個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0030/2010/IP

Title: Customer refused to receive bank transaction records by post

Reason: Complaints

Brief:

    When Resident X opened a securities trading account in Bank A, he verbally asked not to receive transaction documents by mail but instead, by email or SMS. Bank A refused his request and indicated that Resident X could only refuse to receive promotional materials by mail.
  Resident X stated that he had previously opened a securities trading account with Bank B and that they used SMS instead of mail to transmit the relevant transaction information. Therefore, Resident X filed a complaint with this Office (GPDP), claiming that Bank A’s conduct had breached the “Personal Data Protection Act”.

Analysis:

    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  According to Resident X’s statements, although he had requested Bank A not to send account transaction records by mail, he did not provide any reasons for this request.
  Resident X’s declaration and notification also indicated that he had never used above account in Bank A to carry out any transaction and moreover at the present time, that account had already been cancelled.
  In GPDP’s opinion, in this case, Resident X had provided his personal data to Bank A in order to apply for a securities trading account. From this, it can be seen that Bank A had obtained the consent for the implementation of the contract prior to processing Resident X’s personal data. Therefore, Bank A legitimately processed Resident X’s personal data, in accordance with Article 6 of the “Personal Data Protection Act”.
  Under the terms of the “Personal Data Protection Act”, data subjects enjoy different kinds of rights including the “Right to Information”, the “Right of Access” and the “Right to Object”. Regarding the “Right to Object”, Article 12.1 of the “Personal Data Protection Act” states that if the data subject has compelling legitimate justifications related to his situation, he would be entitled to exercise his “Right to Object” in regards to his personal data and before Bank A. Although Resident X had exercised his “Right to Object”, he had not provided any justifications regarding his particular situation. As such, GPDP felt that there was not enough evidence to assess whether Resident X’s objection to Bank A processing his personal data was compelling and legitimate.
  Actually, different banks in Macao operate and provide services in different ways under the relevant provisions of the local financial system. For example, in situations such as the “account transaction notification measures for applicants”, where the law does not provide specific provisions, each individual bank defines its own notification measures. Sending such notifications by post tends to be the most common notification method. Of course, some banks may offer other means of notification to clients such as by e-mail or SMS. This shows that each bank can set distinct notification measures according to their own policies and conditions. There is no obligation which requires all banks to serve customers the same way. In the present case, Bank A’s transmission of Resident X’s account transaction records by mail did not deviate from or exceed the objectives of the data processing. There was no invasion of privacy as alleged by Resident X, and no other incidents which could be construed as a breach of the “Personal Data Protection Act” were found. Therefore, when applying for the respective services, Resident X should have considered beforehand whether the bank would be able to provide the appropriate support services.
  As Resident X had never carried out any transactions with the above mentioned account in Bank A, and as the account had already been cancelled, there was no need to follow up on the relevant complaint any further.
  In summary, since Bank A had obtained Resident X’s consent for the implementation of the contract, in accordance with Article 6 of the “Personal Data Protection Act”, Bank A legitimately processed Resident X’s personal data. Furthermore, Bank A’s transmission of Resident X’s account transaction records by mail had not deviated from or exceeded the objectives of data processing and as such Bank A in no way breached the “Personal Data Protection Act”.

Result:

    GPDP sent a letter to Resident X informing him of the relevant analysis and decision.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,6,12 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116