Complaint Case Notes

編號: 0055/2010/IP

標題: Hotel A collected the personal data of Play Facilities B users

立案原因: Complaints


    When Resident X took Child Y to play facilities B of Hotel A, Resident X was asked to fill in an “Entry Terms” form before entering the facilities, which required that he fill in the name and date of birth or age of Child Y and a contact number. Resident X had to sign the form before purchasing the ticket.
  Resident X believed the Hotel A’s conduct breached the “Personal Data Protection Act”, and filed a complaint with this Office (GPDP).


    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  According to Hotel A’s reply, it collected the personal data of Play Facilities B users in order to keep contact them in case of emergencies. With names of the minors and the contact numbers of the parents or guardians, Hotel A could notify said parents or guardians in emergency situations based on the relevant data. They also collected the date of birth or age of minors to verify whether or not they met the age requirements. They asked a parent or guardian to sign the form in order to inform them of the “Entry Terms” and ask them to authorize Hotel A to carry out appropriate treatment measures when the hotel could not reach them in the event of an accident. After this complaint, Hotel A amended the processing measures. If the parents or guardians of the minors do not leave the play area, only the names of the minors, instead of all the information on the form, will be collected. This was to guarantee that parents or guardians of the minors can immediately be notified, and to seek medical assistance, in the event of an accident.
  In GPDP’s opinion, under the terms of the “Civil Code”, any person under age eighteen is defined as a minor. Minors do not have the legal capacity to make certain decisions, which shall need to be made by a parent or guardian. In filling in the personal data in the form, the parents or guardians of the minors are giving Hotel A their consent. Hotel A therefore legitimately processed the personal data in accordance with the terms of Article 6 of the “Personal Data Protection Act”.
  In this case, the relevant data was collected and subsequently processed for a specific, explicit and legitimate purpose which was directly related to the hotel activities. Therefore, they acted in line with Article 5.1.(2) of the “Personal Data Protect Act”. The data Hotel A formerly asked people to provide was entirely related to the purpose of avoiding accidents. The data of the play facility users and of their parents or guardians collected by Hotel A served to verify the entry qualifications and guarantee the safety of minors. The data processing complied with the principle of proportionality provided in Article 5.1.(3) of the “Personal Data Protection Act”.
  Based on its assessment of the “Entry Terms” for play facilities B, GPDP confirmed that the “Entry Terms” state that Hotel A was the data controller of processing personal data of the Play Facilities B users and that the processing was for emergency purposes. The “Entry Terms” contained the information required in Articles 10.1.(1) and 10.1.(2) of the “Personal Data Protection Act”, which meant that Hotel A adequately protected Resident X’s right to information.
  In summary, Hotel A’s processing of the personal data of the users of play facilities B was carried out in accordance with Articles 5, 6 and 10 of the “Personal Data Protection Act”, and in no way breached this law.


    GPDP sent letters to Resident X and Hotel A, informing them of the abovementioned analysis and decisions.

Please refer to "Personal Data Protection Act", articles 3,4,5,6,10 .