Complaint Case Notes

Case No.: 0092/2015/IP

Title: Petrol station staff recorded customers’ license plate numbers on credit card receipts

Reason for opening the case: Report


    An individual informed the Office for Personal Data Protection (GPDP) that Petrol Station A, without informing its customers, asked its staff to record customers’ license plate numbers on credit card receipts. He believed that this was an excessive collection of personal data and therefore asked the GPDP to follow up.


    Under Articles 4(1)(1) and 3(1) of the Personal Data Protection Act (PDPA), the data processing in the current case should be subject to this Law.
  GPDP’s investigation revealed that Company B was the operator of Petrol Station A. Company B explained that, to avoid fraudulent credit card transactions, its staff were requested to ask customers to write their license plate number on the credit card receipt. If a customer forgot to do so, the staff would record the information. This revealed that Company B decides and controls the purposes for which and the manner in which the personal data concerned are processed. Under Article 4(1)(5) of the PDPA, Company B should be the data controller.
  Generally, when customers voluntarily write their license plate number on the receipt, Company B can rely on the data subjects’ unambiguous consent, as laid down in Article 6 of the same Law, to legitimize its data processing. Furthermore, the license plate numbers were collected only from customers who paid by credit card, and the collection was aimed at the lawful interests arising from preventing fraudulent transactions. For this reason, customers’ interests or rights, freedoms and safeguards do not prevail. As a consequence, Company B can also rely on this to legitimize its data processing according to Article 6(5) of the PDPA.
  In the current case, Company B’s practice was aimed at preventing fraudulent use of credit cards, which could harm its interests, and its collection of data was for specified, explicit and legitimate purposes and for purposes directly related to its activities. This showed that it was acting in compliance with Article 5(1)(2) of the PDPA.
  However, credit cards are normally used for card-present transactions in petrol stations and the transactions do not involve high values, so staff can verify a cardholder’s identity and the credit card’s authenticity, which means that dubious transactions could be refused. In this sense, if Company B finds it necessary to collect more personal data, it should focus only on suspected fraudulent users instead of all credit card users. On the one hand, collecting license plate numbers will not have much impact on the data subjects and, on the other, Company B was collecting such data for lawful interests and for submission to the enforcement authorities and card issuers for investigations of fraudulent transactions, if any. This showed that its practices did not violate the principle of proportionality as laid down in Article 5(1)(3) of the PDPA. However, to better implement the principle of proportionality with a minimum degree of interference, Company B has improved its practices, after GPDP’s investigation, by no longer collecting license plate numbers from everyone who paid by credit card.
  Furthermore, if in the future the collection of customers’ personal data is necessary under special circumstances, Company B may provide the cardholder with clear information in accordance with Article 10(1) of the PDPA. In addition, Company B should formulate its own Personal Data Collection Statement and clear data policies as soon as possible, which should be available at the petrol station for data subjects to access should they exercise their right to information.


    This case was closed because Company B has stopped collecting the license plate number from those who paid with credit cards.

Please refer to Articles 3, 4, 5, 6 and 10 of the Personal Data Protection Act.