個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0046/2013/IP

Title: Sending promotional text messages

Reason: Complaint and report

Brief:

    Many citizens reported that they have received promotional text messages sent by Company A. Some of them are not customers of this Company.
  11 citizens believed what Company A did was violating the Personal Data Protection Act (PDPA) and thus filed complaints to the Office for Personal Data Protection (GPDP).
  (Note: another 11 cases have been incorporated into the current case)

Analysis:

    As indicated by Company A, they might have sent messages to both customers and noncustomers. 
  First, with regard customers, Company A pointed out that, for promotions, it had collected customer data, including names, passport or ID card numbers, addresses and telephone numbers, by asking them to fill in the forms.  According to Article 4(1)(1) and Article 3(1) of the PDPA, since the said information relates to customers whose identities are confirmed, therefore it is regarded as personal data.  When Company A processes such information by automatic means, it has to be in compliance with the PDPA.
  With regard to non-customers, Company A would first, by random, select a list of mobile phone numbers that are possibly in use in Macau through a computer program, then filter the selected numbers with a mobile instant messaging application.  The numbers filtered, as proved to be currently in use, will be used for sending the text messages.  To this, Company A indicated that they did not know the users of these numbers and did not have other identification information.  The GPDP is in the opinion that, as Company A confirmed that the said mobile phone numbers were in use in Macau, every mobile number in its database is not repeated, which help identify its users and confirm the identity of each user, as a consequence the numbers of the noncustomers are also regarded as personal data.  According to PDPA, Company A’s automatic processing is also subject to same Law. 
  Company A processed the said data for the purpose of promotion and the purpose and method of such processing were determined by it independently, so Company A shall be deemed as the data controller as specified in Article 4(1)(5) of the PDPA.
  With regard to sending commercial electronic information, in order to respect and safeguard the rights of the data subjects, the OPT-IN mechanism has been adopted by the PDPA, that is, data can be processed only when data subjects have agreed to.  According to Company A, customers should complete a form when opening accounts and as long as their consent has been obtained then their personal data will be collected.  However, if a customer refuses to receive any promotional text messages, generally Company A will not collect his information.  The GPDP is in the opinion that, Company A for promotion processes personal data–including filtering the number in use in Macao through the mobile instant messaging application in order to collect those Macao numbers that are currently in use–and then send out text messages after consent has been obtained, which is in line with the conditions establishing legitimacy as laid down in Article 6 of the PDPA.
  Company A, however, filtered the numbers in use in Macao through mobile instant messaging application also involved noncustomers’ information.  The terms and conditions of the mobile instant messaging application specify that it forbids users to use it to collect non-users’ personal information (including mobile number), for instance, for promotions to attract customers.  In addition, Company A did not aware that the said mobile phone numbers were also personal data, moreover, it failed to inform the mobile phone users or obtain their consents before sending out the promotional text messages.  Therefore, as Company A failed to obtain the explicit consent of the mobile users, it has not established the legitimacy as given in Article 6 of the PDPA.
  To sum up, Company A did not satisfy the condition for the legitimacy of processing the noncustomers’ personal data.

Result:

    Considering that Company A, before obtaining the consent of the noncustomers, collected their personal data and sent out text messages, which affected quite a number of data subjects whose preference was ignored, along with the fact that the messages were for promotions and the Company might benefit from it, this is a violation of the PDPA.  Since this is a first violation of the PDPA and Company A was cooperative during GPDP’ investigations, so a fine of MOP20,000 was imposed to Company A.  According to Article 43 of the same Law, Company A should delete and destroy all mobile phone numbers of the noncustomers filtered by the mobile instant messaging application.  Based on the principle of good faith, Company A is recommend not collect personal data through the mentioned method.

Reference:
Please refer to "Personal Data Protection Act", articles 3, 4, 6, 33 and 43.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116