個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes

No: 0120/2015/IP

Title: Complete credit card numbers of customers were printed on order forms

Reason: Complaint

Brief:

    The Complainant of the current case reported to the Office for Personal Data Protection (GPDP) that when using his credit card for a purchase from Electronics Company A, he found that his credit card number was printed, in full, on the order form.  Since the form was a multi-copy invoice, any staff member participating in the order process would have had access to his card number.  Finding such a process improper, he filed a complaint with the GPDP.

Analysis:

    Under Articles 4(1)(1) and 3(1) of the PDPA (Personal Data Protection Act), the data processing in the current case is subject to that Act. 
  Company A explained that the credit card numbers were recorded on the order forms so that its finance department could keep track of and verify the transactions.  Should credit card fraud be detected, the complete credit card numbers would assist the investigation.  Considering that the numbers were recorded to ensure the security of credit card transactions and to avoid credit card fraud that could harm its business interests, the interests, rights, freedoms and safeguards of the cardholders did not take precedence over the legitimate interests of Company A.  Consequently, Company A was legitimately processing the said data under Article 6(5) of the PDPA. 
  Also printed on the order forms were internal reference numbers, with which Company A’s finance department should be able to verify the transactions.  Moreover, the current case involved a card-present transaction, during which the staff should be able to verify the authenticity of the cardholder’s identity and his credit card.  If it was necessary to print customers’ credit card numbers on the order forms, concealing some of the digits would be a better way to protect personal data.
  In the current case, Company A was processing data for its legitimate interests.  In the event of fraudulent transactions it would be able to hand over the information to the competent authorities for investigation.  On the other hand, order forms are customers’ proof for obtaining warranty services, replacements, return of deposits, etc.  By the same token, the customer information recorded on the order forms can also safeguard their interests.  Since the order forms recorded the credit card numbers but not other credit card information, such recording was relevant to the processing purposes.  Furthermore, during the investigation Company A already improved the said practice by displaying only the first and last four digits of credit card numbers on the order forms, with the remaining digits replaced by a string of “*”.  These showed that Company A’s practice was not contrary to the principle of proportionality provided for in Article 5(3) of the PDPA.  
  As to the Complainant’s point that his credit card number could have been accessed by the delivery staff, it has to be pointed out that Company A, after collecting the information, has the duty to differentiate the range of information accessible to different staff according to their job duties, as a matter of its internal policies.  In addition, as its staff are bound by professional secrecy with regard to all personal data accessible during their work, and as no information indicated any leak of personal data, Company A’s practices were not shown to be inappropriate.  

Result:

    Company A has improved its current operations by recording only the first and last four digits of credit card numbers, with the rest masked with “*”. 
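The masking practice described in the Result (keep the first and last four digits, replace the rest with "*") is easy to get subtly wrong when the card number is embedded in free text such as a printed order form. The following is an added illustration and not code from the GPDP or from Company A: it masks a card number while preserving spaces or hyphens, falls closed (masks every digit) when the number is too short for the 4+4 rule to leave most of it hidden, and applies the mask to every plausible card number found in a set of order-form lines. The sample lines, the `SAMPLE_ORDER_FORM` name and the function names are assumptions made for the example; the card numbers in the sample are well-known test numbers, not real accounts.

```python
import re

MASK_CHAR = "*"

# Constructed sample order-form lines (not taken from the case). The card
# numbers are publicly known test PANs, not real accounts.
SAMPLE_ORDER_FORM = [
    "Order: A-000123  Ref: INV-2015-0042",
    "Card: 4111 1111 1111 1111  Exp: 12/19",
    "Card: 5500-0000-0000-0004",
    "Customer ref 20150001234 (internal id, not a card)",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: used to avoid masking reference numbers that merely
    look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_leading: int = 4, keep_trailing: int = 4) -> str:
    """Keep the first and last `keep_*` digits, replace the rest with '*'.

    Separators (spaces, hyphens) are kept in place so the masked value has
    the same layout as the original entry on the form.
    """
    digits = [c for c in pan if c.isdigit()]
    n = len(digits)
    # Fail closed: if fewer than 4 digits would stay hidden, mask everything
    # rather than expose most of the number.
    if n < keep_leading + keep_trailing + 4:
        visible = set()
    else:
        visible = set(range(keep_leading)) | set(range(n - keep_trailing, n))
    out = []
    idx = 0
    for c in pan:
        if c.isdigit():
            out.append(c if idx in visible else MASK_CHAR)
            idx += 1
        else:
            out.append(c)
    return "".join(out)


def redact_line(line: str) -> str:
    """Mask every Luhn-valid card number candidate in a line of text."""
    def _sub(m: re.Match) -> str:
        raw = m.group(0)
        digits = "".join(c for c in raw if c.isdigit())
        return mask_pan(raw) if luhn_ok(digits) else raw
    return CANDIDATE_PAN.sub(_sub, line)


def redact_form(lines):
    """Apply redact_line to every line of a printed form."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for line in redact_form(SAMPLE_ORDER_FORM):
        print(line)
```

The Luhn filter keeps internal reference numbers untouched, which matters on a form that also carries order and invoice identifiers; the trade-off is that a mistyped card number failing the checksum would also pass through unmasked, so a stricter deployment can drop the Luhn test and mask every 13 to 19 digit run. Note that the case records the first and last four digits; payment-card industry practice commonly permits at most the first six and last four to be displayed, so the 4+4 choice here is the more conservative of the two.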

Reference:
Please refer to Articles 3, 4, 5 and 6 of the Personal Data Protection Act.


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116