Complaint Case Notes

編號: 0055/2012/IP

標題: Transfer of personal data to offshore company without obtaining consumer’s consent

立案原因: Complaint


    Resident X complained that, without obtaining his consent and notifying him Company A transferred his personal data (including his name and identity card number) to other companies (including a company in the Mainland China) for consumer researches.
  Later, Bureau B transferred another case to the Office for Personal Data Protection (GPDP), in which Resident Y pointed out without obtaining his consent Company A passed his contact number to another company for consumer researches.  To these cases, the GPDP initiated an investigation (case no. 0105/2012/IP), in which the two incidents as mentioned were included.
  Both Resident X and Y believed that Company A violated their privacy and required the GPDP to follow up.


  According to Articles 4(1)(1) and 3(1) of the PDPA (Law 8/2005), the data processing of the current case is regulated by the same Law.
  Company A indicated that it has entrusted Company C to conduct a telephone research (aimed at the three categories of customers, namely the consumers, SMEs customers and corporate customers).  Company A only transferred to Company C a list of customers’ contact, along with their category information and internal reference codes.  
  The GPDP believed that Company C is able to contact the applicants based on the said customer information, and it is also able to segregate them from other customers.  On behalf of Company A, Company C contacted the targeted customers to collect their opinions.  Therefore, the customer contact list transferred by Company A could identify the customers’ identities, and the contact numbers, along with their categories and reference codes, are customer information.  These are both considered as the customer personal data pursuant to Article 4(1)(1) of the PDPA .
  The purposes and means of processing the concerned customers’ personal data are at Company A’s discretion, including transferring the information to other companies. Company A, thereby, is the data controller. Company C is entrusted by Company A, following its instruction to conduct customer researches. So it is only the subcontractor of Company A.
  Telecommunication service providers process customers’ personal information based on the telecommunication service contracts.  In order to understand the customers’ satisfaction and to optimize its service, Company A achieved the legitimacy prescribed by Article 6(1) of the PDPA. X and Y found Company A’s transferring their personal data to a third party, without their consent, dissatisfactory.  However, Company C, the recipient of the data, is entrusted by Company A and processes the concerned customers’ personal data on behalf of Company A.  Therefore, Company A is not necessary to obtain the data subjects’ consent for its entrust contract with Company C.
  Company A indicated that the concerned list of telephone numbers was first uploaded to the server of Company C in Hong Kong, followed by the staff members of the latter’s Guangzhou office logging in the server to select certain numbers for the research.  This showed that Company A has already transferred the concerned customers’ personal data to Hong Kong and Mainland China.  For this case, the GPDP has never declared that the legal systems in any places that received personal data can ensure an appropriate level of legal protection.  In addition, Company A has not applied to the GPDP for an authorization pursuant to the PDPA under its Article 20(2).  As a result, Company A’s act might not be in compliance with Articles 19, 20(2) or 20(3) of the PDPA.  After investigation, no evidence shows Company A’s transferring of customers’ information has obtained the data subjects’ consent and for the contract performance.  According to Law 14/2001, the Basic Telecommunications Law, its Article 5 provides that telecommunication service is achieved for public interests.  The purpose of Company A’s transferring of data is to collect customers’ opinions so as to optimize the service, as well as entrusting an overseas company to collect opinions is not an inevitable or the only means of achieving such a purpose.  In GPDP’s view, Company A’s act is not considered as safeguarding important public interests.  Therefore, Company A’s transferring of the concerned customers’ information does not comply with Articles 20(1)(1), 20(1)(2), and the first half of 20(1)(3).  Moreover, the current case could not be considered as situation of the latter half of Article 20(1)(3), as well as Articles 20(1)(4) and 20(1)(5), which data transfer is allowed after notification to the GPDP. 
  According to the Personal Data Collection Statement provided by Company A, it did not clearly indicate the types of data recipients as stipulated by Article 10 of the PDPA.
  Summing the above, Company A’s transferring of customers’ personal data to places outside the Macao SAR violated Article 20 of the PDPA.


    Taking into account that only a few types of personal data are transferred, which also did not involve sensitive personal data, according to Article 33(2) of the PDPA, the GPDP decided to impose to Company A a fine of MOP 10,000.  In addition that under Article 43(1) idem, Company A has to ask Company C to immediately destroy the personal data obtained from Company A.
  The GPDP has informed Resident X, Resident Y, Company A and Bureau B of the aforementioned analysis and decisions, as well as suggesting Company A to optimize its Personal Data Collection Statement.

Please refer to "Personal Data Protection Act", articles 3, 4, 6, 10, 19, 20, 33 and 43 .