Complaint Case Notes

編號: 0001/2007/IP

標題: A month statement without envelop was sent by post

立案原因: Complaints


    Resident X was a client of Financial Institution A, and claimed that Financial Institution A delivered a monthly statement to him by post without envelop, in which it contained his personal data such as name, contact address and transaction records. Resident A claimed that Financial Institution A violated the Personal Data Protection Act and filed a complaint with this Office (GPDP).


    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  According to Institution A, the incident was the result of an accidental malfunction of the mail processing machine. It stressed that it was an isolated case and it had not affected other clients.
  In GPDP’s opinion, Article 15 of the “Personal Data Protection Act” provides that “the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, …” So Institution A had the obligation to carry out in full the provision mentioned above and avoid undue leakage of personal data. Institution A did not manage to put the letter delivery process strictly under control and has failed to give adequate protection to its client’s personal data. Thus it violated Article 15 of the “Personal Data Protection Act” but it did not constitute an administrative offence.
  In summary, Institution A violated Article 15 of the “Personal Data Protection Act” but it did not constitute an administrative offence, but there was room for improvement.


    GPDP sent a letter to Institution A and required it to make improvement that can help it effectively avoid having the same thing happen again.
  Institution A took it very seriously. Besides apologizing to Resident X, Institution A also reviewed relevant procedures and strengthened quality control and process procedure control, including double checking if the number of letters matches the number of envelopes, to make sure letters will only be posted after they have gone through the entire inspection procedure.

Please refer to "Personal Data Protection Act", articles 3,4,15 .