Complaint Case Notes

Case No.: 0083/2015/IP

Title: Restaurants suspected of showing photos of those who “ate and dashed”

Reason for opening the case: Report


    A citizen reported to the Office for Personal Data Protection (GPDP) that Restaurant A had put up, in its business area, photos of “ate-and-dash” customers, and believed that this was a suspected violation of the Personal Data Protection Act (PDPA).


    Given that the photos clearly showed the appearance of the persons concerned and identification was possible, such data should be considered personal data, as they relate to identified or identifiable natural persons, according to paragraph 1 of Article 4 and paragraph 1 of Article 3 of the Personal Data Protection Act (PDPA).  Therefore, the data processing in the current case should be subject to that Law.
  The head of the Restaurant pointed out that they very often encountered “bill-dodgers” and therefore put up photos of those who skipped out on their bills.  In addition, he indicated that the photos were put up to alert other customers, because from time to time people fell victim to theft and lost their property inside the Restaurant.  Even though the eyes of those appearing in the photos were covered with black strips, the GPDP is of the opinion that others (for instance, people living nearby, relatives of those in the photos, etc.) could possibly identify those in the photographs based on other characteristics (appearance, clothing, etc.).
  The GPDP considers that the Restaurant originally installed the surveillance system in its business area for a security purpose: to protect its property and other legal interests.  In that respect, the personal interests of the data subjects (those who were photographed) do not override the said interests of the Restaurant, which made its data processing legitimate according to Article 6(5) of the PDPA.  However, the Restaurant captured the images of those suspected of slipping away without paying and had them printed as photos, and publicizing them was not purely for an internal security purpose.  On the contrary, the photos were used to inform the public that these people had left without paying, which deviated from the said security purpose.
  To sum up, Restaurant A's publicizing of the personal data of those who made off without payment was a violation of Article 5(1)(2) of the PDPA.


    Restaurant A originally installed the surveillance system for a security purpose, but later published photos of those who skipped out on their bills, an obvious deviation from its original security purpose.  Therefore, it was a violation of Article 5(1)(2) of the PDPA, and the GPDP decided to impose a penalty of MOP4000 on Restaurant A according to Articles 33(1) and 35(1) of the PDPA.

Please refer to Articles 3, 4, 5, 6, 33 and 35 of the Personal Data Protection Act.