Citibank Hong Kong has been fined HK$10,000

Citibank Hong Kong has been found guilty of violating the Personal Data Privacy Ordinance (PDPO).

The bank plead guilty to committing a direct marketing offence involving violating the PDPO. The bank failed to comply with a requirement from a data subject who requested to cease using his personal data in direct marketing.

The Privacy Commissioner for Personal Data (PCPD) received a complaint in 2016. The complainant had applied for a credit card online and had explicitly opted out of the use of his personal data in direct marketing, however despite opting-out the complainant still received a digital marketing call from the bank two months later.

As a result the PCPD took action against the bank. Under PDPO, data users receiving a customer’s request for cessation of personal data in marketing must comply with the request without charge or face penalties of up to HK$500,000 and imprisonment of up to three years for non-compliance.

Privacy Commissioner Stephen Kai-yi Wong said:

To avoid causing nuisance to customers, organisations should maintain an opt-out list with customers who do not wish to receive further marketing approaches.

“The opt-out list should be updated regularly and distributed to the staff members of relevant departments in a timely manner. Standing procedures with regard to accessing and updating the opt-out list should be in place, with appropriate training provided to staff members as well.”


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.