Thailand PDPA Its impact and the need to prepare

Thailand PDPA Its impact and the need to prepare



In May 2019, Thailand’s first comprehensive data privacy law- the Personal Data Protection Act or the PDPA- emerged amidst growing concerns regarding the collection and use of mass data by corporations. The PDPA is a prescriptive and detailed data security regime that sets high standards for protecting personal information. It grants individuals greater rights over how their data is collected and used and equips the regulators with the power to impose heavy fines on companies for non-compliance. The PDPA is modeled after the General Data Protection Regulation (679/2016/EU) or the GDPR which was implemented by the European Union in 2018. Since its inception, the GDPR has become the global standard for personal data protection and many other jurisdictions, including Thailand, have followed suit by introducing their own version of data privacy laws that were drafted based on the GDPR.


PDPA Impact


The impact of the PDPA on businesses operating in Thailand is significant as it requires them to make several changes within the organisation regarding their data-handling practices to comply with PDPA mandatory requirements regarding the collection, use and disclosure of personal data. The government has allowed a one-year transition period for businesses to make the necessary preparations and arrangements to comply with the PDPA requirements before they come into full force on 27 May 2020.


Territorial Reach 


The PDPA is far-reaching in its scope and applies extraterritorially. It applies to businesses located in Thailand if they collect, use and disclose personal data, regardless of whether such collection, use or disclosure takes place in or outside Thailand. The PDPA also applies to businesses located outside Thailand if they collect, use and disclose personal data from individuals located in Thailand, for purposes of offering products or services to them (irrespective of whether payment is required) or monitoring their behaviours.


Personal Data Definition


Personal data is broadly defined in the PDPA. Similar to the GDPR, it is defined to include “any information relating to an identified or identifiable natural person (“data subject”) either directly or indirectly”. This could include anything from a customer’s name, mobile phone number, shipping address, credit card information, information relating to a customer’s membership programs, HTTP cookies to comments made on social media. Often businesses with an online presence collect that information regardless of whether they are selling any products or services. This could also include the kind of information which, on its own, does not identify a specific person but when combined with information from other sources – whether from a third party or the public – could be used to identify a person.


Legal Obligation


But perhaps the most fundamental requirement under the PDPA is the call for businesses to ensure that their data privacy policy is legally compliant. Central to the PDPA is the issue of consent being obtained from data subjects prior to the collection, use and disclosure of their personal information. The PDPA sets out several mandatory requirements regarding how consent from the data subjects should be obtained, the manner in which consent is to be requested and additional requirements if the data to be collected is classified as sensitive personal data. Businesses that fail to comply with the requirements under the PDPA risk heavy civil and criminal liabilities and public reputation damage that could be irreparable.


Understanding PDPA Requirements 


The PDPA’s breadth of application and the adverse consequences for businesses do not comply with its terms make it crucial for all companies to fully understand the requirements and potential impacts on their businesses. Moreover, though there are similarities between the PDPA and the GDPR, compliance with one does not necessarily ensure compliance with the other as there are differing requirements under the two regimes. Now that the PDPA compliance deadline is looming, it is fundamental that all companies potentially affected by the PDPA spend the next few months formulating and strengthening their personal data privacy schemes to ensure successful implementation of its terms within the organisation and demonstrate they are compliant when the deadline arrives.

Relentless will be visiting Bangkok between 2nd to 12th of march Get in touch and book a meeting


Meet Us In Bangkok

Big Changes in Hong Kong’s PDPO As Discussion Paper is Released

Big Changes in Hong Kong’s PDPO As Discussion Paper is Released

In January , the Constitutional and Mainland Affairs Bureau (the CMAB)  released its discussion paper (LC Paper. No. CB(2) 512/19-20(03) (the Paper) seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the Personal Data (Privacy) Ordinance (Cap.486) (the PDPO). The Paper was released on Monday 13th January, as part of an agenda for the Panel meeting which was held on Monday, 20th January, and follows proposals by the Privacy Commissioner for Personal Data (the Commissioner) to the government to amend the PDPO. The Paper sets out six proposed amendments to the PDPO:


Data Breach


  • Introduction of a mandatory breach notification mechanism. It is proposed that the mechanism should include:
    1. a definition of “personal data breach” along the lines of the GDPR definition, being “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”;
    2. a notification threshold so the mechanism will only apply to data breaches that have a “real risk of significant harm” taking into account factors such as the type and amount of data leaked and the security level of the data (encrypted or not);
    3. a time frame for notifying the breach to the Commissioner and individuals. An example of, “as soon as practicable and, under all circumstances, in not more than five business days” is included in the Paper; and
    4. details on the method of notification, as well as the content.


