In a statement, the commissioner’s office said it conducted a probe after receiving complaints, and found 11 restaurants which had used a registration form or book for diners.
Other restaurants didn’t have a collection box for the slips of paper customers filled out, or failed to cover a box that was in place.
“[The] practices had exposed the registered personal data to unauthorised or accidental access or use, and contravened the [Personal Data (Privacy)] Ordinance as regards the security of personal data,” the statement read.
It noted that the restaurants had taken remedial action, but said they should step up training for staff to prevent a recurrence of such violations.
The commissioner also reminded people to be mindful of the privacy risks that come with providing personal data to restaurants.