EU - Hong Kong: GDPR v. PDPO
In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 (PDPO).
The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPO with the GDPR.
What is the PDPO?
The PDPO, initially enacted in 1996 and significantly updated in 2012, focuses on data protection and telemarketing regulation. Key amendments took effect on February 1, 2021, along with subsidiary regulations like the Personal Data Protection Regulations 2021, reinforcing the PDPO's role in safeguarding personal data rights and privacy in the digital age.
Key highlights
The PDPO and the GDPR share some similarities. Both laws:
- share similar definitions for 'data controller,' 'data users,' and 'data processor;'
- provide similar requirements for accountability;
- share common elements in terms of the information to be provided to data subjects; and
- grant supervisory authorities investigatory, corrective, and advisory powers.
However, despite their similarities, the PDPO and the GDPR sometimes differ in their approach. For example:
- the PDPO does not specifically clarify its applicability based on the nationality or place of residence of a data subject;
- the GDPR defines special categories of personal data, which the PDPO does not;
- the PDPO does not require or refer to Data Protection Impact Assessments (DPIA);
- the PDPO does not mention anonymisation or pseudonymisation; and
- the PDPO does not require the maintenance of general data processing records.