個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes

No: 0036/2009/IP

Title: Access to information on credit card application form and surveillance video

Reason: Complaints

Brief:

    Resident X indicated that after she applied for a credit card, there was a dispute as to whether the “Welcome Gift” had been issued. Resident X then asked Bank A for a copy of the credit card application form and to review the surveillance video taken at the time of her credit card application. However, her requests were rejected by Bank A.
  Resident X filed a complaint with this Office (GPDP), claiming that Bank A had not observed the terms of Article 11 of the “Personal Data Protection Act” regarding her “Right of Access”. She also asked GPDP to obtain the relevant information for her.

Analysis:

    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  The first issue was Resident X’s request to obtain a copy of the credit card application form from Bank A.
  Bank A has an agreement with Credit Card Company B (hereinafter referred to as Company B) to jointly provide credit card services. Bank A is responsible for the customer marketing services and Company B is responsible for tasks such as the maintenance of the credit card computer system and the management of credit card transactions.
  GPDP believed that although Bank A and Company B were responsible for different areas of the credit card services, they were both data controllers.
  With regard to Resident X’s request for a copy of the credit card application form, under the terms of Clause 22 of the “Company B Cardholder Agreement” and the “Company B Credit Card Application Form”, both parties to the contract agreed to apply the laws of Hong Kong. GPDP considered that the target of such a contract would be all non-specified credit card applicants, who could not arbitrarily change the terms of the contract, and that it is governed by Law no. 17/92/M, “General Contractual Clauses”. In this case, Resident X’s request to obtain a copy of the credit card application form in no way damaged the rights of the data subjects under the terms of the Hong Kong law and was not prohibited under the relevant terms of the “Personal Data (Privacy) Ordinance” of Hong Kong and the “Personal Data Protection Act” of Macau. Resident X is therefore entitled to request a copy of the credit card application form from Bank A.
  Bank A claimed that such a copy had been given to Resident X during the investigation process.
  The second issue was Resident X’s request that Bank A allow her to review the surveillance video taken at the time of her credit card application.
  According to Resident X, image data of her applying for a credit card at Branch Y of Bank A would have been recorded by the video camera system inside that branch. According to the “Video Data Management Requirements” issued by Bank A, the data controller for the processing of the personal data within the “Data Recorded by a Branch Video System managed by a Branch” is Branch Y of Bank A.
  GPDP believed that since such video data was not the object of the “Company B Cardholder Agreement”, the “Personal Data (Privacy) Ordinance” of Hong Kong was not applicable, while the “Personal Data Protection Act” of Macau was. Article 11 of the “Personal Data Protection Act” does not specifically require Bank A to allow the data subject to review specific image data or to provide a copy of the respective images. Therefore, Bank A could decide how much information Resident X accessed, in accordance with its internal policy. Moreover, Bank A stated in its reply that its “Video Data Management Requirements” internal policy requires Bank A to explain its guidelines verbally when a customer makes an access request.
  The third issue was Resident X’s request for GPDP to obtain the relevant information from Bank A.
  In GPDP’s opinion, under the terms of Article 11 of the “Personal Data Protection Act”, data subjects have the “Right of Access” and should exercise their rights with the data controller directly. Only in the situations specified in Articles 11.2 and 11.3 of the Act should the rights be exercised indirectly through GPDP. In this case, there was no situation requiring the “Right of Access” to be exercised through GPDP; Resident X had exercised her right according to the law and Bank A had performed all its obligations according to the law, so no further processing was required.
  In summary, Bank A did not breach the “Personal Data Protection Act”.

Result:

    GPDP sent an official letter to Resident X, Company A and Credit Card Company B and informed them of the above analysis and decision.

Reference:
Please refer to the "Personal Data Protection Act", articles 3, 4 and 11.


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116