Enquiry Case Notes

Number: 0011/2014/PA

Title: Transparency of the Privacy Policy


    Based on the rules agreed by the Global Privacy Enforcement Network (GPEN) and the actual situation of Macao, the Office for Personal Data Protection (GPDP) evaluated the transparency of the personal data processing policies of a number of local websites, including that of Company A. The evaluation also covered the data subjects' right to information and right of access, and data transfer. For this purpose, Company A provided its revised Privacy Policies to the GPDP for review.


    The GPDP’s reply centred mainly on whether the new policies satisfied the data subjects’ right to information and right of access. It did not address the lawfulness of Company A’s other data processing policies (those laid down in the Privacy Policies concerning data processing) or the legitimacy established for data processing.
  According to Article 10 and Article 11 of the PDPA (Personal Data Protection Act, or Law 8/2005), data subjects have the right to information and right of access. Generally, a data controller may satisfy such rights of the data subjects through establishing its privacy policies, personal data collection statement or personal data processing policies.
  With regard to the type of data recipients, a data controller should be reasonably clear when specifying the type of organizations or persons to whom the data will be transferred and should avoid any vague or excessively broad expressions [in its policies], for instance, "business partner" or "third party".
  When collecting personal data through websites, a data controller should, according to Article 10(4) of the PDPA, remind the data subjects of the risks involved if data is transferred through public networks.
  Company A should ensure that its Privacy Policies are in compliance with the above provisions.
  In addition, when processing personal data for different purposes (including for marketing), Company A should have the corresponding legitimacy established as required by Articles 6 to 8 of the PDPA. The transfer of personal data should comply with Article 19 or Article 20 of the same Law.
  If Company A requires any opinions from the GPDP regarding the lawfulness of its data processing, it could provide the information according to Article 23 of the same Law.

Please refer to “Personal Data Protection Act”, articles 6, 7, 8, 10, 11, 19, 20 and 23.