個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0004/2007/IP

Title: Terms in a Lucky Draw

Reason: Complaints

Brief:

    Company A held a lucky draw. However, as it collected data from its customers, it also delivered to them “Terms and Details” and a “Notice to Customers (hereafter referred to as “the Notice”). These documents stated that as soon as the customer provided his/her personal data to the company, he/she was regarded as providing to Company A to use data on the ground of the “Notice” and transfer the data to entities irrelevant to the lucky draw outside Macao.
  Resident X believed that Company A’s conduct violated the Personal Data Protection Act, and filed a complaint with this Office (GPDP).

Analysis:

    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  GPDP confirmed after investigation that Company A collected names, BIR number, telephone number and address of clients in this Lucky Draw. The documents stated that as soon as the customer provided his/her personal data to the company, he/she was regarded as providing to Company A to use data on the ground of the “Notice” and transfer the data to entities irrelevant to the lucky draw outside Macao.
  In GPDP’s opinion, Article 5.1 of the “Personal Data Protection Act” provides that personal data must be collected for specified, explicit, legitimate purposes and for purposes directly related to the activity of the controller and not further processed in a way incompatible with those purposes; and must be kept in a form which permits identification of their subjects for no longer than is necessary for the purposes for which they were collected or for which they are further processed. Company A collected its customers’ data for the purpose of holding a lucky draw. So the data collected should be used for this lucky draw only and must be destroyed after the event. If the company collected personal data for a lucky draw and subsequently used the data for purposes unrelated to the lucky draw, or even as stated in the “Notice”, disclosed or transferred relevant data to individuals or organizations of which places of registration can be anywhere and there is no way of informing the data subjects of the nature of business of these organizations, it would go against the regulation mentioned above. So the abovementioned deeds of the company could have violated Article 5 of the “Personal Data Protection Act”.
  In summary, the data processing of Company A did not comply with Article 5.1 of the Personal Data Protection Act, but did not constitute an administrative offence. However, there was room for improvement.

Result:

    GPDP sent a letter to Company A, asked it to improve, stop distributing those lottery tickets, put up at eye-catching places notices telling customers to destroy the lottery tickets they have obtained, destroy immediately those tickets it had retrieved as well as relevant personal data stored at the company, work out a new “Notice to Customers” for the lucky draw and submit it to GPDP for assessment.
  Company A followed GPDP’s request, made improvement, and produced new tickets for the lucky draw that conform to the “Personal Data Protection Act”.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,5 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116