個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0004/2010/IP

Title: Disclosure of personal data of a party involved in a traffic accident

Reason: Complaints

Brief:

    Resident A injured Pedestrian B while driving a taxi. Resident A did not pay the mutually agreed compensation to Pedestrian B’s principal. Resident A had asked Bureau C not to provide his address to Pedestrian B. However, when Resident A went to Insurance Company B to learn more about the status of the compensation, he discovered that Pedestrian B had obtained a certificate containing Resident A’s personal data from Bureau C.
  Resident A believed that:
  (1) Pedestrian B had no reason to ask for A’s personal data from Bureau C;
  (2) Bureau C had improperly provided A’s personal data to Pedestrian B; and
  (3) Bureau C had improperly handed over the personal data of other witnesses of the traffic accident to Pedestrian B.
  Resident A filed a complaint with this Office (GPDP), claiming that the “Personal Data Protection Act” had been breached as a result of Pedestrian B and Bureau C’s conduct.

Analysis:

    In GPDP’s opinion, the first complaint should be resolved by Bureau C, under the terms of the law, and the third complaint is merely based on personal assumption of Resident. As the subject of these complaints could not be addressed here, GPDP would only deal with second complaint, namely the issue of Bureau C providing Pedestrian B with the personal data of Resident A.
  In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  According to the information provided by Bureau C, the relevant certificate contained Resident A’s personal data, which included his name, address, driver’s license, serial number of the car being driven, the name of the insurance company and the insurance policy number, along with the remarks “This certificate was issued upon Pedestrian B’s request to be handed over to the judicial authorities for the purposes of a civil claim for compensation” and “This certificate may only be used within the confines of a civil suit.”
  In GPDP’s opinion, under the terms of Article 2.1.(6) and Article 3.1.(7) of Administrative Regulation No. 22/2001, Bureau C is responsible for regulating and monitoring the circulation of vehicles and pedestrians and for enforcing road and traffic laws. Furthermore, in accordance with the regulations of Article 120.1 of Law No. 3/2007 (“Road Traffic Ordinance”): “Whenever a police officer responsible for the enforcement of the traffic rules on public rights of way becomes aware of any traffic accident, he or she should prepare a written statement containing the identification of the driver(s), victim(s), vehicle(s) and their respective owners …” (Translation). Therefore, Bureau C’s conduct in preparing a statement of the traffic accident and subsequently collecting and processing the personal data of the data subjects of the accident were tasks carried out in the public interest and in line with the requisites for legitimacy in processing personal data specified in Article 6.(4) of the “Personal Data Protection Act”.
  Bureau C issued a certificate to Person B so that Person B could file a civil suit. This objective was clear, legitimate, and compatible with the act of registering the incidents in the traffic accident and did not deviate from its original purpose.
  Pedestrian B could file a civil suit for the traffic accident against Resident A, Insurance Company B or both. If he decided to sue Resident A, Pedestrian B would have to, in accordance with the terms of Article 389 of the “Civil Procedure Code”, clearly list name and address of the data subject (including Resident A in this case) within the Statement of Claim. In addition, as the complaint involved a traffic accident with Resident A as the driver who caused the accident, the claim would also need to include his driver’s license number for identification purposes. Furthermore, in accordance with the relevant provisions of Decree Law No. 57/94/M, which state that the insurance of vehicles is compulsory, Resident A’s insurer (Insurance Company B) must participate in the respective civil proceedings. Therefore, the provision of Resident A’s relevant personal data, including his name, address, driver’s license, serial number of the car being driven, name of the insurance company and insurance policy number to Pedestrian B was done in accordance with the terms of Articles 5.1.(2) and 5.1.(3) of the “Personal Data Protection Act”.
  In summary, Bureau C did not breach Articles 5 and 6 of the “Personal Data Protection Act”.

Result:

    GPDP sent official letters to Bureau C and Resident A, informing them of the present analysis.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,5,6 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116