Complaint Case Notes

Number: 0066/2017/IP

Title: Collecting members’ personal data

Reason for filing: Report


    A citizen (hereinafter referred to as B) reported to the GPDP (Gabinete para a Protecção de Dados Pessoais/Office for Personal Data Protection) that Company A, when recruiting members, required participants to provide their Chinese and English full names, complete ID numbers, date of birth, region, phone number, and email address. B believed that this was an excessive collection of personal data and therefore asked the GPDP to follow up.


    According to Articles 4(1)(1) and 3(1) of the PDPA (Personal Data Protection Act), the data processing in the current case is subject to this Law.
    According to Company A, its membership application form asked an applicant to provide various types of information, which, however, were not mandatory. The applicant was asked to provide his name, gender, date of birth, region, and contact numbers, and to indicate whether he would like to receive further information. This information qualifies as personal data since it can be used to identify natural persons, and is consequently subject to the Personal Data Protection Act (PDPA).
    Generally, when applicants voluntarily provide their personal data for a membership application, the respective processing of personal data complies with the conditions of legitimate processing (explicit consent given by the data subjects) laid down in Article 6 of the PDPA.
    Company A explained that members could enjoy membership benefits and discounts when quoting their membership. Bonus points could be redeemed as gifts or cash coupons. To protect the members’ interests and its own, Company A stated that it was necessary to collect members’ personal data in order to differentiate them from other customers. This showed that the collection was not disproportionate and was in compliance with Article 5(1)(3) of the PDPA.
    A reported to the GPDP that he was asked to provide all the information required by the application form, otherwise the application would be rejected. This claim was unsubstantiated, as A failed to provide concrete evidence. After the GPDP investigated the case, the application form no longer asked for ID numbers. In addition, it also specified whether the provision of contact numbers and email address was mandatory or optional, in a bid to prevent excessive personal data collection, in compliance with Article 10(1)(3) of the PDPA.


    Company A has introduced measures to improve its data collection. The current case was closed.

Please refer to Articles 3, 4, 5, 6, and 10 of the PDPA.