個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0097/2018/IP

Title: Unauthorized publicizing of personal data on social networking site

Reason: Complaint

Brief:

      This case stemmed from an argument between the Complainant and A’s husband, and A later gave her account of it, with the former’s photo, in a posting of a social networking site. A publicly criticized the personality issues of the Complainant and pointed out his personality disorder on the site. In the photo one of the Complainant’s eyes were concealed and his full name was not revealed though, such information can be combined to identify the Complainant. Therefore the Complainant believed that this could have violated the PDPA (Personal Data Protection Act or Law 8/2005) and asked the GPDP (Gabinete para a Protecção de Dados Pessoais, or Office for Personal Data Protection) to investigate.

Analysis:

      Under Article 4(1)(1) and 3(1) of the PDPA, the processing of the current case is subject to this Law.
    In the online posting, A publicly criticized the Complainant and revealed his private life and mental health, which are sensitive data pursuant to Article 7(1) of the PDPA. As a consequence, A should have fulfilled any of the conditions laid down in paragraph 2 to 4 of Article 7, which are derogations for processing sensitive data legitimately, and processing is illegitimate otherwise. The current case was caused by an argument of private nature, and A, before processing the Complainant’s sensitive data, failed to obtain his unambiguous consent. In such case, A violated Article 7(2)(3) of the PDPA, which requires sensitive data to be processed “when the data subject has given his explicit consent for such processing”. In addition, the current case is neither a situation where sensitive data can be exceptionally processed.
    Based on the above, A’s public online posting, which contained the Complainant’s sensitive data, is a violation of Article 7 of the PDPA — legitimate processing of sensitive data — and constituted an administrative offense.

Result:

      The GPDP, taking into account of the negative nature of the posting and where personal data and sensitive data were involved, which impacted the Complainant significantly, the GPDP decided to impose a penalty of MOP$ 10000, according to Article 33(2) of the PDPA. This decision also considered the cooperativeness of A during the investigations.

Reference:
Please refer to Article 3, 4, 7, and 33 of the PDPA.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116