Requesting WPRS personal data management info related to the “BUILT‑IN PRO” data leak, including data handling, retention, deletion, and customer safeguards.
To the Access to Information Officer, Environmental Protection Department:
Pursuant to the Code on Access to Information, I would be grateful for the disclosure of the following, concerning the personal-data governance arrangements applicable to the Waste Electrical and Electronic Equipment Producer Responsibility Scheme (WPRS) and EPD Contract EP/SP/69/12 (WEEE·PARK).
Context:
The Office of the Privacy Commissioner for Personal Data (PCPD) confirmed on 21 May 2026 that it had received 24 complaints and 7 enquiries regarding fraudsters impersonating the electrical appliance retailer "BUILT-IN PRO", with reported individual losses ranging from HK$6,000 to HK$17,000. Public reporting indicates that the fraudsters were already in possession of customers' personal data and purchase details, and that "preferential recycling" was one of the fraud hooks employed.
The Product Eco-responsibility Ordinance (Cap. 603) requires registered sellers of regulated electrical equipment (REE) to arrange a free statutory removal service, which by design entails an operational interface between sellers and the Contractor responsible for downstream collection. The Personal Data (Privacy) Ordinance (Cap. 486) further provides that a data user remains liable for any breach by its agent or contractor. The combination of these two statutory frameworks raises questions about whether personal data flows are documented, governed, and supervised at each handoff in the WPRS ecosystem.
The information sought below is framed as conditional questions, so as to capture either confirmation or absence of the data-handling arrangements concerned.
The information sought:
Registration and compliance status of BUILT-IN PRO under Cap. 603 and its subsidiary regulations: (a) Whether BUILT-IN PRO is a registered seller of regulated electrical equipment; if yes, the registration number, the REE categories covered, and the period of validity; (b) EPD inspection and enforcement records concerning BUILT-IN PRO for the period from January 2021 to the present quarter; (c) Whether the PCPD-disclosed 24-complaint case has any bearing on BUILT-IN PRO's registration status or compliance review.
Existence and governance of any data-transmission channel between registered electrical retailers and the Contractor (in connection with arranging the statutory free removal service): (a) Whether such a channel exists; (b) If yes: (i) The standard protocol or form governing the transmission; (ii) The complete list of personal data fields transmitted to the Contractor (e.g. customer name, telephone, address, email, device model or serial, purchase date, scheduled pickup window); (iii) Whether the protocol has been reviewed or audited for compliance with PDPO guidance issued by the Privacy Commissioner under Cap. 486; (iv) Whether a customer may elect anonymous handling, i.e. arrangement of removal without transmission of personal data; (c) If no such channel exists: (i) How the Contractor schedules removal without consumer-supplied details; (ii) How retailers' Cap. 603 statutory removal obligation is operationally fulfilled and supervised; (iii) Whether retailers are solely responsible for arranging removal logistics, with the Contractor entering only at a later stage.
Personal data retained by the Contractor in the course of WPRS operations: (a) Whether the Contractor receives or retains any personal data of consumers; (b) If yes: (i) The complete list of personal data fields received and/or retained; (ii) The retention period and the permitted purposes of use; (iii) The post-processing destruction protocol and any audit trail; (c) If no: (i) How the Contractor identifies, traces, or returns to a consumer where post-collection enquiries arise.
Cross-supply-chain personal data flow (registered retailer → the Contractor → downstream licensed recyclers): (a) Whether personal data and/or device residual data are transmitted between the parties at any handoff stage; (b) If yes: (i) Whether data sharing agreements or non-disclosure agreements exist between the parties; (ii) Whether EPD holds copies of such agreements as a supervisory record; (iii) The cross-entity audit and compliance check mechanism; (c) Any documented non-compliance cases involving personal data handling in the WPRS supply chain from January 2021 to the present quarter.
Customer-side notification and safeguards: (a) Whether customers are formally notified, at the point of handover, regarding (i) the flow of their personal data, (ii) retention periods, and (iii) processing purposes; (b) Whether an opt-out option (anonymous handling) is available to customers; (c) Enforcement records of WPRS-related personal data incidents from January 2021 to the present quarter; (d) Whether EPD is co-developing, with PCPD or otherwise, any industry-wide guideline addressing the personal-data governance gap surfaced by the BUILT-IN PRO case, and the current progress.
Where any item involves commercial sensitivities or personal privacy of third parties, partial redaction or anonymised aggregation would be acceptable. The remainder is sought as a matter of public-contract transparency and regulatory oversight under Cap. 603, Cap. 486, and the Code on Access to Information.
Yours sincerely,
peter ng
This is an auto-email for acknowledgement, please do NOT reply.
Thank you for your email dated 2026/05/22.We shall process it, where
appropriate, as soon as possible. For further enquiry, please address to
[Environmental Protection Department request email]
(This is a computer generated auto-reply)
這是一封用於確認的自動電子郵件,請不要回覆。
謝謝你 2026/05/22 的電郵。我們會盡快處理。如有其他查詢,請電郵
[Environmental Protection Department request email]
﹝這是由電腦系統發出的覆函﹞
Environmental Protection Department
環境保護署
Dear Sir/Madam,
Thank you for your email dated 22.5.2026.
Further to the auto-reply, we would like to inform you that we are
processing your enquiry.
