
Prescribed Matters
Whether the carrying out of the matching procedure is in the public interest...
Whether the carrying out of the matching procedure is in the public interest...
The name and address of the data user...
The Commissioner shall be exempt from taxation under the Inland Revenue Ordinance...
The Director of Audit may, in respect of any financial year, conduct an examination into the economy, efficiency and effectiveness with which the Commissioner...
The Commissioner shall cause proper accounts to be kept of all his financial transactions...
Subject to subsection (2), the Commissioner may invest money that is not immediately required to be expended...
Subject to subsection (2), the Commissioner may borrow by way of overdraft such money as he may require for meeting his obligations or performing his functions under this Ordinance....
The resources of the Commissioner shall consist of all money...
A data subject shall be entitled to ascertain whether a data user holds personal data of which he is the data subject...
All practicable steps shall be taken to ensure that a person can...
All practicable steps shall be taken to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable)...
Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose...
All practicable steps shall be taken to ensure that personal data is accurate having regard to the purpose...
Personal data shall not be collected unless the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data...
The Chief Executive in Council may, by notice in the Gazette, amend Schedule 2, 4 or 6...
The Secretary for Constitutional and Mainland Affairs may make regulations for all or any of the following matters...
The Commissioner may make regulations to prescribe the fees to be paid in respect of any matter, service or facility in respect of which a prescribed fee is payable to the Commissioner...
A notice (howsoever described) which is required to be served under this Ordinance, or which may be served under this Ordinance, on a person (howsoever described) shall...
Subject to subsection (2), the Commissioner may specify the form of any document required under this Ordinance to be in the specified form and the form of such other documents...
A person who may institute proceedings to seek compensation under section 66 may make an application to the Commissioner for assistance in respect of those proceedings...
With a view to helping a person (the person aggrieved) to decide whether to institute proceedings under section 66 and, if the person does so...
Subject to subsection (4), an individual who suffers damage by reason of a contravention of a requirement under this Ordinance...
Any act done or practice engaged in by a person in the course of his employment shall be treated for the purposes of this Ordinance as done or engaged in by his employer...
Despite section 26 of the Magistrates Ordinance (Cap. 227), a complaint or information in respect of an offence under this Ordinance may be made to or laid before a magistrate within 2 years...
A data user who, without reasonable excuse, contravenes any requirement under this Ordinance commits an offence and is liable on conviction to a fine at level 3...
A person commits an offence if the person discloses any personal data of a data subject which was obtained from a data user without the data user’s consent, with an intent...
Personal data contained in records that are transferred to the Government Records Service is exempt from the provisions of data protection principle 3 when the records are used by...
Personal data is exempt from the provisions of data protection principle 1(3) and data protection principle 3 if the application of those provisions to the data would be likely to prejudice...
Personal data transferred or disclosed by a data user for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction that involves...
Personal data which consists of information showing that an identifiable individual was, or may have been, born in consequence of a reproductive technology procedure...
Where a data access request relates to personal data which is or, if the data existed, would be exempt from section 18(1)(b) by virtue of section 57 or 58, then the data is also exempt...
Personal data is exempt from the provisions of data protection principle 3 where the data is to be used for preparing statistics or carrying out research...
Personal data held by a data user whose business, or part of whose business, consists of a news activity...
Personal data is exempt from the provisions of data protection principle 3 if the use of the data is...
If, as a result of complying with a request under a provision of data protection principle 6 or section 18(1)(b) in relation to any personal data...
Personal data is exempt from the provisions of data protection principle 6 and section 18(1)(b) if the data consists of information...
Personal data in relation to a minor transferred or disclosed by the Hong Kong Police Force or Customs and Excise Department to a relevant person of the minor is exempt from the provisions...
Personal data relating to the physical or mental health of the data subject is exempt from the provisions of either or both of...
A personal data system is exempt from the provisions of this Ordinance to the extent that it is used by a data user for the collection, holding, processing or use of personal data...
