Complaint Case Notes

Number: 0019/2015/IP

Title: Security guard collecting ID numbers from visitors

Reason for opening the case: Complaint


    The Office for Personal Data Protection (GPDP) received a complaint regarding the security guard of Building A collecting visitors’ information, including name and ID card number.  The Complainant reported to the GPDP that during his earlier visits, he only had to tell the security guard which floor he intended to access.  But during a later visit, he was asked to provide the mentioned information.  He believed that this was an excessive collection of personal data, and in addition he was not informed of the purposes of the collection.  While he was filling in his personal data in the registration log, the security guard also failed to cover the personal data already registered therein.  He therefore lodged a complaint with the GPDP.


    According to Articles 4(1)(1) and 3(1) of the Personal Data Protection Act (PDPA or Law 8/2005), this Law applies to the data processing in the current case.
  Information showed that Building A is affordable housing which has yet to establish its own management committee.  When the events of the current case took place, Company B was providing the building management services for Building A.  Company B was also found to be the entity that decided to adopt visitor registration for visitors to Building A.  In view of Decree Law 41/95/M, Regulations for the Administration of Buildings through Housing Development Contract, as well as Article 1357 of the Civil Code, approved by Decree Law 39/99/M of August 3rd, before an administrative committee is set up for affordable housing, a management company will act as the de facto administrator (gestor) to carry out the management functions.  As a consequence, Company B has the right to decide on and control the form and purposes of the processing of the visitors’ personal data, and thus it should be considered the data controller according to Article 4(1)(5) of the PDPA.
  For the purposes of security and management of Building A, it was lawful for Company B to request visitors to provide their information, and this conformed to Article 6(5) of the PDPA, which governs the criteria for legitimate data processing.  In most cases, visitors would voluntarily provide their information for registration in order to access the premises.  This demonstrated that Company B, on the basis of the data subjects’ unambiguous consent, fulfilled the criteria for legitimate data processing laid down in Article 6 of the PDPA.
  Taking into account Authorization No. 04/2008 (Data Registration and Processing Relating to Registration of Entries and Exits of Visitors) and Opinion No. 0011/P/2014/GPDP, Building B has been authorized to collect name, ID number and other information from visitors and is exempted from notifying the GPDP of its data processing.  These showed that the collection of data for security did not violate Article 5(1)(3) of the PDPA, which governs the principle of proportionality.  Despite the above, during the investigation Company B was found to be asking visitors to register their ID numbers in the log, but some visitors provided a phone number instead.  In response, the GPDP has requested Company B, in writing, to review the necessity of collecting the ID document number.  If it is unnecessary, collecting the complete ID number should be avoided.
  On the other hand, Company B has already posted notices in conspicuous places informing visitors of the registration of their information, in addition to having formulated its own Personal Data Collection Statement.  This showed that it was safeguarding the right to information laid down in Article 10 of the PDPA.  To comply with Article 10(2) of the PDPA, the GPDP has written to Company B requesting it to specify its data processing information in the registration log.  Moreover, the GPDP also requested Company B to keep its Personal Data Collection Statement ready in Building A, so that the security guard can provide it to visitors in case they exercise their right of access based on Article 11 of the PDPA.
  Company B also pointed out that when visitors register their information in the log, it would properly cover or conceal the information that had already been registered therein, and that the log was also securely placed.  These all showed that Company B did not violate the security of processing governed by Article 15 of the PDPA.
  To sum up, the GPDP did not find that Company B had violated the PDPA.


    This case was closed and the investigation results have been communicated to Company B and the Complainant.

Please refer to Articles 3, 4, 5, 6, 10, 11 and 15 of the Personal Data Protection Act.