個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0039/2012/IP

Title: Asking members to update personal data

Reason: Reports

Brief:

    Citizen A called the Office for Personal Data Protection (GPDP) to report that Foundation A sent a letter requiring all those members involved in a particular system to update their personal data which included a form containing the personal data of the member and his family members, as well as a document titled “Statement of the Collection and Processing Personal Data Policy by Foundation A”. The Policy Statement mentioned that, after collecting and processing the personal data, it would be sent to the actuarial research institutions within or outside Macau SAR and at the bottom of the statement, it contained the wording “I acknowledge and agree with the above content”, which members were required to sign. As Citizen A felt that he could not give the consent on behalf of his or her family members and because the Foundation had no right to process the personal data of his or her family members, he felt that the Foundation had breached the “Personal Data Protection Act”.

Analysis:

    According to Articles 4(1)(1) and 3(1) of the Personal Data Protection Act, data processing involved in this case is within the scope of regulation by the said Act.
  Foundation A in its written reply stated that according to the Articles 3(1)(1) and (4), Articles 17 (1)(2) and (16) of Administrative Regulation No. 16/2006, it has always, in the performance of its duties, conducted actuarial research in accordance with the law. For more accurate results, it is necessary to collect its members’ up-to-date information. As the types of data contained in the form of this case were the same as those collected by Foundation A in 2002, no additional personal data was requested to be provided by the members. In addition, it was not mandatory to provide the data and the data that was transferred to the actuarial companies did not include the data such as the names, identity card numbers, addresses and phone numbers etc., that could identify the member and his or her family members.
  Upon analysis, GPDP believes that the collection and updating personal data of its members and their family members by Foundation A for the abovementioned purposes served to perform its own statutory responsibilities, which in line with the legitimacy requirement indicated in Article 6(4) of the “Personal Data Protection Act”. Regarding the policy statement enclosed with Foundation A’s letter, it showed that the information provided was insufficient and might cause the members have some misunderstandings. . The content of the relevant policy was drawn up by the controller according to its own specific situation of how to process the personal data and there is no law requiring the data subject has to give his or her consent. Finally, as the data transferred did not contain those that could identify the members or their family members, they cannot be considered as personal data and therefore, there is no issue regarding the transfer of personal data.

Result:

    Based on the above, GPDP decided to close this case and sent a letter to the Foundation, reminding it needs to establish a personal data processing policy or Personal Data Collection Statement for the data subject to access according to its actual situations that included the information specified in Article 10(1) of the “Personal Data Protection Act”.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,10 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116