Complaint Case Notes

編號: 0048/2010/IP

標題: Receiving the photos taken by video surveillance camera inside the lift of the building

立案原因: Complaints


    Citizen A expressed that Department A where he worked received a letter sent by Person B containing the number of his rental parking space in Building B, the license plate number of his car and six black and white photos taken by the video surveillance camera inside the lift of Building B.
  As Citizen A believed that the aforementioned six photos were disclosed by the security guard of Company C working in Building B and a consequent invasion of privacy, he asked for a follow-up to the situation from the Office for Personal Data Protection (GPDP).


    The data processing of the current case is regulated by the Personal Data Protection Act under its Article 4(1)(1) and 3(1).
  According to a statement made by Person C, the ex-chairman of the Management Committee of Building B, the surveillance system in Building B was managed by Company C. Person B had formerly been a director of the Management Committee and Building B currently had no Management Committee.
  According to the information provided by Company C, the surveillance system was controlled and processed by Company C. Although the security guard of the building would monitor for any suspicious characters or situations via the screen of the said system, he would not provide any CDs or image data to anyone without permission.
  GPDP considered that since Company C was entitled to personal data processing captured by the video surveillance camera installed in building B, Company C was the controller.
  Person B did not send the letter on behalf of the Management Committee of Building B. Under Article 3(2) of the Personal Data Protection Act. Person B was not the controller; therefore the Personal Data Protection Act was not applicable to the aforementioned processing.
  The surveillance system of Building B was collectively owned by all individual proprietors in the building, and Company C was hired by these proprietors to manage the building and maintain the safety and normal operation of the building, therefore we could conclude that the installation of the respective video surveillance camera by Company C was for security purposes in the building and thereby had legitimacy in accordance with Article 6(5) of the Personal Data Protection Act.
  After investigation by GPDP, the authority of the security guard of Building B was only limited to the surveillance of the relevant images and there was only one screen and one surveillance system controller on the scene. Thus, the residents of the building were not able to view relevant images through the surveillance system located inside the building. However, the corresponding screen was located next to the window of the building entrance that the window was always open. Person B might have captured the display image without the safety guard’s awareness (for example, due to said safety guard being temporarily absent). As such, the security measures Company C was adopting presently were insufficient and did not conform to Article 15 of the Personal Data Protection Act.
  If Citizen A suffered damages due to the behavior of Company C, he could exercise his right to indemnification as envisioned in the Personal Data Protection Act.
  In summary, Company C breached Article 15 of the Personal Data Protection Act.


    GPDP informed both Citizen A and Company C, in writing, of the aforesaid analysis and decision and requested Company C to improve his security measures in regard to the personal data processing from the video surveillance cameras. Company C also had to create the relevant “Personal Data Collection Statements”, and make the respective declarations to GPDP. The case was closed.
  Company C had made corresponding improvement measures according to GPDP’s request.

Please refer to "Personal Data Protection Act", articles 3,4,6,15,21 .