個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0017/2013/IP

Title: Installation of recording cameras in customer changing/locker rooms and bathing areas

Reason: Complaint

Brief:

    Some citizens found recording cameras were installed by Organization A in its customer changing rooms, which should be able to record images when customers changing their clothes.
  X believed that the installation of Organization A was suspected of violating the Personal Data Protection Act (PDPA, or Law 8/2005) and thus lodged a complaint with this office.

Analysis:

 

  According to paragraph 1(1) of Article 4 and Article 3(1) of the PDPA, handling of the mentioned data is subject to the same Law.
  B, the person in charge of Organization A, indicated that the purpose for installing the recording cameras was aimed to protect the customers’ personal belongings and the organization’s property.  In our investigations, the GPDP found that, in the images taken by the recording cameras installed by Organization A in the customer changing/locker rooms and bathing areas, not only the appearance of the customers could be clearly identified, but also recorded were customers changing their clothes.  The GPDP is in the opinion that such data is the sensitive data given in Article 7 of the PDPA.  Generally, the explicit consent given by the customers is the only condition for conferring Organization A the legitimacy to process the data relating to customers’ privacy.  Organization A failed to provide any evidence demonstrating the explicit consent to the GPDP.  Therefore, Organization A failed to establish the legitimacy and thus violated in Article 7 of the PDPA. B indicated that the data taken by the recording system would be stored for about one month and the data in question should have been deleted.
  In addition, as shown in our investigations, the recording cameras that Organization A installed in places other than the customer changing/locker rooms and bathing areas would not record any data concerning customer privacy.  Generally, surveillance systems are installed for security purposes — to protect properties inside premises or other legal rights and benefits, which is legal and legitimate. Therefore, Organization A established the legitimacy of Article 6(5) of the PDPA.  However, the covering range of the cameras installed by Organization A in the last mentioned areas did not exceed the purpose of security and does not violate Paragraph 1(II), Article 5 of the PDPA.
  In terms of organizational measures, the information provided by Organization A is not sufficient for us to analyze whether Organization A has taken appropriate organizational measures to protect personal data.  In terms of technical measures, the display screens of the said recording surveillance systems are located in the General Manager’s office and only a few managers are allowed to enter there, while the mainframe and storage devices of the system are located in another room locked up.  No information shows any disclosure of personal data.  Therefore, the technical measures which Organization A adopts at present do not violate Article 15 of the PDPA.
  In terms of the right to information, Organization A has displayed notices in some recording areas, which does not violate Paragraph 1 of Article 10 of the PDPA.
  After the GPDP followed up, Organization A provided active support.  Apart from removing the recording cameras involved, it also planned to establish explicit regulations on the operations of the surveillance system in its business premises.
  To sum up, Organization A has not established the legitimacy to process sensitive data and, as a result, the recording cameras installed in the customer locker rooms and bathing areas violated Article 7 of the PDPA.

Result:

    In consideration of the following factors: 1. Organization A has removed the recording cameras installed in the customer changing rooms and bathing areas after required by the GPDP and decided to establish regulations for the surveillance system inside its premises and to put up notices to inform the customers of such regulations; 2. Organization A was found, for the first time, in violation of the PDPA; and 3. Organization A provided support in the course of investigation. According to Paragraph 2, Article 33 of the PDPA, the GPDP imposed a fine of MOP$8,000 to Organization A for the foregoing.

Reference:
Please refer to "Personal Data Protection Act", articles 3, 4, 5, 6, 7, 10, 15 and 33.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116