個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes

No: 0018/2011/IP

Title: Check-in services commissioned to a third party

Reason: Referral

Brief:

The present case was referred by SAFP to GPDP. When Y went to Venue A to exercise, he checked in with his X Card issued by Bureau B and found that the procedure had changed from self-service check-in to security guards from Company C scanning his membership card in a place hidden from sight. The information on the X Card included the photo, name, membership number, and so forth.
In Y’s view, staff from Bureau B should be responsible for the check-ins; in addition, Company C was suspected of processing his personal data without authorization, which could lead to violations of the Personal Data Protection Act.

Analysis:

In accordance with Articles 4(1)(1) and 3(1) of the Personal Data Protection Act (Law 8/2005), the data processing in the present case falls within the regulatory scope of that Law.
Bureau B, in its written reply, stated that it had entrusted the work of checking the X Cards to Company C. However, Bureau B continues to supervise the work carried out by Company C, in addition to issuing guidance for bookings of sports facilities.
In GPDP’s opinion, Bureau B approves the applications for X Card membership, i.e., for the X Cards, and has the right to decide the purposes and means of processing the personal data. Thus, Bureau B was the data controller. Company C was only entrusted by Bureau B to assist with the check-ins; as a result, Company C was a “processor” for the processing of member cards.
The X Card members voluntarily provided their personal data during the application; in GPDP’s opinion, submitting one’s own personal data already signified agreeing to Bureau B processing that personal data. When applying for membership, a citizen has already agreed to the “terms of use” and “additional information” therein. After Bureau B accepts an application, it has to provide the related services (e.g. points record) to its members and, therefore, there existed a contractual relationship between Bureau B and its X Card members. Thus, Bureau B processed the personal data of the members after obtaining their explicit consent and on the basis of the performance of its contracts, which met the legitimacy conditions stipulated in Article 6 of the Personal Data Protection Act.
In GPDP’s opinion, with regard to the X Card member check-ins, Company C, as a processor, only performed the work entrusted by its data controller, Bureau B. In other words, checking the identity of X Card members is in line with Article 15(3) of the Personal Data Protection Act. Moreover, Bureau B has formulated guidelines for the work it entrusted, which is in line with the supervision of the processor as governed by Articles 15(2) and 15(3) of the same Law.
In summary, Company C’s processing of the personal data of the X Card members did not violate the Personal Data Protection Act.

Result:

GPDP has already notified Bureau B of the analysis and opinion above. This case is closed.

Reference:
Please refer to Articles 3, 4, 6 and 15 of the "Personal Data Protection Act".


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116