個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0052/2013/IP

Title: Privacy policies contained bundled agreement clauses

Reason: Report

Brief:

    Citizen K reported that, when he tried to purchase air tickets from the website of Airline Company A, the terms and conditions of the transaction (including privacy policies) came up and he was asked to decide whether to agree or not.  If disagree is chosen, the transaction will not continue.  The privacy policies specified that the customers’ personal data would be provided to Company A, as well as its associate companies and other contractors. The data would be used in matters concerning “marketing and / or the issues relating the products or services provided by Company A”.
  Citizen K believed that, during the transaction, customers were not allowed to choose whether to agree Company A using their personal data for the purpose of promotion. Therefore he asked the GPDP (Office for Personal Data Protection) to follow up.

Analysis:

    According to Article 4(1)(1) and Article 3(1) of the Personal Data Protection Act (PDPA, or Law 8/2005), the data processing involved in this case shall be governed by this Law.
  Company A indicated in its reply that the purpose that it collects the personal data of those customers who purchased air tickets online is to avoid a number of passengers that have the same name on the same flight, as many countries and regions have required airline companies to avert. With regard collecting telephone numbers and email addresses, the Company intends to improve the service quality and to contact the customers promptly in case of flight changes. In practice, the Company will not use the customers’ personal data for its direct marketing or that of other companies. The word “marketing” in its privacy policies was not what the Company intended to, and thus it has been changed to “assurance of service quality”.
  In GPDP’s opinions, customers provided their data because they wanted to obtain the service of Company A and, therefore, the latter established the legitimacy as Article 6 of the PDPA specified, which is based on the data subjects’ unambiguous consent. In addition, the online ticket booking system of Company A showed that “during the online ticket booking, a customer has entered into a carriage contract (contrato de transporte) with Company A.” According to the Commercial Code, as approved by Decree Law 40/99/M, carriage contract provides that one concluding party undertakes to deliver goods or passengers, for carriage fare, from a place to the other (contrato de transporte é aquele pelo qual alguém se obriga a conduzir pessoas ou bens de um lugar para outro, mediante retribuição). Therefore, when processing personal data of customers for the performance of a contract, Company A established the legitimacy as specified in Article 6(1) of the PDPA.
  On the other hand, Company A has amended the wording of its privacy policies, but referring to the aforementioned provision of the Commercial Code, no matter the expressions of “marketing” or “supervision and improvement of service quality” are purposes radically different from carriage services.  Generally, the legitimacy for a private organization to process personal data aimed at direct marketing or marketing only originates from the consent of data subjects. This extrapolated that the PDPA adopted the opt-in principle (“prior consent” or “opt-in”). According to Article 4(1)(9) idem, a data subject’s consent shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. Among others, the element of “freedom” shall mean the concerned party is free not only to make his decision but also his consent is valid if based on his freedom to decide. Therefore, Company A should take out the mentioned activities [marketing, and monitoring and improvement of service quality] from its privacy policies so that customers could make their decisions.
  In addition, Company A, as a company that provides airline services, in order to guarantee carriage safety and to verify passenger identities, is obliged to confirm that the passengers on board are those who bought their tickets and to contact them in case of flight changes.  Therefore, by collecting the personal data of customers during their purchase of tickets online, Company A did not violate the principle of proportionality as specified in Article 5(1)(3) of the PDPA.
  Considering that when customers decide whether to agree to the terms and conditions of the amended privacy policies of Company A, they are still faced by the bundled clauses, to which one may question whether customer consent is freely given, the GPDP has written to Company A to require improvement of policies.  Afterwards improvements were made accordingly.
  To sum up, no evidence supported that Company A had violated the PDPA.

Result:

    Company A and Citizen K were informed of the investigation result and this case was closed.

Reference:
Please refer to “Personal Data Protection Act”, articles 3, 4, 5 and 6.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116