Personal data held for the purposes of the prevention or detection of crime...
Personal data held by or on behalf of the Government for the purposes of safeguarding security, defence or international relations in respect of Hong Kong is exempt...
Personal data held by a data user which consists of a personal reference...
Personal data the subject of a relevant process is exempt from the provisions of data protection principle 6 and section 18(1)(b) until the completion of that process...
Personal data held by a data user immediately before the appointed day...
Personal data which consists of information relevant to any staff planning proposal to fill any series of positions of employment which are presently, or may become, unfilled...
Personal data held by an individual and concerned only with the management of his personal, family or household affairs...
Personal data held by a court, a magistrate or a judicial officer in the course of performing judicial functions is exempt from the provisions of the data protection...
Where any personal data is exempt from any provision of this Ordinance by virtue of this Part, then, in respect of that data and to the extent of that exemption...
A person commits an offence if the person without lawful excuse, obstructs, hinders or resists the Commissioner or a prescribed officer in performing the functions or exercising the powers of the Commissioner...
A data user who contravenes an enforcement notice commits an offence and is liable on a first conviction to a fine at level 5 and to imprisonment for 2 years...
If, following the completion of an investigation, the Commissioner is of the opinion that the relevant data user is contravening or has contravened a requirement under this Ordinance...
Where the Commissioner has completed an investigation (and whether or not the investigation was initiated by a complaint)...
Subject to subsection (3), the Commissioner may, after completing an inspection where section 36(b) is applicable, publish a report...
Where the Commissioner has completed an inspection, he shall, in such manner and at such time as he thinks fit, inform the relevant data user of...
Subject to subsections (2), (3), (7) and (8), the Commissioner and every prescribed officer shall maintain secrecy in respect of all matters that come to their actual knowledge...
Every person shall have the same privileges in relation to the giving of information, the answering of questions, and the production of documents and things...
Subject to subsection (2) and section 45, the Commissioner may, for the purposes of any investigation, summon before him any person who...
Subject to the provisions of this Ordinance, the Commissioner may, for the purposes of any investigation be furnished with any information...
Subject to subsections (3) and (8), the Commissioner may, for the purposes of an inspection where the personal data system, or any part thereof, the subject of the inspection is situated in...
The Commissioner shall, before carrying out an inspection or, subject to subsection (2), an investigation...
Where the Commissioner is of the opinion that it is in the public interest so to do, he may carry out or continue an investigation initiated by a complaint...
Notwithstanding the generality of the powers conferred on the Commissioner by this Ordinance, the Commissioner may refuse to carry out or decide to terminate an investigation initiated...
Where the Commissioner receives a complaint...
An individual, or a relevant person on behalf of an individual, may make a complaint to the Commissioner about an act or practice specified in the complaint...
Without prejudice to the generality of section 38, the Commissioner may carry out an inspection of any personal data system used by a data user...
Despite section 2(3), where a data user requires, under data protection principle 3, the prescribed consent of a data subject for providing any personal data of the data subject...
A data subject who has been provided with information by a data user under section 35J(2)(b) may, at any time, require the data user...
A data user who has complied with section 35J must not provide the data subject’s personal data to another person for use by that other person in direct marketing unless...
A data user who intends to provide a data subject’s personal data to another person for use by that other person in direct marketing must take each of the actions specified in subsection (2)...
This Division does not apply if a data user provides, otherwise than for gain, personal data of a data subject to another person for use by that other person in offering...
Despite section 2(3), where a data user requires, under data protection principle 3, the prescribed consent of a data subject...
A data subject may, at any time, require a data user to cease to use the data subject’s personal data in direct marketing...
A data user must, when using a data subject’s personal data in direct marketing for the first time, inform the data subject that the data user must...
A data user who has complied with section 35C must not use the data subject’s personal data in direct marketing unless...
