🇭🇰 Live Privacy & Data Protection

Hong Kong Personal Data (Privacy) Ordinance (Cap. 486)

Governs the collection, use, and transfer of personal data by data users in Hong Kong.

View official source document

14

Rules extracted

155

Obligations decomposed

11.1x

Avg obligations per rule

🇭🇰 Hong Kong SAR

Jurisdiction

About this regulation

The PDPO was enacted in 1995 and took effect on 20 December 1996, making it one of Asia's earliest comprehensive data protection laws. Modelled on the OECD Privacy Guidelines (1980), the Ordinance is technology-neutral and principle-based. It establishes six Data Protection Principles (DPPs) in Schedule 1, regulates cross-border data transfers, imposes direct marketing controls (amended 2012), creates data access and correction rights, and empowers the Privacy Commissioner for Personal Data (PCPD) as regulator. Major amendments in 2021 introduced anti-doxxing provisions with criminal penalties. The PDPO applies to both public and private sectors in Hong Kong.

What AuditDSS covers

Source

1

Regulation

Extracted

14

Rules

Decomposed

155

Obligations

11.1x

Decomposition ratio

Each rule is decomposed into an average of 11.1 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 155 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in PDPO is scored across independent risk dimensions:

W

Obligation Weight

How critical within the regulatory framework

L

Violation Likelihood

How often breached in practice

E

Enforcement Evidence

Regulator enforcement history and penalties

C

Cascade Dependency

How many obligations depend on this one

Regulatory details

Full title
Hong Kong Personal Data (Privacy) Ordinance (Cap. 486)
Regulatory body
Privacy Commissioner for Personal Data
Jurisdiction
🇭🇰 Hong Kong SAR
Document type
ordinance
Effective date
December 20, 1996
Issuing authority
Legislative Council of Hong Kong
Industry
Privacy & Data Protection
Official source
View source document ↗

Who this applies to

data usersdata processorspublic sectorprivate sector

Key requirements

  • 6 Data Protection Principles
  • data access and correction rights
  • cross-border transfer restrictions
  • direct marketing controls
  • anti-doxxing provisions

Frequently asked questions about PDPO

What is PDPO?
The PDPO was enacted in 1995 and took effect on 20 December 1996, making it one of Asia's earliest comprehensive data protection laws. Modelled on the OECD Privacy Guidelines (1980), the Ordinance is technology-neutral and principle-based. It establishes six Data Protection Principles (DPPs) in Schedule 1, regulates cross-border data transfers, imposes direct marketing controls (amended 2012), creates data access and correction rights, and empowers the Privacy Commissioner for Personal Data (PCPD) as regulator. Major amendments in 2021 introduced anti-doxxing provisions with criminal penalties. The PDPO applies to both public and private sectors in Hong Kong.

Who does PDPO apply to?
PDPO applies to data users, data processors, public sector, private sector.

How many obligations does PDPO contain?
AuditDSS has decomposed PDPO into 155 atomic obligations from 14 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of PDPO?
The key requirements include: 6 Data Protection Principles, data access and correction rights, cross-border transfer restrictions, direct marketing controls, anti-doxxing provisions.

How can I assess my PDPO compliance?
Upload your compliance policy to AuditDSS. The platform maps your document against all 155 PDPO obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces PDPO?
PDPO is enforced in Hong Kong SAR by Privacy Commissioner for Personal Data.

When did PDPO come into effect?
PDPO became effective on December 20, 1996.

What industry does PDPO apply to?
PDPO is primarily relevant to the Privacy & Data Protection industry. AuditDSS covers 71 regulations in this industry sector.

Build a PDPO compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for PDPO — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering PDPO requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine PDPO with other regulations into a single unified compliance pack for your business.

Build PDPO compliance pack

Already have a policy? Assess it against PDPO

1

Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2

AI maps against 155 obligations

Your document is scored against every obligation in PDPO. Each claim is mapped to the obligation tree and evaluated for coverage.

3

Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Related regulations in Privacy & Data Protection

🇦🇺 Live

Fair Work Act 2009

16 rules, 260 obligations
🇦🇺 Live

Modern Slavery Act 2018

9 rules, 135 obligations
🇦🇺 Live

Privacy Act 1988

29 rules, 203 obligations
🇦🇺 Live

SOCI Act 2018

10 rules, 32 obligations
🇦🇺 Live

Model WHS Act

10 rules, 41 obligations
🇧🇷 Live

LGPD

19 rules, 200 obligations
🇺🇸 Live

CCPA/CPRA

46 rules, 572 obligations
🇨🇳 Live

CSL

8 rules, 201 obligations

Assess your PDPO compliance

Upload your document and get a risk-scored gap analysis against 155 PDPO obligations in under 5 minutes.

Start assessment Browse all regulations