What is, and which organizations have to appoint a DPO?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.
Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) includes specific responsibilities for data users (defined as anyone who alone or jointly controls the collection, holding, processing and/or use of personal data), and all data users are expected to comply with the requirements outlined in the Ordinance. Employers processing personal data (as well as other data users) must appoint someone with the responsibility of handling access and correction requests. In addition, data subjects, such as employees and job applicants, must be informed of the name or job title, and address of such person.