個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0068/2012/IP

Title: Company A transferred to United States the data stored in the computer used by its former CEO

Reason: Active intervention

Brief:

    The Personal Data Protection Office (GPDP) was earlier informed that, Company A was suspected of transferring the data stored in the computer used by its former CEO to United States without notifying or obtaining an authorisation from the local competent authority. Given this might relate to Company A’s processing of personal data, which is subject to the Personal Data Protection Act (Law 8/2005), GPDP decided to launch an investigation.

Analysis:

    The data processing of the current case is regulated by the Personal Data Protection Act under its Articles 4(1)(1) and 3(1).
  Company A admitted that it had transferred to Company B in United States the data stored in the computer used by its former CEO X. This was claimed, on one hand, to prepare for the counter argument of a possible lawsuit to be initiated by X against Company A. On the other, this was prepared for suing X over his suspected theft of confidential information and violation of professional secrecy. The above, as Company A claimed, were to achieve its legitimate interests.
  In GPDP’s views, the data was transferred when X had not initiated any lawsuits. In other words, only on the basis of its subjective speculation of a possible lawsuit Company A transferred the data to America. In fact, even if X filed the lawsuit in a US court against Company A, the concerned data, when necessary, should be provided to a judicial authority instead of another private entity. Moreover, since Company A has registered and operated locally, in conjunction that the person involved is its former CEO, it could actually prepare the lawsuit in Macao and transferring the data to the United States was not necessary.
  With regard to the second reason given by Company A, i.e., to prepare for a lawsuit against X over his suspected theft of confidential information and violation of professional secrecy, it should be pointed out that no one would expect Company A, being a locally registered company, to take its legal action in a US court after finding out its former CEO’s suspected theft and secrecy violation. Furthermore, once a lawsuit is filed, very likely the personal data would be transferred to a US court for legal proceedings. In fact, for the aforesaid suspected information theft and secrecy violation that happened in Macao, as no evidence has shown the infeasibility of a local lawsuit, whereby seeking the intervention of a foreign court lacked a reasonable basis.
  On the other hand, Company A’s batch transfer of data to America was unselected or unfiltered, in which included the data of those third parties who have no relations to the lawsuit. In addition, as these data could be used as supporting evidence in the proceedings and were provided by Company A, without the data subjects’ knowing, to another US private entity, evidently the above showed Company A was only trying to achieve and maintain its own interests. The indulgence and ignorance of the data subjects’ interests and safeguards, as well as the consequence ensued, are indeed against the principle of bona fides.
  In GPDP’s views, Company A’s data processing, including its data transferred to America, did not demonstrate its inevitability, thus failing to meet any legitimacy conditions given in Article 6 of the Personal Data Protection Act. Pursuant to Article 33(2) of the said Law, Company A’s act already constituted an administrative infraction.
  In addition, Company A’s transfer of data to America is actually a transfer of personal data outside Macao, which is bounded by Articles 19 and 20 of the same Law. Given a situation as such a controller should, according to its own circumstances, transfer the data only after notifying GPDP, having received a decision or obtained an authorisation from GPDP. As proven is Company A, when the transfer took place, had not notified, nor obtained a decision or authorisation from GPDP, therefore leading to a violation of Articles 19 and 20. According to Article 33(2) of the same law this act also constituted administrative infraction.

Result:

    Taking into account the factors including the subjective fault of Company A, the amount of transferred data, the uncertain number of data subjects and the uncertain consequences caused to them, destination of the data transfer and the recipient entity of the transfer thereafter, GPDP decided:
  to impose a fine in an amount of MOP $20000 (twenty thousand Macao dollars) according to Article 33(2) of the Personal Data Protection Act, as Company A, while processing the data, failed to meet any legitimacy conditions given in Article 6 of the same Law; and
  to impose a fine in an amount of MOP $20000 (twenty thousand Macao dollars) according to Article 33(2) of the Personal Data Protection Act, for Company A’s violation of Articles 19 and 20 as it transferred personal data outside Macao to a foreign destination (United States) without notifying GPDP, having received a decision or obtained an authorisation from GPDP.
  To sum up, these administrative infractions led to a total fine of MOP$40000 (forty thousand Macao dollars) under Article 34(2) of the Personal Data Protection Act. These sanctions have been implemented.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,6,19,20,33,34 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116