Complaint Case Notes

編號: 0041/2012/IP

標題: A shop published the personal data of its customers through a social network website account

立案原因: Complaint


    Citizen A mentioned that he had ordered clothes from Shop Z, which is a seller on Website X.  A once left his contact number to this seller.  Later, he received a message from Shop Z, which mentioned that the clothes ordered were ready for payment and pick up, but A did not pick up even having been reminded for several times.  Afterwards Shop Z, through its account on Website X, published the username of A and his mobile phone number and mentioned that A gave up the order and insulted the shop owner intentionally.  For this, Shop Z blacklisted A.
  A believed that Shop Z violated the Personal Data Protection Act (PDPA, or Law 8/2005), thus filed a complaint to the GPDP.


    According to Article 4(1)(1) and Article 3(1) of the PDPA, the processing of the related data of the current case shall be governed by the same Law.
  After investigations, the GPDP confirmed that Shop Z, in its “About” section of its account with Website X, stated that ‘…… those gave up their orders will be blacklisted and their data will be published here……’ This post, however, is not accessible to everyone.   
  B, the person in charge of Shop Z, indicated that A’s personal data was published on Website X through its account.  The data was made public, according the terms of the Shop as published on the Website, in order to maintain the goodwill of the Shop.  The GPDP is in the opinion that, as the personal data of A was published in the name of Shop Z, according to Article 4(1)(5) of the PDPA, the latter is regarded as the data controller.
  Shop Z admitted that, before publishing the data it has not obtained A’s consent nor he has been notified.  It, however, insisted that legitimacy has been established according to Article 6(1) of the PDPA before publishing the data.  Under Law 17/92/M, the validity of the general terms of a contract shall be determined by a court during a litigation. The GPDP, therefore, does not have the legal competence to do so.  With regard A failed to settle the contract (prestação), Shop Z could ask A to compensate according to laws; contrarily, laws did not allow it to publish A’s data.  Even if Shop Z wanted to refute the false claims of A, it was unnecessary to publish A’s website username and mobile number.  The fact that Shop Z published the data was unnecessary, irrelevant, and violated Article 5(1)(3) of the PDPA that may lead to penalty. 
  According to Article 93 of the Administrative Procedural Code, approved by the Decree 57/99/M of October 11th, the GPDP performed a hearing on Shop Z for the above suspected violation.
  During the hearing, Shop Z expressed that as long as A decided to purchase from it, this indicated that the latter agreed to the terms that his data would be published.  In addition that A is the one that started to insult Shop Z on the Website and even attached the logo of Shop Z.
  The GPDP does not have the competence to determine the validity of the contractual terms of Shop Z that have been published on Website X.  As the terms only specified that anyone failed to perform the contract his data would be published on the website, but the types of data to be published was not specified. It could not, therefore, expect A prepared his username and mobile number to be published.  Even the contractual terms are valid, before the data is published it is necessary to consider the types of personal data and the impact caused to the data subjects.  B, however, failed to consider the impact and published A’ data, therefore, it violated the principle of proportionality as given in the PDPA.  On the other hand, as shown in the texts posted by A, Shop Z published the complete mobile phone number of A. Obviously what A mentioned is inconsistent with the facts.
  To sum up, Shop Z published the username and the mobile phone number of A on Website X, which violated Article 5(1)(3) of the Personal Data Protection Act and constituted an administrative offense.


    Shop Z violated the Personal Data Protection Act for the first time though, it modified the contractual terms later and ceased to publish the data of those who did not perform the purchase contract.  Moreover, the aim that Shop Z published the data is to protect its goodwill; based on the above and under Article 33(1) of the same Law, Shop Z is imposed with a penalty of MOP 4,000.

Please refer to “Personal Data Protection Act”, articles 3, 4, 5, 6, and 33.