
Is It Necessary for My Company To Have a Data Protection Officer

Hong Kong is a fantastic place to base an e-commerce business, as it is well connected with the rest of the world. This also means that personal data will be collected, used and processed during business transactions.

So what does that mean for new and existing businesses registered in Hong Kong? How does a business owner help prevent data breaches and protect an individual's personal data? Perhaps many business owners who are planning to base their businesses in Hong Kong have this question in mind: is it necessary for my company to appoint a data protection officer (DPO)? In this article, we explain the Personal Data (Privacy) Ordinance (PDPO) and the General Data Protection Regulation (GDPR), and how these regulations affect Hong Kong companies.

How Does GDPR Apply to Hong Kong Companies?

In Hong Kong, individuals’ privacy is governed by the Personal Data (Privacy) Ordinance (PDPO). It applies to both the private and public sectors. The purpose of the PDPO is to protect individuals’ personal data from being compromised and, at the same time, to provide a framework for companies that process data. So how does the GDPR apply to Hong Kong companies?

When the PDPO was first drafted, it drew on the OECD Privacy Guidelines 1980 and the EU Data Protection Directive. As such, the PDPO and GDPR share similar features. Since the GDPR was adopted in 2016, however, significant developments have been made in data protection law.

Although the GDPR is an EU regulation, its reach extends to companies in Hong Kong. In other words, it applies to non-EU companies that collect and process personal data relating to goods and services sold to individuals in EU countries.

With more companies trading globally, it is important for Hong Kong companies to check whether the GDPR applies to them. If your company has business clients or customers who are based in EU countries, you will need to comply with the GDPR and keep informed of new developments in the regulation.

Oak Health Supplement Company sells its health supplements to local residents and also supplies its products to overseas customers. Some of the customers who purchase its products are based in EU countries such as France and Germany. Since it offers products to customers in EU countries, the personal data it has collected has to be handled in compliance with the GDPR.

Likewise, if your e-commerce business has a website that allows customers to place orders and ships products to customers in the EU, it will fall within the GDPR’s scope. It will not fall within the GDPR’s scope if you explicitly state on your website that you do not intend to ship goods to EU countries or that your services are not available to people living in those countries.


At this point, you might be wondering whether there is any major difference between the Personal Data (Privacy) Ordinance (PDPO) and the General Data Protection Regulation (GDPR). To understand these regulations better, here are the major differences, with the GDPR position first and the PDPO position second for each area:

Scope
GDPR: Applies to companies that collect or process data and are based in the EU, and to non-EU companies that offer services and goods to EU customers.
PDPO: Applies to companies that control the collection, processing and use of personal data in Hong Kong.

Personal Data
GDPR: Personal data refers to any information which relates to an identified or identifiable living person. This includes information such as location, race, health and religion.
PDPO: Personal data refers to any information which relates to a living individual and can be used to identify that individual. It must exist in a form that is accessible and practicable.

Accountability & Governance
GDPR: Companies are required to implement technical and organisational measures to ensure compliance. They are also required to conduct a data protection impact assessment (DPIA) for high-risk data processing. Appointment of a Data Protection Officer is mandatory for certain companies.
PDPO: It does not set out an accountability principle or privacy management tools, but the PCPD has issued a Privacy Management Programme to encourage Hong Kong companies to adopt accountability for data privacy compliance.

Sensitive Personal Data
GDPR: There are different categories of sensitive personal data. Processing of such sensitive information is only allowed under special circumstances.
PDPO: There is no distinction between sensitive and non-sensitive personal data.

Consent
GDPR: The GDPR lists specific requirements for companies to obtain an individual’s consent before they can use their personal data. The request for consent should be separated from other terms and written in clear and plain language.
PDPO: Consent is not a prerequisite for the collection of personal data, unless the data is used for a new purpose. Aside from marketing, businesses need to provide notice of the purpose of collecting the data. There is also no requirement for parental consent, but the PDPO allows parents or legal guardians to give consent on their child’s behalf if they are given proper evidence that the purpose of using the data might be in the child’s interest.

Data Breach Notification
GDPR: Companies are required to notify the authority of any data breach. Subsequently, they need to inform affected individuals if the breach poses a high risk to their rights and privacy.
PDPO: If there is a data breach, companies are advised to notify the Privacy Commissioner and affected individuals.

Data Processors
GDPR: Data processors who process data on behalf of companies are obliged to maintain records of processing. They have to ensure security, report data breaches and designate Data Protection Officers.
PDPO: Data processors are not directly regulated; companies are required to adopt contractual or other means to ensure the processor’s compliance.

Is It a Mandatory Requirement To Appoint a Data Protection Officer for My Company?