Data Retention


  • Certainty around data retention periodsIt is proposed that data users will be required to have clear retention policies. The Paper recognises that it is not practicable to set a uniform retention period applicable to all types of personal data held by various organisations for different purposes. As such, the Paper proposes requiring data users to have in place a clear retention policy that specifies:
    • a maximum retention period for different categories of personal data collected;
    • legal requirements that may affect the retention periods (for example, tax, employment and medical regulations); and
    • how the retention period will be counted. For example, from the date of collection of personal data, or from expiry of a data subject’s membership with the organisation.


Enhanced Powers


  • Changes to the Commissioner’s sanctioning powers. In order to enhance the deterrent effect of the PDPO and strengthen the Commissioner’s powers, the following changes are proposed:
    • increasing the relevant criminal level fines and potentially linking the fines to a percentage of annual turnover and a scale which would have different levels of fines depending on the turnover of the data user;
    • conferring powers on the Commissioner allowing him to directly impose administrative fines for breaches of the PDPO. Such fines should take into consideration a number of factors including the types of data compromised, severity of the data breach, whether the data user intended the breach to happen and its attitude towards the handling of the breach, remedial actions taken, track record etc. Data users should have the right to appeal the fines, and be given appropriate time to do so; and
    • a mechanism for the imposition of the administrative fine.


Accountability Enhancement 


  • Regulation of data processorsThe purpose of this amendment is to share responsibilities for data protection between data users and processors, and prevent data processors from neglecting the importance of preventing personal data leakage. Data processors would be held directly accountable for data retention and security, equal obligations would be imposed on data processors and they would be required to notify the Commissioner and the data user upon becoming aware of a data breach.

Personal Definition of Personal data 

  • Amendment to the definition of personal dataChanges to the definition would expand the current definition to include information that relates to an “identifiable natural person”, rather than an “identified person”. This change reflects the wide use of tracking and data analytic technology being used today and is in line with definitions adopted in other jurisdictions.




  • Regulation of disclosure of personal data of other data subjects. This change is proposed primarily to curb the effect of doxxing of which we have seen an increase recently in Hong Kong. Since 14 June, 2019,  the Commissioner has received over 4700 doxxing related complaints and enquiry cases since 14 June, 2019. Proposed measures include conferring statutory powers on the Commissioner allowing a request to remove doxxing content from social media platforms or websites, as well as criminal investigation powers and prosecution.


These changes are the first changes to the PDPO to be proposed in over 10 years. They are in response to recent data protection related events in Hong Kong and reflective of changes and new laws we have seen in other jurisdictions.


Relentless Privacy and Compliance Services advises clients on all Global data regulations 



Find Out More


How Thailand’s New Data Protection Act The PDPA Affects Foreign Service Providers

How Thailand’s New Data Protection Act The PDPA Affects Foreign Service Providers

The PDPA Act


The newly enacted PDPA has significant implications for foreign data controllers and data processors—even those who maintain no presence in Thailand.


Thailand’s Personal Data Protection Act (PDPA) has been enacted and became effective on May 28, 2019. However, all substantive requirements of the new law only become enforceable following a one-year grace period, on May 28, 2020. By that time, the Ministry of Digital Economy and Society and the Personal Data Protection Committee (“Committee”) shall have issued regulations prescribing further clarification and guidelines for the PDPA’s implementation.


Extraterritorial Effect,


The newly enacted PDPA has significant implications for foreign data controllers and data processors—even those who maintain no presence in Thailand.

The PDPA is made expressly applicable to all operators (data controllers and data processors) who are located in Thailand; but also provides for extraterritorial application to foreign operators who collect, use or disclose personal information belonging to persons in Thailand. .

PDPA Section 5 expressly provides for application to operators located outside Thailand, not only to protect the personal data of Thai nationals, but to protect the personal data of all persons “located in Thailand” regardless of nationality. Section 5’s extraterritorial application is, however, limited to foreign data controllers and data processors whose activities involve either (a) offering (free or paid) products or services to personal data owners located in Thailand; or (b) monitoring the behavior of personal data owners in Thailand.


Privacy Notice Language 


The PDPA does not mandate that required notices and consent requests under the law be issued in the Thai language. This means that such notices/consent requests can theoretically be in English or any other language. However, the PDPA does require that notices and consent requests be “in an intelligible and easily accessible form, using clear and easy-to-read language”. Ministerial regulations to be issued will clarify these requirements further. These regulations may yet specify a Thai-language requirement in order to fulfil the “easy-to-read language” directive.


