Enquiry Case Notes

No.: 0120/2011/RP

Title: An insurance company intended to integrate online insurance into a bank's personal online banking system


    Insurance Company A intended to integrate online insurance into Bank B's personal online banking system, and asked GPDP for advice on whether the online insurance process breached the Personal Data Protection Act.


    In response, GPDP explained only the general provisions regarding personal data.
  The processing of personal data must be in strict compliance with the provisions of the Personal Data Protection Act, including: processing may be carried out only with the explicit consent of the data subject or in other situations permitted by law (for example, to implement pre-contractual measures or to conclude the contract); personal data should be handled in a lawful manner, in accordance with the principles of good faith, proportionality, etc., and with respect for the privacy of personal life; the data controller shall respect the rights conferred on the data subject by the above-mentioned law, such as the right to information, the right of access, etc.; the data controller is responsible for taking appropriate security measures to prevent the data from being processed illegally; responsible entities shall fulfill the obligation to notify the parties in accordance with the provisions of the law, or make an application for permission, etc.
  According to the definition of "data controller" specified in Article 4.1.(5) of the Personal Data Protection Act, for the personal data processing of online insurance mentioned in the enquiry, Company A must first determine who the data controller is: Company A, Bank B, or both of them. Based on the information provided, one possibility for the data processing is as follows: Bank B engages in the insurance business and processes the relevant information as an "insurance intermediary" on behalf of Company A, and Company A receives from Bank B the relevant information that should be forwarded to it (please refer to Decree-Law No. 38/89/M), including personal data. Therefore, in its preliminary analysis, GPDP considers that Bank B may be the responsible entity for the data processing.
  According to the Dispatches of the Chief Executive No. 83/2007 and No. 6/2010, the duties of GPDP are to supervise and coordinate the observance and implementation of the Personal Data Protection Act. GPDP can provide opinions on whether the purpose, principles and legitimacy of personal data processing, the data subject's rights and so on are in line with the provisions of the Act. As for Company A's enquiry about whether operational matters such as the specific workflow and relevant security facilities comply with the provisions of the Personal Data Protection Act, the company should seek legal advice from lawyers or other professionals.

Please refer to the "Personal Data Protection Act", Article 4.