Under the PDPO, there is no mandatory requirement for companies to appoint a data protection officer in Hong Kong. However, in March 2019, the PCPD revised and released a guide entitled Privacy Management Programme: A Best Practice Guide (PMP). This guide encourages companies to develop their own Privacy Management Programme, based on these three important components:

  • Organisational commitment
  • Programme controls
  • Ongoing assessment and revision

It also encourages companies to appoint a designated DPO to oversee the company's compliance with the PDPO and the implementation of the PMP. For big companies, the DPO should be a senior executive. For a smaller company, such as a small or medium-sized enterprise (SME), the officer should be the owner.

Adrian runs a training consultancy firm in Hong Kong with approximately 15 full-time staff. His customer base is mainly in Hong Kong, with some customers in other countries. Since his company is considered an SME, Adrian will be the DPO for his company.

What Are the Main Responsibilities of a DPO if I Were To Appoint One?

The job of a DPO is to ensure that the company complies with the PDPO and, if it has a customer base in the EU, with the GDPR.

Aside from the above, their main responsibilities include:

  1. Establish and implement the PMP programme controls, such as:
  • Keep a record of the company’s personal data inventory.
  • Initiate the periodic risk assessment for all departments.
  • Monitor, review and provide advice on all risk assessment reports and privacy impact reports.
  • Conduct training and promote staff awareness of data protection by circulating data privacy policies, guidelines and privacy-related information.
  • Coordinate and monitor the handling of data breach incidents and provide advice to departments on conducting investigations.
  • Monitor, review and provide advice on preparing the Personal Information Collection Statement.
  2. Review the effectiveness of the PMP.
  3. Prepare oversight plans and review plans for the PMP, and revise the programme controls if necessary.
  4. Report to senior management periodically about the company’s compliance issues, problems encountered and any complaints received regarding an individual’s personal data privacy.

What Qualifications Does My Data Protection Officer Need?

Though the PDPO does not specify any qualification for a DPO, the designated officer should have a clear understanding of the company’s industry and of the methods used to handle personal data. He or she is also required to have some knowledge of the PDPO and GDPR. The officer must be an excellent communicator who is able to work with various departments to report potential compliance issues and handle complaints from the public.

What if My Company Fails To Comply With the PDPO or GDPR?

We understand that companies may sometimes get so overwhelmed with work that they neglect to improve their data processing systems. Likewise, some companies may not consider appointing a DPO to oversee the implementation of a PMP. Given the amount of data handled by a company, it is important to ensure that your company complies with the PDPO or GDPR to prevent any data breach. Failure to comply with the PDPO or GDPR can lead to heavy fines.

If your company fails to comply with the PDPO, the Office of the Privacy Commissioner for Personal Data (PCPD) will first issue an enforcement notice requiring the company to provide the information requested by the PCPD during its investigation. If the company then fails to comply with the enforcement notice, the statutory fine will be from HK$50,000 to HK$100,000. For direct marketing offences, the penalties are much higher, with fines up to HK$1 million and five years’ imprisonment.

On the other hand, if your company fails to comply with GDPR, the fines for infringements will be 4% of annual worldwide turnover or €20 million.

In June 2017, a director of a Hong Kong company was found to have transferred personal data without consent after a complaint was filed against the company. Despite repeated requests for the information required for the investigation, the director failed to supply sufficient information. The PCPD then issued an enforcement notice to the director, asking him to attend the office for examination. However, the director failed to attend the office without any lawful excuse. As a result, the director was fined HK$3,000.

Key Takeaways

  1. In Hong Kong, individuals’ privacy is governed by the Personal Data (Privacy) Ordinance (PDPO).
  2. The GDPR primarily applies to EU countries, but its reach extends to companies in Hong Kong. It applies to non-EU companies that handle personal data collected in relation to goods and services sold to individuals in EU countries.
  3. Although the GDPR and PDPO regulations share certain similarities, there are major differences between the two of them.
  4. Under the PDPO, there is no mandatory requirement for companies to appoint a data protection officer in Hong Kong. But in 2019, the PCPD revised and released the Privacy Management Programme (PMP) guide, which encourages companies to appoint a DPO to oversee the company’s compliance and develop their own PMP.
  5. For big companies, a DPO should be a senior executive. For a smaller company such as SME, the DPO should be the owner.
  6. Your DPO should have a clear understanding of the company’s industry and the amount of sensitive personal data the company handles. The DPO should also have some knowledge of the PDPO and GDPR.
  7. If your company fails to comply with PDPO, the statutory fines will be from HK$50,000 to HK$100,000.
  8. Likewise, if your company fails to comply with GDPR, the fines for infringements will be 4% of annual worldwide turnover or €20 million.

This clearly shows that the Hong Kong government takes individuals’ personal data seriously and holds companies accountable for the amount of data they handle daily. As such, it is important to appoint a DPO to oversee and review data protection policies.
