5. I provided my personal data to a service provider when subscribing to its service. Can I request it to delete my personal data?
There is no specific provision under the Ordinance which confers an individual the right to request a data user to delete his personal data as he may wish. Thus, the service provider would not have contravened the requirements under the Ordinance by refusing your request.
However, the service provider has to comply with the requirements under DPP2(2) and section 26(1) of the Ordinance:
- DPP2(2) stipulates that personal data shall not be kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used;
- Section 26(1) requires a data user to erase personal data held when the data is no longer required for the purpose (including any directly related purpose) for which the data was used unless (a) any such erasure is prohibited under any law; or (b) it is in the public interest (including historical interest) for the data not to be erased.
Thus, if your personal data held by that service provider can no longer be used to fulfill and/or has already fulfilled that purpose (including any directly related purpose) for which the data can be collected, the service provider should erase your data unless the retention of data is in accordance with the statutory requirements or is in the public interest.
You may also consider making enquiries with the service provider on its retention policy so as to understand if it has retained your personal data longer than necessary.