Complaint Case Notes

Case No.: 0046/2009/IP

Title: Student Card of University A with “X stored value” function

Reason for opening the case: Complaints


    Student Y had finished his master’s degree at University A before he became a doctorate student at the same university. Upon applying for his new doctorate Student Card, he was asked to return his master’s degree Student Card first, as the company which issues the stored-value cards ‘C’ (hereinafter referred to as Company B) had a policy which required that all old cards (hereinafter referred to as “Campus Cards”) be returned prior to the issue of a new one.
  Student Y refused to hand in his master’s degree Campus Card and requested that a new Campus Card be issued without the “X stored value” function. Student Y defended his actions, stating that he was a student of University A and not a client of Company B. As such, he did not want to subscribe to the “X stored value” service provided by Company B. In addition to this, he had already refused the service two years before, when he had enrolled in the master’s degree course and asked University A not to transfer his personal information to Company B. He therefore could not understand why Company B was in possession of his data.
  Student Y thought that the submission of his personal data by University A to Company B was wrong and potentially a breach of the “Personal Data Protection Act”. He therefore filed a complaint with this Office (GPDP).


    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  According to the information available on Company B’s official website, and in accordance with the written terms and conditions regarding the cards, if a card is found by someone who is not the owner, it should be returned to University A. From this, GPDP can conclude that the university Campus Card with customized “X stored value” function is essentially a student card with a value storage function and is therefore different from the stored value cards issued by Company B.
  According to the information provided by University A, the University A Campus Card is issued by University A’s Information Department, instead of by Company B. To apply for the customized “X stored value service”, students must personally fill in the respective form and sign it; University A would then pass the card and the form to Company B, which would then enter the first six digits of the student’s identity card number into the Campus Card, turning it into a customized “X stored value card”. If a student did not wish to subscribe to the service, the Campus Card issued by University A was only a normal student card with a non-customized “X stored value function”.
  In GPDP’s opinion, University A and Company B have different purposes regarding the collection of the students’ personal data. The data processing of University A is for administrative and academic purposes, whereas that of Company B is for its own commercial purposes. Both University A and Company B have their own rights to process the personal data that they obtain independently, in accordance with their own objectives. In addition to this, there is no relation of outsourcing or commission between Company B and University A. They are independent data controllers.
  University A is a private institution of tertiary education based in Macau. In accordance with article 19.1 of the “Regulation for the Attribution of Master’s and Doctorate degrees in University A” approved by Executive Order no. 37/2000, “those who wish to enrol in a doctorate degree course must submit an application to the Academic and Education Committee to formalize their application”. From this, GPDP can conclude that, in order to enrol in a doctorate degree course provided by University A, students must individually submit an application. In accordance with article 3.1 of the “University Charter”, approved by Executive Order no. 20/2000, the university has scientific and pedagogic autonomy, under the terms of the law. As such, the university can process students’ personal data, as such conduct is carried out for academic or teaching purposes.
  In the case at hand, Student Y voluntarily enrolled in a doctorate degree course offered by University A, and University A has teaching autonomy; therefore University A had obtained Student Y’s consent and processed his personal data in accordance with the terms of article 6 of the “Personal Data Protection Act”. In addition to this, University A provides education services in exchange for the tuition fees paid by the students, which is a contractual relation. The personal data was processed for the purposes of “executing the contract or contracts which the subject of the personal data is party to”, as per the terms of article 6.(1) of the “Personal Data Protection Act”. University A had therefore met two conditions of legitimacy for data processing.
  In the case at hand, Student Y did not want the “X stored value card” and the university was therefore prohibited from transferring his personal data to Company B, as Student Y did not give his consent. However, Student Y failed to understand the differences between a customized Campus Card with the “X stored value function” – which students need to apply for personally - and a generic student card with the “X stored value function”.
  Student Y’s insistence on receiving a new campus card without applying for an “X stored value card” and without returning his master’s degree student card was a matter pertinent to the internal management of the University and therefore outside the scope of GPDP’s competence.
  Under the terms of articles 10 and 11 of the “Personal Data Protection Act”, University A must fulfil its obligations to ensure that the “rights to information” and “right of access” of Student Y are being observed. Should Student Y wish to exercise these rights, University A should explain its relation with Company B and the ways in which his personal data is processed in a clear manner, so as to avoid misunderstandings.
  In summary, GPDP believed that neither University A nor Company B breached articles 5 and 6 of the “Personal Data Protection Act”, but there was room for improvement, namely with regard to protecting the “right to information” and the “right of access” of the data subjects.


    GPDP sent letters to University A and Student Y containing the analysis and opinion set out above. GPDP also recommended that University A should observe all the terms regarding the “right to information” and the “right of access” determined in the “Personal Data Protection Act”, prepare a “Personal Information Collection Statement”, and establish an effective communication channel with students, so as to eliminate doubts and misunderstandings.

Please refer to the "Personal Data Protection Act", articles 3, 4, 5, 6, 10 and 11.