Skip to content


What is PDPO?

The Personal Data Protection Ordinance is Hong Kong’s privacy law. It also includes the Privacy Commissioner for Personal Data Guidelines. 


PDPO applies to “data users” – individuals or entities which are established in Hong Kong that process personal data (including amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise). Note that unlike the GDPR, PDPO scope does not apply outside of Hong Kong. 

What is personal data under the PDPO?

Any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable

Individual rights under PDPO

Under PDPO individuals have the following rights:

  • Right to be informed whether or not it is obligatory to provide personal data, the consequences if they fails to do so, the purpose for which the personal data is processed, the classes of persons to whom the personal data will be transferred, 
  • Right to access personal data; and
  • Right to correct the personal data.

As a global company, Rapyd will provide additional rights for individuals under PDPO as further stipulated in our Site Privacy Policy which is applicable to you if you are our site visitor; or Product Privacy Policy – if you are our customer or otherwise use our services.

PDPO compliance in respect to using Rapyd Services

Rapyd usually collects the following categories of personal data: 

  • Contact information such (e.g., your name and email)
  • Financial information (e.g., transactions)
  • KYC information (such as identification or utility bills); 
  • Usage information (such information collected via our site)

All of these categories are personal data and therefore subject to the PDPO.  With a broad definition of personal data under the PDPO, device identifiers or network data such as IP addresses will be deemed personal data and thus the information collected by customers when using Rapys will also be subject to the PDPO requirements.

What is the legal basis for processing personal data? 

The PDPO is primarily a notification-based regime. Consent is only required where the data user seeks to use personal data for a “new purpose” outside the scope of the initial notification, or in relation to direct marketing. The following are potential/deemed legal bases for processing personal data:

  • appropriate notice has been provided to or made available to the data subject; 
  • the data subject has provided consent to the processing for the identified purposes; 
  • the personal data is necessary to perform a contract with the data subject; 
  • the personal data is necessary to comply with a legal obligation;   
  • the personal data is necessary to fulfill a legitimate interest of the data user or third party (provided that the interest is not overridden by the data subject’s privacy interests and the data subject has not made use of his/her right to object)

Transfers of personal data outside Hong Kong

According to a new change in the laws in Hong Kong, data users shall not transfer personal data to a place outside Hong Kong unless they have reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as the PDPO and the data users have taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the PDPO. This can be achieved by data transfer agreements. Note that this change still has no effect. Nevertheless, Rapyd signs Data Processing Agreements when it transfers data to third parties.

How different is the PDPO compared to the GDPR

Overall, the 2 pieces of legislation are similar although the GDPR is more strict. Because Rapyd is subject to the GDPR and as we believe in an holistic approach towards our clients, their customers, and any other data subjects whose personal data we process, we will afford additional privacy safeguards where such safeguards might not necessarily be provided under PDPO. For example, additional data subject rights such as the right for deletion may be provided also to data subjects from Hong Kong.

Disclaimer: This document is for informational purposes only and should not be used as a legal advice, we strongly encourage that you work closely with legal and other professional advisors to determine exactly how the PDPO applies to you