PCPD e-Newsletter

Registration and Electoral Office’s Loss of Register of Electors Incident; Sensitive Data Lost Amidst Unfavourable Timings, Localities and Human Factors (29 August 2019)


Read media statement

Privacy Commissioner Strongly Condemns Doxxing and Bullying; Arrest Already Made; Promotion and Education in Schools Strengthened (28 August 2019)


Read media statement

A survey reveals that people are becoming more reluctant to share personal data

A report by the Advertising Research Foundation suggests that Americans are increasingly less likely to share their personal information with companies. It could be a sign that marketers should focus not just on regulatory compliance but also on explaining how and why data is collected in the first place. 

Read more

Office of the Privacy Commissioner of Canada launches tips about staying safe on social media

Social media can help people connect with friends and family, share personal interests with others, or get the latest news. But it can also put personal safety at risk as people are sharing personal information online. Read more to know the 10 helpful tips to stay safe on social media.

Read more

Mainland China’s internet regulator warns app operators over data privacy

The internet regulator from Mainland China said that a large number of mobile apps need to take rectification measures for the over-collection of personal data, clamping down on the practice as the country’s over 800 million mobile users increasingly shop and order services exclusively online.

Read more

Mainland China issued rules on the protection of children's personal information online

The Cyberspace Administration of China issued a regulation on the network protection of children's personal information, making it the first legislation specifically aimed at children's internet protection in Mainland China.

Read more

Sharing pet photos can reveal personal information

While people are becoming more vigilant about sharing personal information about themselves, particularly on social media, they routinely forget to block their contact information when sharing pet photos, which is a key identifier in public databases containing relevant information about the pet owner, including name, address and even the names of family members.

Read more

Giovanni Buttarelli, the European Data Protection Supervisor, passed away on 20 August 2019. He was a leading figure in European data protection who spearheaded data protection law and policy, especially in overseeing the introduction of the EU General Data Protection Regulation (GDPR).

To mourn the passing away of Mr Giovanni Buttarelli, the Privacy Commissioner for Personal Data, Hong Kong, Mr Stephen Wong, shares his condolence message below:

It is with deep sorrow that I learn of the passing away of a remarkable privacy leader, who was also a supportive and kind friend, European Data Protection Supervisor Mr Giovanni Buttarelli.

My memories of Giovanni date back to years ago when I started to work closely with him in the Executive Committee of the International Conference of Data Protection and Privacy Commissioners. My fond memories and feeling of indebtedness especially go to the time when he contributed as a VIP speaker in the Conference we hosted here in Hong Kong. With his wisdom and foresight, he had supportively helped elevate Hong Kong to the global privacy arena after the Conference.

The passing away of Giovanni is indeed an immeasurable loss to the privacy world. I am sure the data protection tradition will always bear the imprint of his significant contribution to the EU and the development of the GDPR, as well as his incredible achievement to serve as a guiding light for the development of personal data protection policies and laws in the EU and beyond.

On behalf of my office, I wish to convey our heartfelt condolences to Giovanni’s family, friends and all of his colleagues at EDPS. He will be dearly missed.

PCPD e-Newsletter readers' survey
Let us know your thoughts and feedback on the contents of the e-newsletter so that we can do better. Please take a few minutes to answer the questions by clicking the button below and email the completed form to We look forward to receiving your valuable feedback  for continuous improvement.

Leave your comment



The 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) is now open for enrolment!

The premier annual world conference in the data protection arena, the 41st ICDPPC, will be held from 21 to 24 October 2019 in Tirana, Albania. Hundreds of global thought-leaders and industry experts will gather to share their insights on the latest developments in data privacy protection under the theme "Convergence and Connectivity: Raising Global Data Protection Standards in the Digital Age".

Check out the Conference details by visiting the Conference website at:  




Professional Workshops on Data Protection (September - December 2019) are now open for enrolment!

The Professional Workshops organised by the PCPD are specifically designed for various practitioners to get up to speed on how to comply with the requirements under the Personal Data (Privacy) Ordinance in handling personal data.

Course details



Practical Workshop on Data Protection Law (9 September 2019)

The numerous massive data breach incidents involving various sectors in 2018 and this year once again remind us of the importance of understanding the Personal Data (Privacy) Ordinance and the compliance with it. For those who are charged with the responsibility in advising on compliance with the Personal Data (Privacy) Ordinance, or simply would like to find out more about it, this is the workshop you should go for. Data Protection Principles, court cases such as Chan Yim Wah Wallace v New World First Ferry Services Limited [HCPI 820/2013] and recent Administrative Appeals Board cases would be discussed.

Enrol now!



