PDPO Compliance for Hong Kong Startups – A Practical Legal Guide

Hong Kong startup PDPO guide — privacy notices, direct marketing rules, employee data, cookies, breach response, and a practical compliance checklist for founders.

Introduction

Most Hong Kong startups think about data privacy after a problem arises — a user complaint, a breach, or a due diligence request from a potential investor. By then, the gaps are usually expensive to fix.

The Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) applies to virtually every business that collects data about identifiable individuals. For startups, that means from day one: from the first sign-up form on your landing page, the first employee you hire, and the first marketing email you send.

This guide sets out what the PDPO requires, where startups most commonly fall short, and what you should have in place before you scale.

Who Is a “Data User” Under the PDPO?

The PDPO imposes obligations on “data users” — persons who, either alone or jointly with others, control the collection, holding, processing, or use of personal data. If your startup collects names, email addresses, phone numbers, IP addresses, payment details, or any other information that could identify a living individual, you are a data user and the PDPO applies to you.

A “data processor” is a different concept — a person who processes personal data on behalf of a data user without exercising control over the data’s use. If you outsource data processing to a third-party vendor (such as a CRM provider, cloud storage service, or payroll processor), that vendor may be acting as your data processor. The PDPO imposes direct obligations on data users in relation to how they engage their data processors, including contractual safeguards.

The Six Data Protection Principles

The PDPO’s core obligations are set out in six Data Protection Principles (DPPs). Every startup should understand what each one requires in practice:

DPP1 — Purpose and Collection

Personal data should be collected for a lawful purpose directly related to the function or activity of the data user. The collection must be necessary for or directly related to that purpose, and data should not be excessive relative to what is needed. Before collecting data, ask: what is the specific, legitimate purpose? Is this data actually needed for that purpose?

DPP2 — Accuracy and Retention

Personal data should be accurate and not retained longer than is necessary for the purpose for which it was collected. Startups frequently overlook retention — keeping years of user data “just in case” is not compliant. You should have a written data retention policy specifying how long each category of data is kept and the process for secure deletion.

DPP3 — Use

Personal data should only be used for the purpose for which it was collected, or a directly related purpose, unless the data subject consents to a different use. This means you cannot collect email addresses for account registration and then use them for marketing campaigns without a separate basis for doing so (such as explicit consent or the direct marketing provisions of the PDPO).

DPP4 — Security

Practicable steps must be taken to ensure that personal data held by the data user is protected against unauthorised or accidental access, processing, erasure, loss, or use. For startups, this means: access controls, encryption (at rest and in transit), regular security assessments, and a plan for what to do when something goes wrong.

DPP5 — Openness

Data users must make available to data subjects information about their policies and practices in relation to personal data. This is the basis for your privacy policy. It should be accurate, up to date, written in plain language, and actually accessible (not buried in a footer no one reads).

DPP6 — Data Access and Correction

Data subjects have the right to request access to their personal data held by the data user, and to request corrections if the data is inaccurate. You must respond to a data access request (DAR) within 40 days of receiving it and charge no more than a prescribed fee. Failing to respond, or refusing without justification, is a breach of the PDPO.

Privacy Notices: What Your Startup Must Tell Users

Before or at the time of collecting personal data, you are required to inform the data subject of the purpose for which the data is collected, the classes of persons to whom the data may be transferred, and their rights to access and correct their data. This is the “PICS” obligation — Personal Information Collection Statement.

In practice, your PICS should be incorporated into your sign-up forms, onboarding flows, and wherever data is collected. It is not sufficient to have a privacy policy on your website if users are never directed to it at the point of collection. For apps and SaaS products, this means surfacing the key privacy information clearly before users submit their data — not just linking to a 3,000-word policy in small print.

Common startup mistakes include: having a generic privacy policy that doesn’t reflect actual data practices, forgetting to update the policy when new data types are collected or new vendors are engaged, and failing to include the PICS at every collection point (not just the registration form).

Consent and Purpose Limitation

The PDPO does not require consent for all uses of personal data — but it does require that data is only used for the purpose it was collected (or a directly related purpose), and consent is required to use data for other purposes.

In the startup context, this most commonly arises with:

  • Product analytics: Collecting usage data to improve your product is generally within the scope of what users would expect when they sign up for your service — but be explicit about this in your PICS.
  • Marketing: If you want to send marketing emails to existing users (beyond transactional communications), you need either their consent or to comply with the direct marketing provisions of the PDPO (see below).
  • Selling or sharing data: You cannot sell user data, share it with partners for their own marketing, or use it for purposes unrelated to your product without separate consent.

Direct Marketing Rules

The PDPO contains specific provisions on direct marketing (Sections 35A to 35J) that apply to every startup sending marketing communications — emails, SMS, push notifications, or any other form of marketing addressed to identifiable individuals.

The key rules are:

  • You must have the consent of the data subject before using their personal data for direct marketing, unless the data was collected from the individual directly in the context of a sale or likely sale of goods or services, in which case you can market your own similar products to them without prior consent, provided you gave them an opt-out opportunity at collection and they have not opted out.
  • Every marketing communication must include an opt-out mechanism. Once a person opts out, you must stop using their data for marketing within a reasonable time (in practice, immediately).
  • You cannot transfer data to third parties for their direct marketing use without the explicit consent of the data subject.

For startups using growth hacking tactics, referral programmes, or purchased email lists, these rules have significant implications. Purchased lists or scraped contacts without a valid consent basis are a PDPO compliance risk.
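A pre-send gate that encodes the direct marketing rules above (consent, the sale-context exemption for your own similar products, opt-out suppression, and explicit consent for third-party use), added here as an example rather than code from the guide or the firm; the contact and campaign field names are assumptions for illustration.

```javascript
// Added example, not from the original guide. Encodes the PDPO direct
// marketing rules as a pre-send decision. Field names are assumed:
//   contact: optedOut, consentToDirectMarketing, collectedDirectlyInSale,
//            optOutOfferedAtCollection, consentToThirdPartyTransfer
//   campaign: ownSimilarProducts, thirdPartyUse
// A contact may be marketed to when (a) they consented and have not opted
// out, or (b) the data was collected directly from them in the context of a
// sale, an opt-out was offered at collection, they have not opted out, and
// the message markets the business's own similar products. Passing data to a
// third party for that party's marketing needs explicit consent.
function marketingDecision(contact, campaign) {
  if (contact.optedOut) {
    return { allowed: false, reason: "opted out: suppress" };   // opt-out beats every basis
  }
  if (campaign.thirdPartyUse) {
    return contact.consentToThirdPartyTransfer
      ? { allowed: true, reason: "explicit consent to third-party transfer" }
      : { allowed: false, reason: "no explicit consent for third-party marketing use" };
  }
  if (contact.consentToDirectMarketing) {
    return { allowed: true, reason: "consent to direct marketing" };
  }
  const saleContextExemption = Boolean(contact.collectedDirectlyInSale &&
    contact.optOutOfferedAtCollection && campaign.ownSimilarProducts);
  if (saleContextExemption) {
    return { allowed: true, reason: "own similar products; collected in sale, opt-out offered" };
  }
  return { allowed: false, reason: "no consent basis: do not send" };
}

// Split a send list into contacts with a basis and suppressed contacts,
// keeping the reason for each so the decision is auditable later.
function buildSendList(contacts, campaign) {
  const send = [], suppressed = [];
  for (const c of contacts) {
    const d = marketingDecision(c, campaign);
    (d.allowed ? send : suppressed).push({ id: c.id, reason: d.reason });
  }
  return { send, suppressed };
}

// Constructed sample contacts (not real data).
const SAMPLE_CONTACTS = [
  { id: "c1", consentToDirectMarketing: true, optedOut: false },
  { id: "c2", consentToDirectMarketing: true, optedOut: true },
  { id: "c3", collectedDirectlyInSale: true, optOutOfferedAtCollection: true, optedOut: false },
  { id: "c4", collectedDirectlyInSale: true, optOutOfferedAtCollection: false, optedOut: false },
  { id: "c5", optedOut: false },  // purchased or scraped contact: no basis at all
];
```

Run `buildSendList(SAMPLE_CONTACTS, { ownSimilarProducts: true, thirdPartyUse: false })` to see c1 and c3 pass and c2, c4, c5 suppressed with reasons.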

Employee and HR Data

The PDPO applies to employee data just as it applies to customer data. When you hire your first employee, you are collecting personal data: HKID numbers, bank details, salary information, performance records, and more.

For startups, key HR data obligations include:

  • Having a clear purpose for each category of employee data collected and not retaining data beyond the employment relationship (subject to legal retention requirements).
  • Ensuring employee data is accessible only to those with a legitimate need (e.g., payroll, HR) and is stored securely.
  • Responding to employee data access requests promptly and accurately.
  • Not disclosing employee data to third parties (including potential acquirers in due diligence) without appropriate safeguards.

Data rooms for M&A due diligence involving employee records require particular care. Anonymisation or aggregation of employee-level data is often appropriate in early-stage due diligence. If personal data is shared, it should be governed by a confidentiality agreement that addresses data protection obligations.

Cookies, Analytics, and Website Tracking

If your website uses cookies, analytics tools (such as Google Analytics, Mixpanel, or similar), session recording, or retargeting pixels, you are collecting personal data from visitors. The PDPO applies to this collection.

Best practices for startups:

  • Display a clear and informative cookie notice explaining what data is collected and for what purpose.
  • For non-essential cookies (analytics, marketing), obtain user consent before placing them — a banner that states “by continuing to use this site, you consent” is generally not compliant. Affirmative consent (clicking “Accept” or equivalent) is the more defensible approach.
  • Review the privacy settings on your analytics tools to minimise data collection to what is genuinely needed.
  • Where analytics providers process data outside Hong Kong, consider your cross-border transfer obligations (see below).
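A minimal consent gate for non-essential cookies, added here as an example and not taken from the guide: analytics or marketing scripts are loaded only after an explicit "accept", an implicit "continuing to use the site" signal is rejected, and a decision recorded under an older notice version is asked for again. The storage object and the policy version string are assumptions; in a real page the storage would be `window.localStorage` and the loader would inject the analytics script tag.

```javascript
// Added example, not from the original guide. Gates non-essential cookie
// categories behind affirmative consent. Storage is injected so it runs
// outside a browser (assumed interface: getItem/setItem/removeItem).
const POLICY_VERSION = "2024-01"; // assumed; bump whenever the cookie notice changes

class ConsentGate {
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
    this.loaded = new Set(); // categories whose scripts are already on the page
  }

  // Stored decision, or null if absent or given under an older notice version.
  current() {
    const raw = this.storage.getItem("cookie-consent");
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === POLICY_VERSION ? rec : null;
  }

  // Record an explicit click. Anything other than accept/reject (scrolling,
  // "continuing to browse") is refused: it is not affirmative consent.
  record(decision, categories = []) {
    if (decision !== "accept" && decision !== "reject") {
      throw new Error("consent must be an explicit accept or reject, got " + decision);
    }
    const rec = { version: POLICY_VERSION, at: this.now(), decision,
                  categories: decision === "accept" ? [...categories] : [] };
    this.storage.setItem("cookie-consent", JSON.stringify(rec));
    return rec;
  }

  withdraw() { this.storage.removeItem("cookie-consent"); }

  isAllowed(category) {
    if (category === "essential") return true; // strictly necessary cookies need no consent
    const rec = this.current();
    return rec !== null && rec.decision === "accept" && rec.categories.includes(category);
  }

  // Invoke the loader (e.g. inject the analytics script) at most once, and
  // only while consent for that category is in force. Returns true if loaded.
  loadIfAllowed(category, loader) {
    if (!this.isAllowed(category) || this.loaded.has(category)) return false;
    this.loaded.add(category);
    loader();
    return true;
  }
}

// In-memory stand-in for localStorage so the example runs under Node.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
  removeItem(k) { this.m.delete(k); }
}
```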

PDPO and AI or Data-Driven Products

Startups building AI or data-driven products face heightened PDPO exposure, particularly if personal data is used to train models, generate insights about individuals, or drive automated decisions.

Key issues include:

  • Repurposing data for AI training: Using customer data collected for one purpose (e.g., providing a service) to train a machine learning model may constitute a use for a different purpose, which requires consent or a fresh collection basis.
  • Profiling and automated decisions: The PDPO’s DPP3 (use limitation) is particularly relevant where AI systems generate individual-level outputs (credit scores, recommendations, risk assessments) that are used to make decisions about individuals.
  • Data from third parties: Using datasets purchased from data brokers or scraped from public sources may involve personal data. Ensure the source had a lawful basis to collect and transfer the data before using it in your product.

Startups should build data governance into their AI products from the start, not as an afterthought. This includes data lineage documentation, consent mechanisms appropriate to the use case, and a process for handling individual requests to access or correct AI-derived inferences.

Cross-Border Data Transfers

If your startup transfers personal data outside Hong Kong — to cloud servers in the US, a development team in another jurisdiction, or an overseas analytics provider — you need to consider the PDPO’s cross-border transfer framework.

Although Section 33 of the PDPO (which restricts cross-border transfers) has not yet been brought into force, the Office of the Privacy Commissioner for Personal Data (PCPD) has issued guidance recommending that data users incorporate model data transfer clauses into their vendor agreements. These clauses impose obligations on the overseas recipient that mirror the PDPO’s protections.

As a practical matter, startups should include data protection provisions in all vendor and processor agreements, regardless of whether the vendor is in Hong Kong. This is also increasingly expected by investors and enterprise customers during due diligence.

What Happens When You Receive a Data Access Request?

A data access request (DAR) is a formal request from an individual to access the personal data you hold about them. Any individual whose data you hold can submit a DAR — this includes users, former employees, or any other person whose data you have collected.

When you receive a DAR:

  • You must respond within 40 days of receiving the request.
  • You may charge a prescribed fee (currently HK$30 for a standard DAR).
  • You must provide the data in a form that is intelligible to the requestor.
  • You can refuse to provide data in limited circumstances (e.g., where disclosure would reveal data about another individual, or where the data is subject to legal professional privilege).
  • If you cannot comply within 40 days, you must notify the requestor within 40 days and provide a reasonable estimate of when you can comply.

Many startups have no process for handling DARs. If you receive one and do not respond correctly, the data subject can complain to the PCPD, which may issue an enforcement notice or refer the matter for prosecution.

Data Breach Response

The PDPO does not currently impose a mandatory breach notification requirement (unlike the EU’s GDPR or some other jurisdictions). However, the PCPD has published guidance on data breach handling and expects data users to take reasonable steps to contain breaches and notify affected individuals where appropriate.

In practice, startups should have a written data breach response plan that covers:

  • How to detect and assess a breach (systems access logs, monitoring tools).
  • Internal escalation procedures.
  • Steps to contain the breach and prevent further loss or unauthorised access.
  • Assessment of the risk of harm to affected individuals.
  • Communication with affected individuals where there is a real risk of harm.
  • Notification to the PCPD in cases involving significant risk.

Even without a legal mandate, voluntary notification to affected individuals following a breach is generally the right approach. Data subjects who find out about a breach from a third party rather than from you are significantly more likely to complain to the PCPD or seek legal advice.

PDPO Compliance Checklist for Startups

Before you launch (or as a catch-up exercise if you’re already operating), work through the following:

  • Data inventory: Map every category of personal data you collect, where it is stored, who has access to it, and what it is used for.
  • Privacy policy: Draft a clear, accurate privacy policy that reflects your actual practices. Update it whenever your data practices change.
  • PICS: Ensure you provide a Personal Information Collection Statement at every point of data collection, not just on your main sign-up form.
  • Consent mechanisms: Where you rely on consent (for marketing, non-essential cookies, or uses beyond the original purpose), ensure consent is freely given, specific, informed, and affirmative.
  • Data retention policy: Define how long you keep each category of data and implement a process for secure deletion.
  • Vendor contracts: Include data protection clauses in all agreements with processors and overseas vendors.
  • Direct marketing opt-out: Ensure every marketing communication includes a clear opt-out mechanism and that opt-outs are honoured promptly.
  • DAR process: Designate who is responsible for handling data access requests and document your process.
  • Security measures: Implement appropriate technical controls (encryption, access controls, MFA) and document your security posture.
  • Breach response plan: Have a written plan ready before you need it.

How Alan Wong LLP Can Help

Alan Wong LLP advises Hong Kong startups on PDPO compliance at every stage — from pre-launch privacy architecture to due diligence preparation for a fundraise or acquisition. We draft and review privacy policies, PICS, direct marketing consents, and data processing agreements. We advise on the PDPO obligations applicable to AI and data-driven products, cross-border transfers, and breach response.

If you are building a startup in Hong Kong and want to get your data privacy framework right from the start, we can help you do so efficiently and at a cost that makes sense for an early-stage company.
