Complaint Case Notes

編號: 0084/2016/IP

標題: Prohibition of the right of access

立案原因: Complaint


    This case stemmed from the unsolicited marketing text messages sent by Company A to the Complainant. According to the latter, he never provided his personal data to the former and therefore he tried to call, and also sent text messages to, Company A, which, however, never responded. The Complainant believed that this was a violation of the PDPA (Personal Data Protection Act) and therefore asked the GPDP (Gabinete para a Protecção de Dados Pessoais) to investigate.


    According to Article 4(1)(1) and 3(1) of the PDPA, the data processing of this case should be subject to the same Law.
  The GPDP’s investigations revealed that the numbers of the text messages were registered by Company A. B is the sole administrator and shareholder of this Company. B denied that he had provided a list of numbers for Company A’s staff to send out messages, and it was the Company’s staff who generated the numbers for their telemarketing. However, the messages were sent out according to Company A’s order, in addition to the equipment used was provided by the Company. This revealed that Company A has the right to decision over the processing purposes and processing methods, and it should be regarded as the data controller of the processing of the case.
  In terms of the lawfulness requirements of data processing, a data controller must at least rely on one of the conditions laid down in Article 6 of the PDPA. Before sending out unsolicited text of marketing purpose, a commercial entity should have obtained the explicit consent from the data subjects, as a sign of respect and safeguards to their rights. Unlawful personal data processing is constituted otherwise. Given that Company A failed to demonstrate that it had obtained the consent from the Complainant before sending him marketing text messages, this might violate Article 6 of the PDPA.
  In addition, the right of access, laid down in Article 11 of the PDPA, specifies that data controller is obliged to allow his data subject(s) to exercise such right. In this case, the Complainant had on several occasions called, or sent messages to, Company A, trying to find out how it obtained his personal data, but this Company was beyond reach. B alleged that it might have missed the calls or text messages, but failed to provide proof demonstrating possible connection problems. Since the messages were sent out by Company A and normally a message recipient would directly reply to, or call the numbers shown on, the message, in order to reach the sender. As long as foreseeing the high likelihood of precluded direct contacts, Company A should have specifically noted other means of contact in the message. The declaration of B was apparently unwarranted.
  The central issue at play was, in the GPDP’s opinion, Company A in its processing of personal data had not obtained the Complainant’s consent and did not satisfy his lawful rights. Consequently it violated Article 6 and 11 of the PDPA.


    Considering that the mobile numbers was the only type of information processed in the current case and it was the first time that Company A violated the PDPA, the GPDP, for the administrative offense governed by Article 6 of the PDPA, decided to impose a fine of MOP$8000 according to Article 33 and 36 of the same Law. On the other hand, a penalty of MOP$4000 is imposed for the administrative offense in violation of Article 11 of the PDPA.

Please refer to Article 4, 6, 11, 33 and 36 of the PDPA.