Complaint Case Notes

Case No.: 0105/2015/IP

Title: Management company collected excessive personal data

Reason for opening the case: Complaint


    The Complainant in the current case reported to the Office for Personal Data Protection (GPDP) that Management Company A requested the flat owners of Building B, or their proxies (procuradores), to produce their IDs, management fee receipts and contact numbers to prove their identities when collecting their new building access cards.  In addition, Company A recorded the ID numbers of the said persons on its registers, and the personal data already registered were visible to others when the Company staff made new entries.  The Complainant believed that this was an unnecessary collection of ID card numbers and an excessive collection of personal data.


    Pursuant to Articles 4(1)(1) and 3(1) of the Personal Data Protection Act (PDPA), the personal data processing in the current case is subject to the same Law. 
  Company A alleged that it was asked by the Management Committee of Building B to distribute the access cards, and the said data were also collected under Company A’s instructions.  Moreover, the internal working guidelines were also formulated according to Company A’s requirements.  These revealed that it was the Management Committee that decided the purposes and means of the data processing.  Under Article 4(1)(5) of the PDPA, the Management Committee is the data controller and Company A is the processor. 
  With regard to the processing of personal data, a data controller should fulfill the conditions laid down by Article 6 in order to legitimize its data processing.  If the flat owners or the proxies provided their personal data to the Management Committee voluntarily in order to collect the access cards, then the data processing was carried out with the unambiguous consent given by the data subjects.  On the other hand, if the ID numbers were requested for management and security reasons, in order to ensure that the access cards were collected by the flat owners or the proxies, then the legitimate interests of the Management Committee took precedence over those of the said persons.  By the same token, the registration also fulfilled the conditions of legitimate data processing as laid down in Article 6(5) of the PDPA. 
  On the other hand, registering the personal data of the individuals who collected the access cards should also comply with the processing principles laid down in Article 5 of the PDPA.  In fact, the Management Committee registered their personal data in order to ensure that the cards were collected only by the flat owners or the proxies.  Such a purpose is specified, explicit, and legitimate.  In addition, it is possible for flat owners or proxies to share exactly the same names.  As such, collecting ID numbers for identity verification is in line with the purpose of identifying those who collected the access cards and, consequently, there was insufficient evidence to prove that Article 5 of the PDPA was violated.  To better protect personal data, the GPDP has already recommended that the Management Committee review whether it is necessary to register ID numbers, and either collect personal data that would have a lesser impact on the data subjects or replace the ID card registration with other measures. 
  Although the Complainant mentioned that other flat owners’ personal data, already entered on the register, could be seen by others, Company A pointed out that the personal data remained confidential when the access cards were distributed.  In addition, Company A stated that the personal data would be completely blocked after the card collection was completed.  In response, the GPDP reminded the Committee of the processing security requirements governed by Article 15 of the PDPA.  In addition, the Committee was requested to ensure that the registered data are concealed when a new entry is being made and to formulate its own personal data processing guidelines for its processor to comply with.  Pursuant to Article 10(2) of the PDPA, the GPDP has already requested the Committee to specify the information required by Article 10(1) of the PDPA on its registration forms, in a bid to protect the data subjects’ right to information. 


    The GPDP has already informed the Complainant, Management Company A and the Management Committee of Building B of the investigation result.  A reminder was also given to the Management Committee.  The current case was closed. 

Please refer to Articles 3, 4, 5, 6, 10 and 15 of the Personal Data Protection Act.