_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,17,17,1,952,Directions were issued to both Shopify Commerce Singapore and Supernova to put in place a process to ensure compliance with the Transfer Limitation Obligation following a data breach incident of Shopify Inc's database.,"[""Transfer Limitation"", ""Directions"", ""Others"", ""Data Intermediary""]",2022-11-18,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Supernova-Pte-Ltd_06102022.pdf,Transfer Limitation,Breach of the Transfer Limitation Obligation by Shopify Commerce Singapore and Supernova,https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-transfer-limitation-obligation-by-shopify-commerce-singapore-and-supernova,2022-11-18,"PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 7 Case No: DP-2103-B8147 / DP-2206-B9935 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Supernova Pte Ltd (2) Shopify Commerce Singapore Pte Ltd … Organisation DECISION Page 1 of 12 Supernova Pte Ltd & Anor Yeong Zee Kin, Deputy Commissioner — Case No. DP-2103-B8147/ DP-2206-B9935 6 October 2022 Introduction 1 On 8 October 2020, the Personal Data Protection Commission (the “Commission”) was notified by Supernova Pte Ltd (“SNPL”) of a data breach incident of Shopify Inc’s database affecting the personal data of certain Singapore-based customers (the “Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case Background 2 Shopify Inc (“Shopify”) is a company based in Canada that operates an e-commerce platform for online retailers to conduct sales (the “Platform”). 
SNPL is an online retailer that began using the Platform in 2018 to sell its products to customers. Shopify provided payment processing and other services (the “Services”) to SNPL pursuant to the Shopify Plus Agreement, executed by Shopify and SNPL on 4 December 2018. Shopify Commerce Singapore Pte Ltd (“Shopify SG”) acted as the Asia-Pacific data sub-processor of Shopify pursuant to the Shopify Data Processing Addendum to the Shopify Plus Agreement, and its role was confined to collecting customer personal data (including SNPL’s) via the Platform and transferring the data out of Singapore to Shopify for both Purchase Processing and Platform Processing. 3 The Platform collected personal data from customers of its online retailers for two broad sets of purposes. First, to facilitate billing, payment and shipping on behalf of the Platform’s online retailers (“Purchase Processing”). Second, for Shopify’s own commercial and administrative purposes. This mainly included the collection of consumer personal data through the Platform’s own consumer-facing applications and services, e.g. Shop Pay (collectively, “Platform Processing”). Granted, for Platform Processing, users of the Platform included customers of merchants who are on the Platform, such as SNPL’s customers. Nevertheless, customer personal data was being collected and processed by Shopify for its own purposes, and not on behalf of merchants. 4 On 1 July 2019, the Shopify Plus Agreement (including the Shopify Data Processing Addendum) was assigned to Shopify SG (the “Assignment”). At the material time, SNPL had no knowledge of the Assignment as no notice of assignment was required. Consequently, the relationship between the parties was reconfigured in the following manner: (a) For Purchase Processing, Shopify SG became the data intermediary of SNPL, and was responsible for processing personal data on behalf of SNPL. 
The flow of SNPL’s customer personal data did not change - Shopify SG continued to collect SNPL’s customer personal data and transferred this to Shopify to carry out Purchase Processing on its behalf. (b) For Platform Processing, Shopify SG became the data controller of the customer personal data collected through the Platform and its customer-facing applications, including the personal data of the customers of merchants who use the Platform (such as SNPL). In such circumstances, personal data from such users are collected by Shopify SG and processed for its purposes and not on behalf of the merchants. The flow of customer personal data also did not change, as Shopify SG continued to transfer personal data of users of its Platform to Shopify to carry out Platform Processing. The Incident 5 Between June and September 2020, two Philippines-based service contractors of Shopify that were engaged through a third party illegally accessed and exfiltrated certain customer personal data stored in Shopify’s systems, which had been collected via the Platform for Purchase Processing (the “Incident”). This included customer personal data of SNPL. Shopify became aware of this on 15 September 2020 and informed SNPL on 18 September 2020. 6 The customer personal data affected in the Incident included full names, email addresses, billing addresses, shipping addresses, phone numbers, bank identification numbers, IP addresses, last 4 digits of the customer payment cards, and purchase histories of 23,928 individuals. Findings and Basis for Determination 7 Neither SNPL nor Shopify SG were responsible for the security of Shopify’s systems in Canada holding the personal data affected in the Incident. Nevertheless, both organisations were bound by section 26 of the PDPA. 
Transfer limitation obligation under section 26 of the PDPA 8 Section 26(1) of the PDPA provides that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA (the “Transfer Limitation Obligation”). The requirements applicable to the aforementioned transfers of personal data from SNPL and Shopify SG to Shopify were those prescribed in Part III of the Personal Data Protection Regulations 2014 (“PDPR 2014”) [1]. In particular: (a) Regulation 9(1)(b) of the PDPR 2014 requires an organisation that transfers personal data to a country or territory outside of Singapore to take appropriate steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to that under the PDPA; and (b) Regulations 10(1)(b) and 10(1)(c) provide that such legally enforceable obligations may be imposed on the recipient by contract or binding corporate rules (subject to Regulations 10(2) and 10(3) respectively). [Footnote 1: The PDPR 2014 governs the transfers of personal data prior to 1 February 2021. Transfers of personal data after 1 February 2021 are governed by the Personal Data Protection Regulations 2021.] Breach of the Transfer Limitation Obligation by SNPL 9 When SNPL entered into the Shopify Plus Agreement on 4 December 2018, it was aware that by using the Platform its customer personal data would be transferred to Shopify, which was outside Singapore, for Purchase Processing. Shopify was SNPL’s data intermediary, whilst Shopify SG was Shopify’s data sub-processor as explained in paragraph 2. 
10 SNPL (as the data controller of its customers’ personal data) had been notified, in the Shopify Plus Agreement, that its customer personal data may be transferred out of Singapore for the purpose of Purchase Processing, and was obligated to comply with the Transfer Limitation Obligation vis-à-vis the personal data collected by Shopify / Shopify SG for Purchase Processing. Section 4(3) of the PDPA provides that an organisation shall have the same obligation under the PDPA in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself. Such obligations include the Transfer Limitation Obligation. As stated in the Commission’s Advisory Guidelines on Key Concepts in the PDPA (Rev 1 October 2021): “Considerations for organisations using data intermediaries 6.20 Section 4(3) provides that an organisation has the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself. As such, it is good practice for an organisation to undertake an appropriate level of due diligence to assure itself that a potential data intermediary is capable of complying with the PDPA. … Overseas transfers of personal data 6.22 Where an organisation engages a data intermediary to process personal data on its behalf and for its purposes, the organisation is responsible for complying with the Transfer Limitation Obligation in respect of any overseas transfer of personal data. This is regardless of whether the personal data is transferred by the organisation to an overseas data intermediary or transferred overseas by the data intermediary in Singapore as part of its processing on behalf and for the purposes of the organisation. 
6.23 The Transfer Limitation Obligation requires that an organisation ensures that personal data transferred overseas is protected to a standard comparable with the Data Protection Provisions. The onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances when engaging a data intermediary to ensure that it is capable of doing so. In undertaking its due diligence, transferring organisations may rely on data intermediaries’ extant protection policies and practices, including their assurances of compliance with relevant industry standards or certification.” (emphasis added) 11 The Transfer Limitation Obligation required SNPL to ensure, prior to transferring customer personal data for processing by Shopify, that Shopify provided a standard of protection to transferred personal data that was comparable to the protection under the PDPA. This obligation did not abate by virtue of the Assignment on 1 July 2019, even though SNPL claimed that it was not made aware of the Assignment. At all times, SNPL was responsible for complying with the Transfer Limitation Obligation for its transfer to Shopify (initially) and Shopify SG (latterly). Even though Shopify SG assumed legal responsibility as SNPL’s data intermediary supposedly without informing SNPL, the flow of SNPL’s customer personal data was not altered, as Shopify SG continued to transfer SNPL’s customer personal data outside of Singapore (i.e. to Shopify) for Purchase Processing. 12 In connection with this, the onus lay with SNPL to put in place the relevant contractual clauses to ensure the protection of its personal data to a standard comparable to the PDPA. However, investigations revealed that SNPL did not do so. The omission to put in place contractual clauses to ensure such comparable protection began with the start of their commercial arrangement. 