Regards,
Isaac HAN
Environmental Protection Department
Dear Peter Ng,
Code on Access to Information
Re: Application No.: EPD1454/66/2026
Our department has received your application for access to information on
22 May 2026. Your application is now under processing. According to
paragraph 1.16 of the Code on Access to Information, our department will
inform you of the latest progress of the case on or before 11 June 2026.
Regards,
Beatrice Wong
Environmental Protection Department
Dear Peter Ng,
This Department received your enquiry on 22 May 2026. You requested
information on the registration and compliance records of an electrical
appliance retailer, and personal data handling under WPRS and EPD Contract
EP/SP/69/12 (WEEE·PARK).
2. BUILT-IN PRO is a seller under the Producer Responsibility Scheme on
Waste Electrical and Electronic Equipment (WPRS) with an endorsed removal
service plan (RSP, registration no.: EP-R18-1217) to carry on a business
of distributing the following regulated electrical equipment (REE):
air-conditioner, washing machine, tumble dryer, refrigerator, television,
dehumidifier, computer, printer and monitor. There is no validity end
date of the endorsed RSP unless sellers cease their business on REE
distribution. Under the WPRS, sellers with endorsed RSP are not required
to submit any information on their sale business or interactions/contacts
with consumers, and therefore no any such information is being kept by the
WEEE·PARK operator and the EPD.
3. In accordance with the internal guidelines and routine practice, the
EPD conducts regular inspections of the sellers under the WPRS to ensure
compliance with the statutory obligations stipulated under Cap. 603 and
its subsidiary regulations. According to EPD’s records, there is no
conviction history for BUILT-IN PRO under the WPRS.
4. Upon the consumer's request, registered sellers are required to
arrange for the free statutory removal service. When a seller distributes
REE to a consumer, the seller must notify the consumer of the arrangements
of the statutory removal service and the relevant terms of service so that
the consumer can make a choice according to his/her own needs and can opt
out of having the free statutory removal service. There is no standard
form or protocol for requesting the removal services provided by the
WEEE·PARK operator, the seller could request the WEEE·PARK operator to
provide the statutory removal service by different means including email,
telephone or through the web portal provided by the WEEE·PARK operator.
For proper carrying out of the collection service, contact information
(title, contact phone number, pick-up address, preferred time of
collection and the type of waste REE to be collected) provided by the
consumer is necessary for the WEEE·PARK operator, while information
including the REE purchased, purchase date, and delivery address is not
required. The information obtained for carrying out collection of waste
REE would not be passed to downstream recyclers. Upon receipt of the
collection request placed by the seller, the WEEE·PARK operator would
arrange to collect the waste REE accordingly. The consumer, upon
collection of the waste REE at the designated location, would be notified
that contact information provided by him/her could be used for one or more
of the following purposes:
(a) Activities relating to processing this application;
(b) Delivering services to him/her;
(c) Enquiry or complaint investigations;
(d) Statistical analysis; and
(e) To facilitate communications between the collection contractor and
himself or herself.
5. EPD does not have information regarding data sharing agreements or
non-disclosure agreements and non-compliance cases involving personal data
handling in the WPRS supply chain. The WEEE.PARK operator will retain the
basic contact information provided by sellers and consumers to deliver the
collection service until the end of the contract for the permitted
purpose. According to EPD’s record, the WEEE.PARK operator does not have
any conviction record under any Ordinances of Hong Kong including the
Personal Data (Privacy) Ordinance (Cap.486). The EPD will continue to
monitor the WEEE·PARK operator’s performance to ensure it operates in
accordance with the Contract requirement and in compliance with the
legislations in Hong Kong.
6. Regarding the inspection records you requested, after careful
consideration, we regret to inform you that this Department is unable to
provide you the requested information pursuant to Paragraph 2.9(c) of the
Code on Access to Information which is excerpted as follows for your
reference:
“Paragraph 2.9 (c) Information the disclosure of which would harm or
prejudice the proper and efficient conduct of the operations of a
department.”
7. If you are not satisfied with the above decision or you consider
that the department has failed to comply with any provision of the Code,
you may ask the department to review the situation by writing to Director
of Environmental Protection at 12/F, North Tower, Tseung Kwan O Government
Offices, 30 Tong Yin Street, Tseung Kwan O, Sai Kung, New Territories.
Alternatively, you may complain to The Ombudsman, whose address is-
30/F, China Merchants Tower
Shun Tak Centre
168-200 Connaught Road Central
Hong Kong
Telephone : 2629 0555
Fax : 2882 8149
Regards,
Beatrice Wong
Environmental Protection Department
From: Beatrice HL WONG/EPD
Sent: Friday, May 29, 2026 5:41 PM
To: '[ATI #1583 email]'
<[ATI #1583 email]>
Subject: Fw: Application under the Code on Access to Information –
Registration and compliance records of an electrical appliance retailer,
and personal data handling under WPRS and EPD Contract EP/SP/69/12
(WEEE·PARK) [Ref. no.: EPD1454/66/2026]
Dear Peter Ng,
Code on Access to Information
Re: Application No.: EPD1454/66/2026
Our department has received your application for access to information on
22 May 2026. Your application is now under processing. According to
paragraph 1.16 of the Code on Access to Information, our department will
inform you of the latest progress of the case on or before 11 June 2026.
Regards,
Beatrice Wong
Environmental Protection Department