個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes

No: 0023/2011/IP

Title: A notice sent by an insurance company in an unsealed envelope

Reason: Complaints

Brief:

    Resident X stated that Insurance Company A had sent him a notice for the renewal of his insurance policy by post. He realised that the envelope was not sealed and his personal data could have easily been seen by anybody. Resident X believed that Insurance Company A did not take adequate safety measures to protect his personal data and thereby breached the terms of the “Personal Data Protection Act”. He filed a complaint with this Office (GPDP).

Analysis:

    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  In its reply, Insurance Company A did not deny Resident X’s allegations and claimed that, after receiving Resident X’s complaint call, it started sealing all envelopes containing letters to clients before sending them by post, including policy renewal notices for any type of insurance policy.
  In GPDP’s opinion, Insurance Company A collected clients’ personal information with the objective of providing insurance services and sent them letters containing insurance policy renewal notices, to provide information regarding the renewal of their insurance policies. The objective in processing the personal information is legitimate, and the purpose is specific, clear, appropriate and directly related to the activities carried out by Insurance Company A. This conduct was in line with Article 5.1.(2) of the “Personal Data Protection Act”.
  In the present case, there is a risk of leakage of personal data because the envelope containing the notice was not sealed. Insurance Company A did not take the appropriate security measures to ensure that the information contained in the letter could not be accessed by unauthorised persons during its transmission. This omission breaches Article 15 of the “Personal Data Protection Act”. If it thereby caused Resident X losses, under the terms of Article 14 of the Personal Data Protection Act, Resident X can demand compensation from Insurance Company A.
  In summary, Insurance Company A did not observe the provisions in Article 15 of the Personal Data Protection Act. However, it has already amended its conduct after receiving the complaints. If Resident X suffered losses as a result of Insurance Company A’s conduct, Resident X is entitled to compensation.

Result:

    GPDP decided to close the case and sent letters to notify Resident X and Insurance Company A of the abovementioned assessment and decisions.

Reference:
Please refer to "Personal Data Protection Act", articles 3, 4, 5, 14 and 15.


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116