Complaint Case Notes

No.: 0045/2018/IP

Title: mobile promotional messages

Reason for opening the case: report


      The GPDP (Gabinete para a Protecção de Dados Pessoais/Office for Personal Data Protection) received a report stating that Company A had sent promotional messages to a number of mobile numbers without the number users’ prior consent. The GPDP was asked to follow up the case.


      Under Article 4(1)(1) and 3(1) of the PDPA (Personal Data Protection Act or Law 8/2005), the data processing in the current case is subject to that Law.
    The investigation found that Market B, the online supermarket involved in the current case, is a subsidiary of Company A, and that it was Company A that sent out the messages, through a telecom platform, to the users’ numbers, which have been assigned to different telecom operators and have been uploaded to the webpages of the CTT (Direcção dos Serviços de Correios e Telecomunicações/Macao Post). Some of the users have registered to use Company A’s mobile app.
    A data controller can process data as long as it fulfills any of the conditions for legitimate data processing set forth in Article 6 of the PDPA. As a general rule, a commercial entity shall first obtain a data subject’s unambiguous consent in order to process his personal data for marketing purposes. Otherwise, the processing is illegitimate. Company A sent out the promotional messages but failed to obtain the data subjects’ unambiguous consent in advance, even though some of them had registered using Company A’s mobile app. When registering, however, users were unable to choose whether or not to receive promotional messages. In other words, Company A failed to obtain unambiguous consent from its app users prior to sending them promotional messages. In short, Company A did not fulfill any of the legitimate data processing conditions laid down in Article 6 of the PDPA.
    On the other hand, during app registration, Company A’s app users were not provided with a user agreement. The promotional messages also failed to specify Company A’s information, which meant that users were not aware of its data processing. This showed that Company A did not fulfill the obligation to provide information to the data subjects concerned, as required by Article 10(1) and 3 of the PDPA.


      With regard to Company A’s non-compliance with Articles 6 and 10 of the PDPA, which constituted two administrative offenses, the GPDP decided to impose, according to Article 33 of the PDPA, a penalty of MOP$40000. According to Article 43 of the PDPA, the GPDP decided to impose an additional penalty, requiring Company A to delete all the information of the non-registered app users, which was processed without complying with Article 6 of the PDPA, and to stop sending promotional messages to the registered users. Neither of these shall apply where a data subject has otherwise given his unambiguous consent.
    In addition, the GPDP required, according to Article 31 of the PDPA, Company A to include a user agreement in its app registration process, in order to comply with Article 10 of the PDPA.

Articles 3, 4, 6, 10, 31, 33 and 43 of the PDPA.