Citibank (Hong Kong) Limited (the Bank) was convicted today at the Kowloon City Magistrates’ Court of the offence under section 35G(3) of the Personal Data (Privacy) Ordinance (the Ordinance) for failing to comply with the requirement from a data subject to cease to use his personal data in direct marketing. The Bank pleaded guilty to the charge, and was fined HK$10,000.
The case stemmed from a complaint received by the office of the Privacy Commissioner for Personal Data, Hong Kong (the PCPD) in 2016.
The complainant applied for the Bank’s credit card online in August 2016. He had opted out the use of his personal data in direct marketing during the application process. However, the complainant still received a direct marketing call from the Bank in October 2016 promoting its insurance services. He then complained to the PCPD. After processing the complaint, the Privacy Commissioner for Personal Data, Hong Kong (the Privacy Commissioner) was of the view that the Bank failed to comply with the complainant’s opt-out request.
Relevant Statutory Provision
Pursuant to section 35G(3) of the Ordinance, a data user which receives a customer’s request for cessation of using his personal data in direct marketing must comply with the request without charge. Failure to comply with the requirement is a criminal offence which is punishable by a fine of up to HK$500,000 and imprisonment of up to 3 years.
The Privacy Commissioner Mr Stephen Kai-yi WONG said, “To avoid causing nuisance to customers, organisations should maintain an opt-out list with customers who do not wish to receive further marketing approaches. The opt-out list should be updated regularly and distributed to the staff members of relevant departments in a timely manner. Standing procedures with regard to accessing and updating the opt-out list should be in place, with appropriate training provided to staff members as well.” Mr Wong also stressed that organisations should abide by higher ethical standards and adopt the three management values (i.e. respectful, beneficial and fair) in handling customers’ data so as to meet their expectations, apart from meeting the requirements of laws and regulations.
The Privacy Commissioner also reminded consumers that if they still receive direct marketing messages after making an opt-out request, they should make a record and gather as many details of the direct marketing messages as possible so as to enable themselves to formulate a valid complaint to the PCPD.
The PCPD has published the following publications for organisations and consumers:
As for consumers, please refer to: