Office for Personal Data Protection

Complaint Case Notes

No: 0065/2014/IP

Title: Enclosing the monthly credit card statement with that of another person

Reason: Complaint

Brief:

Citizen A complained that he received two statements from Bank X (monthly statements with the same statement date). One was his own two-page statement, printed “PAGE 01” and “PAGE 02”. The other contained a one-page statement of A printed “PAGE 02”, together with a two-page statement of B, another client of the same bank, printed “PAGE 01” and “PAGE 02”. The statements contained names, addresses, credit card numbers and other personal information. A called Bank X to complain, but the staff replied that they had only sent out the statements according to the Bank’s established procedures. In addition, the staff asked B to return the statement(s).

A believed that Bank X had failed to adopt appropriate security measures, in violation of the Personal Data Protection Act (PDPA, Law 8/2005), and therefore asked the GPDP (Office for Personal Data Protection) to follow up.

Analysis:

According to Article 4(1)(1) and (3)(1) of the PDPA, the processing of information in this case is subject to that Law.

The GPDP found that A and B had voluntarily submitted completed credit card application forms, containing the information needed for approval, to Bank X. The Bank therefore processed their personal data with the explicit consent of the data subjects, which establishes legitimacy as laid down in Article 6 of the PDPA. In addition, the applicants approved and signed the credit card terms set out in the application form; once a card is issued and the cardholder agrees to its terms and conditions, a contractual relationship is established. The Bank was therefore processing the cardholders’ personal data in order to provide credit card services, which satisfies the legitimacy requirement of Article 6(1) of the PDPA.

According to the Personal Information Collection Statement on Bank X’s website and its Master Terms and Conditions – Banking Service, the Bank is responsible for issuing monthly statements to its cardholders informing them of their transactions, the payment amount and the payment date. These activities relate directly to the Bank’s business and do not go beyond the scope of its credit card business, so they are in line with the processing principles given in Article 5(1)(2) and 5(1)(3) of the PDPA.

According to the statements A provided, each statement contains the information of only one cardholder. It can be inferred that the two statements came to be in one envelope at some point after printing and before the pages were sealed into envelopes. The focus of the case is therefore the security measures applied to statements sent to customers.

A credit card statement contains information on the cardholder’s transactions, which is regarded as information of higher importance and confidentiality, and a credit card is a lending tool. Under Article 15 of the PDPA, Bank X is responsible for adopting appropriate security measures in its systems so that customers’ credit card information cannot be accessed by unauthorized persons. Because of internal problems, however, Bank X allowed a non-cardholder to access credit card information without prior authorization, and no exculpatory circumstances or factors existed; Bank X was therefore not in compliance with Article 15 of the PDPA.

As remedial measures, Bank X stated that it had already informed B of the data leak. B’s credit card number was changed, and B expressed understanding of what had happened. Bank X also intended to issue A a new credit card. In addition, Bank X introduced envelope barcode recognition for its monthly statements in order to prevent similar incidents in the future.

In summary, although Bank X’s non-compliance with Article 15 of the PDPA did not constitute an administrative offence, the Bank has the obligation to adopt appropriate data security measures for its customers.
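As an added illustration of the kind of control described above (this is not Bank X’s own system; the account ids, dates and barcode layout are constructed assumptions), the following Python check refuses to seal an envelope unless every sheet’s barcode carries the same account and statement date and the pages form a complete run:

```python
# Added example: a simulated statement inserter that reads a per-sheet
# barcode before sealing an envelope. Barcode layout 'ACCT|DATE|PAGE/TOTAL'
# and all sample values are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sheet:
    """One printed sheet, as identified by the barcode printed on it."""
    account_id: str      # identifies the cardholder's account
    statement_date: str  # statement date, e.g. "2014-03-31" (constructed)
    page: int            # this sheet's page number
    total_pages: int     # number of pages in the complete statement


def parse_barcode(code: str) -> Sheet:
    """Parse a constructed barcode string of the form 'ACCT|DATE|PAGE/TOTAL'."""
    account_id, statement_date, pages = code.split("|")
    page, total = pages.split("/")
    return Sheet(account_id, statement_date, int(page), int(total))


def envelope_ok(codes: list[str]) -> tuple[bool, str]:
    """Decide whether the sheets gathered for one envelope may be sealed.

    Returns (True, "ok") only if every sheet belongs to the same account and
    statement date and the page numbers are exactly 1..total with no gaps or
    duplicates. Any other bundle is diverted; this is the check that would
    have stopped A's "PAGE 02" travelling with B's two pages.
    """
    sheets = [parse_barcode(c) for c in codes]
    if not sheets:
        return False, "empty envelope"
    accounts = {s.account_id for s in sheets}
    if len(accounts) != 1:
        return False, f"sheets from {len(accounts)} accounts mixed"
    if len({s.statement_date for s in sheets}) != 1:
        return False, "statement dates differ"
    if len({s.total_pages for s in sheets}) != 1:
        return False, "inconsistent page totals"
    expected = list(range(1, sheets[0].total_pages + 1))
    got = sorted(s.page for s in sheets)
    if got != expected:  # catches both missing and duplicated pages
        return False, f"expected pages {expected}, got {got}"
    return True, "ok"
```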

Result:

The case has been closed, and the investigation result has been delivered to A and Bank X. Because the case also relates to the legal competence of the Monetary Authority of Macao, that Authority was also informed of the investigation outcome.

Reference:
Please refer to the “Personal Data Protection Act”, Articles 3, 4, 5, 6 and 15.


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116