Skip to content

Case Notes

Case Notes

This case related to DPP1 - Purpose and manner of collection of personal data

Case No.:2018C04

Excessive collection of personal data for the purposes of preparing car insurance quotation – DPP1

The Complaint

The complainant intended to purchase a car insurance policy and sought a quotation via a car dealer. The complainant was requested by the car dealer to submit an insurance application form and his identification documents. The car dealer claimed that this was the requirement of the insurance company to provide a quotation. The complainant took the view that the car dealer and the insurance company had collected excessive personal data from him for the purposes of preparing a quotation.

The car dealer stated that being an intermediary, it always followed the company’s instructions in collecting customers’ personal data. The insurance company stated that only basic information of the vehicle was required for preparing a quotation. The insurance company believed that the car dealer had mistakenly handled a request for quotation as an application for insurance.

Outcome

The PCPD considered that for the purposes of providing an insurance policy quotation, it was unnecessary for the insurance company to obtain a completed application form and identification documents from the complainant. Although the insurance company attributed the incident to the car dealer’s failure to adhere to its policy in handling a request for quotation, it did not extricate its liability (being the principal) in relation to the car dealer’s acts in this case.

After the PCPD’s intervention, the insurance company undertook to enhance its communications with the car dealer and provide regular training to its staff, so as to ensure that quotation enquiries were properly dealt with. The car dealer also confirmed that it had made clarification with the insurance company on the procedures for seeking quotations and the insurance company had provided written guidelines to its staff to follow.

Lesson learnt

Intermediary services bring about business opportunities by bridging communications between companies and their clients. When an intermediary wrongfully handles customers’ personal data, the company commissioning the intermediary is also held liable for the intermediary’s negligence.

The insurance company in this case had obviously failed to take steps to issue clear personal data collection guidelines to the car dealer, or monitor its compliance with the guidelines. As a result, the car dealer collected personal data from potential clients seeking quotation information at a premature stage. Such collection of personal data was unnecessary.

Companies can take reference from this case as an example to establish an effective monitoring system, to ensure that their privacy policies are followed by the intermediaries commissioned. Otherwise, negligence of the intermediaries may indirectly damage the companies’ hard earned reputation.

(Uploaded in August 2020)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :