PARKnSHOP (HK) Ltd was fined HK$3,000 for using the personal data of a customer in direct marketing without getting the customer’s consent. The company admitted that the customer had not given consent for receiving its direct marketing materials. A direct marketing email was accidentally sent to the customer due to an isolated incident of human error while doing a system update.
This is the first conviction of the offence of section 35E(1) since the amendment provisions of the Personal Data (Privacy) Ordinance relating to direct marketing that came into effect in 2013.
“The Ordinance does not prohibit direct marketing activities,” said Stephen Wong, the privacy commissioner for personal data, Hong Kong. “Organizations must obtain a data subject’s consent before using his personal data in direct marketing.”
He added, “The conviction once again reminds organizations of such requirements, and at the same time strengthens the culture of respecting personal data privacy within organizations.”
The conviction stemmed from a complaint from a registered customer of the PARKnSHOP, who provided his personal data including his email address for online registration. The complainant had never indicated to the company that he wished to receive any direct marketing materials. In January 2016, the complainant received a direct marketing email from the company, therefore lodged a complaint with the PCPD.