Date: 22 August 2018
Respect Customers’ Rights of Personal Data Self-determination
Follow Their Opt-out Requests in Direct Marketing
Hutchison Telecommunications (Hong Kong) Limited (the Company) faced two charges under the Personal Data (Privacy) Ordinance (the Ordinance) today at the Eastern Magistrates’ Courts. Both charges related to the offence of failing to comply with the requirement from the data subject to cease to use her personal data in direct marketing, contrary to section 35G(3) of the Ordinance. The Company pleaded guilty to both charges, and was fined HK$20,000 in total (HK$10,000 in respect of each charge).
The case stemmed from a complaint received by the Privacy Commissioner for Personal Data, Hong Kong (the PCPD) in 2016.
The complainant was a customer of 3 Hong Kong, a mobile telecommunications services brand of the Company. In May 2016, she made an opt-out request in respect of direct marketing to the Company by phone. However, the complainant still received direct marketing calls in June and August 2016 promoting 3 Hong Kong’s mobile telecommunications services. Subsequently, she complained to the PCPD. After processing the complaint, the Privacy Commissioner for Personal Data, Hong Kong (the Privacy Commissioner) was of the view that the Company had failed to comply with the opt-out request from the complainant.
Pursuant to section 35G(3) of the Ordinance, a data user that receives a customer’s request for cessation of using his personal data in direct marketing must comply with the request without charge. Failure to comply with the requirement is a criminal offence which is punishable by a fine of up to HK$500,000 and imprisonment of up to three years.
The Privacy Commissioner Mr Stephen Kai-yi WONG said, “In order to comply with customers’ opt-out requests effectively, service providers have to maintain a list of all customers who have indicated that they do not wish to receive further marketing approaches (i.e., the Opt-Out List) and distribute the Opt-Out List to the staff members of the relevant department in a timely manner. Service providers should also have standing procedures for their staff members to follow and provide appropriate training with regard to accessing and updating the Opt-Out List for compliance with opt-out requests by their customers.
“Meanwhile, even if a service provider outsources the direct marketing to an agent (as a data processor), the service provider (as a data user) is required to adopt contractual or other means to ensure that the direct marketing activities comply with the requirements under the Ordinance. The service provider should check with the agent its latest Opt-Out List before making any direct marketing approaches, and introduce a mechanism to notify the agent of the updated List from time to time.”
The Privacy Commissioner also reminded consumers about their opt-out rights against unwanted direct marketing activities, “If a consumer no longer wishes to receive direct marketing messages (addressing him by name), he should file an opt-out request preferably in writing with the company concerned and keep a copy of it. If he still receives direct marketing messages after making an opt-out request, he should make a record and gather as many details of the direct marketing messages as possible in order to formulate a valid complaint.”
The PCPD has published the following publications for organisations and customers:
As for consumers, please refer to: