個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes

No: 0041/2013/IP

Title: Careless destruction of client data

Reason: Complaint

Brief:

    Citizen X entrusted Organization A to submit his application information on his behalf to Department B, but Organization A carelessly destroyed X’s application information.
  X believed that Organization A had violated the Personal Data Protection Act (PDPA) and thus lodged a complaint with the Office for Personal Data Protection (GPDP).

Analysis:

    According to Article 4(1)(1) and Article 3(1) of the PDPA, the processing of the data involved in this case should be governed by the PDPA.
  According to related legal provisions, Department B has the right to decide on the processing of the application information of Citizen X (including the processing method and the types of data to be processed), so the Office for Personal Data Protection (GPDP) is of the opinion that Department B is the controller as specified in Article 4(1)(5) of the PDPA.  Being the organization entrusted by X to submit his application information to Department B on his behalf, Organization A cannot decide on the processing of the information, the processing method or the types of information.  As a consequence, Organization A is not the data controller.
  Organization A was entrusted by Citizen X to submit his application information to Department B on his behalf; this falls within the scope of Article 251 and the subsequent articles of the Civil Code.  When Organization A was entrusted by X himself to handle his information, its handling could be regarded as X’s own handling.
  Under Article 15(1) of the PDPA, the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction.  The GPDP takes the opinion that it is Department B that should guarantee the safety of X’s data.  However, the current complaint was lodged against Organization A, which only carelessly destroyed the personal data of Citizen X and is not the data controller; in addition, its handling of the personal data is equivalent to X’s own handling of the data.  As a consequence, Organization A should be liable for meeting the obligations of secure data processing governed by the PDPA.  If X believes that Organization A should be liable for destroying his personal data, he should pursue civil proceedings.
  Considering that Organization A handles a huge quantity of citizens’ personal data in its daily operation, it should be responsible for processing such personal data.  Organization A should review its procedures for personal data processing (including the destruction of personal data), as well as increase supervision and staff training.
  In conclusion, Organization A does not have to undertake any liability specified in the PDPA for the destruction of the data that X commissioned it to handle.

Result:

    The GPDP has sent the investigation result to Citizen X and Organization A and the case has been closed.

Reference:
Please refer to "Personal Data Protection Act", articles 3, 4 and 15.


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116