個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0108/2014/IP

Title: Cold calls continued after exercising the right to object

Reason: Complaint

Brief:

    A complaint was lodged with the Office for Personal Data Protection (GPDP) wherein the Complainant stated that he was not a customer of Company A, but received cold calls from it.  The Complainant later called the customer service centre of Company A to exercise his right to object, but cold calls continued.  The Complainant believed that this was a suspected violation of the Personal Data Protection Act (PDPA or Law 8/2005).

Analysis:

    GPDP’s investigation revealed that Company A generated sequences of random numbers for cold calling, and since the Complainant had already exercised his right to object during the call, he was already put onto the company’s “opt-out list”.  A staff of Company A, however, did not screen the list before calling the Complainant on another occasion.  
  Company A insisted that it only knew the Complainant’s phone number, and expressed that it did have an opt-out list established.  In other words, it has established a database for registering those phone number users who had refused to accept further telemarketing calls.  From another point of view, a data subject can express his wishes of joining the opt-out list in order to refuse further cold calls.    This justified that Company A knew that the Complainant’s number was actually in use.  In addition, since the numbers on the opt-out list will not be repeated, and one could search through the numbers therein simply with names or emails, which created an identifier of a data subject that allows a data subject to be distinguished from other target marketing subjects.  As such, information of the current case should be regarded as personal data according to Article 4(1)(1) of the PDPA.  
  The guidelines provided by Company A specified that when approaching a telemarketing subject, the staff member is required to explain that he could request to be added onto the opt-out list.  Since the Complainant failed to provide records of the telemarketing calls that Company A had made, in addition that the calls were made long time ago, no sufficient information justified that Company A made the calls without the consent of the Complainant.  In regard the opt-out list, since personal data was volunteered to Company A by the Complainant, in a bid to refuse further telemarketing calls, Company A had no other options but to retain the number in order to ensure the right to object the Complainant exercised.  In other words, Company A has obtained an unambiguous consent from the Complainant for the data processing for the opt-out list.
  According to Article 12(2) of the PDPA, once the data subject exercised his right to object, Company A is no longer allowed to call him for telemarketing purpose.  In practice, Company A has the obligations to establish an opt-out list and to ensure its staff would call according to the most updated list.
  The policy documents provided by Company A revealed that it has established a mechanism for exercising the right to object, and its staff members are required to check with the opt-out list before making telemarketing calls; anyone on this list should not be contacted.  If this mechanism was fully functional, in principle no data subjects who had exercised the right to object would be contacted.  In the current case, Company A explained that since a staff member failed to observe the said regulation, he called the Complainant without first screening the opt-out list.  Despite the fact that an internal investigation mechanism has been established, with which staff proved violating regulations will be disciplined, Company A expressed that it failed to identify the staff member that called the Complainant.
  The number used by the staff to call the Complainant was a general number shared by all the phone consoles, but none of which were reachable when one called back with the same number. Company A, knowingly configured its console connections as such, allowed its staff to call for marketing purposes by using a general phone number, which allowed staff identities concealed, obviously it is a flaw of the said mechanism. 
  To sum up, Company A produced documents to proof its opt-out mechanism though, it allowed its staff members to use a general number to call for marketing purposes, which, in most cases, staff might find it possible to hide their violations.  As a consequence, the reduced effectiveness of the mechanism could make staff less prudent when making telemarketing calls and, unavoidably, it would weaken Company A’s regulations and procedures and thus created a mechanism flaw.  In view of the above, Company A failed to introduce feasible measures to facilitate the right to object enjoyed by the Complainant and thus violated Article 12(2) of the PDPA.

Result:

    Considering that it was the first violation of Company A and its cooperativeness during the investigation, in addition to its established mechanism for the right to object, the GPDP imposed to it a monetary penalty of MOP 4,000 according to Article 33(1) of the PDPA.

Reference:
Please refer to Article 4, 12 and 33 of the Personal Data Protection Act.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116