Table of Contents Table of Contents
Previous Page  59 / 192 Next Page
Information
Show Menu
Previous Page 59 / 192 Next Page
Page Background

and its transfer to third parties) were brought to the attention of the complainant when

she filled in the application form.

5.73

The views of the AAB were followed in subsequent decisions made by the Commissioner,

most notably in the Octopus Card case

49

where the terms and conditions appearing in

the registration form for joining the Octopus rewards programme were found to have

been printed in small print and cramped into a single paragraph containing forty-two

lines in English and thirty-two lines in Chinese, making it difficult to read and comprehend.

The Commissioner was of the view that the operator of the Octopus Card had not taken

all practicable steps to clearly and dutifully inform the applicants of the specific clause

concerning the use and transfer of personal data under the rewards programme.

5.74

With the proliferated use of mobile apps to enhance customer services, it is increasingly

common for data users to collect personal data through mobile apps. Data users must

ensure compliance with the legal obligations under DPP1(3). In an investigation

conducted by the Commissioner, two travel agencies were found to have contravened

DPP1(3)(b) by failing to provide the requisite information to the mobile app users on or

before the collection of personal data.

50

Notification Requirements

5.75

The specific matters of which an individual needs to be informed under DPP1(3) are set

out in paragraphs (a) and (b). For those matters falling under paragraph (a), the

individual should be “explicitly or implicitly” informed. The Commissioner takes the view

that explicit notification of those matters will not be required where it is obvious from the

circumstances. For example, where there is an invitation to submit contact data for a

lucky draw, it is not necessary to state explicitly that the provision of the data is purely

voluntary, which is obvious from the circumstances. Another example is where a

policeman, in discharging his duties, asks a person in the street to provide his name and

address in circumstances where it is obvious that such a request is obligatory. However,

in situations where a data subject is given an option to decide whether to supply

voluntarily his personal data for use by the data user for a number of different purposes,

it is good practice for the data user to give clear indication of the choices to be given to

the data subject to avoid misunderstanding.

5.76

In contrast, under paragraph (b) a data user is required to take all reasonably

practicable steps to ensure the individual is “explicitly” informed of the matters

mentioned therein. Accordingly, notification is necessary even if it may appear to be

stating the obvious. There is, however, no requirement for the notification under DPP1(3)

to be in writing, although the Commissioner would consider this to be good practice,

especially for organisational data users. It is common practice for the notifications

49

See Investigation Report No. R10-9866, available on the Website

( https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R10_9866_e.pdf )

.

See also paragraph 5.18 of this Chapter.

50

See Investigation Report No. R14-9945, available on the Website:

https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R14_9945_e.pdf
1 54 55 56 57 58 59 60 61 62 63 64 65 192  FlippingBook