Complaint Case Notes

編號: 0006/2015/IP

標題: Direct marketing

立案原因: Complaint


      The Complainant of the current case was not a customer of Company A, but received an unsolicited promotional text message from this Company. He believed that this was a violation of the Personal Data Protection Act (PDPA), and therefore requested the Office for Personal Data Protection to follow up.


      Company A expressed that it had built a database with the mobile numbers that were published in newspaper real-estate sections. Later, this database was given to a company in Mainland China, Company B, which was commissioned by Company A to send out promotional messages to the mobile numbers contained therein. The processing of the Complainant’s numbers by Company A should be regulated by the PDPA, according to its Article 4(1)(1) and 3(1).
    Even though the Complainant’s numbers were originally published in newspaper real-estate sections and later processed for its direct-marketing, as Company A explained, the processing of these numbers, which qualify as personal data, should only take place after fulfilling the legitimate data processing criteria as set out in Article 6 of the PDPA. Normally speaking, commercial institutions should only process personal data for marketing and sales after the concerned data subjects have given their explicit consent; or else the institutions failed to satisfy the criteria for legitimate data processing. Given that Company A had not obtained the Complainant’s explicit consent for receiving promotional text messages, in addition that the circumstances of the current case were not those where paragraph 1 to 5 of Article 6 of the PDPA should apply, Company A, as a consequence, failed to satisfy the criteria for legitimate data processing of Article 6 of the same Law.
    On the other hand, Company A provided to Company B the access of the mobile number database, which also contained the Complainant’s numbers. In addition, Company B locates in the Mainland of China and therefore the personal data, namely the mobile numbers contained in the mentioned database, were transferred to a location outside the Macao SAR by Company A. Under Article 19 and 20 of the PDPA, for its data transfer a controller should, according to its own circumstances, make a notification to, or received an authorization from or a decision by, the GPDP before transferring any data outside the Macao SAR. The investigations found that Company A failed to complete the mentioned formalities before transferring the mentioned data outside the Macao SAR. As a consequence, it contravened Article 19 and 20 of the PDPA.


      In the current case Company A only processed one type of personal data, i.e. mobile numbers, and it only sent one unsolicited promotional message to the Complainant. Additionally, this was Company A’s initial offence and it was cooperative during the investigations. For its two administrative offences—namely the data processing for its marketing without satisfying the legitimate processing criteria, and the data transfers to a location outside the Macao SAR in the absence of notification, authorization or decision of the GPDP—the GPDP decided to impose, according to Article 33(2) and 34(2) of the PDPA, to Company A a penalty of MOP $8000 for each of the said offences. These two offences led to a total penalty of MOP$16000.
    The GPDP already informed Company A the investigation result and this case was closed.

Please refer to Article 3, 4, 6, 19, 20, 33 and 34 of the Personal Data Protection Act.