Complaint Case Notes

編號: 0044/2013/IP

標題: Client’s data being transferred to the second processor

立案原因: Complaint


    Dispute over contractual fee was arisen between company A and the complainant X.  Company A has transferred X’s data to Company B for collecting the fee.
  X believed what Company A did has violated the Personal Data Protection Act (PDPA, or Law 8/2005), therefore he lodged a complaint with the Office for Personal Data Protection (GPDP).


    According to Articles 4(1)(1) and 3(1) of the PDPA, this Law governs the data processing of the current case.
  According to the contract X and Company A entered into, X agreed that he would be bound by the privacy terms therein.  Since the terms already listed that Company A could use the customer information for fee collection and may pass such information to its processor, as such X has already agreed that his personal information would be used for these two purposes.  As a consequence, under the conditions that the data subject has given his explicit consent and the data controller is one of the contractual parties, Company A has the legitimacy to pass X’s personal data to Company B for reminding and collecting from him the contractual fee.  This is in line with Article 6 of the PDPA. 
  At the same time, since Company A used X’s data for recovering the outstanding amount, which is within the contractual and privacy terms, the purpose is legitimate.  Such practice is also in line with the processing of customer data of those it served, as a consequence this did not violate the processing principles as laid down by the PDPA. 
  Company A has complied with the GPDP’s notification duty with regard the automatic processing and transfer of data.  Under conditions like “explicit consent of the data subjects” or “transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request”, customer data will be transferred, therefore the data receiver would also include Company B.  According to Article 20(1) of the PDPA, Company A is allowed to transfer X’s data to Company B.
  As Company B is the processor of Company A, according to paragraphs 2 and 3 of Article 15 and Article 17 of the PDPA, a controller is responsible to monitor its processor, as well as having the duties to choose a processor that could adopt adequate security measures and monitoring the measures adopted.  A controller should conclude regulatory documents with its processor, so that the latter could process in accordance with the requirements of the controller.  When a processor accesses the information without the guidelines from the controller, except in face of legal obligations, it should not process the data.  Based on the information provided, Company A asked Company B to call X to ask for the payment, along with the fact that X also pointed out Company B has clearly stated on the phone that it was representing Company A.  Under this circumstance, since no evidence has shown that Company B has not complied with Company A in the processing, and it does not appear that the client’s data has been arbitrarily used or leaked, hence, the above mentioned process did not violate the regulations governing processor of the PDPA.  
  In addition, the consumer dispute over the contractual fee between X and Company A did not fall within the scope of authority of the GPDP.  Furthermore, X has lodged a complaint with Department C, thus it is not within the processing scope of this case.
  To sum up, in considering that X has signed in the contract agreeing that he would be bound by the privacy terms and the nature thereof, X has provided consent to Company A to use his personal data for collecting the fee.  As such his personal data would be passed to Company A’s processor, which is line with the PDPA.  In addition, the data processing of the current case, both of Company A and Company B, was not found in violation of the other provisions of the PDPA.


    The GPDP has notified the investigation result to both Company A and X, and this case has been closed.

Please refer to "Personal Data Protection Act", articles 3, 4, 6, 15, 17 and 20.