個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0073/2019/IP

Title: Correspondences mailed to old address after address amendment

Reason: Complaint

Brief:

      The case stemmed from the Complainant’s financing plan with Company A. Afterwards, the Complainant updated his new postal address through the latter’s online system. However, a correspondence was still mailed to his old address. The Complainant requested the GPDP (Gabinete para a Protecção de Dados Pessoais/Office for Personal Data Protection) to investigate since these correspondences contained his full name, address, account numbers, and other personal data.

Analysis:

      The data processing of the current case is subject to the PDPA, according to its Article 4(1)(1) and 3(1).
    Company A expressed that the Complainant opened an account with the appointed bank for his new financing plan, for which he also signed a “direct debit authorization (DBA)”, in order to allow the bank to transfer funds from his account every month. His address, therefore, was respectively stored in two databases—one for the DBA and another for his financing plan. Later, the Complainant amended his postal address through the online system. Instead of updating the address in both the said two databases, Company A only updated the one that stored in its financing plan database. Since the bank was unable to carry out the direct debit, Company A sent a correspondence to the Complainant to inform the situation, but it was mistakenly mailed to his old address. After the incident, its respective internal procedures have been improved, according to Company A, in bid to prevent reoccurrence of similar cases.
    In the GPDP’s view, the Complainant signed a contract for the financing plan and voluntarily provided his personal data to Company A, which is legitimate to process his data, according to Article 6 of the PDPA, based on the consent of the data subject and for concluding contract.
    With respect to legitimacy for personal data processing, a controller has to comply with the principles laid down in Article 2 and 5 of the PDPA. According to the Complainant, Company A was not in compliance with Article 5(1)(4) of the PDPA, which specifies that “personal data shall be accurate and, where necessary, kept up to date; adequate measures must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified”. The investigations by the GPDP revealed that the new address has been valid following the Complainant’s amendment, which Company A also confirmed, and the correspondences that wrongly sent to the old address were due to the failure of synchronization between the two databases.
    In sum, Company A violated the accuracy principle for personal data, set forth in Article 5(1)(4) of the PDPA, and therefore constituted an administrative offence.

Result:

      In spite of the fact that it is not the first time Company A violated the PDPA, the GPDP, considering that Company A was cooperative during the investigations and the current case did not lead to any data leaks, decided to impose a penalty of MOP$8000 according to Article 33(1) of the PDPA.

Reference:
Please refer to Article 3, 4, 5, 6, and 33 of the PDPA.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116