Requesting WPRS personal data management info related to the “BUILT‑IN PRO” data leak, including data handling, retention, deletion, and customer safeguards.

The deadline for responding to this request for information has passed. Under the Code on Access to Information, the Environmental Protection Department should normally respond to a request for information as soon as possible. By (details)

To the Access to Information Officer, Environmental Protection Department:

Pursuant to the Code on Access to Information, I would be grateful for the disclosure of the following, concerning the personal-data governance arrangements applicable to the Waste Electrical and Electronic Equipment Producer Responsibility Scheme (WPRS) and EPD Contract EP/SP/69/12 (WEEE·PARK).

Context:

The Office of the Privacy Commissioner for Personal Data (PCPD) confirmed on 21 May 2026 that it had received 24 complaints and 7 enquiries regarding fraudsters impersonating the electrical appliance retailer "BUILT-IN PRO", with reported individual losses ranging from HK$6,000 to HK$17,000. Public reporting indicates that the fraudsters were already in possession of customers' personal data and purchase details, and that "preferential recycling" was one of the fraud hooks employed.

The Product Eco-responsibility Ordinance (Cap. 603) requires registered sellers of regulated electrical equipment (REE) to arrange a free statutory removal service, which by design entails an operational interface between sellers and the Contractor responsible for downstream collection. The Personal Data (Privacy) Ordinance (Cap. 486) further provides that a data user remains liable for any breach by its agent or contractor. The combination of these two statutory frameworks raises questions about whether personal data flows are documented, governed, and supervised at each handoff in the WPRS ecosystem.

The information sought below is framed as conditional questions, so as to capture either confirmation or absence of the data-handling arrangements concerned.

The information sought:

Registration and compliance status of BUILT-IN PRO under Cap. 603 and its subsidiary regulations: (a) Whether BUILT-IN PRO is a registered seller of regulated electrical equipment; if yes, the registration number, the REE categories covered, and the period of validity; (b) EPD inspection and enforcement records concerning BUILT-IN PRO for the period from January 2021 to the present quarter; (c) Whether the PCPD-disclosed 24-complaint case has any bearing on BUILT-IN PRO's registration status or compliance review.
Existence and governance of any data-transmission channel between registered electrical retailers and the Contractor (in connection with arranging the statutory free removal service): (a) Whether such a channel exists; (b) If yes: (i) The standard protocol or form governing the transmission; (ii) The complete list of personal data fields transmitted to the Contractor (e.g. customer name, telephone, address, email, device model or serial, purchase date, scheduled pickup window); (iii) Whether the protocol has been reviewed or audited for compliance with PDPO guidance issued by the Privacy Commissioner under Cap. 486; (iv) Whether a customer may elect anonymous handling, i.e. arrangement of removal without transmission of personal data; (c) If no such channel exists: (i) How the Contractor schedules removal without consumer-supplied details; (ii) How retailers' Cap. 603 statutory removal obligation is operationally fulfilled and supervised; (iii) Whether retailers are solely responsible for arranging removal logistics, with the Contractor entering only at a later stage.
Personal data retained by the Contractor in the course of WPRS operations: (a) Whether the Contractor receives or retains any personal data of consumers; (b) If yes: (i) The complete list of personal data fields received and/or retained; (ii) The retention period and the permitted purposes of use; (iii) The post-processing destruction protocol and any audit trail; (c) If no: (i) How the Contractor identifies, traces, or returns to a consumer where post-collection enquiries arise.
Cross-supply-chain personal data flow (registered retailer → the Contractor → downstream licensed recyclers): (a) Whether personal data and/or device residual data are transmitted between the parties at any handoff stage; (b) If yes: (i) Whether data sharing agreements or non-disclosure agreements exist between the parties; (ii) Whether EPD holds copies of such agreements as a supervisory record; (iii) The cross-entity audit and compliance check mechanism; (c) Any documented non-compliance cases involving personal data handling in the WPRS supply chain from January 2021 to the present quarter.
Customer-side notification and safeguards: (a) Whether customers are formally notified, at the point of handover, regarding (i) the flow of their personal data, (ii) retention periods, and (iii) processing purposes; (b) Whether an opt-out option (anonymous handling) is available to customers; (c) Enforcement records of WPRS-related personal data incidents from January 2021 to the present quarter; (d) Whether EPD is co-developing, with PCPD or otherwise, any industry-wide guideline addressing the personal-data governance gap surfaced by the BUILT-IN PRO case, and the current progress.

Where any item involves commercial sensitivities or personal privacy of third parties, partial redaction or anonymised aggregation would be acceptable. The remainder is sought as a matter of public-contract transparency and regulatory oversight under Cap. 603, Cap. 486, and the Code on Access to Information.

Yours sincerely,

peter ng

Environmental Protection Department

This is an auto-email for acknowledgement, please do NOT reply.
Thank you for your email dated 2026/05/22. We shall process it, where
appropriate, as soon as possible. For further enquiry, please address to
[Environmental Protection Department request email]
(This is a computer generated auto-reply)

This is an automatic acknowledgement e-mail; please do not reply.
Thank you for your e-mail dated 2026/05/22. We will process it as soon as possible. For any other enquiry, please e-mail
[Environmental Protection Department request email]
(This is a reply generated by the computer system)

Environmental Protection Department

Environmental Protection Department

Dear Sir/Madam,

Thank you for your email dated 22.5.2026.
Further to the auto-reply, we would like to inform you that we are
processing your enquiry.

Regards,
Isaac HAN
Environmental Protection Department

----- Forwarded by EPD_Enquiry/EPD/HKSARG on 26/05/2026 10:38 -----

From:        "peter ng" <[ATI #1583 email]>
To:        "ATI requests at Environmental Protection Department"
<[Environmental Protection Department request email]>
Date:        22/05/2026 22:14
Subject:        *Restricted: E(26/4502)Access to Information request -
Requesting WPRS personal data management info related to the “BUILT‑IN
PRO” data leak, including data handling, retention, deletion, and customer
safeguards.
Sent by:        [ATI #1583 email]

-------------------------------------------------------------------

Please use this email address for all replies to this request:
[ATI #1583 email]

Is [Environmental Protection Department request email] the wrong address for Access to Information requests
to Environmental Protection Department? If so, please contact us using
this form:
[1]https://accessinfo.hk/change_request/new...

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:
[2]https://accessinfo.hk/help/officers

If you find this service useful as an ATI officer, please ask your web
manager to link to us from your organisation's ATI page.

-------------------------------------------------------------------

References

Visible links
1. https://accessinfo.hk/change_request/new...
2. https://accessinfo.hk/help/officers


Beatrice HL WONG/EPD, Environmental Protection Department

Dear Peter Ng,

Code on Access to Information

Re: Application No.: EPD1454/66/2026

Our department has received your application for access to information on
22 May 2026. Your application is now under processing. According to
paragraph 1.16 of the Code on Access to Information, our department will
inform you of the latest progress of the case on or before 11 June 2026.

Regards,

Beatrice Wong

Environmental Protection Department


----- Forwarded by EPD_Enquiry/EPD/HKSARG on 26/05/2026 11:38 -----

From:        EPD_Enquiry/EPD/HKSARG
To:        "peter ng" <[ATI #1583 email]>
Date:        26/05/2026 10:38
Subject:        *Restricted: Fw: E(26/4502)Access to Information request -
Requesting WPRS personal data management info related to the “BUILT‑IN
PRO” data leak, including data handling, retention, deletion, and customer
safeguards.
