May 182016
 May 18, 2016  Breaches, Business, Court, Misc, Non-U.S.

Okay, $2061(USD) is not any kind of huge fine by U.S. or even U.K. standards, but it’s nice to see enforcement. From the Office of the Privacy Commissioner for Personal Data, Hong Kong:

(16 May 2016) A marketing company, GMS (Asia Pacific) Limited (“GMS“), faced two charges under the Personal Data (Privacy) Ordinance (the “Ordinance“) today at the Kwun Tong Magistrates’ Court. The first charge relates to the offence of using the personal data of a data subject in direct marketing without taking specified actions and obtaining his consent, contrary to section 35C of the Ordinance. The other charge relates to the offence of failing to comply with the requirement from the data subject to cease to use his personal data in direct marketing, contrary to section 35G of the Ordinance. GMS pleaded guilty to both charges, and was fined HK$16,000 in total (HK$8,000 in respect of each charge).

Case Background

The case stemmed from a complaint received by the Privacy Commissioner for Personal Data (“PCPD“) in May 2014.

The complainant once made a reservation with a restaurant of a hotel in Hong Kong and provided his surname and mobile number for that purpose. Since then, the complainant had received calls promoting the membership and services of the hotel. In April 2014, the complainant received a call from GMS’s promoter who promoted membership of the hotel to him. The complainant immediately informed the caller that he was not interested and requested the caller not to call him again, and the caller agreed. However, in May 2014, the complainant received another call from GMS promoting the membership of the hotel, in which the caller indicated that GMS was outsourced by the hotel to promote its services.

GMS admitted that it had received the opt-out request from the complainant. It stated that it had already notified its information technology department to place the telephone number of the complainant in the opt-out list on the same day it received the opt-out request. The call to the complainant might be due to some part-time promoters who had not received the updated opt-out list, or they had overlooked the list. The complainant also stated that he had never given any written or verbal consent for using his personal data for direct marketing.

PCPD’s Comments

Section 35C of the Ordinance provides that a data user (e.g. a company or an organisation) must provide the following information to the data subject (e.g. individual consumer) orally or in writing before using his personal data in direct marketing:

(a) the organisation intends to so use the personal data;
(b) the organisation may not so use the data unless with the consent of the data subject;
(c) the kinds of personal data to be used;
(d) the classes of goods, facilities or services offered/advertised; and
(e) a channel through which the data subject may, without charge, communicate his consent to the intended use.

Pursuant to section 35G(3) of the Ordinance, a company which receives a customer’s request for cessation of using his personal data in direct marketing must comply with the request without charge.

Failure to comply with any of the above requirements is a criminal offence, which is punishable by a fine of up to HK$500,000 and imprisonment for up to 3 years.

The Privacy Commissioner for Personal Data Mr Stephen Kai-yi WONG said, “In order to comply with the marketing target’s (data subject’s) opt-out request effectively, marketing companies (data users) have to maintain a list of all customers who have indicated that they do not wish to receive further marketing approaches (i.e., the “Opt-Out List”) and distribute the Opt-Out List to the staff members of the relevant department in a timely manner and thereafter communicate with the department from time to time. If the list is distributed other than by a computer network, it is recommended that marketing staff members are notified of the updates at a frequency of no less than once per week. A marketing company should have standing procedures for its staff members to follow and provide appropriate training with regard to accessing and updating the Opt-Out List for compliance with opt-out requests by marketing targets.”

The PCPD has published the following publications to suit the needs of our stakeholders:

For guidance on legal compliance, data users can refer to the “Guidance on Direct Marketing” 

As for consumers, please refer to:

Sorry, the comment form is closed at this time.