SNPL stated that, in 2018, it carried out a due diligence assessment of Shopify’s approach to data protection before entering into the Shopify Plus Agreement and migrating its online retail activities to the Platform (“2018 Due Diligence Exercise”). However, this assessment was inadequate as it failed to ensure that there were binding contractual clauses requiring personal data transferred between them to be protected to a standard comparable to the PDPA. 13 Accordingly, SNPL failed to comply with the Transfer Limitation Obligation. Breach of the Transfer Limitation Obligation by Shopify SG 14 For the Purchase Processing of customer personal data discussed in the preceding paragraphs, Shopify SG acted as SNPL’s data intermediary and was thus not bound by the Transfer Limitation Obligation. 15 However, Shopify SG must also comply with the Transfer Limitation Obligation in relation to the personal data collected for Platform Processing. This is because Shopify SG was processing customer personal data for its own purposes, and was thus the data controller, while Shopify was the data intermediary. 16 In connection with this, investigations revealed that there were no legally binding obligations, in the form of contracts or binding corporate rules within the Shopify group, requiring Shopify to provide PDPA-comparable protection to personal data transferred from Shopify SG to Shopify for processing. While the Shopify Data Processing Addendum makes references to certain data protection legislation applicable to the European Union and the State of California, it did not cover the PDPA. During the course of investigations, Shopify indicated that it would “be putting in place binding corporate rules governing the transfer of merchants’ customers’ data between group entities” and furnished a draft APAC Cross-Border Whitepaper to the Commission. 
Whilst this was a step in the right direction, it did not retrospectively allow Shopify SG to regularise its intra-group data transfers to ensure compliance with the Transfer Limitation Obligation at the material time. 17 In view of the foregoing, Shopify SG failed to comply with the Transfer Limitation Obligation in respect of Platform Processing of personal data. The Deputy Commissioner’s Directions 18 In determining what directions (if any) should be given to the organisations pursuant to section 48I of the PDPA, and/or whether the organisations should be required to pay a financial penalty under section 48J of the PDPA, the factors listed at section 48J(6) of the PDPA were considered. In particular, the Commission placed emphasis on the fact that SNPL and Shopify SG had been highly cooperative with the Commission’s investigations. 19 On 18 July 2022, SNPL made representations to the Commission requesting additional time to comply with the above direction. In consideration of SNPL’s limitations as a small and medium enterprise, SNPL’s deadline to comply with the direction is extended from 60 days to 6 months. 20 Having considered all the relevant factors of this case, SNPL and Shopify SG are hereby directed to take the following actions: (a) SNPL is to put in place within 6 months a process to ensure compliance with the Transfer Limitation Obligation under section 26 of the PDPA in any future engagement of services that may involve the processing of personal data outside of Singapore on behalf of SNPL; and (b) Shopify SG is to put in place within 60 days a process to ensure compliance with the Transfer Limitation Obligation under section 26 of the PDPA in any future engagement of its services that may involve the processing of personal data outside of Singapore. 21 Specific to SNPL’s transfer of personal data for the purpose of Purchase Processing to Shopify in Canada, the following observations may be helpful. 
The Association of Southeast Asian Nations (“ASEAN”) adopted and endorsed the Model Contractual Clauses (“ASEAN MCCs”), which are meant to facilitate cross-border transfers of personal data. These provide a standard for business-to-business (B2B) transfers that can be used by enterprises of any scale, but are especially helpful for small and medium enterprises. When using them, businesses may adapt these clauses as necessary for their commercial arrangements. 22 The Commission recognises the ASEAN MCCs as meeting the requirements of the Transfer Limitation Obligation under the PDPA: see PDPC’s Guidance for the Use of ASEAN Model Contractual Clauses for Cross Border Data Flows in Singapore (published 22 January 2021). Using the ASEAN MCCs can ease B2B transfers between Singapore and other jurisdictions such as Canada. In carrying out the directions, SNPL may therefore wish to consider relying on and adapting, as necessary, the ASEAN MCCs. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,a460c9f6da7d242e2c26bf56c9b5bc6bd47df7e7,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,31,31,1,952,"Warnings were issued to Toll Logistics (Asia), Toll Global Forwarding, Toll Offshore Petroleum Services, and Toll (TZ) for breaches of the PDPA in relation to the transfer of employees’ personal data to a human resources software vendor in Ireland.","[""Transfer Limitation"", ""Warning"", ""Transport and Storage""]",2022-05-19,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Toll-Logistics-Asia-Limited-and-others--180322.pdf,Transfer Limitation,Breach of the Transfer Limitation Obligation by Toll Logistics (Asia) and others,https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-transfer-limitation-obligation-by-toll-logistics-and-others,2022-05-19,"PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 4 Case No. DP-2008-B6707 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Toll Logistics (Asia) Limited (2) Toll Global Forwarding (Singapore) Pte. Limited (3) Toll Offshore Petroleum Services Pte. Ltd. (4) Toll (TZ) Pte. Ltd. … Organisations DECISION Toll Logistics (Asia) Limited and others [2022] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2008-B6707 14 March 2022 Introduction 1 Toll Holdings Limited (“Toll Holdings”) is an integrated logistics services provider headquartered in Australia. Toll Logistics (Asia) Limited (“Toll Logistics”), Toll Global Forwarding Singapore Pte. Ltd. (“Toll Forwarding”), Toll Offshore Petroleum Services Pte. Ltd. (“Toll Offshore”), and Toll (TZ) Pte. Ltd. (“Toll TZ”) are Singapore-registered entities (collectively, “the Organisations”) that are part of a multinational group of companies headed by Toll Holdings (“the Group”). 2 On 11 June 2020, Toll Holdings notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the Group’s IT systems, including servers in Australia and Singapore containing the personal data of current and former employees of the Organisations (“the Incident”). The Commission subsequently received complaints from 3 former employees of Toll Logistics in relation to the Incident. Investigations were commenced to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisations of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3 In July 2013, Toll Holdings contracted with a vendor in Ireland (“the HR Vendor”) for the Group’s use of the HR Vendor’s human resources software platform (“the HR Platform”). 
To facilitate use of the common HR Platform, the respective Group entities (including the Organisations) uploaded the personal data of their employees to the HR Platform. The data uploaded to the HR Platform was hosted by the HR Vendor in data centres in the European Economic Area. 4 Subsequently in 2019, a series of Corporate Services Agreements (“CSAs”) and accession agreements were executed with the net effect that Toll Holdings undertook to provide finance, human resources (“HR”), information technology (“IT”), legal, and other corporate services to all the Organisations. Although the CSAs were inked in 2019, they took retrospective effect from 1 April 2018. 5 The services provided by Toll Holdings to the Organisations under the CSAs included: (a) Development and maintenance of HR policies and procedures; (b) Development and maintenance of IT strategy; (c) Development and maintenance of IT policies and procedures; and (d) Provision of IT support services. 6 Under the terms of the CSAs, Toll Holdings was permitted to appoint subcontractors to perform part or all of the services the subject of the CSAs but was responsible to the same extent as if it had performed the services itself. 7 The scope of IT services to be provided by Toll Holdings under the CSAs specifically excluded the “development or implementation of IT systems”, which responsibility presumably remained with the Organisations. To this end, the Organisations maintained ten servers in Singapore to support their operations. Three of these servers (“the Singapore Servers”) were used by the Organisations’ corporate teams (i.e. finance, legal, HR) in the ordinary course of their work and contained personal data within the email archives and other working documents. 
8 The Group (including the Organisations) had implemented various industry-standard security solutions for its IT systems such as end-point protection software, logging and monitoring software and/or services, firewall and intrusion prevention software, security detection and response software, identity access management and control software and services, vulnerability scanning software and services, and patching software. A Managed Security Service Provider (“MSSP”) was also engaged to provide cyber security detection and incident response services for the Group. With the assistance of the MSSP and other external vendors, the Group carried out regular vulnerability scanning and penetration testing of its IT systems. Transfer of personal data to Australia 9 Sometime prior to the Incident, Toll Holdings’ Chief Human Resources Officer extracted personal data relating to 1,748 of the Organisations’ current and former employees from the HR Platform and transmitted them to a server in Australia (“the Australia Server”). Toll Holdings represented that this personal data was transferred for the purposes of performing services for the Organisations pursuant to the CSAs. 10 The personal data downloaded by Toll Holdings comprised each employee’s: (a) Name; (b) Address; (c) Age; and (d) Salary. 11 5 employees of Toll Logistics and 2 employees of Toll Forwarding also had other datasets disclosed, including: (a) Driver’s licence number; (b) Emergency contact details; (c) National ID; (d) Fingerprint; (e) Medical details; and (f) Passport details. The Incident 12 On 26 April 2020, a malicious actor gained access to Toll Holdings’ IT environment in Australia using credentials stolen from a third-party vendor. The third-party vendor had been granted administrative access to two servers in Toll Holdings’ IT environment in order to provide support services for a software solution. 
13 Having gained access to the Group’s IT environment, the malicious actor used advanced malware and a range of hacking tools to move through the Group’s network, conduct reconnaissance, and escalate account privileges. The malicious actor also made various efforts to bundle and compress data from the Australia Server and stage it for exfiltration. 14 Threat monitoring software deployed by the Group detected events related to the malicious actor’s account takeover and privilege escalation during the Incident and raised alerts to the MSSP. However, according to Toll Holdings, no alerts were brought to its attention. On 3 May 2020, the malicious actor exfiltrated less than 2% (two percent) of the data stored on the Australia Server using a web-based file sharing service. The malicious actor then ran scripts to disable various endpoint protections across the Group and executed a ransomware attack. The ransomware attack encrypted files on a number of the Group’s servers, including the Australia Server and the Singapore Servers. 15 When subsequently making ransom demands, the malicious actor provided Toll Holdings a summary of the files exfiltrated from the Australia Server and eventually uploaded portions of the exfiltrated files onto the dark web. Based on (i) the summary provided by the malicious actor, (ii) the Group’s review of the available logs and records on the Australia Server, and (iii) a review of the files eventually published by the malicious actor on the dark web, the Organisations concluded that there was no evidence of exfiltration of the personal data of their current or former employees from the Australia Server. 16 The Organisations also concluded that there was no evidence of data exfiltration from the Singapore Servers, or any other servers in the Group’s IT environment in the Incident, other than the Australia Server. The Organisations were able to restore the encrypted data in the Singapore Servers from securely stored backups. 
Remedial actions 17 Following the Incident, Toll Holdings implemented the following remedial measures on a Group-wide basis: (a) Temporarily disconnected from the Internet, and undertook a rolling shutdown of IT systems in order to mitigate spread of any infection; (b) Isolated all impacted servers and implemented network restrictions to prevent spread of the ransomware within the Group’s network; (c) Engaged third-party experts to assist with incident response, including investigation and remediation; (d) Upgraded its user access system and reset all administrator passwords; (e) Blocked the malware used in the Incident; (f) Removed access privileges obtained by the malicious actor; (g) Implemented additional vulnerability scanning across the Group’s IT systems to harden the Group’s network perimeter; (h) Strengthened the Group’s Active Directory infrastructure; (i) Implemented additional endpoint protection, forensic tools, and monitoring tools; (j) Introduced a shadow security operations centre and initiated transition to a new MSSP; (k) Initiated plans for an asset lifecycle review to identify legacy critical business applications and treatment required to address cyber risks; (l) Commenced a logging, monitoring and alerting uplift to review existing policies and standards; (m) Completed the rollout of multi-factor authentication for all remote access; (n) Updated organisational measures such as incident response plans, policies, and playbooks; and (o) Rolled out a cyber awareness programme containing training and assignments for its employees. Findings and Basis for Determination 18 Based on the circumstances of the Incident, the Commission’s investigation centred on: (a) Whether the Organisations had breached their respective obligations under section 26 of the PDPA to not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA (the “Transfer Limitation Obligation”); and (b) 
Whether the Organisations had breached their respective obligations under section 24 of the PDPA to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). Whether the Organisations had contravened the Transfer Limitation Obligation 19 The HR Platform was implemented on a Group-wide basis on or around July 2013. The Organisations began uploading the personal data of their employees to the HR Platform for storage in the HR Vendor’s servers in the European Economic Area around this time, and would have continued to do so as part of the normal course of HR functions (for example, when new employees joined). Any transfers of personal data by the Organisations out of Singapore after 2 July 2014 would have been subject to the Transfer Limitation Obligation and the requirements prescribed in Part III of the Personal Data Protection Regulations 2014 (“PDPR 2014”). For transfers of personal data outside of Singapore which occurred after 1 February 2021, such transfers would have been subject to the requirements in Part 3 of the Personal Data Protection Regulations 2021 (“PDPR 2021”). 20 Regulation 9(1)(b) of the PDPR 2014 and regulation 10(1) of the PDPR 2021 require an organisation that transfers personal data outside of Singapore to take appropriate steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to provide the transferred personal data a standard of protection that is at least comparable to that under the PDPA. Under regulation 10 of the PDPR 2014 and regulation 11(1) of the PDPR 2021, such legally enforceable obligations can be imposed on the recipient organisation under (a) any law; (b) any contract between the parties; (c) binding corporate rules; or (d) any other legally binding instrument. 
21 In gist, the Organisations were required to take appropriate steps to ensure that the personal data transferred out of Singapore via the HR Platform for storage in the European Economic Area would be protected to a standard comparable to that under the PDPA, before any such transfers were made. 22 There was no evidence of any such steps taken by the Organisations. While the contract between Toll Holdings and the HR Vendor included data protection obligations imposed on the HR Vendor, the Organisations were not party to this agreement. The CSAs also did not contain any provisions relating to the protection of personal data or impose obligations on Toll Holdings to protect the personal data of the other Organisations for the purposes of the centralised corporate functions to be undertaken pursuant to the CSAs. Accordingly, the Organisations were determined to have contravened the Transfer Limitation Obligation in relation to the personal data uploaded on to the HR Platform. 23 In the course of investigations, Toll Holdings represented that it had since reviewed the data transfer arrangements under the CSAs and that the Organisations and Toll Holdings have now executed a “Singapore Data Export Agreement” to govern intra-group transfers of personal data from the Organisations to Toll Holdings (and other members of the Group who may subsequently become party to the agreement) to ensure that a standard of protection comparable to the PDPA is provided to any transferred personal data. Whether the Organisations had contravened the Protection Obligation 24 As held in Everlast Projects Pte Ltd and others [2020] SGPDPC 20, members of a corporate group may satisfy the Protection Obligation by relying on binding group-level written policies or intra-group contracts which specify the respective data protection obligations of the members of the group. 
In the present case, while the Organisations had entered into the CSAs to centralise various corporate functions with Toll Holdings, the CSAs did not deal with data protection obligations. In the circumstances, the Protection Obligation remained with the Organisations, and the Organisations cannot rely on the CSAs to say that certain of their data protection operations had been centralised with Toll Holdings at the Group level. 25 That being said, under the CSAs, Toll Holdings had undertaken to provide the Organisations with IT support services. It has been held in WTS Automotive Services Pte Ltd [2018] SGPDPC 26 that organisations can rely on the technical expertise of their service providers to satisfy the Protection Obligation (subject to clear instructions or business requirements being specified). In the case where a member of a group of companies provides technical support services to others in the group, it is advisable that their respective roles and responsibilities be clearly spelt out. 26 In the present case, the CSAs were intended to perform this role: Toll Holdings was responsible for IT support services while the Organisations remained responsible for development and implementation of IT systems: see [7] above. As part of the IT support services provided, Toll Holdings introduced and implemented Group-level IT security standards. These were communicated through the Group’s intranet and implemented by Toll Holdings on a Group-wide basis, as part of the IT support services they provided. In accordance with these standards, a number of industry-standard technical solutions and tools were implemented prior to the Incident to protect the personal data in the Singapore Servers: see [8] above. 
27 Having considered these security arrangements, we are satisfied that the Organisations had not breached their Protection Obligation as the security arrangements in place prior to and at the time of the Incident to protect the personal data in the Singapore Servers were reasonable and consistent with existing industry standards. In coming to this decision, we are also of the view that the security lapse and privilege escalation that enabled the malicious actor to overcome the Organisations’ endpoint protections in the Incident occurred abroad arising from theft of credentials from Toll Holdings’ vendor and was beyond the control of the Organisations. The Deputy Commissioner’s Decision 28 In determining what directions (if any) should be given to the Organisations pursuant to section 48I of the PDPA, the Deputy Commissioner took into consideration: (a) the Organisations’ cooperation with the Commission’s investigations; (b) that access to the transferred personal data was limited to entities within the same corporate group; (c) that there was no evidence of any loss or damage resulting from the Organisations’ contravention of the Transfer Limitation Obligation; and (d) that the Group had already implemented intra-group contractual arrangements to govern future transfers of personal data by the Organisations to Toll Holdings. 29 Having considered all the mitigating factors listed above, the Organisations are administered a warning in respect of their breach of the Transfer Limitation Obligation. No other directions are necessary in view of the remedial actions already taken by the Organisations. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Warning,3366d27f6930503cebbbff6dd8de747f0da55d18,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,44,44,1,952,A warning was issued to Belden Singapore for a breach of the PDPA in relation to the transfer of its Singapore-based employees’ personal data to its parent company in the United States.,"[""Transfer Limitation"", ""Warning"", ""Manufacturing""]",2021-12-09,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Belden-Singapore-Private-Limited---12112021.pdf,Transfer Limitation,Breach of the Transfer Limitation Obligation by Belden Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2021/12/breach-of-the-transfer-limitation-obligation-by-belden-singapore,2021-12-09,"PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 13 Case No. DP-2011-B7423, DP-2011-B7433 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Belden Singapore Private Limited (2) Grass Valley Singapore Pte Ltd … Organisations DECISION Belden Singapore Private Limited & Anor [2021] SGPDPC 13 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2011-B7423, DP-2011-B7433 12 November 2021 Introduction 1. It is not unusual for a corporate group with a multi-national footprint to conduct cross-border transfers of personal data between its various entities. However, such arrangements also mean that data transferred from an organisation based in Singapore might risk exposure to data breach incidents in another jurisdiction. This is one such incident. 2. 
On 19 November 2020 and 20 November 2020, Belden Singapore Private Limited (“Belden Singapore”) and Grass Valley Singapore Pte Ltd (“GVSPL”) (collectively, the “Organisations”) notified the Personal Data Protection Commission (the “Commission”) of a data breach incident whereby an unauthorised third party had gained access to business servers of the Belden Group, and managed to exfiltrate information, including personal data of the employees of the Organisations (“Incident”). Facts of the Case 3. The Belden Group is a group of companies involved in the manufacturing of networking, connectivity and cable products. Its various subsidiaries and affiliated companies operate in the Americas, Europe, Middle East, Africa and the Asia Pacific region (the “Belden entities”). The overall parent entity, Belden Incorporated (“Belden Inc.”) is headquartered in St Louis, Missouri, United States. Belden Singapore is part of the Belden Group. 4. As the main Human Resources (“HR”) functions of Belden Singapore are conducted by Belden Inc., Belden Singapore transfers the personal data of its employees to Belden Inc., which are then stored in Belden Inc.’s servers. The terms on which the various Belden entities transfer and process personal data are governed by the Global Data Transfer Agreement dated 1 September 2020 (“GDTA”). 5. GVSPL is part of a group of companies (the “Grass Valley entities”) that were formerly part of the global Belden Group. In July 2020, the Grass Valley entities (including GVSPL) were acquired by another company. Under the terms of the acquisition, Belden Inc. agreed to provide transition services, including administration of its information technology and HR systems for a period of time after the acquisition. Therefore, the personal data of GVSPL’s employees (and the employees of other Grass Valley entities) were transferred to Belden Inc. and stored in Belden Inc.’s servers. 
GVSPL’s parent company, Grass Valley USA, LLC (“GV USA”) (on behalf of its subsidiaries and affiliates, including GVSPL) and Belden Inc. entered into a Data Sharing Agreement dated 18 June 2020 (“DSA”) to govern the sharing of data (including personal data) between the parties. 6. On 12 November 2020, the Belden Group’s information technology team noticed anomalies in its systems. Subsequent investigations revealed that, from September to November 2020, a threat actor had accessed the Belden Group’s servers in the USA and other jurisdictions through the use of malicious software at various times and exfiltrated the information and data contained therein. The compromise of GVSPL’s Personal Data Sets is taken to have arisen from the unauthorised access to the Belden Group’s servers since there was no evidence of any unauthorised access directly into the systems of the Grass Valley entities. 7. The personal data of 126 individuals related to Belden Singapore (current and former employees as well as non-employees such as suppliers / vendors) and 63 individuals related to GVSPL (current and former employees) were exfiltrated in the Incident (collectively, the “Personal Data Sets”). The types of personal data exfiltrated included the following: (a) Name; (b) Address; (c) Email Address; (d) Telephone Number; (e) Date of Birth; (f) Identification Number; (g) Marital Status; (h) Photographs; (i) Salary Information; and (j) Individual Tax Information. 8. Upon discovery of the Incident, Belden Inc. implemented, or has been in the process of implementing, the following remediation actions: (a) The following security measures: i. Conducted an audit of system administrator accounts to confirm that it was for valid users only ii. Reviewed and developed plan to address incident closure activities iii. Improved relevancy and frequency of security awareness campaign. (b) The following short-term and long-term containment actions: i. 
Roll out endpoint security software to all server and client systems ii. Block command and control IP addresses on perimeter firewalls iii. Update existing security software definitions iv. Block access to Mega (cloud storage file hosting service) on firewalls v. Disallow syncing of data from internal systems to unapproved external cloud storage services vi. Remove unnecessary accounts from privileged security groups vii. Rebuild compromised systems viii. Reboot business-critical systems that cannot be rebuilt ix. Expedite patching of critical and high severity vulnerabilities x. Reset passwords for Domains and Enterprise administrators xi. Reset passwords for all other privileged users xii. Reset the password for the Kerberos account xiii. Perform enterprise-wide password reset xiv. Ensured no direct remote access is available on the systems exposed to the Internet Findings and Basis for Determination 9. As a preliminary point, Belden Inc. is responsible for maintaining the security and integrity of the Belden Group’s systems (including its servers) and implementing the appropriate safeguards. However, the data protection obligations in the Personal Data Protection Act 2012 (“PDPA”) do not apply to Belden Inc., as it does not process personal data in Singapore. It is further noted that Belden Inc. has made reports to the relevant authorities in the jurisdictions where the compromised servers are located. Therefore, no findings are made against Belden Inc. The Transfer Limitation Obligation under section 26 of the PDPA 10. Section 26(1) of the PDPA provides that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA (the “Transfer Limitation Obligation”). 
The relevant requirements are prescribed in Part III of the Personal Data Protection Regulations 2014 (“PDPR”) [Footnote 1: As the Incident occurred on or around September 2020, the Personal Data Protection Regulations 2014 apply. However, from 1 February 2021 onwards, the Personal Data Protection Regulations 2021 would apply.]. In particular: (a) Regulation 9(1)(b) of the PDPR requires an organisation that transfers personal data to a country or territory outside of Singapore to take appropriate steps to ensure that the recipient of personal data is bound by legally enforceable obligations (in accordance with Regulation 10) to provide to the transferred personal data a standard of protection that is at least comparable to that under the PDPA; (b) Regulation 10(1)(b) of the PDPR provides for contracts to be one such legally enforceable obligation. Regulation 10(2) in turn provides that such contract must require the recipient of the transferred personal data to provide a comparable standard of protection, and must specify the countries and territories to which the personal data may be transferred under the contract; and (c) Regulation 10(1)(c) of the PDPR provides binding corporate rules to be another such legally enforceable obligation. Regulation 10(3) in turn provides that such binding corporate rules require every recipient to provide a comparable standard of protection, and must specify (i) the recipients of the transferred personal data to which the binding corporate rules apply; (ii) the countries and territories to which the personal data may be transferred under the binding corporate rules; and (iii) the rights and obligations provided by the binding corporate rules. Further, such binding corporate rules may only be used by recipients that are related to the transferring organisation. 11. 
To comply with the Transfer Limitation Obligation in the context of an intra-group transfer where there is centralisation of corporate functions, group members involved in ongoing relationships for regular cross-border transfers of personal data out of Singapore are required to take reasonable steps to ascertain that the overseas transferee has implemented the appropriate policies, practices and / or technical measures to ensure that the transferred personal data is provided with the requisite level of protection. This is no different from an organisation’s obligation to carry out the necessary due diligence vis-à-vis the transfer of personal data to an overseas data intermediary, since the overseas transferee is a data intermediary even though they are members within the same group of companies. As stated in the Commission’s Advisory Guidelines on Key Concepts in the PDPA [Footnote 2: Advisory Guidelines on Key Concepts in the PDPA (Rev 1 February 2021)]: “Overseas transfers of personal data 6.22 Where an organisation engages a data intermediary to process personal data on its behalf and for its purposes, the organisation is responsible for complying with the Transfer Limitation Obligation in respect of any overseas transfer of personal data. This is regardless of whether the personal data is transferred by the organisation to an overseas data intermediary or transferred overseas by the data intermediary in Singapore as part of its processing on behalf and for the purposes of the organisation. 6.23 The Transfer Limitation Obligation requires that an organisation ensures that personal data transferred overseas is protected to a standard comparable with the Data Protection Provisions. The onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances when engaging a data intermediary to ensure that it is capable of doing so. 
In undertaking its due diligence, transferring organisations may rely on data intermediaries’ extant protection policies and practices, including their assurances of compliance with relevant industry standards or certification.” Whether Belden Singapore complied with the Transfer Limitation Obligation 12. It is determined that Belden Singapore had not complied with the Transfer Limitation Obligation for the reasons explained below. 13. At the material time, Belden Inc. and certain other Belden entities had put in place a binding intra-group contract called the Global Data Transfer Agreement dated 1 September 2020 (“GDTA”), which governs the terms on which the various Belden entities transfer personal data to each other. 14. The GDTA contained provisions that required Belden Inc. to provide any personal data transferred from Singapore a comparable standard of protection to that under the PDPA at the time of the Incident. In particular: (a) Clause 5.2.2 provided that “Where Belden Data and/or Client Data originating in a Non-EEA territory (including in the United Kingdom, if at any time the United Kingdom is not in the EEA or beyond any transition period) (the “Originating Territory”) are Processed in a territory which is different from the Originating Territory (the “Importing Territory”), then the Data Importer will Process such Belden Data and/or Client Data to a standard consistent with the Applicable Privacy Law(s) of the Originating Territory…” (b) Clause 19.5.5 of Schedule 5 required the data importer (i.e. Belden Inc.) to ensure that any transfer of personal data to a country or territory outside Singapore is provided a standard of protection that is comparable to the protection under the PDPA. 15. 
In addition to the above, the GDTA also contained provisions that require the transferee (the “Data Importer”) to implement measures aimed at addressing identified security risks to the personal data transferred and assisting the transferor (the “Data Exporter”) to comply with the relevant data protection laws. In particular: (a) Clause 4.1(c)(ii) required the Data Importer to “comply with any requirements arising under any Applicable Privacy Law(s) to protect the Belden and/or Client Data it received including, but not limited to the following: (A) assistance, taking into account the nature of the Processing, by appropriate technical and organisation measures, insofar as this is possible, to fulfil any obligations the Data Exporter may have to respond to requests from data subjects to exercise their rights under Applicable Privacy Law(s) assistance; (B) assisting the Data Exporter as necessary to comply with its obligations under Applicable Privacy Law(s) including (without limitation) to conduct a data protection impact assessment and/or to consult with a Supervisory Authority, in each case taking into account the nature of the Processing and the information available to the Data Importer; and (C) not knowingly performing its obligations under this Agreement in such a way as to cause the Data Exporter to breach any of its obligations under Applicable Privacy Law(s); (D) ensuring the reliability of any persons it authorises to access the Belden and/or Client Data (including employees, agents and sub-Processors) and ensure that they have undergone appropriate training in the care, protection and handling of Belden and/or Client Data; (E) it will ensure that any persons authorised to process the Belden and/or Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (F) it will maintain appropriate and sufficient technical and organisational security measures to protect such Belden and/or Client 
Data against a Security Breach. Such measures will include as a minimum the Belden Security Measures; and (G) it will permit the Data Exporter such access to its premises, computer and other information systems, records, document and agreements as the Data Exporter may reasonably require to satisfy itself that the Data Importer is complying with its obligations under the Agreement; and (H) it will, at the choice of the Data Exporter, delete or return all Belden and/or Client Data to the Data Exporter after the end of the provision or services relating to processing, unless EU law or any EU Member State law requires storage of the Client Data.” (b) Clause 6 also required the Data Importer to carry out certain measures in the event of a security breach to investigate the breach, mitigate its effects and assist the Data Exporter to fulfill any obligations under the Applicable Privacy Law(s). 16. In this connection, the Belden Group has put in place the following policies and measures concerning the treatment of personal data: (a) Data Handling Standard – Governs the handling of electronic and physical data throughout the Belden Group; (b) Personal Data Handling Standard – Governs the handling of all forms of personal data throughout the Belden Group; (c) Data Classification Policy – Sets the standards for protection of information assets from accidental or unlawful destruction, loss, unauthorised access, modification, compromise, disclosure or other misuse; and (d) Record Creation, Retention, Retrieval and Disposal Policy – Establishes requirements for creating, retaining, retrieving and disposing of records within the Belden Group. 17. 
Despite the suite of policies and technical measures adopted by the Belden Group, the GDTA and the above policies did not enable Belden Singapore to meet the requirements in Regulation 9(1)(b), read with Regulations 10(1)(b) and 10(2) when the Incident occurred: (a) The GDTA was not legally binding on Belden Singapore at the material time as Belden Singapore had not acceded to the GDTA. For Belden Singapore to be bound by the GDTA, it must have executed a Deed of Accession under Clause 12.1. However, at the time of the Incident, Belden Singapore had not executed such a Deed of Accession. (b) Since the Belden Group opted to structure its data governance architecture around an intra-group contract (i.e. the GDTA), it is trite that the principle of privity of contract applies, and only the parties to a contract are able to enforce the rights and obligations arising therein. Although the GDTA did, at the time of the Incident, require Belden Inc. to comply with the applicable standards under the PDPA while importing / processing personal data from Singapore (Clause 19.5.5 of Schedule 5), such obligations were not legally enforceable by Belden Singapore. Absent such a mechanism, Belden Singapore had no legal means to ascertain and ensure that the data transferred outside Singapore was afforded the same level of protection as under the PDPA. (c) Belden Singapore has acknowledged that this was a lapse. It subsequently rectified this oversight by signing a Deed of Accession on 18 June 2021. (d) Nevertheless, the investigations revealed that, in practice, all the relevant Belden group policies, practices and technical measures mentioned in paragraphs 14 to 16 were implemented in full to ensure that personal data transferred from Singapore are afforded a level of protection comparable to that provided under the PDPA. 
Therefore, Belden Singapore’s breach constituted a lapse in legal formalities rather than a failure to comply with the substance of the Transfer Limitation Obligation. Whether GVSPL complied with the Transfer Limitation Obligation 18. GVSPL was determined to have complied with the Transfer Limitation Obligation for the reasons explained below. 19. At the material time, GVSPL (as a subsidiary of GV USA) and Belden Inc. were bound by a Data Sharing Agreement dated 18 June 2020 (“DSA”), which governed the terms on which GVSPL transferred personal data to Belden Inc. The DSA is in compliance with Regulation 9(1)(b), read with Regulations 10(1)(b) and 10(2) of the PDPR. Clause 10.1 of the DSA provided that, in the case of international transfers of data (including personal data): “The Receiving Party shall not process any Data (not permit any Data to be processed) in a territory outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law [Footnote 3: Defined to mean “all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, EU Data Protection Law.”]. Such measures may include (without limitation); (a) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data; (b) to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law; (c) to a recipient in the United States that maintains a valid and up-to-date EU-US Privacy Shield certification or (d) to a recipient that has executed standard contractual clauses adopted or approved by the European Commission or by virtue of entering into this Agreement.” 20. Whilst Clause 10.1 of the DSA does not mention the PDPA specifically, it does require a Grass Valley entity (including GVSPL) to take measures as are necessary to ensure the transfer is in compliance with the Applicable Data Protection Law, which – in the context of GVSPL – is the PDPA. 
21. Additionally, the DSA also contains several provisions aimed at addressing identifiable security risks posed to the transferred personal data as well as ensuring that the Receiving Party assists the Disclosing Party. In particular: (a) Clause 6.1(c) required the Receiving Party to assist the Disclosing Party as necessary to comply with its obligations under the Applicable Data Protection Law (defined to mean all worldwide data protection and privacy laws and regulations applicable to the personal data in question) including (but not limited to) conducting any data protection impact assessments, consultation with a supervisory authority and fulfilment of any obligations the Disclosing Party may have to respond to requests from data subjects to exercise their rights under the Applicable Data Protection Law; (b) Clause 6.1(d) required the Receiving Party to ensure that any persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (c) Clause 7.1 provided that the Receiving Party “shall maintain appropriate and sufficient technical and organisational security measures to protect the Data against a Security Incident, taking into account state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of the data subject(s)”. Clause 7.2 further stipulates certain actions that the Receiving Party is required to take in the event of a confirmed Security Incident to mitigate the effects of the incident and assist the Disclosing Party to fulfill any obligations under the Applicable Data Protection Law. 22. 
Finally, the group policies and measures concerning the treatment of personal data enumerated in paragraph 16 also applied to the transfers from GVSPL within the Belden Group. The Deputy Commissioner’s Decision 23. In light of Belden Singapore’s breach of the Transfer Limitation Obligation, the Commission is empowered under section 48I of the PDPA to issue Belden Singapore such directions as it deems fit to ensure compliance with the PDPA. This may include directing Belden Singapore to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 24. In considering whether a direction should be given to Belden Singapore in this case, it is noted that: (a) It was an oversight that Belden Singapore did not sign a Deed of Accession prior to the Incident, and this lapse has been rectified by the signing of the Deed of Accession. (b) Belden Singapore’s breach of the Transfer Limitation Obligation was technical, and a failure of legal formalities that was not substantive in nature. As stated in paragraph 17(d), at the operational level, the suite of Belden group policies, practices and technical measures implemented were sufficient to ensure that personal data transferred from Singapore to Belden Inc. were afforded a level of protection comparable to that provided under the PDPA. 25. Having considered all of the above circumstances, Belden Singapore is administered a warning in respect of its breach of the Transfer Limitation Obligation. No other directions are necessary in view of the remedial actions already taken, namely, Belden Singapore’s accession to the GDTA. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Warning,a89e11d9b22ce2cc69d737938faf4e47ad9addbb,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,56,56,1,952,Directions were issued to NUInternational Singapore and Newcastle Research and Innovation Institute for breach of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to their ultimate parent company in the United Kingdom and related company in Malaysia.,"[""Transfer Limitation"", ""Directions"", ""Education"", ""Ransomware"", ""Consent""]",2021-09-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NUI-and-NewRIIS--23062021.pdf,Transfer Limitation,Breach of the Transfer Limitation Obligation by NUInternational Singapore and Newcastle Research and Innovation Institute,https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-transfer-limitation-obligation-by-nuinternational-singapore-and-newcastle-research-and-innovation-institute,2021-09-21,"PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 5 Case No. DP-2009-B7011 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) NUInternational Singapore Pte Ltd (2) Newcastle Research and Innovation Institute Pte Ltd … Organisations DECISION (1) NUInternational Singapore Pte Ltd; (2) Newcastle Research and Innovation Institute Pte Ltd [2021] SGPDPC 5 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2009-B7011 23 June 2021 Introduction 1 On 17 September 2020 and 13 November 2020, the Personal Data Protection Commission (the “Commission”) was notified of a ransomware attack relating to Newcastle Research and Innovation Institute Pte Ltd and NUInternational Singapore Pte Ltd (collectively known as the “Organisations”) in Singapore (the “Incident”). 
Facts of the case 2 The ransomware infected, on or around 30 August 2020, (a) a database in the United Kingdom, managed by the ultimate parent company of the Organisations (containing 1,083 records of Singapore-based individuals); and (b) a database in Malaysia, hosted by a related company of the Organisations (containing 194 records of Singapore-based individuals). These records containing personal data of the Singapore-based individuals were previously transferred from the Organisations to the ultimate parent company in the United Kingdom and the related company in Malaysia respectively. The Singapore-based individuals were a mix of staff members, undergraduates and/or post-graduate students of the Organisations. Their personal data (comprising names and user account identifications) were exfiltrated by the threat actor. Findings and Basis for Determination 3 Section 26(1) of the PDPA stipulates that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA (the “Transfer Limitation Obligation”). The requirements mentioned in section 26(1) were set out in Regulations 9 and 10 of the Personal Data Protection Regulations 2014 (which were in force at the time) (the “Transfer Regulations 2014”). The Transfer Regulations 2014 was recently amended (“the Transfer Regulations 2021”). The ensuing analysis and application of the Transfer Regulations 2014 is equally relevant for the Transfer Regulations 2021, which is in pari materia but for some re-numbering of the regulations. 4 The Transfer Regulations 2014 provides for a range of transfer mechanisms to ensure compliance with Section 26(1) of the PDPA, e.g. 
through legally enforceable obligations under any law, contracts, binding corporate rules or any other legally binding instruments. Within a group of companies, reliance on intra-group agreements and binding corporate rules is common for cross-border data transfers. They provide a flexible system for centralisation of corporate functions and services. The commercial decision would be driven by where these functions are best located, and intra-group agreements and binding corporate rules allow the group to establish a bespoke internal governance system to ensure that personal data is well managed across the group. The Transfer Regulations 2014 (and 2021) support the adoption of intra-group agreements and binding corporate rules in the following manner. 5 Pursuant to Regulation 9(1)(b), the Organisations could have met the Transfer Limitation Obligation by taking appropriate steps to ensure that the recipients of the transferred personal data in the United Kingdom and Malaysia were bound by legally enforceable obligations (in accordance with Regulation 10(1) of the Transfer Regulations 2014) to provide to the transferred personal data a standard of protection that is at least comparable to that under the PDPA. Regulation 9(1)(b) is now Regulation 10(1) in the Transfer Regulations 2021. Regulation 10(1) of the Transfer Regulations 2014 specifies that such legally enforceable obligations include any law, a contract that complies with the conditions in Regulation 10(2), or binding corporate rules that meet the conditions set out in Regulation 10(3). These same regulations are now in Regulation 11 in the Transfer Regulations 2021. These regulations support the use of intra-group agreements [Footnote 1: See Re Everlast Projects & Others [2020] SGPDPC 20 at [13].] and binding corporate rules [Footnote 2: See Re Singapore Technologies Engineering Limited [2020] SGPDPC 21.]. 
6 Investigations revealed that the Organisations did not put in place intra-group agreements, binding corporate rules or any other legally binding instrument to ensure that a standard of protection comparable to the PDPA is provided to personal data transferred within the group as required by Regulation 10(1). 7 In their responses to the Commission, the Organisations put forward the argument that they had met the Transfer Limitation Obligation under the PDPA by virtue of the fact that the laws of the United Kingdom applied to the receiving organisations within their group. I do not exclude the possibility that the data protection system that governs the receiving organisation may, on a proper analysis, provide comparable protection. However, based on the responses made by the Organisations to the Commission, I am not satisfied that the transferring organisation conducted this analysis and concluded that there would be comparable protection before the transfer. After-the-fact justification will not be accepted. 8 Of the 1,083 Singapore-based individuals whose personal data had been transferred to the ultimate parent company in the United Kingdom, the Organisations mentioned that 44 of these individuals, who were employees, had consented to the transfer of their personal data out of Singapore in their employment contracts. Regulation 9(3)(a) of the Transfer Regulations 2014 did provide for the Transfer Limitation Obligation to be met by obtaining the consent of individuals for the transfer of their data. 
However, to meet the consent requirement under Regulation 9(3)(a) of the Transfer Regulations 2014, Regulation 9(4) requires the Organisations to provide to the individuals a summary in writing of the extent to which their personal data, when transferred to a foreign country or territory, would be protected to a standard comparable to the PDPA. These requirements are now encapsulated in Regulations 10(2)(a) and 10(3) of the Transfer Regulations 2021. The procedural safeguards established by Regulation 9(3) of the Transfer Regulations 2014 makes the use of consent somewhat more cumbersome, as there is a need for consent to be refreshed whenever reorganisation of the group’s internal function leads to a relocation of that function in a different jurisdiction. This also does not enable the Organisations to benefit from the employment management exception to the requirement for consent. Be that as it may, this option is available for organisations that choose to rely on it. However on the evidence, this summary in writing was not provided by the Organisations to the 44 Singapore employees. 5 The Deputy Commissioner’s Directions 9 In view of the foregoing, I therefore find that the Organisations have failed to discharge their Transfer Limitation Obligation under section 26 of the PDPA. The Organisations are directed to do the following within 30 days from the date of this Decision: (a) put in place intra-group agreements or binding corporate rules for compliance with section 26 of the PDPA in relation to any personal data transferred out of Singapore3; (b) if relying on consent, review and make necessary changes to its consent and notification processes for compliance with section 26 of the PDPA and Regulation 10(3) of the Personal Data Protection Regulations 2021 in relation to any personal data transferred out of Singapore; and (c) inform the Commission of the completion of the above within 7 days of implementation. 
YEONG ZEE KIN
DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION

[3] Refer to Regulation 11 of the Personal Data Protection Regulations 2021, which is applicable at the present time.
",Directions,3b598c8a7be71e58fadf5f81e6bf2476ad13c791,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,72,72,1,952,Singapore Technologies Engineering was found not in breach of the PDPA in relation to the transfer of the personal data of its Singapore-based employees to its subsidiaries based in United States.,"[""Transfer Limitation"", ""Not in Breach"", ""Manufacturing"", ""Ransomware""]",2021-01-14,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----ST-Engineering-Ltd---16112020.pdf,Transfer Limitation,No Breach of the Transfer Limitation Obligation by Singapore Technologies Engineering,https://www.pdpc.gov.sg/all-commissions-decisions/2021/01/no-breach-of-the-transfer-limitation-obligation-by-singapore-technologies-engineering,2021-01-14,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 21 Case No. DP-2006-B6426 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Technologies Engineering Limited … Organisation DECISION Singapore Technologies Engineering Limited [2020] SGPDPC 21 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2006-B6426 16 November 2020

Introduction

1 On 10 June 2020, Singapore Technologies Engineering Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that its subsidiary based in the United States of America (“USA”), VT San Antonio Aerospace Inc. (“VT SAA”), had discovered a cybersecurity incident where threat actors gained unauthorised access to VT SAA’s US-based IT network and deployed a ransomware attack (the “Incident”).
Facts of the Case

