company A for a clerical post. However, when the complainant attended the selection interview, the interviewer persuaded him to fill in an application form for a sales position of Company B. The complainant considered that Company A used the recruitment for clerk as a pretext for recruiting sales representative by Company B. He therefore made a complaint to this office.


As revealed in the investigation, the selection interview was conducted in the office of Company B by a sales agent of Company B. Job descriptions given in the interview were related to the sales vacancy of Company B, not the clerical post of Company A. DPP 1(2) under the Personal Data (Privacy) Ordinance requires a data user to collect personal data by lawful and fair means. After the PCPD’s intervention, Company B issued a written warning to its staff member conducting the selection interview, and confirmed that he had destroyed the relevant personal data. In addition, Company B also reminded its staff to clearly state the vacancy to be filled and Company B’s identity as the employer when posting job advertisements. Consequently, the PCPD issued a warning letter to Company B, urging it to take practicable measures to ensure that its staff would not recruit sales agent through misleading means, so as to strictly comply with the requirements of the Ordinance.

Lesson learnt
Job applicants provide their personal data in response to the information detailed in job advertisements. They naturally expect their personal data to be used only for the purpose of processing their applications for the advertised posts. If the advertised post does not actually exist, such collection of personal data may constitute unfair collection under the Ordinance. It is beyond job applicants’ reasonable expectation if the personal data collected from them is subsequently used for persuading them to apply for other companies’ jobs. Recruitment is the first contact between job applicants and employers. Employers should proactively protect job applicants’ personal data, and embrace respecting personal data privacy as an indispensable part of corporate governance. It helps employers portrait themselves as ethical corporates and attract high calibre talents.

Data Privacy at the Workplace : Bring-Your-Own-Device

Bring-your-own-device is a growing trend as the use of personal mobile devices for both personal and work purposes is ubiquitous. Misuse or mishandling of mobile devices increases risk of data breach such as leakage or loss.

Learn more

Administrative Appeals Board's Decisions

The Administrative Appeals Board (AAB) hears and determines appeals lodged against PCPD’s enforcement decisions. AAB may confirm, vary or reverse PCPD’s decisions. It has given PCPD its permission to publish on PCPD website its decisions delivered after open hearings.

View the AAB case notes

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.