Complaint Case Notes

編號: 0002/2014/IP

標題: Uploaded clients’ photos by mistake

立案原因: Complaint


    When A was pregnant, she and her husband, B, took some family photos.  The photos were taken by Company X and were uploaded to the company’s account on a social networking website afterwards.  The photos were accessible by everyone on the website.  A and B phoned Company A for several times, but nobody answered. In addition, they also sent several private messages to Company X through the networking website, asking the latter to immediately delete their photos but no response was received.
  A and B had never given their consent to Company X for publishing their pictures on the website, nor had the company specified in its contracts, receipts, and website pages that the photos they took would be published.
  A and B believed that Company X might have violated the Personal Data Protection Act (PDPA, or Law 8/2005), and therefore filed a complaint with the Office for Personal Data Protection (GPDP), in a bid to have the photos deleted.


    According to Article 4(1)(1) and Article 3(1) of the PDPA, the data processing of this case shall be governed by the same Law.
  In addition, according to Article 7(1) idem, the said pictures concerned the private life of A and B and thus they should be regarded as sensitive data.
  Company A, in its written response, pointed out that its staff immediately deleted the photos after receiving the said private messages.
  In GPDP’s opinion, after taking the photos for A and B, Company X published the photos on the social networking website, which elaborated that it has the right to decide for the processing purposes and methods of the photo data.  According to Article 4(1)(5) of the PDPA, Company X shall be regarded as the data controller of the respective data processing.
  In this case, Company X is a commercial organization and published the photos for its promotion, but without the legitimacy as required by Article 6(2) to 6(4) of the PDPA.  Company X admitted that it published the photos without obtaining prior consent from A and B, nor the publishing was based on a contract the two parties concluded; therefore legitimacy was not established according to Article 6(1) nor based on A and B’s explicit consent.  In addition, the commercial interests of Company X did not precede the legitimate interests of A and B, thus the company lacked the legitimacy under any of the conditions governed by Article 6 of the PDPA. According to Article 7 of the PDPA, Company X could process the sensitive data of A and B only with their explicit consent, in other words, the Company had not established the legitimacy for publishing their photos.
  According to Article 21(1) of the PDPA, when personal data is processed by automatic means, the data controller is obliged to notify its processing to the GPDP. After being reminded by the GPDP, Company X had sent the said notification for application to this office.
  To sum up, Company X did not established the legitimacy for processing A and B’s personal data, including sensitive data, as provided for by Articles 6 and 7 of the Personal Data Protection Act.


    After taking into account of: 1. The said website pages of Company X were open to the public, which meant anyone may access the photo data and leave comment, which might have caused greater influence to both A and B; 2. Company X immediately deleted the photos after mistakenly uploaded them; 3. This was only an individual complaint; 4. Company X did not intentionally upload the photos; 5. It was the first violation of the PDPA by this Company; 6. Company X was cooperative during the investigation and admitted its violation of the PDPA, the GPDP, according to Article 7, which is a more stringent provision, and Article 33(2) of the PDPA, imposed a fine of MOP8,000 to Company X.

Please refer to “Personal Data Protection Act”, articles 3, 4, 6, 7, 21 and 33.