Complaint Case Notes

編號: 0222/2016/IP

標題: Shopping centre failed to adopt sufficient security measures to protect the personal data of lucky draw participants

立案原因: Report


      An individual, P, reported to the GPDP (Gabinete para a Protecção de Dados Pessoais/Office for Personal Data Protection) that, the shopping centre of Company A requested its customers, who wished to participate in its luck draw, to show their IDs and then its staff would input the personal data on the ID into their computer. However, the monitor of this computer was facing the queue, and was visible to and able to be photographed by those queued up. On the other hand, P was unsatisfied that the staff did not provide any copies to the participants after they signed the Terms and Conditions of the luck draw.


      The investigations showed that Company A used a computer to register the name, date of birth, gender, ID numbers, the area they live, and the contact information of the participants. Under Article 4(1)(1) and 3(1) of the PDPA (Personal Data Protection Act), the processing of such data should be subject to the same Law.
    Company A explained that the participants voluntarily provided their personal data for the shopping centre’s activity and therefore its processing fulfilled one of the criteria of legitimate data processing of Article 6 of the PDPA, i.e., the data subjects’ explicit consent.
    Since the prizes had fair value and Company A, therefore, pointed out that the mentioned personal data were collected for verifying the prize winners’ identities and to ensure the participants were acting in accordance with the mentioned Terms and Conditions including participants were allowed to participate only once while the activity was underway, eligible participants must be 18 years of age or above, and employees of Company A and of companies that were in the same group were not allowed to participate in the activity. Company A, for the mentioned purposes, collected the said personal data was reasonable and did not violate the principle of appropriateness as governed by Article 5(1)(3) of the PDPA. Despite the above, considering that ID numbers were unique personal data and thus they should not be used along with names and dates of birth, the GPDP, consequently, already informed Company A, in writings, that it should carefully consider the types of personal data to be collected for any similar future activities. Personal data collection should be reduced to the minimum, for instance, only collect certain digits of the participants’ ID numbers.
    Article 10(1) of the PDPA safeguards data subjects’ right to information; in other words, data controllers, while collecting personal data from any individuals, must provide statutory information as set out in the same provision, namely, identity of the controller (entity); processing purposes; and whether there would be any data recipients. This provision did not specify how the information should be communicated but, on the other hand, requiring data subjects to be informed of such information. The staff of Company A, before registering the data, had also asked the participants to read the Terms and Conditions before signing it. The identity of the controllers, the types of data to be collected, processing purposes and the information regarding the data recipients, etc. were all laid down in the Terms and Conditions. The information specified there was communicated, in writings, to the data subjects and, concurrently, they had the duty to understand before signing the Terms and Conditions. Even if no written copies of the Terms and Conditions were given to the participants, this would not be a violation of Article 10(1) of the PDPA. For best practice, however, the GPDP still recommend improvement and therefore informed, in writings, Company A to allow participants to access the Terms and Conditions through other means after their registration at the scene (for example, the activity Terms and Conditions are accessible online).
    With regard to where the computer screen was placed facing the queue and whether the queuing individuals could easily peek at or take a photograph of the screen information, Company A explained that it was placed to allow the participants to verify whether their personal data were correctly input. The monitor at the scene was only facing participants, instead of facing all the passersby. In addition, protection screen filter was used to black out screen side-views and prevent sideways glances. Moreover, the monitor was placed at some distance from the queuing individuals, and staff had been arranged to maintain order and to keep the queue from being too close to the reception desk. Company A believed that it was not easy for the queue to peek at the data that was shown on the screen. Due to the lack of further evidence given by the Complainant, the available information was inadequate to justify leaks of personal data caused by the improper placing of the screen. Furthermore, to address the concern, the screen had been removed from the reception desk and Company A also adopted other measures to allow the participants to verify their registered data.


      The GPDP informed both the Complainant and Company A of the investigation result and also recommended the latter to collect appropriate types of personal data, as well as allowing extra means for participants to access the activity Terms and Conditions. This case was closed.

Please refer to Article 3, 4, 5, 6 and 10 of the PDPA.