Complaint Case Notes

編號: 0091/2017/IP

標題: Building visitors are required to register personal data

立案原因: Report


    The current case stemmed from the registration of personal data required by a building reception.  The reception staff of Company A required the Complainant, while entering the building after office hours , to register his name, contact numbers, ID numbers, time of entering and leaving the building and the floor he intended to visit.  When entering such information, he was shown with those recorded by other visitors, he believed that this was a breach of the PDPA (Personal Data Protection Act) and therefore asked the GPDP (Gabinete para a Protecção de Dados Pessoais/Office for Personal Data Protection) to follow up.


    According to Article 4(1)(1) and 3(1) of the PDPA, the data processing as mentioned is subject to the same Law. 
  For building facility management and security, Company A required its staff to collect visitors’ personal data, aiming to safeguard its lawful and legitimate interests.  These interests also preceded those who had registered their data, as well as their freedom and safeguard.  Such act is legitimate according to Article 6(5) of the PDPA.   On the other hand, when visitors attempted to enter a building, most of them would register their personal data on a voluntary basis; the property management company, therefore, was processing their data legitimately, upon the explicit consent of the data subjects, as laid down in Article 6 of the PDPA. 
  According to Authorization No. 04/2008, Data Registration and Processing Relating to Registration of Entries and Exits of Visitors, and Opinion No. 0011/P/2014/GPDP, controllers are exempted from the obligation of notifications of automatic data processing according to the PDPA, given that they process the personal data, including their names, ID numbers, et al, of those visitors who attempted to enter controlled buildings.  In the current case, the property management company, during particular time period of the day, collected the visitors’ personal data, including their visiting date, name, contact numbers, the address of the company or individual(s) they intended to visit, the time they entered and exited the building, signature, and the last four digits of their ID numbers.  Such personal data were collected for ensuring the owners’ and tenants’ safety, and their property interests.  The collected data can be used to verify their identities and to maintain record traceability—both are in line with the purposes of ensuring security and legitimate, fulfilling Article 5(1)(2) and 5(1)(3) of the PDPA. 
  Etiam according to the Complainant, the personal data as registered by other visitors were unconcealed, and the property management company claimed that it had established guidelines to ensure proper storage of visitors’ data, and they were only accessed when new visitors attempted to register data.  The registered data, contrarily, were concealed during other visitors’ registration.  During on-site investigations, the allegations of the Complainant against Company A were not proved though, the GPDP also reminded Company A to strictly implement security measures by ensuring the recorded personal data are properly concealed before the next visitor’s registration.  The registered data should also be handled safely to prevent data leaks. 


    The GPDP already reminded Company A to strictly implement security measures.  This case was closed.

Please refer to Article 3, 4, 5, 6 and 15 of the PDPA.