Complaint Case Notes

編號: 0031/2016/IP

標題: Visitor registration

立案原因: Complaint


    The Complainant of the current case filed a complaint with the Office for Personal Data Protection (Gabinete para a Protecção de Dados Pessoais/Office for Personal Data Protection), reporting that the security guard of a building asked visitors to register their names, contact numbers and ID numbers.  However, the register log was spread out at the reception desk and registered information was available for anyone to see.  Therefore he requested the GPDP to follow up.


    The investigations found out that Company A was commissioned for the building management, and before it introduced the visitor registration system it had already gained the Building Management Committee’s approval.  The mentioned register log recorded the name, type and numbers of ID, visiting reason, and the date and time of the visitors entering and leaving the building.  Under Article 4(1)(1) and 3(1) of the Personal Data Protection Act (PDPA) the mentioned processing of the visitors’ data is subject to the same Law. 
  Since Company A has the duty to carry out the building management, it registered the visitors’ personal data for security purpose and aimed at securing the personal and property safety of the building residents.  As such, the interests it intended to protect were legitimate, and therefore the visitors’ rights, freedom and safeguard did not override.  The mentioned measures complied with Article 6(5) of the PDPA, which governs one of the criteria of legitimate data processing. 
  The visitors’ registration implemented by Company A within the building area was for lawful, specified and legitimate purposes.  Besides, the types of data registered are also aimed at identifying the visitors.  However, the available information showed that visitors could still gain access to the building if they refused to register, but in such case the security guard would ask for further visiting information.  In addition, they could also refuse registering certain types of information onto the log and the GPDP, for this, informed Company A in writing that it should comply with the principles of appropriateness and proportionality as laid down in Article 5(1)(3) of the PDPA.  These principles require the collection and processing of personal data be reduced to the minimum, and unnecessary visitor data should not be asked from visitors, plus specifying what types of information must be provided, or as provided on voluntary basis. 
  With regard to the uncovered register log the Complainant mentioned, it revealed the insufficient security measures that Company A introduced.  For that, the GPDP has, ordered Company A to ensure data security and confidentiality, in accordance with Article 15 of the PDPA, to introduce improvement, namely to properly cover up the registered information on the log and which must also be placed properly. 


    The GPDP has asked Company A to introduce improvement, and the investigation results were informed to the Complainant and this case was closed. 

Please refer to Article 3, 4, 5, 6, and 15 of the Personal Data Protection Act.