If, before the commencement date a data subject had been explicitly informed by a data user in an easily understandable and...
Subject to section 35D, a data user who intends to use a data subject’s personal data in direct marketing must take each of the actions specified in subsection (2)...
This Division does not apply in relation to the offering, or advertising of the availability, of social services run...
In this Part, consent (同意), in relation to a use of personal data in direct marketing or a provision of personal data for use in direct marketing...
A data user who has complied with the provisions of data protection principle 1(3) in respect of the collection of any personal data from the data subject (first collection)...
This section shall not apply to personal data other than personal data the collection, holding, processing or use of which...
The Commissioner shall determine a matching procedure request not later than 45 days after receiving the request...
A data user proposing to carry out, whether in whole or in part, a matching procedure may make a request in the specified form...
A data user shall not carry out, whether in whole or in part, a matching procedure...
Without prejudice to the generality of section 68, where pursuant to a data access request or data correction request a data user is required to...
A data user shall not impose a fee for complying or refusing to comply with a data access request or data correction request unless the imposition of the fee is expressly permitted...
A data user shall keep and maintain a log book for the purposes of this Part...
A data user must take all practicable steps to erase personal data held by the data user where the data is no longer required for the purpose...
A data user who pursuant to section 24 refuses to comply with section 23(1) in relation to a data correction request shall, as soon as practicable but...
Subject to subsection (2), a data user shall refuse to comply with section 23(1) in relation to a data correction request if the data user is not supplied...
Subject to subsection (2) and section 24, a data user who is satisfied that personal data to which a data correction request relates is inaccurate shall...
Subject to subsections (1A) and (2), where— (Amended 18 of 2012 s. 15) a copy of personal data has been supplied by a data user in compliance with a data access request...
Subject to subsection (2), a data user who pursuant to section 20 refuses to comply with a data access request shall...
A data user shall refuse to comply with a data access request if the data user is not supplied with such information as the data user may reasonably require...
Subject to subsection (2) and sections 20 and 28(5), a data user must comply with a data access request within 40 days after receiving the request by...
An individual, or a relevant person on behalf of an individual, may make a request...
Without limiting the definition of relevant person in section 2(1), in this Part...
For the avoidance of doubt, it is hereby declared that whether or not the register contains any particulars...
The Commissioner shall provide facilities for making the particulars contained in the register available for inspection....
The Commissioner must keep and maintain a register of data users who have submitted data user returns, using information in those returns and in any change notices....
For the purpose of verifying the accuracy of information in a data user return or change notice, the Commissioner may...
Subject to subsection (2), the Commissioner may, by notice in the Gazette, specify a class of data users to which this section shall apply...
A failure on the part of any data user to observe any provision of an approved code of practice shall not of itself render the data user liable to any civil or criminal proceedings...
Subject to subsections (8) and (9), for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users, the Commissioner may...
No civil liability is incurred by the person appointed to be the Commissioner under section 5(3) or a prescribed officer in respect of anything done or omitted to be done by the person or...
There is hereby established a committee by the name of the Personal Data (Privacy) Advisory Committee for the purpose of advising the Commissioner...
Subject to subsection (2), the Commissioner may delegate in writing any of his functions or powers under this Ordinance to any prescribed officer subject to such terms and conditions...
The Commissioner may employ such persons (including technical and professional persons)...
The Commissioner shall monitor and supervise compliance with the provisions of this Ordinance...
Where the person appointed to be the Commissioner dies,resings,is removed from office...
The person appointed to be the Commissioner shall not, without the specific approval of the Chief Executive— (Amended 34 of 1999 s. 3)...
For the purposes of this Ordinance, there is hereby established an office by the name of the Privacy Commissioner for Personal Data...
A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under this Ordinance...
This Ordinance binds the Government...
In this Ordinance, unless the context otherwise requires...
This Ordinance may be cited as the Personal Data (Privacy) Ordinance...