PDPO

Summary

The Personal Data Privacy Ordinance (PDPO) is the main legislation in Hong Kong which aims to protect the privacy of individuals in relation to personal data, and to regulate the collection, holding, processing or use of personal data based on a set of data protection principles. The version used in this section is the PDPO 2021 update.

Definitions

| Definition | Requirements |
| --- | --- |
| 5_18. Data access request | 229. Request access credentials; 264. Request authentication |
| 5_19. Compliance with data access request | 331. Guarantee legal compliance |
| 5_22. Data correction request | 316. Allow rectification requests |
| 5_23. Compliance with data correction request | 316. Allow rectification requests; 318. Notify third parties of changes |
| 5_26. Erasure of personal data no longer required | 183. Delete sensitive data securely; 317. Allow erasure requests; 360. Remove unnecessary sensitive information |
| 5_27. Log book to be kept by data user | 085. Allow session history queries; 377. Store logs based on valid regulation; 378. Use of log management system |
| 6_31. Matching procedure request | 025. Manage concurrent sessions; 088. Request client certificates; 189. Specify the purpose of data collection |
| 9A_66G. Powers exercisable in relation to premises and electronic devices | 350. Enable memory protection mechanisms; 351. Assign unique keys to each device; 352. Enable trusted execution |
| S1_1. Purpose and manner of collection of personal data | 189. Specify the purpose of data collection; 310. Request user consent |
| S1_2. Accuracy and duration of retention of personal data | 315. Provide processed data information; 316. Allow rectification requests; 318. Notify third parties of changes; 360. Remove unnecessary sensitive information |
| S1_3. Use of personal data | 310. Request user consent; 315. Provide processed data information |
| S1_4. Security of personal data | 062. Define standard configurations; 096. Set user's required privileges; 122. Validate credential ownership; 176. Restrict system objects; 181. Transmit data using secure protocols; 183. Delete sensitive data securely; 185. Encrypt sensitive information; 229. Request access credentials; 232. Require equipment identity; 238. Establish safe recovery; 264. Request authentication; 300. Mask sensitive data; 321. Avoid deserializing untrusted data; 329. Keep client-side storage without sensitive data; 375. Remove sensitive data from client-side applications |
| S1_5. Information to be generally available | 225. Proper authentication responses; 315. Provide processed data information; 331. Guarantee legal compliance |
| S1_6. Access to personal data | 229. Request access credentials; 264. Request authentication; 316. Allow rectification requests |