Cross Border Transfers 


PDPA Section 28 also provides express requirements for cross-border transfers of relevant personal data to foreign recipients outside Thailand. The foreign recipient entity or country must ensure adequate protection for any personal data received in accordance with rules to be prescribed by the Committee. Such rules are expected before the grace period for enforcement expires in May, 2020.

Cross-border transfers of personal data also require compliance with applicable notice and consent requirements of the PDPA on each occasion. However, PDPA Section 28 provides exceptions to the notice/consent requirement for cross-border transfers when such transfers are in compliance with a contract obligation of the data controller “for the benefit of the data owner” or otherwise necessary “to comply with the data owner’s request” before entering into such a contract.

PDPA Section 29 provides further exceptions for cross-border transfers of personal data from Thailand if such transfers are made by a Thai data controller as part of either (a) an affiliated undertaking; or (b) an affiliated business, with the foreign entity receiving such personal data abroad. Such “affiliated” cross-border transfers must be in accordance with a written intra-group/affiliate data protection policy which must be certified by the office of the Committee. By obtaining such certification, international group companies may avoid the need for specific notice and consent of data owners in order to share personal data with foreign affiliates outside Thailand.

In the absence of a certified personal data protection policy, personal data may still be transferred abroad if the foreign data controller or data processor provide data protection measures that afford legally enforceable remedies to data owners in Thailand. While no guidance has been provided for what such “legally enforceable remedies” would need to be, we should expect this exception to be linked to Section 36(5)’s requirement that all foreign data controllers and data processors appoint in writing a local representative in Thailand which would be liable (without limitation) to ensure the lawful collection, use and disclosure under the PDPA.

Note, Section 37 provides an exception to the Section 36(5) requirement for appointing a locally responsible Thai representative in cases where (a) the affected personal data does not include sensitive data (defined as ethnicity, race, political opinions, doctrinal, religious or philosophical beliefs, sexual behavior, criminal records, health records, labor union information, hereditary information, and biological information); and (b) does not involve large volumes of data (which limits will be prescribed by the Committee when regulations are announced in May 2020).

Finally, Section 80 provides a final catch-all exception to notice and consent requirements, as well as the cross-border data transfer requirements of Section 28, in cases of disclosure of personal data to lawfully authorized foreign government agencies (analogous to required disclosures contained in banking and anti-money laundering laws).

Breach of the PDPA exposes foreign operators, and their authorized directors, to fines and potential imprisonment.


Relentless privacy and Compliance Services provides expert PDPA  and representative services for international organisations offering services in Thailand


Find Out More

India’s Draft Personal Data Protection Bill PDPB Your Guide

India’s Draft Personal Data Protection Bill PDPB Your Guide

On 27 July 2018, the Srikrishna Committee published a draft bill for a new, comprehensive data protection law, the Personal Data Protection Bill 2018 (PDPB) in response to a mandate the Indian government received from the Indian Supreme Court the previous year following its ruling that recognized privacy as a fundamental right. While the bill has not yet been passed it, Telecom and IT minister Ravi Shankar Prasad has made it a priority to take the data protection bill to Parliament during his current term.

Heavily influenced by the EU’s General Data Protection Regulation, the new bill would grant Indian data subjects extensive data protection rights while imposing limitations on the collection and processing of personal and sensitive data. The Bill came under fire from the international tech community because of the data localisation policy included in it that would require any company processing the personal data of Indian data subjects to store a copy of that data on Indian territory.

While the draft bill may suffer some amendments before it will be submitted to Parliament, which in turn may request further changes, it will serve as the basis for the final bill.


What is personal information?


The draft bill makes reference to three categories of data: personal data that refers to any data about or relating to a natural person (named data principal in the bill); sensitive personal data which includes health and genetic data, biometrics, caste or tribe data, passwords etc. and critical personal data which remains undefined but can be notified by the central government.  The processing of data relating to children is also restricted while irreversibly anonymized data is exempt from the law.


Who will it apply to?


The bill would apply to government as well as private entities whether they are data collectors (named data fiduciaries in the bill) or data processors that collect, store, disclose, share or otherwise use personal data connected to any business carried out in India or as a result of systematic offering of goods and services to data principals in India, or profiling of data principals within India.

This means that the bill would have an extraterritorial reach and any company processing the personal data of Indian data principals would have to comply with the new law.

