Skip to content

Media Statements

Media Statements

Date: 25 April 2016

A Community Service Order was imposed on an Insurance Agent
for Using Personal Data in Direct Marketing without Consent 

(25 April 2016) An insurance agent faced two charges under the Personal Data (Privacy) Ordinance (the “Ordinance”) on 11 April 2016 at the Shatin Magistrates’ Court.  The first charge relates to the offence of using the personal data of a data subject in direct marketing without taking specified actions and obtaining his consent, contrary to section 35C of the Ordinance.  The other charge relates to the offence of failing to inform the data subject, when using his personal data in direct marketing for the first time, of his right to request not to use his personal data in direct marketing without charge, contrary to section 35F of the Ordinance.  The Defendant pleaded guilty to both charges.  Today, a Community Service Order of 80 hours was imposed by the Court on him in respect of each charge, to be served concurrently.     
Case Background
The case stemmed from a complaint received by the Office of the Privacy Commissioner for Personal Data (“PCPD”) in July 2014. 
The complainant had purchased an insurance policy at an insurance company (“Insurance Company A”).  Subsequently, the complainant received at his home address a letter from the Defendant who was working as an insurance agent of another insurance company.  In the letter, the Defendant promoted financial services to the complainant after knowing the suspension of service of Insurance Company A.  The complainant complained that the Defendant had failed to take the specified action and obtain his consent before using his personal data in direct marketing, and that the Defendant had failed to notify him of his opt-out right when using his personal data in direct marketing for the first time.  After processing the complaint, the PCPD referred the complaint to the Police for criminal investigation.

PCPD's Comments

The direct marketing provisions under the Ordinance require data users (individuals or organisations) not to use an individual’s personal data in direct marketing, or transfer such personal data to a third party for its use in direct marketing, without that individual’s consent. In order to obtain valid consent, the data user must notify the individual of the types of personal data that will be used; the classes of goods or services that will be marketed; and a response channel through which the individual can communicate his/her consent.

The Privacy Commissioner for Personal Data Mr Stephen Kai-yi WONG stressed, “With all the different types of direct marketing strategies available today, they can bring massive business opportunities if used properly. The Ordinance provides clear guidance for both individuals and organisations, as data users, on managing their direct marketing activities. Respecting consumers’ personal data and using them in a proper way can create a win-win situation in business. Even if the data subject has given his consent, the data user is still required to inform the data subject of his opt-out right, when using his personal data in direct marketing for the first time.  Consumers are reminded that they are not required to pay any fees when exercising their opt-out rights.”

Mr Wong also pointed out that, “This is the first time that the Court has imposed a Community Service Order, which shows that the Court takes a serious view in respect of the contraventions, and intends to put across a deterrent effect through non-remunerated community services. "

The PCPD has published the following publications to suit the needs of our stakeholders: 

For guidance on legal compliance, data users can refer to the “Guidance on Direct Marketing”  

As for consumers, please refer to: