Ms Chan Hoi Fan, coordinator of the Office for Personal Data Protection
The number of investigation procedures launched by the Office for Personal Data Protection (GPDP) increased by 19.5 percent last year when compared with 2012. In its annual report, published early this month, GPDP revealed that sanctions were applied only in 7.8 percent of 103 investigated cases.
In 2013, the office opened a total of 141 investigations, representing a 19.5-percent increase in comparison with the previous year. The number of cases relating to a lack of legitimacy in treating data amounted to 62.4 percent, whereas 25.5 percent regard failures in meeting data treatment rules.
In 47.5 percent of the mentioned cases, investigations were initiated after data holders filed complaints at the GPDP.
The Office for Personal Data Protection recalled that most of the investigations relied on private entities (77 percent), which are suspected of having mistreated personal data. Complaints over data protection violations are mainly related to the sector of wholesale and retail (22), personal services (16) and associations (15).
After closing investigations, GPDP only applied sanctions in 7.8 percent of the cases, while providing suggestions and guidelines for 49.5 of the analyzed processes.
Among the investigated cases, GPDP sanctioned, for instance, a local store that had published a client’s personal data on a social media network.
A citizen had filed a complaint at the GPDP, stating that they had ordered clothing items from a store through its social network account. After receiving a notice from the shop to collect the items, the citizen failed to do so. The store published the citizen’s name and phone number on the social media network, stating that the person had now been included in their “blacklist.”
The GPDP recalled that, according to the law, the store could seek compensation from the client, but was not entitled to publish their personal data on a social media network. Although the owner of the shop argued that they were defending the shop’s name by publishing clients’ data, the GPDP stressed that such behavior was still against the law. Therefore, a MOP4,000 fine was applied.
Another case was reported last year regarding six gaming operators who had been accused of creating a blacklist with employees’ personal data.
A citizen filed a complaint within the GPDP, claiming that six gaming operators had jointly drafted a blacklist in order to exchange information on employees. The person claimed to be “a victim” of the blacklist, having been refused a job after his name was listed in the referred document.
The six gaming operators denied having drafted such a list, arguing that each company usually established its own recruitment methods, as well as an employees’ database.
After finding no evidence of the existence of a blacklist alleged to have been developed by all gaming companies, the GPDP closed the case.
A similar case was recorded when a citizen filed another complaint, after being refused a job in a local casino. The individual was told by a recruiter that he was part of another casino’s blacklist for having destroyed slot machines. The company denied having received such information through the other operator.
Yet again, the GPDP said that there was no evidence of the existence of such a list, and therefore the case was filed.
Last year, the GPDP recorded a total of 2,276 requests to provide legal advice on possible violations of personal data protection. A total of 49.8 percent of the cases regard notification or authorization on data protection treatment, whereas 40.5 percent of the requests related to surveillance matters. CP
No Comments