The bill also specifies that the Data Protection Authority enforcing it can classify certain types of data fiduciaries as significant or high risk data controllers. These would be organisations that process sensitive data or large volumes of personal data or have a high turnover rate which would pose a risk of harm to data subjects. Additional requirements would apply to these significant data controllers: they would need to appoint a Data Protection Officer, conduct data protection impact assessments, data audits and comply with record keeping requirements.


New Rights for Indian Data Principals


Taking a leaf from the GDPR’s book, the bill grants Indian data principals the right to confirm, access and correct their data as well as the right to be forgotten and to data portability. However, there are a few marked differences in the enforcement of these rights. In order for an Indian data principal to have his data forgotten for example, he would first have to submit a request to an adjudicating authority under the bill which would need to take several factors into consideration before granting it.


Cross-border Data Transfers


Transfers of Indian data principals’ personal data to third countries would follow rules similar to those laid out in the GDPR. The bill introduces European Commission-style adequacy decisions which the Indian government would grant to countries it believes have an adequate level of data protection, similar to that existent in India.

Cross border data transfers would also be permissible if standard contractual clauses, as defined by the Data Protection Authority, would be applied. The bill under its current form does not clarify whether additional data principal consent would be required in either of these two cases.


The Data Localisation Policy


The most controversial requirement of the draft bill is a data localisation policy which demands that a copy of all personal data falling under the incidence of the bill be stored in India by the data controller. Additional copies can be stored outside of India, but the government can choose to make it mandatory to store certain categories of data only in India.

The bill was a hot topic during the Indo-US bilateral talks earlier this year: the PDPB along with another draft bill on e-commerce were criticised by US secretary of commerce Wilbur Ross as containing proposals that were discriminatory and trade distortive. He further expressed his doubts that India possesses the infrastructure to be able to save its companies’ data. In response, the Indian government expressed its sovereign right over the data produced within the country.

A group of associations that included the US Chamber of Commerce, the US-India Business Council (USIBC), the Japan Electronics and Information Technology Industries Association (JEITA) and DIGITAL EUROPE also expressed their belief that the data localisation policy would deter global tech companies from continuing their business in India as storing data locally would raise company costs by 30-60% while not guaranteeing data security.


Data breach notifications


The bill includes mandatory data breach notifications for all data controllers. The Data Protection Authority would have to be informed of any breaches that are likely to harm data principals. While the bill does not specify a deadline for the notification, the Data Protection Authority can clarify this point and set a time limit within which a data breach notification must be made.

It is also up to the Data Protection Authority to decide whether data subjects must be notified of the breach, what remediation actions should be taken and whether details concerning the data breach would be published on its website.




The bad news for companies is that the bill’s penalties are also inspired by its European cousin, the GDPR. Organisations failing to notify data breaches or to meet their obligations as a significant data controller would be fined up to approximately USD 730,000 or 2% of a company’s global turnover.

Unlawful cross-border data transfers, failure to provide notices to data principals along with a legitimate basis for processing or processing the data of children in contravention of the bill would lead to even more serious fines: up to approximately USD 2.7 million or 4% of a company’s global turnover.

The penalties are not only financial: the sale of personal data that results in the significant harm of a data principal or the re-identification of anonymized data would result in criminal penalties.


Relentless Privacy and Compliance Services delivers expert global data privacy services 


Find Out More


Hong Kong Data Protection The PDPO Your Guide

Hong Kong Data Protection The PDPO Your Guide

The Ordinance at a Glance


The PDPO is applicable to both the private and the public sectors. It is technology-neutral and principle-based. The Data Protection Principles (“DPPs” or “DPP”), which are contained in Schedule 1 to the PDPO, outline how data users should collect, handle and use personal data, complemented by other provisions imposing further compliance requirements.

Before going into the details of the compliance requirements, it is important to first get familiar with a few key definitions under the PDPO:Personal Data means information which relates to a living individual and can be used to identify that individual. It must also exist in a form which access to or processing of is practicable.

Data Subject is the individual who is the subject of the personal data.

Data User is a person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data.

Data Processor is a person who processes personal data on behalf of another person (a data user), instead of for his/her own purpose(s). Data processors are not directly regulated under the PDPO. Instead, data users are required to, by contractual or other means, ensure that their data processors meet the applicable requirements of the PDPO.

The collective objective of DPPs is to ensure that personal data is collected on a fully-informed basis and in a fair manner, with due consideration towards minimising the amount of personal data collected. Once collected, the personal data should be processed in a secure manner and should only be kept for as long as necessary for the fulfillment of the purposes of using the data. Use of the data should be limited to or related to the original collection purpose. Data subjects are given the right to access and make correction to their data.


DPP1 Purpose and Manner of Collection


DPP1 provides that personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate but not excessive for such purpose. The means of collection should be lawful and fair.

If you collect personal data from data subjects directly, you should inform the data subjects whether it is obligatory or voluntary to supply the data, the purpose of using their data and the classes of person to whom their data may be transferred. You should also inform them of the right and means to request access to and correction of their data.


DPP2 Accuracy and Duration of Retention


DPP2 requires data users to take all practicable steps to ensure that personal data is accurate and is not kept longer than is necessary for the fulfillment of the purpose for which the data is used. If you engage a data processor for handling personal data of other persons, you should adopt contractual or other means to ensure that the data processor comply with the mentioned retention requirement.

Section 26 of PDPO requires data users to take all practicable steps to erase personal data that is no longer required for the purpose for which the data is used, unless erasure is prohibited by law or is not in the public interest. Section 26 could be engaged when a data user fails to respond to a complaint or request from a data subject for erasure of personal data. This situation attracts a heavier criminal gravity than just keeping the data longer than is necessary under DPP2. Contravention of the requirement under section 26 is an offence, punishable by a fine of up to HK$10,000.


DPP3 Use of Data


DPP3 prohibits the use of personal data for any new purpose which is not or is unrelated to the original purpose when collecting the data, unless with the data subject’s express and voluntary consent. A data subject can withdraw his/her consent previously given by written notice.

Regarding restrictions on use of personal data, Part 6A of the PDPO further requires that data users must obtain informed consent before using a data subject’s personal data for direct marketing or transferring the data to a third party for direct marketing. The consent must be an explicit indication by the data subject and broadly covers an indication of no objection. In other words, silence cannot constitute consent.

Besides, the consent must be an informed one. The data user must inform the data subject of the intention to use his/her personal data for direct marketing, the fact that the data user cannot so use the data unless with consent of the data subject, the kinds of personal data to be used, the classes of marketing subjects to be involved. The data user must also notify the data subject of the right to opt out. If the data user intends to transfer the data to a third party for direct marketing, he/she should inform the data subject of such intention, the classes of transferees, the classes of marketing subjects to be involved and the fact that the transfer is for a gain, etc. Failure to comply with the direct marketing requirements is an offence and can result in a fine of $500,000 and imprisonment for 3 years, or up to a fine of $1,000,000 and imprisonment for 5 years if data was provided to a third party for gain.

There is another noteworthy offence in section 64 of the PDPO regarding disclosure by a person of personal data of a data subject obtained from a data user without the data user’s consent. To constitute this offence, either the disclosing person has an intent to obtain gain or cause loss to the data subject or the disclosure causes psychological harm to the data subject. Although this kind of acts may be already covered under DPP3 (restriction against using personal data for a new purpose), this section was enacted to make it an offence due to the seriousness of the privacy intrusion and gravity of harm that may be caused to data subjects arising from such kind of acts. The maximum penalty is a fine of $1,000,000 and imprisonment for 5 years.


DPP4 Data Security


DPP4 requires that data users take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use. Data users should have particular regard to the nature of the data, the potential harm if those events happen, measures taken for ensuring the integrity, prudence and competence of persons having access to the data, etc. If you engage a data processor to process the personal data held, you must adopt contractual or other means to ensure that the data processor comply with the mentioned data security requirement.


DPP5 Openness and Transparency


DPP5 obliges data users to take all practicable steps to ensure openness of their personal data policies and practices, the kind of personal data held and the main purposes for holding it.


DPP 6 Access and Correction


DPP6 provides data subjects with the right to request access to and correction of their own personal data. A data user should give reasons when refusing a data subject’s request to access to or correction of his/her personal data.

DPP6 is supplemented by detailed provisions in Part 5 of the PDPO which cover the manner and timeframe for compliance with data access requests and data correction requests, the circumstances in which a data user may refuse such requests, etc. Data users are also required to maintain a log book to record all refusals made.




While data privacy is an important right, the interests protected under PDPO have to be balanced against other important rights or public interest. PDPO provides a number of exemptions from some compliance requirements under particular circumstances. Examples include crime prevention or prosecution, security and defence, statistics and research, news activity, protecting a data subject’s health etc. There is also an exemption if the use of personal data is required or authorised by law or court order or is required for exercising or defending legal rights in Hong Kong. A table summarising the exemption provisions can be found here.

An exemption is a defence for a data user to avoid liability when he/she fails to comply with certain compliance requirements under PDPO. As a data user, you should not routinely rely on exemptions. Instead, you should consider them on a case-by-case basis and you have to prove that an exemption applies in your case to defend a contravention of PDPO. On the other hand, the fact that a data user can rely on an exemption does not impose an obligation upon him/her to rely on such exemption. Nor does it empower any other person to compel the data user to rely on such exemption.




The Office of the Privacy Commissioner for Personal Data (“the Commissioner”) was established under PDPO as the dedicated data privacy regulator. If you find a possible breach of PDPO by a particular data user in relation to the handling of your personal data, you may lodge a complaint with the Commissioner. Depending on the facts involved and the evidence available, the Commissioner may carry out, refuse to carry out or terminate an investigation of the complaint.

When the Commissioner receives a complaint or has reasonable grounds to believe there may be a contravention of PDPO, the Commissioner may conduct an investigation of the suspected contravention and publish a report setting out the investigation results and recommendations if it is in the public interest to do so. If, upon completion of an investigation, it is found that the relevant data user is contravening or has contravened PDPO, the Commissioner may issue an enforcement notice to the data user directing remedial and/or preventive steps to be taken.

Contravention of a DPP is not an offence. However, contravention of certain provisions of PDPO is an offence. Examples include section 26 regarding erasure of personal data that is no longer required for the purpose for which it is used, section 64 regarding disclosure of personal data obtained from a data user without the data user’s consent and the direct marketing provisions, etc..

Contravention of an enforcement notice issued by the Commissioner is also an offence which may result in a maximum fine of $50,000 and imprisonment for 2 years, with a daily penalty of $1,000. Subsequent convictions can result in a maximum fine of $100,000 and imprisonment for 2 years, with a daily penalty of $2,000. A table summarising the various offences under PDPO and the respective penalties can be found here.

Data subjects may also seek compensation by civil action from data users for damage caused by a contravention of the PDPO. The Commissioner may provide legal assistance to the aggrieved data subjects if the Commissioner thinks fit to do so.

In addition, the Commissioner may proactively carry out an inspection of a personal data system of a data user or a class of data users for the purpose of making recommendations on how compliance may be enhanced by the data user(s). The Commissioner is also empowered to issue codes of practices to provide practical guidance on how to comply with the requirements under PDPO. Non-compliance with a code of practice itself is not an offence but can be a proof of contravention of the relevant requirement under PDPO.


Other Statutory Responsibilities


The Commissioner also has other responsibilities to promote public awareness and understanding of PDPO, examine proposed legislation with impact on data privacy, undertake research and monitor development in information technology that may affect personal data protection, etc. In addition to the role of an enforcer, the Commissioner also serves as an educator in promoting public understanding of PDPO and a facilitator in engaging with organisations to advocate the inclusion of personal data privacy protection in their businesses’ practices and operation in Hong Kong.


Relentless Privacy and Compliance Services delivers expert global data privacy services 


Find Out More

Big Changes in Hong Kong’s PDPO As Discussion Paper is Released

6 Data Protection Principles of the Hong Kong PDPO

The Personal Data (Privacy) Ordinance (the “PDPO”) was passed in 1995 and took effect from December 1996 (except certain provisions). It is one of Asia’s longest standing comprehensive data protection laws.Here we look at the six data protection principles


 The six data protection principles


Any person or organization collecting, holding, processing or using personal data must comply with the six data protection principles laid down in section 4 and schedule 1 of the Personal Data (Privacy) Ordinance . (Note: The person from whom personal data are or will be collected is called the “data subject” , and the person or organization that is collecting the personal data is called the ” “data user” .)

The Privacy Commissioner’s Office (PCO) may issue an enforcement notice to the person or company who committed the breach, with intent to direct that wrongdoer to stop violating the data collection principles and take any necessary remedial action. Non-compliance with the PCO’s enforcement notice is an offence and is liable to a fine or imprisonment. The victim who suffers damage, including injury to feelings, as a result of such violation may also be entitled to compensation from the wrongdoer through civil proceedings.


Principle 1 – purpose and manner of collection of personal data


Personal data must be collected for a lawful purpose. The purpose of collection must be directly related to a function or activity of the data user. The data collected should be adequate but not excessive in relation to that purpose.

Personal data should also be collected by lawful and fair means. Unauthorized access to another person’s bank account records or credit card information is an example of unlawful means of collecting personal data. If a person/organization intentionally uses a misleading way to collect personal data, this amounts to an unfair means of data collection. A company collecting the personal data of job applicants by means of recruitment activities when in fact they are not really recruiting any one is an example of unfair means of collecting personal data.

When personal data are collected from an individual, that person (the data subject) must be provided with the following information, which includes:

  • the purpose for which the data are to be used;
  • the classes of persons to whom the data may be transferred;
  • whether it is obligatory or voluntary for the data subject to supply the data;
  • the consequences arising if the data subject fails to supply the data; and
  • the data subject has the right to request access to and correction of the data.


Principle 2 – accuracy and duration of retention of personal data


Data users must ensure that the data held are accurate and up-to-date. If there is doubt as to the accuracy of the data, data users should stop using the data immediately. They should not keep the data any longer than is necessary for the purpose for which the data were collected.


Principle 3 – use of personal data


Unless personal data are used with the prescribed consent of the data subject, the data must not be used for any purpose other than the one mentioned at the time the data were collected (or a directly related purpose). “Prescribed consent” means the express consent given voluntarily by the data subject.


Principle 4 – security of personal data


Data users must take appropriate security measures to protect personal data. They must ensure that personal data are adequately protected against unauthorized or accidental access, processing, erasure, or use by other people without authority.


Principle 5 – information to be generally available


Data users must publicly disclose the kind (not the content) of personal data held by them and their policies and practices on how they handle personal data.

The best practice is to formulate a “Privacy Policy Statement” that encompasses information such as the accuracy, retention period, security and use of the data as well as measures taken regarding data access and data correction requests.


Principle 6 – access to personal data


A data subject is entitled to ask a data user whether or not the data user holds any of his/her personal data, and to request a copy of such personal data held by that user. If it is found that the data contained therein is inaccurate, the data subject has the right to request the data user to correct the record.

The data user must accede to the access and correction requests within a statutory period of 40 days. If the data user could not process the request within the period specified, it must provide a reply and state its reasons within 40 days.

Individuals/data subjects who wish to make data access requests may download the Data Access Request Form (OPS003) from the Privacy Commissioner’s Office and send the completed form to the company which holds the personal data. It should be noted that the Ordinance permits data users, in complying with the data access requests, to charge a reasonable fee. However, the data users concerned should not charge more than the direct cost of complying with the requests.

For more details of the six principles, please go to the Personal Data Privacy Liberal

Relentless Privacy and Compliance Services provides expert global privacy services.

Find Out More

Using CRM to Improve Customer Engagement and Maintaining Data Regulation Compliance

Using CRM to Improve Customer Engagement and Maintaining Data Regulation Compliance

Your employees are uniquely positioned to help boost your customer engagement. You will have key staff members who are your front-line ‘face of the company’ members that deliver and enhance your customer experience. These key members of staff need to be chosen carefully for their positive mental attitude because customers cannot help but to respond positively to upbeat, warm and friendly treatment.


From a manager’s point of view, these ‘front-line’ members of your team are in a position to observe and monitor your customers experience on a regular basis. They are in the best position to feed back to you any subtle changes in customer attitude and opinion to any changed to the products or services you offer.


CRM, or customer relationship management, is a very important factor for the success or ultimate failure of your business. Customers are key, and you want to ensure that each and every individual customer has a positive and pleasant experience while dealing with you. It is the thought and care that goes into the customer experience that will keep your customers loyal, and encourage them to come back for more.


Switched on company leaders understand the influence that their employees have on their customer experience, and will actively seek out ways to improve and build even more quality into customer engagement. It is in their best interests to build a winning team that can deliver great service every time through CRM.


There is an ever present danger that inexperienced company leaders will become so detached from their customer base that their focus becomes company-centric, and will put into place working schemes that better for the leaders, investors and shareholders. But without a solid and loyal customer base, there really will be no business!


A customer-centric business on the other hand is built through good customer relationship management. Listening to what the customer wants via regular feedback will enable a good manager to tweak their customer experience for the better, and the customer will feel important that they were part of the mission to improve your customer services.


To start off with, you will need to understand your customer inside and out, and be able to build a full 360 degree picture of your customer to be able to fully meet their needs and requirements. You can help this task by using good CRM software, and there are a few good systems available that can be tailored to suit your needs.


By conducting regular customer feedback sessions, implementing positive changes within your service, and then feeding back to your customers the results of their involvement, you will be building good levels of customer engagement.


You should always reward your front-line employees when they serve customers well, especially when customers are taking the time to leave positive feedback about individual staff members. This will not only encourage employees to keep up the good work, but compliments are infectious, and will boost overall team morale.


Research has proven that staff who work for a customer-centric company are six times more likely to be fully engaged with their work, which in turn leads to much higher levels of customer engagement. At the end of the day every company needs to delight their customers, and establishing good CRM practices is the key to all this.


You can use specialist’s tools such as CRM programmes to conduct market research campaigns, manage social media interaction, and help to build a 360 degree profile of your customer, but this is only one piece of the puzzle. Your employees on the ground who are customer-facing in their job every single day are the ones who can actively engage with customers, listen to their needs, and feedback to you about their experiences.


Employees should be encouraged to feedback to their managers about customer engagement and reaction to new promotions, products, marketing techniques etc. This can be easily done via access to an online company forum for example, where they can discuss feedback and ideas with other staff members and managers. Or if using a CRM programme, granting access to the system to allow them to make notes.


Most modern CRM programmes can be tailored to suit your individual company needs, so provision should be built within your system to allow for input from customer-facing staff, especially while trying out a new service being offered, or when a new product is being launched to customers. It is a great way to get real-time, honest customer reactions and opinions.


CRM software packages, whether online or stand-alone, can be a great tool for a growing business, and an essential piece of kit for large companies, but the most valuable customer relationship tool a business owner can possess is their own staff that are in a unique position with direct involvement with customers. It is the human touch that provides great customer service, be that face-to-face, over the telephone, or via online interaction.

Relentless Privacy and Compliance Services  provides expert consulting on CRM and data privacy regulations. Our award winning GDPR assessment  services are available and competitively priced.


 Find Out More

Data Collection and Data Processing Under the Brazil LGPD

Data Collection and Data Processing Under the Brazil LGPD

On December 28, 2018, the Provision Measure no. 869/2018 was published, which amended certain LGPD provisions and created the National Data Protection Authority (ANPD). Among other modifications, the LGPD will go into full force in August 2020, rather than February 2020 as required when the LGPD was first published. The LPGD, as amended, will take effect in August 2020.


Data Collection and Processing 


Under LGPD collection and processing is referred to as data treatment, and defined as all operations carried out with personal data, such as:

  • Collection
  • Production
  • Reception
  • Classification
  • Utilisation
  • Access
  • Reproduction
  • Transmission
  • Distribution
  • Processing
  • Filing
  • Storage
  • Elimination
  • Evaluation
  • Control
  • Modification
  • Communication
  • Transfer
  • Diffusion, or
  • Extraction

The treatment of personal data may only be carried out based on one of the following legal bases, which largely align to the GDPR:


  • With data subject consent
  • To comply with a legal or regulatory obligation by the controller
  • By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
  • For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
  • For the execution of a contract or preliminary procedures related to a contract of which the data subject is a party
  • For the regular exercise of rights in judicial, administrative or arbitration procedures
  • As necessary for the protection of life or physical safety of the data subject or a third party
  • For the protection of health, in a procedure carried out by health professionals or by health entities
  • To fulfil the legitimate interests of the controller or a third party, and
  • For the protection of credit


Notwithstanding the above, personal data processing shall be done in good faith and based on the following principles:

  • Purpose
  • Suitability
  • Necessity
  • Free access
  • Quality of the data
  • Transparency
  • Security
  • Prevention
  • Nondiscrimination, and
  • Accountability


As for the processing of sensitive personal data, the treatment can only occur when the data subject or her or his legal representative consents specifically and in highlight, for specific purposes; or, without consent, under the following situations:

  • As necessary for the controller’s compliance with a legal or regulatory obligation
  • Shared data processed as necessary for the execution of public policies provided in laws or regulations
  • For studies carried out by a research entity
  • For the regular exercise of rights, including in a contract or in a judicial, administrative and arbitration procedure
  • Where necessary to for the protection of life or physical safety of the data subject or a third party
  • The protection of health, carried out by health professionals or by health entities, or
  • ensuring the prevention of fraud and the safety of the data subject

The controller and operator must keep records of the data treatment operations they carry out, mainly when the processing is based on a legitimate interest.

In this sense, the ANPD may determine that the controller must prepare an Impact Report on Protection of Personal Data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.

The Relentless Privacy and Compliance Services  provide  a wide range of LGPD, GDPR  services



Find Out More


Privacy Preference Center