Enquiry Case Notes

編號: 0015/2014/PA

標題: Online reservation system


    Bureau A consulted the Office for Personal Data Protection (GPDP) for the Online Reservation System (hereinafter as Online System), the Authorization X and Authorization Y, for making its reservations, to be added for its websites.


    According to Article 4(1)(1) and Article 3(1) of the Personal Data Protection Act (Law 8/2005, or PDPA), processing of the personal data found in the current enquiry is also subject to the same Law.
  According to the related administrative regulation, when Bureau A exercises its authority to process application information, processing of the personal data thereof should, in principle, fulfill Article 6 of the PDPA, which governs that consent from the data subjects should be obtained and the processing legitimacy is based on the legal competence it has. 
  According to the same administrative regulation, when collecting the ID number and date of birth of applicants of Authorization X, as well as the ID number of the applicants of Authorization Y, through the Online System, the collection of Bureau A does not go beyond the types of data to be collected as legally specified, therefore the principle of proportionality as indicated in Article 5(1)(3) of the PDPA is not violated.
  When collecting personal data through the Online System, Bureau A should satisfy the rights of the data subjects as specified in Article 10 to 14 of the PDPA.
  In addition, according to Article 15 of the PDPA, Bureau A should adopt proper technical and organizational measures to protect the personal data processed by the Online System and avoid any accidental or illegal damage, accidental loss, unauthorized alteration, spreading or access of such data. In particular, when the data involved is transferred via networks, encrypted transmission should be taken into consideration. 
  Finally, if Bureau A wishes the GPDP to offer its opinions for the current case, it should provide the information as specified in Article 23 of the PDPA.

Please refer to "Personal Data Protection Act", articles 3, 4, 5, 6, 10, 11, 12, 13, 14, 15 and 23.