Complaint Case Notes

編號: 0032/2011/IP

標題: Public Department allowed Management Company to handle social housing rental contracts

立案原因: Complaints


    Citizen A stated that Bureau A had posted notices in Building B, asking all the tenants to hand in a photocopy of their rental contracts to the management office so as to allow the Bureau to issue the door access cards.
  Citizen A felt that his personal data would be disclosed as Bureau A, which allowed Management Company C to handle his rental contract that contained with personal data such as his name, identity card number, date of birth and marital status, might breach the “Personal Data Protection Act”.


    The data processing of current case is regulated by the “Personal Data Protection Act” under its Article 4(1)(1) and 3(1).
  According to the information provided by Bureau A, he agreed to let Management Company C follow the issuance of door access cards of Building B. That company had drawn up relevant application, issuance procedures as well as application form and noted that if any of the tenants had handed in a photocopy of the rental contract, it would immediately refuse to accept and return the contract photocopy.
  Under Article 1 and 40 (1) of Administrative Regulation No. 25/2009, Bureau A possesses the right of decision concerning the management of social housing. GPDP considered that Bureau A was the controller responsible for the personal data processing of Building B’s tenants. As regards the issuance of door access cards in Building B, Company C was an outsourced company and did not possess the right of decision on the personal data processing. Therefore Company C was the processor of Bureau A.
  According to Article 7 of Administrative Regulation No. 25/2009, the submission of personal data voluntarily by the social housing applicants is considered an “explicit consent”, as determined in Article 6 of the “Personal Data Protection Act”. Also, according to the Article 9 of the same Administrative Regulation, the rental contract containing the data of Citizen A is based on legal provisions and belongs to Article 6(2) of the “Personal Data Protection Act”.
  As no evidence showed that Company C caused Citizen A’s personal data to be leaked, Bureau A did not breach the security of processing specified in Article 15 of the “Personal Data Protection Act”.
  Bureau A expressed that the Management Company would not collect a photocopy of the resident’s rental contract. There seemed to be contradiction between Citizen A and the aforesaid circumstance; meanwhile Citizen A was unable to provide any evidence to this end.
  Furthermore, the Management Company, as processor, was commissioned by Bureau A to process the revelant personal data on its behalf. According to Article 4 (1) titled “Social Housing Application Form” of the “Social Housing Application Regulations” issued by Executive’s Order No. 296/2009, applicants must fill in the personal information of the familiy representatives and members, which must be consistent with the family structure data contained within the rental contract. Therefore, it was clear that the data contained in the photocopy of the relevant rental contract was already in the possession of Bureau A, which was a party to the Contract. In this case, even if the photocopy of the rental contract had been collected by the management company, as Citizen A described, it would not be considered an additional collection of personal data, but an simplification of the administrative procedures.
  In summary, Bureau A did not breach the provisions of of the “Personal Data Protection Act”.


    GPDP informed both Citizen A and Company A, in writing, of the above-mentioned analysis and decision. The case was closed.

Please refer to "Personal Data Protection Act", articles 3,4,6,15 .