Complaint Case Notes

編號: 0076/2014/IP

標題: Sending unsolicited text message (SMS)

立案原因: Complaint


    The Complainant of the current case is not a customer of Company A, but he received unsolicited text messages (SMS), relating to estate sales, from this Company.  Even after the Complainant exercised his right to object, the unsolicited messages continued.  Therefore he lodged a complaint with the Office for Personal Data Protection (GPDP) as he believed that this was a suspected violation of the Personal Data Protection Act (PDPA).


    According to Article 4(1)(1) and 3(1) of the PDPA (Personal Data Protection Act or Law 8/2005), the data processing of the current case is subject to the same Law.
  According to Article 6 of the PDPA, a data controller has to fulfill any of the criteria of legitimate data processing before he starts to process any non-sensitive personal data.  Generally commercial enterprises for the purpose of marketing to process personal data should be based on the unambiguous consent of the data subject, or else the processing is not legitimate.  Since Company A failed to obtain consent from the Complainant for its marketing text messages, it failed to fulfill any of the legitimate criteria as laid down in Article 6. 
  On the other hand, since the Complainant has exercised his right to object by texting Company A, its staff accidentally added the Complainant’s phone number back onto the list of marketing subjects, and this caused the text messages to continue.  The GPDP is of the opinion that, since the staff was acting for Company A’s real estate business, in its interests and on its behalf, Company A has the duty to supervise its staff for being the data controller, it should provide respective trainings to the staff and formulate guidelines.  Company A, on the contrary, expressed that it has not established any guidelines or policies for its telemarketing.  This revealed that its staff members caused the current incident mainly because of lack of trainings or guidelines to refer to.  Company A, therefore, should be responsible for its staff members’ fault.  Company A’s failure to satisfy the Complainant’s right to exercise violated Article 12 of the PDPA.


    Considering that Company A neither established guidelines for its marketing, nor provided any staff trainings or supervision, but this was its first violation and its cooperativeness during the investigations, GPDP decided to impose a monetary penalty of MOP16000 in total.  The decision was based on the fact that Company A, without meeting any of the criteria of legitimate processing, sent unsolicited text messages to the Complainant and failed to satisfy his right to object, which correspondingly constituted administrative offences and led to the penalty of MOP10000 and MOP6000 according to Article 33 of the PDPA.  The GPDP has already informed Company A, in writing, the said decision and also reminded it to establish an “opt-out list”, in addition that it should stop sending unsolicited messages to those on the list.

Please refer to Article 3, 4, 6, 12 and 33 of the Personal Data Protection Act.