Complaint Case Notes

Case No.: 0013/2016/IP

Title: A bank suspected of disclosing lottery participants’ personal data to third parties

Reason for opening the case: Complaint


    This case stemmed from a complaint against Bank A, which was alleged to have disclosed its lottery participants’ personal data, including their names, contact numbers and email addresses, to a third party. According to the Complainant, after he provided this information to Bank A, he received unsolicited promotional email sent by Application B. He therefore requested the Office for Personal Data Protection (GPDP) to investigate.


    Pursuant to Articles 4(1)(1) and 3(1) of the PDPA, the data processing in this case is subject to that Law.
  In its reply, Bank A pointed out that the lottery was co-organized with Company C. Because both entities processed the participants’ personal data and could decide the purposes and form of processing, they are the data controllers in this case under Article 4(1)(5) of the PDPA.
  Generally speaking, participants voluntarily provide their personal data to the activity organizers when joining a lottery. Bank A and Company C therefore met the conditions for legitimate data processing under Article 6 of the PDPA, on the basis of the data subjects’ unambiguous consent.
  Bank A and Company C collected the participants’ names, contact numbers, email addresses and the last four digits of their ID numbers in order to verify the winners’ identities and for future contact. The data collection did not exceed the purposes that the data controllers intended to achieve. Moreover, no evidence revealed that the personal data had been used for unrelated purposes, and therefore no violation of Article 5(1), namely the purpose limitation principle and the principle of proportionality, was found.
  As for the Complainant’s suspicion that the organizers handed over the participants’ personal data to third parties, both Bank A and Company C stressed that they never handed over the data and that they had no relationship with Mobile Application B. Because the Complainant refused to have his identity revealed to the parties involved, the GPDP was unable to obtain further information from the operator of that application.
  Although neither Bank A nor Company C violated the PDPA, the investigation revealed that the activity could have been better organized. For example, even though the activity information specified that Company C was involved in the activity, the participants might not have clearly understood that it was also one of the organizers (the Complainant, too, filed his complaint only against Bank A). In view of this, the GPDP has informed Bank A and Company C, in writing, that all the data controllers involved should be clearly identified if any similar activities are organized in future. In addition, the co-organizing agreement should set down the scope of involvement and the responsibilities of each party.


    The GPDP has notified the Complainant, Bank A and Company C of the investigation results. This case was closed.

Please refer to Articles 3, 4, 5 and 6 of the Personal Data Protection Act.