Date: 10 January 2017
Effective Communications Within a Bank is as Important as Following Clients’ Instructions
(10 January 2017) DBS Bank (Hong Kong) Limited (“DBS Bank”) was convicted today at the Eastern Magistrates’ Court for the offence under section 35G(3) of the Personal Data (Privacy) Ordinance (the “Ordinance”) for failing to comply with the requirement from its customer to cease to use his personal data in direct marketing. DBS Bank pleaded guilty to the charge and was fined HK$10,000.
The case stemmed from a complaint received by the Privacy Commissioner for Personal Data (“PCPD”) in September 2015.
The complainant applied for a loan at a branch of DBS Bank in July 2014. He filled in an application form and provided his personal data, including his name, Hong Kong ID card number and his mobile phone number. He also made an opt-out request, stating that he did not wish DBS Bank to use his personal data in direct marketing or to receive any direct marketing materials from DBS Bank via all channels. In June 2015, the complainant received a call on his mobile phone from a staff member of DBS Bank (“the caller”), asking if he would like to apply for a further loan. The complainant asked the caller why such a call was made notwithstanding his opt-out request. The caller said the purpose of the call was to clarify the complainant’s information, and then hung up the phone. Subsequently, the complainant lodged a complaint with the PCPD in September 2015. The caller’s phone number was later found to be registered by DBS Bank.
In October 2015, DBS Bank issued a letter to the complainant and admitted that its staff was not aware the complainant’s name and phone number were being put on its opt-out list. DBS Bank emphasised that the incident was an isolated one and made an apology to the complainant.
Pursuant to section 35G(3) of the Ordinance, a company which receives a customer’s request for cessation of using his personal data in direct marketing must comply with the request without charge. Failure to comply with the requirement is a criminal offence which is punishable by a fine of up to HK$500,000 and imprisonment of up to 3 years.
The Privacy Commissioner for Personal Data, Hong Kong, Mr Stephen Kai-yi WONG, stresses that, “Effective and timely communication within office is as important as respect for clients’ instructions.” Banks (as data users) should maintain a list of all customers who have indicated that they do not wish to receive further direct marketing materials (i.e., the “Opt-Out List”) in order to comply with such opt-out requests effectively. He said, “The head office also has to coordinate the updating of a consolidated Opt-Out List by collecting the opt-out information supplied by all branch offices. The consolidated Opt-Out List should be updated regularly, and distributed to the branch offices in a timely manner. In this case, the staff member of DBS Bank was not aware of the complainant being included in the bank’s direct marketing Opt-Out List before using the latter’s mobile number for calling. To comply with the requirements of the Ordinance, DBS Bank should issue clear internal guidelines and provide appropriate training for its staff members to ensure their awareness of and compliance with the direct marketing provisions under the Ordinance.”
The PCPD has issued the following publications:
For guidance on legal compliance, data users may refer to the “Guidance on Direct Marketing” and “Guidance on the Proper Handling of Customers' Personal Data for the Banking Industry”.
As for consumers, please refer to: