Complaint Case Notes

編號: 0069/2011/IP

標題: Bank A opened a credit card without customer’s consent

立案原因: Complaints


    Resident X claimed that he provided Bank A with his personal data after signing a credit card application form. Afterwards, when calling Bank A to inquire, X was transferred to Credit Card Company B (hereinafter as Company B) and was informed that a credit card had been confirmed and opened for him. Later, he called Bank A again, but was notified that no credit card was opened and confirmed for him. Then, he asked Bank A to reopen a new credit card.
  X believed Bank A, not having his consent and opened the first credit card for him, might have violated the Personal Data Protection Act (Law 8/2005), thus he asked GPDP to follow up his case.


    In accordance with Articles 4(1)(1) and 3(1) of the Personal Data Protection Act, the data processing involved in this case is within the regulatory scope of the said Law.
  X pointed out that Bank A, prior to his consent, opened and confirmed a credit card for him. However, X’s account of the incidence was in contradiction to that of Bank A’s clerk, in addition that the former has not provided any evidence to GPDP.
  After investigation, Bank A was found having signed an agreement with Company B, with which they would jointly provide a credit card service. Under this Agreement, Bank A is responsible for the customer marketing services, and Company B for the maintenance of the credit card computer system and the management of credit cards transactions, etc. In accordance with the Credit Card Application Form of Company B, the said credit card applicant had authorized Company B to disclose any personal data of his account to Bank A and its subsidiaries. Therefore, Bank A handled X’s credit card application and processed his personal data based on the above-mentioned form he earlier signed.
  According to the information provided by X, Bank A was not found using his personal data for purposes other than applying credit card (such as marketing of financial products, etc.). In addition, X reopened a credit card, and no evidence showed that any damage was caused or any data was disclosed due to the opening of the first credit card.
  GPDP believed that it was, instead of an issue of personal data processing governed by Article 4(1)(3) of the Personal Data Protection Act, it was about how Bank A opened its credit cards and as a security issue of card transactions, thus the said Law was not applicable. In addition, the security of credit card application could possibly be related to the Legal Regime of Financial System, as approved by Decree-Law 32/93/M, which has not relation to the legal competence of GPDP.
  In summary, no objective evidence supported the claim from X, and no indication showed that Bank A violated the Personal Data Protection Act.


    GPDP already informed X, in writing, of the above analysis and opinions. The case was closed.

Please refer to "Personal Data Protection Act", articles 3,4,6 .