個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0002/2007/IP

Title: Application forms without envelop were delivered by others

Reason: Complaints

Brief:

    Resident X lived in Building B was a client of Company A. Company A distributed some “Data Alteration Forms” containing data such as its clients’ names, ID numbers and addresses by simply handing them to the Management Company C looking after the Building B where its clients live, without putting them in sealed envelopes. Company C simply distributed the forms without putting them in envelopes.
  Resident A claimed that they violated the Personal Data Protection Act and filed a complaint with this Office (GPDP).

Analysis:

    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  Company A explained that the reason why they distributed the forms that way was because they wanted to simplify the application procedure and save its clients the trouble of applying in person, emphasizing that it had signed a “service contract” with the management company, which obligates the management company to keep the data of its clients strictly confidential.
  In GPDP’s opinion, It is stipulated in Article 5.1 of the “Personal Data Protection Act” that “personal data must be processed lawfully and with respect for the principle of good faith and the general principle in Article 2”. The Office believes that “the principle of good faith” means the purpose of collecting personal data must be legitimate and the data collected must not exceed what is necessary for the purposes for which they were collected. So the principles of moderation and minimum intervention should be observed during the process. And the controller should comply with the data protection principles to ensure maximum safety as the data collected is being processed and unless it is absolutely necessary, the data should not be disclosed to a third party.
  Company C managing Building B was processing the data of Company A’s clients as the data processor under the “service contract”. Company A had the obligation to make sure the data processor was processing its clients’ data in a secure and confidential manner. Company C only acted as the processor between Company A and its clients. Its responsibility was to pass the forms on to the residents of the building, so as to provide convenience to the residents (clients) and facilitate Company A’s operation. Thus, Company C should not and did not need to know the clients’ data. Company A should have put the forms in sealed envelopes before handing them to Company C for distribution. Having failed to do that, Company A went against the principle of minimum interference and the principle of providing maximum protection for personal data. Moreover, as data controller, Company A was obligated to pay close attention to the data it has collected and it has a responsibility to remind the processor of matters needing attention in data processing, for example, how the forms should be delivered, how to carry out the proper procedures and so on.
  The data processing by Company A and Company C violated Articles 5.1.(5) and 15.1 of the “Personal Data Protection Act” but did not constitute administrative offences. However, there was room for improvement.

Result:

    GPDP sent letter to Company A and Company C and asked them to make improvement.
  Company A and Company C took improvement measure according to GPDP’s recommendation and apologized to their clients.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,5,15 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116