Complaint Case Notes

編號: 0173/2016/IP

標題: Property management company registered clubhouse users’ personal data

立案原因: Complaint


      A building resident complained to the GPDP that Property Management Company A (hereinafter as Company A) failed to cover the clubhouse user register, as a consequence his personal data recorded thereon were visible to other clubhouse users of the building, where he also lived in. Therefore he requested the GPDP (Gabinete para a Protecção de Dados Pessoais/Office for Personal Data Protection) to follow up.


      The register as used by Company A required users to enter information like their name, residential unit, contact numbers, number of user(s), locker numbers, time of exit and entry, and the facilities used. These data qualify as personal data according to Article 4(1)(1) and 3(1) of the PDPA (Personal Data Protection Act).
    The mentioned registration of data aimed at collating statistics regarding the uses of the clubhouse facilities, and for future contacts, if necessary, say, to deal with urgent matters or in case of facilities destruction. In other words, the registration was adopted for management efficiency and for the interests of Company A and other clubhouse users; consequentially the data processing undertaken by Company A was legitimate as it satisfied Article 6(5) of the PDPA. In addition, if the registration data was voluntarily provided by the users, the processing of the said data by Company A was also legitimate as it was based on the “explicit consent given by data subject”, set out in Article 6 of the same Law.
    For the said purposes, the registration of the users’ personal data, by Company A, was lawful, specific and legitimate. Furthermore, the collected types of personal data were not excessive in relation to the said purposes. As a consequence, Article 5(1)(2) and 5(1)(3) were complied.
    With regard to the improperly covered data, as entered on the register, Company A explained that the clubhouse staff would use a paper to cover the entered information before handing the register to the next user to fill in. The investigation revealed no personal data leaks though, the GPDP already reaffirmed the importance of personal data processing security and thus requested the Company staff to conscientiously carry out its security measures.
    On the other hand, even the general regulations of the clubhouse were displayed at its reception, the GPDP, according to Article 10(2) of the PDPA, requested Company A to include the information, as set out in Article 10(1) of the same Law, on its user register. This will require detailing the data controller’s identity, processing purposes, etc., as a mean to safeguard the data subjects’ right to information.


      The GPDP has already informed Company A and the Complainant the investigation result and this case was closed.

Please refer to Article 3, 4, 5, 6 and 10 of the Personal Data Protection Act.