Data Protection in Insurance (19 September 2019)

Insurance practitioners handle a large amount of customers' personal data in their daily work. This workshop would talk about what insurance practitioners should do to protect customers' personal data when providing insurance services. Core concepts of data protection compliance illustrated by specific scenarios such as collection of customers' medical data, engagement of private investigators in insurance claims and use of customers' data for internal training etc. will be examined.


Enrol now!

Guidance on CCTV Surveillance and Use of Drones

The use of CCTV covering public places or common areas of a building for security reasons or for monitoring illegal acts has become increasingly widespread. Unmanned aircraft systems (also known as “drones”) are becoming more popular in photography, surveying and surveillance. The use of CCTV and drones may capture extensive images of individuals or information relating to individuals, which should be properly controlled to avoid intrusion into the privacy of individuals.

The Guidance provides practical tips to data users on using CCTV and drones from the perspective of protecting personal data privacy.

Read publication

Q: You found a list of professionals’ contact information from a public register on the Internet. Can you call these professionals to promote your organisation’s latest products?

The answer is No. The fact that one’s personal data can be obtained from the public domain shall not be taken to mean that he has given blanket consent for the use of his personal data for whatever purposes. The data provider’s original purpose of making the personal data available in the public domain should be considered. The restrictions, if any, imposed by the data providers on further uses and the reasonable expectation of personal data privacy of the data subjects must be observed.

Q: When should you provide a Personal Information Collection Statement (PICS) to your customers when they do online shopping?

A. After they have placed the order
B. Before they provide their personal data for transaction
C. After the customer has received the goods

The correct answer is B. Your organisation must provide the individuals with online PICS before collecting personal data through the Internet. PICS should be displayed in a clear and conspicuous manner (e.g. accessible on the same web page or through a well described link). It should be easy to read and understand, and its content must be consistent with any printed version distributed offline. 

Q: Which of the following is a correct approach if personal data will be collected through mobile apps?

A. Provide only the declaration for data accessing right and no need to provide PICS
B. Provide a hyperlink to an organisation’s existing website privacy policy statement (PPS)
C. Ensure the PICS and PPS are specific for the individual mobile apps

The correct answer is C. Your organisation must clearly display its PPS to its customers before they install the app. The declaration for data accessing rights of the app cannot substitute for the PICS and PPS. The PPS should address consumers’ rights and obligations, describe what information is collected, for what purposes it is used and with whom it is shared.

Extended Reading:
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement
Guidance on Use of Personal Data Obtained from the Public Domain

Data Protection Principle 6 - Access to personal data

A data subject submitted a request to Organisation B for access to his personal data originating from Organisation A

The Complaint

With the consent of the complainant, Organisation A provided a copy of a report in relation to the complainant to Organisation B. The complainant later submitted a data access request to Organisation B for access to the report. However, in its written reply, Organisation B only stated that the report was not composed by them and suggested that the complainant request the same from Organisation A. The complainant hence complained to this office against Organisation B for not complying with his data access request.


Section 19(1) of the Personal Data (Privacy) Ordinance (the Ordinance) requires a data user to comply with a data access request within 40 days after receiving it, unless there is a ground of refusal permissible under section 20 of the Ordinance. Under section 2(1) of the Ordinance, “data user” means a person who controls the collection, holding, processing or use of the personal data.

According to sections 20(3)(d) and 21(1)(c) of the Ordinance, if a data user imposed a restriction on further disclosure on another data user when the personal data was transferred from the first-mentioned “data user” to the second-mentioned “data user” in the first place, the second-mentioned “data user” may use this as a reason to refuse compliance with a data subject’s data access request, as long as the second-mentioned “data user” has provided the name and address of the first-mentioned “data user” to the data subject.

In response to our inquiries, Organisation B confirmed that they were neither an agent nor a data processor appointed by Organisation A (i.e. Organisation B is an independent “data user”). Organisation B further confirmed that no restriction on further disclosure was imposed on them when they obtained the report from Organisation A.

Not being the composer of the report is not a reason permissible under the Ordinance to refuse compliance with a data access request. As long as no restriction of disclosure was imposed on Organisation B and there is no other reason of refusal permissible under the Ordinance, Organisation B as a “data user” of the report in question has a duty to provide the complainant with a copy of his personal data contained therein.

This office explained the relevant provisions under the Ordinance to Organisation B, which subsequently complied with the complainant’s data access request.

Extended Reading:

Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users


Administrative Appeals Board's Decisions

The Administrative Appeals Board (AAB) hears and determines appeals lodged against PCPD’s enforcement decisions. The AAB may confirm, vary or reverse PCPD’s decisions. It has given PCPD its permission to publish on the PCPD website its decisions delivered after open hearings.

View the AAB case notes

Be SMART Online Fan Page 

Stay tuned for the latest data protection issues, news and trends by visiting PCPD's one-stop portal.

Learn More

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7179

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.