Complaint Case Notes

編號: 0118/2014/IP

標題: Asking customers to provide personal data for their tickets

立案原因: Complaint


    Complainant reported to the Office for Personal Data Protection (GPDP) that, while purchasing tickets with his credit card from Company A, a box office, asked him to produce his ID card for the reason that this was his first purchase.  Later, the ticket seller registered his ID card number, name and contact number.  The Complainant believed that as he was purchasing the tickets with a credit card, verifying his credit card and ID card information would be sufficient, and registration of his personal data was unnecessary.  He believed that it was an excessive collection of personal data and asked the GPDP to follow up. 


    Under Article 4(1)(1) and 3(1) of the Personal Data Protection Act (PDPA or Law 8/2005), the personal data processing of the current case should be regulated by the same Law.
  Company A responded that whenever a customer purchases tickets, with credit card or cash, in its shop, it would collect exactly the same types of information.  As long as it is a first time purchase, the Company will collect the customer’s name, ID card number and contact information.  For any purchases afterwards, only his name and contact information will be asked for, but not his ID card number. 
  Company A expressed that collecting the said data aims to verify customer identity.  If a ticket is lost or a customer asked another person to collect his ticket, the said data will be used for re-issuing the ticket or for verifying the third party that picked up the ticket.  In addition, in case of program change such data could be used to contact the customers.  No matter a customer purchased his ticket with cash or credit card, he could complete his purchase without revealing his name.  But in case his ticket was lost, it will not be re-issued as no personal data had been provided for verifying identity. 
  Due to the fact that the tickets sold by Company A cost a considerable amount and the huge number of audience attended each show, inasmuch as a customer lost his ticket, it would not be possible to verify his identity simply with his name and verification could be confusing when people share the same name.  In fact, customers are allowed to purchase tickets without revealing their names; the collection of name and ID card number would, indeed, assists re-issuing tickets, as well as future contacts in case of program change.  All these justified that the principle of proportionality was not violated.  
  When selling tickets, Company A, instead of revealing its data processing purposes (re-issuing tickets or in case the ticket is picked up by a third party), only explained to the Complainant that collection of ID card number was aimed to prevent credit card fraud.  In addition, it also failed to explain to the Complainant the consequences if he refused to provide his ID card number and it was optional to provide data.  Even if the terms and conditions (of the ticket purchased) specified that Company A had the rights to refuse re-issuing tickets when it found impossible to verify a customer’s identity, it failed to illustrate its data processing purposes and whether it is mandatory, or optional, for a customer to provide his personal data.
  For the above, the GPDP provided its recommendations to Company A, in writing, suggesting it to explain clearly to customers its data processing purposes, whether it is mandatory or optional for customers to provide his personal data, and the consequences of not providing such information.  These measures would prevent similar incidents in the future.


    For re-issuing tickets it is necessary for Company A to verify customer identity, therefore collecting customers’ name, ID card number, and contact information in case of program change, all these did not violate the principle of proportionality.  The GPDP also recommended Company A explain clearly to its customers its data processing purposes, in order to satisfy their right to information.

Please refer to Article 3 and 4 of the Personal Data Protection Act.