Complaint Case Notes

編號: 0081/2015/IP

標題: An online shop published the personal data of a customer who did not pick up and pay his order

立案原因: Complaint


    The Complainant ordered some goods from A, who runs an online shop, and later did not pick up and pay for his order online.  Later A disseminated the Complainant’s profile photo, which revealed both his appearance and those of his family members, as he used for his account with a social networking site.   In addition, the online dialogues between A and the Complainant had been captured as images and were also publicized along with the mentioned photo in two groups of the same networking site. 
  The Complainant believed that this was a violation of the Personal Data Protection Act (PDPA) and thus asked the Office for Personal Data Protection (GPDP) to investigate. 


    The photo and captured images as mentioned, which had been disseminated by A, must be treated as personal data according Article 4(1)(1) of the PDPA.  Furthermore, A was using an account on the networking site for selling his products, which showed that his dissemination of the mentioned personal data would not be a case of “processing of personal data carried out by a natural person in the course of a purely personal or household activity”.  His dissemination, on the contrary, intended to alarm other customers with outstanding orders, as a way to avoid customers who did not pay and pick up their orders.  Clearly A had the intention to publicize the said personal data, and therefore Article 3(2) of the PDPA should not apply.  As such, the processing of the Complainant’s personal data by A is subject to Article 3(1) of the PDPA. 
  With regard to the data processing in this case, A should have fulfilled any of the conditions as given in Article 6 of the PDPA, should the data processing be legitimate.  As such, he should have either obtained unambiguous consent from his data subject, or the situation fulfilled any of those laid down in Paragraph 1 to 5 of Article 6 of the PDPA.  According to the Complainant, A had not obtained his unambiguous consent before posting the said personal data onto the social networking site – which failed to legitimize his data processing on the basis of data subject’s consent – and such dissemination of personal data on the social networking site was, in fact, never a situation justifiable according to Article 6(1) to 6(4) of the PDPA.  
  The truth was A might have suffered financial losses due to fact that the Complainant did not pay and pick up his online order, but he may exercise his right to compensation (o direito à indemnização), if legally possible, with the available legal remedies.  Publicizing the Complainant’s personal data on a social networking site not only would not satisfy his legal interests, but also would lead to ungovernable access or transfer of such data, which may incur damages to the Complainant’s right to reputation (o direito à honra).  Having considered the interests of both parties, the GPDP is in the opinion that the Complainant’s interests prevail that of A, and therefore the latter failed to legitimize his data processing as required by Article 6(5) of the PDPA. 
  To sum up, the dissemination of the Complainant’s personal data on a social networking site by A is a violation of Article 6 of the PDPA.


    A publicized the Complainant’s personal data in two different groups of a social networking site and led to uncontrollable transfer of personal data; in addition, it was impossible to request anyone to delete the Complainant’s personal data that he stored.  Taking into account that it was A’s first violation and his cooperativeness during the investigations, the GPDP decided impose a penalty of MOP$8000, according to Article 33(2) of the PDPA. 

Please refer to Article 3, 4, 6 and 33 of the Personal Data Protection Act.