2 The Organisation is a Singapore incorporated company with a network of subsidiaries in Asia, Europe, the USA and the Middle East. The ransomware attack was isolated to a limited part of VT SAA’s network, but also affected a few of the Organisation’s subsidiaries based in the USA that were using IT shared services provided by VT SAA. The Organisation’s IT network in Singapore was not compromised during the Incident. However, the following types of personal data belonging to 287 individuals in Singapore (“Affected Individuals”) were potentially exposed to the risk of unauthorised access (collectively, the “Personal Data Sets”) [1]:
(a) Name;
(b) Address;
(c) Email address;
(d) Telephone number;
(e) NRIC number and date of issue;
(f) Passport details;
(g) Photograph;
(h) Date of birth;
(i) Citizenship;
(j) Country of residence;
(k) Place of birth;
(l) USA Social Security number;
(m) USA visa information;
(n) Details regarding government or military service, where applicable;
(o) CV information;
(p) Foreign identification numbers;
(q) Government issued identification (ID) information;
(r) Associated information about minors; and
(s) Employee status.

[1] This list sets out the personal data types potentially affected in the Incident. Not all of these types of personal data were affected for each Affected Individual, and the type(s) of personal data affected for each Affected Individual varies. The Personal Data Sets of 49 Affected Individuals were assessed to have been “likely exfiltrated”, with the remaining Personal Data Sets assessed to have been “likely affected, may have been exfiltrated”.

3 In this regard, the Affected Individuals’ Personal Data Sets had been transferred from the Organisation (in Singapore) to VT SAA and the Organisation’s other subsidiaries (based in the USA). The purposes of the transfer included making regulatory filings with the USA authorities, secondment or transfers of employment, and security clearance in connection with visits to facilities.

4 Upon discovery of the Incident, the Organisation and VT SAA immediately took the following remedial actions:
VT SAA
(a) Notified the federal law enforcement officials in the USA;
(b) Immediately disconnected certain systems from the network and retained leading third-party forensic advisors to investigate the Incident;
(c) Conducted a rigorous review of the Incident and its systems, including deploying advanced tools to remediate the intrusion and to restore the affected systems;
(d) Strengthened its overall cybersecurity architecture, including enhanced endpoint security controls, additional network monitoring and other security hardening measures; and
(e) Implemented a Security Operations Centre to provide 24/7 monitoring, detection and response capabilities.
The Organisation
(f) Reprioritised and accelerated its existing IT harmonisation plan (including the enhancement and hardening of internal controls and external program elements) for all its entities.

Findings and Basis for Determination

5 As a preliminary point, the data protection obligations in the Personal Data Protection Act 2012 (“PDPA”) did not apply to VT SAA and the Organisation’s other subsidiaries (based in the USA) with respect to the Incident. This is because they did not carry out any activities in relation to the collection, use or disclosure of the Affected Individuals’ Personal Data Sets in Singapore. The Commission will defer to the ongoing investigations by the US federal law enforcement officials into VT SAA and the Organisation’s subsidiaries based in the USA. The Commission’s investigations in the present case focused on whether the Organisation’s transfer of the Affected Individuals’ Personal Data Sets from Singapore to the USA met the requirements under the PDPA.

The Transfer Limitation Obligation under Section 26 of the PDPA

6 Section 26(1) of the PDPA provides that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA (the “Transfer Limitation Obligation”). The relevant requirements are prescribed in Part III of the Personal Data Protection Regulations 2014 (“PDPR”). In particular:
(a) Regulation 9(1)(b) of the PDPR requires an organisation that transfers personal data to a country or territory outside of Singapore to take appropriate steps to ensure that the recipient of personal data is bound by legally enforceable obligations (in accordance with Regulation 10) to provide to the transferred personal data a standard of protection that is at least comparable to that under the PDPA;
(b) Regulation 10(1)(c) of the PDPR provides that such legally enforceable obligations include, amongst other things, any binding corporate rules in accordance with Regulation 10(3) of the PDPR; and
(c) Regulation 10(3) of the PDPR provides that such binding corporate rules must require every recipient of the transferred personal data to provide a standard of protection for the transferred personal data that is comparable to that of the PDPA, and must specify (i) the recipients of the transferred personal data to which the binding corporate rules apply; (ii) the countries and territories to which the personal data may be transferred under the binding corporate rules; and (iii) the rights and obligations provided by the binding corporate rules. Further, such binding corporate rules may only be used by recipients that are related to the transferring organisation.

Whether the Organisation complied with the Transfer Limitation Obligation

7 The Commission’s investigations revealed that the Organisation had complied with the Transfer Limitation Obligation for the reasons explained below.

8 At the material time, the Organisation had put in place binding corporate rules set out in the St Engineering’s Group Binding Corporate Rules for Transfers of Personal Data (PDP-04) (“BCRs”), which met the requirements of Regulation 9(1)(b) read together with Regulations 10(1)(c) and 10(3) of the PDPR:
(a) The BCRs were applicable to and legally binding upon all of the Organisation’s direct and indirect subsidiaries worldwide (each a “Group Company” and collectively, the “Group”), concerning the transfers (including international transfers) of personal data within the Group;
(b) The BCRs specified the countries and territories to which personal data may be transferred (which included the USA);
(c) Each Group Company that received transferred personal data was bound by legally enforceable obligations to provide a standard of protection for the personal data transferred that is at least comparable to the protection under the PDPA. In particular: “5.6 The Receiving Company shall protect the transferred Personal Data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or other similar risks to the transferred Personal Data. 6.1 Each Group Company warrants and undertakes that it has implemented and maintained appropriate security, technological and organisational measures in accordance with the Group Company’s legal obligations under the PDPA or other applicable Data Protection Laws to protect Personal Data and to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or other similar risks to the transferred Personal Data.”
(d) Rights and obligations provided by the BCRs are specified. These included the permitted purposes for transfer of personal data, data protection obligations of the receiving company, and protection and security of personal data. The permitted purposes set out in the following clauses in the BCRs included the purposes of transfer of the Affected Individuals’ Personal Data Sets at [3]: “1. Managing or terminating the employment relationship … … (xvii) Preparing and making travel arrangements for employees’ work or business travel (including visa applications, transport and accommodation arrangements) … … 2. Evaluative purposes … … (iii) Evaluation for secondment / transfer of employment to another entity within the Group / for extension of contract (for contract staff) / termination / redundancy / restructuring … … 3. Group’s business operations, including the Group’s internal business management, administration and operations: … … (vi) Submission to government agencies and authorities for permits and approvals … … (xiii) To facilitate security clearance / entry access into premises of customers, vendors, consultants and other business partners”.

9 Having carefully considered all the relevant circumstances and for the reasons set out above, I find that the Organisation complied with the Transfer Limitation Obligation in relation to its transfer of the Affected Individuals’ Personal Data Sets to VT SAA and its other subsidiaries based in the USA.

YEONG ZEE KIN
DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION
",Not in Breach,e80b77152c3052ff0a5870f8773669cd59a36872,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"