個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0126/2015/IP

Title: Publishing the personal data of someone who cancelled order without payment

Reason: Complaint

Brief:

    The Complainant of the current case earlier pre-ordered some clothing items, through an instant messaging application, from an online shop, Shop A, but later he cancelled his order without payment.  Later, he found his profile picture and user name, used for the application, were captured and published on the application pages by this shop. 
  The Complainant believed that this was a violation of the Personal Data Protection Act (PDPA) and therefore filed a complaint with the Office for Personal Data Protection (GPDP). 

Analysis:

    Shop A captured the Complainant’s profile picture, which revealed his clear appearance, and published it with his username and mobile numbers. Under Article 4(1)(1) of the PDPA, the said information is the Complainant’s personal data.  On the other hand, according to K, the owner of Shop A, he opened a user account for sale of products and publishing the said information was his intention to alert other customers not to cancel their orders without payment.  Such revealed that the publishing of the said data by K was a data processing not carried out in the course of a purely personal or household activity.  The intentional publishing of data by K did not fulfil the condition laid down by Article 3(2) of the PDPA.  Therefore, according to Article 3(1) of the same Law, the current case should be governed by the PDPA.
  Under Article 6, K should fulfill any of the conditions laid down therein in order to process the Complainant’s personal data.   However, K had never obtained the Complainant’s consent before the publishing of data and therefore the processing condition that is based on the data subject’s consent was not fulfilled.  Other conditions for legitimate data processing, regulated by paragraph (1) to (4) of Article 6, were also not fulfilled in the same vein. 
  Even though the order cancelled by the Complainant could have caused financial damages to the K, civil recourse is available to recoup his losses.  K’s publishing of the said personal data on the application pages, on the one hand, might not guarantee his legally protected interests.  On the other, he could hardly control other users of the application their access and forwarding of the said data.  This could bring possible damages to the rights of personality (direitos de personalidade) of the Complainant as well as his reputation.  After balancing the interests of the Complainant and K, the latter was found not having any prevailing interests and therefore failed to achieve the condition of legitimate processing as governed by Article 6(5) of the PDPA. 
  To sum up, K’s publishing of the Complainant’s personal data on the application pages was not legitimate according to Article 6 of the said Law.

Result:

    In this case, K published the personal data on the application pages would lead to uncontrollable forwarding of such data by other users and unmanageable impact to be created.  In addition, it is impossible to ask those users to delete the said data which they had stored.  Considering the above, as well as this was an initial violation of the PDPA by K and his cooperativeness during the investigations, the GPDP decided to impose a penalty of MOP$8,000 according to Article 33(2) of the PDPA.  In addition, K was ordered to remove the said data from the application pages, according to Article 43(1) of the same Law.  

Reference:
Please refer to Article 3, 4, 6, 33 and 43 of the Personal Data Protection Act.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116