Skip to content

Case Notes

Case Notes

This case related to Customer data

Case No.:2014C06

An online shop should not disclose a customer’s personal data to another customer for product exchange without consent

The Complaint

Summary of Facts

Customer A provided her personal data, including her name, mobile phone number and delivery address, to an online Optical Company (“the Company”) when she placed an order for contact lenses. She was later informed by the Company’s staff that they had mistakenly delivered her contact lenses to Customer B and delivered Customer B’s lenses to her. The staff member suggested Customer A exchange the contact lenses direct with Customer B. The Company then disclosed Customer A’s personal data without her consent to Customer B, resulting in her receipt of an SMS message from the latter to her mobile phone number asking her to exchange the contact lenses. Customer A lodged a complaint with this Office against the Company.

Information provided by the Company

The Company explained that as Customer B needed the correct contact lenses urgently, they sent an email to both Customer A and B suggesting they swap the contact lenses between themselves and asking for their views on the suggestion. The Company mistakenly recorded Customer A as having agreed to the suggestion, so her contact details were wrongly passed on to Customer B. In fact, it was Customer B who had agreed to the suggestion.

Outcome

Given that the Company’s original purpose for collecting Customer A’s personal data was to deliver her online order, the Commissioner took the view that the inadvertent disclosure of Customer A’s personal data to Customer B by the Company for the purpose of product exchange, without Customer A’s prior consent, violated DPP3.

The Company accepted the Commissioner’s recommendations and wrote to Customer B to request the deletion of Customer A’s personal data. They also issued guidelines to their staff reminding them to keep customers’ personal data confidential and obtain customers’ prior consent before disclosing their personal data to a third party.

(Uploaded in October 2015)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :