To the Access to Information Officer, Environmental Protection Department:

Pursuant to the Code on Access to Information, I would be grateful for the disclosure of the following, concerning the personal-data governance arrangements applicable to the Waste Electrical and Electronic Equipment Producer Responsibility Scheme (WPRS) and EPD Contract EP/SP/69/12 (WEEE·PARK).

Context:

The Office of the Privacy Commissioner for Personal Data (PCPD) confirmed on 21 May 2026 that it had received 24 complaints and 7 enquiries regarding fraudsters impersonating the electrical appliance retailer "BUILT-IN PRO", with reported individual losses ranging from HK$6,000 to HK$17,000. Public reporting indicates that the fraudsters were already in possession of customers' personal data and purchase details, and that "preferential recycling" was one of the fraud hooks employed.

The Product Eco-responsibility Ordinance (Cap. 603) requires registered sellers of regulated electrical equipment (REE) to arrange a free statutory removal service, which by design entails an operational interface between sellers and the Contractor responsible for downstream collection. The Personal Data (Privacy) Ordinance (Cap. 486) further provides that a data user remains liable for any breach by its agent or contractor. The combination of these two statutory frameworks raises questions about whether personal data flows are documented, governed, and supervised at each handoff in the WPRS ecosystem.

The information sought below is framed as conditional questions, so as to capture either confirmation or absence of the data-handling arrangements concerned.

The information sought:

Registration and compliance status of BUILT-IN PRO under Cap. 603 and its subsidiary regulations: (a) Whether BUILT-IN PRO is a registered seller of regulated electrical equipment; if yes, the registration number, the REE categories covered, and the period of validity; (b) EPD inspection and enforcement records concerning BUILT-IN PRO for the period from January 2021 to the present quarter; (c) Whether the PCPD-disclosed 24-complaint case has any bearing on BUILT-IN PRO's registration status or compliance review.
Existence and governance of any data-transmission channel between registered electrical retailers and the Contractor (in connection with arranging the statutory free removal service): (a) Whether such a channel exists; (b) If yes: (i) The standard protocol or form governing the transmission; (ii) The complete list of personal data fields transmitted to the Contractor (e.g. customer name, telephone, address, email, device model or serial, purchase date, scheduled pickup window); (iii) Whether the protocol has been reviewed or audited for compliance with PDPO guidance issued by the Privacy Commissioner under Cap. 486; (iv) Whether a customer may elect anonymous handling, i.e. arrangement of removal without transmission of personal data; (c) If no such channel exists: (i) How the Contractor schedules removal without consumer-supplied details; (ii) How retailers' Cap. 603 statutory removal obligation is operationally fulfilled and supervised; (iii) Whether retailers are solely responsible for arranging removal logistics, with the Contractor entering only at a later stage.
Personal data retained by the Contractor in the course of WPRS operations: (a) Whether the Contractor receives or retains any personal data of consumers; (b) If yes: (i) The complete list of personal data fields received and/or retained; (ii) The retention period and the permitted purposes of use; (iii) The post-processing destruction protocol and any audit trail; (c) If no: (i) How the Contractor identifies, traces, or returns to a consumer where post-collection enquiries arise.
Cross-supply-chain personal data flow (registered retailer → the Contractor → downstream licensed recyclers): (a) Whether personal data and/or device residual data are transmitted between the parties at any handoff stage; (b) If yes: (i) Whether data sharing agreements or non-disclosure agreements exist between the parties; (ii) Whether EPD holds copies of such agreements as a supervisory record; (iii) The cross-entity audit and compliance check mechanism; (c) Any documented non-compliance cases involving personal data handling in the WPRS supply chain from January 2021 to the present quarter.
Customer-side notification and safeguards: (a) Whether customers are formally notified, at the point of handover, regarding (i) the flow of their personal data, (ii) retention periods, and (iii) processing purposes; (b) Whether an opt-out option (anonymous handling) is available to customers; (c) Enforcement records of WPRS-related personal data incidents from January 2021 to the present quarter; (d) Whether EPD is co-developing, with PCPD or otherwise, any industry-wide guideline addressing the personal-data governance gap surfaced by the BUILT-IN PRO case, and the current progress.

Where any item involves commercial sensitivities or personal privacy of third parties, partial redaction or anonymised aggregation would be acceptable. The remainder is sought as a matter of public-contract transparency and regulatory oversight under Cap. 603, Cap. 486, and the Code on Access to Information.

Yours sincerely,

peter ng