個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Enquiry Case Notes

No: 0471/C/2011

Title: Authorizing a bank to access data on the chip in his ID card

Content:

When Resident X was opening an account at Bank A (hereinafter “the Bank”), he was asked to sign an authorization allowing the Bank to access his data stored on the chip embedded in his identity card.
X enquired whether Bank A’s practice was in compliance with the Personal Data Protection Act.

Result:

Based on the information received from X, the GPDP provides the following opinions:
Pursuant to Articles 4(1)(1) and 3(1) of the Personal Data Protection Act (Law 8/2005), the Act governs the data processing in the current case.
In accordance with Article 5 of the aforementioned Law, personal data shall be processed for given, specific and legitimate purposes directly relevant to the data controller’s activities, and the processing shall be appropriate, reasonable and limited to the collection purposes of the data controller.
After analyzing the current case, the GPDP found that the Identification Bureau (DSI) has installed ID card readers for a number of banks, allowing them to lawfully access the data on the chips embedded in the identity cards. This arrangement was intended to help these banks accurately register and process their clients’ identification information. In certain cases, such access saves their clients the trouble of submitting the Personal Data Certificate, which has to be applied for from the DSI.
Authorizing a bank to access the aforementioned data is voluntary. Clients may decide whether to authorize their banks to access the data on the chips of their identity cards, and banks should not force their clients to consent. However, banks may lawfully require clients to provide the necessary personal data and identification documents to assure data accuracy. For example, they may ask their clients to provide the Personal Data Certificate issued by the DSI. If a client does not provide the data, the bank may, in accordance with the law, refuse to conclude a contract or provide certain services.

Reference:
Please refer to Articles 3, 4 and 5 of the "Personal Data Protection Act".


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116