pdpc_decisions_version_detail (view)
5 rows where "date" is on date 2019-08-02
This data as json, CSV (advanced)
Suggested facets: nature, decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 143 | 143 | 1 | 952 | Directions were issued to Avant Logistic Service for failing to make reasonable security arrangements to prevent the unauthorised disclosure of customers' personal data. The lapses resulted in personal data of customers being disclosed by an employee. | [
"Protection",
"Directions",
"Wholesale and Retail Trade"
] |
2019-08-02 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Avant-Logistic-Service-Pte-Ltd---300719.pdf | Protection | Breach of the Protection Obligation by Avant Logistic Service | https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-avant-logistic-service | 2019-08-02 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 28 Case No DP-1802-B1709 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Avant Logistic Service Pte. Ltd. … Organisation DECISION Avant Logistic Service Pte. Ltd. [2019] SGPDPC 28 Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1709 30 July 2019 Background 1 On 25 November 2017, a customer of Ezbuy Holdings Ltd. (“Ezbuy”) made a complaint to the Personal Data Protection Commission (the “Commission”) alleging that her personal data had been disclosed to another customer of Ezbuy without her consent by an employee of Avant Logistic Service Pte. Ltd. (the “Organisation”). The facts of this case are as follows. 2 Ezbuy provides an online e-commerce platform that allows its customers to shop for items from various online retailers and platforms around the world. It engaged the Organisation to provide delivery services in Singapore. The Organisation is an affiliate of Ezbuy and its delivery personnel are required to adhere to Ezbuy’s Privacy Policy and the terms and conditions in Ezbuy’s Employee Handbook and Ezbuy’s Delivery and Collection Standard Operation Procedure (“SOP”). 3 When a customer ordered an item through Ezbuy’s platform, they would be offered two modes of delivery, (i) delivery to a designated collection point 1 Avant Logistic Service Pte. Ltd. [2019] SGPDPC 28 (referred to by Ezbuy as “self-collection”), or (ii) delivery to the customer’s address. If the customer opted for self-collection, the customer would proceed to the designated collection point at a specified time. The delivery personnel there would verify their identity using their Ezbuy user ID or their mobile number registered with Ezbuy and then hand over the package with their item. 4 On 9 November 2017, the complainant scheduled to self-collect a package that she ordered from Ezbuy at a collection point in Bishan at around 6.30 p.m. One of the Organisation’s employees (referred to in this Decision as “OA”), was a… | Directions | 080f1f19619de2e97b442d076d6b4f4a81f71d57 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 144 | 144 | 1 | 952 | A financial penalty of $54,000 was imposed on Horizon Fast Ferry for failing to appoint a data protection officer, develop and implement data protection policies and practices, and put in place reasonable security arrangements to protect the personal data collected from its customers. | [
"Protection",
"Financial Penalty",
"Transport and Storage"
] |
2019-08-02 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Horizon-Fast-Ferry---250719.pdf | Protection | Breach of the Protection Obligation by Horizon Fast Ferry | https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-horizon-fast-ferry | 2019-08-02 | COMMISSIONER FOR PERSONAL DATA PROTECTION [2019] SGPDPC 27 Case No DP-1710-B1202 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Horizon Fast Ferry Pte. Ltd. (UEN No. 201221074R) … Organisation DECISION Horizon Fast Ferry Pte. Ltd. [2019] SGPDPC 27 Tan Kiat How, Commissioner — Case No DP-1710-B1202 25 July 2019 1 On 9 October 2017, the Complainant informed the Personal Data Protection Commission (the “Commission”) that by entering her passport number in the booking form on the Organisation’s website, her name, gender, nationality, date of birth and passport expiry date were automatically populated in the corresponding fields on the form on the Booking Site without any requirement for further authentication (the “Incident”). Material Facts 2 The Organisation is a Singapore-based ferry operator with ferry services running between Singapore and Batam. 3 As part of its service offerings, the Organisation operates a website that allows passengers to purchase ferry tickets directly from the Organisation online (“Booking Site”). At the material time, passengers who wanted to purchase ferry tickets through the Booking Site were required to provide the following personal data (the “Personal Data Set”) as set out in the form on the Booking Site (“Booking Form”): (a) the passenger’s full name; (b) gender; (c) nationality; (d) date of birth; (e) passport number; and (f) passport expiry date. 4 The same Personal Data Set was collected from passengers and entered into the Organisation’s Counter Check-In System (“CCIS”) when they checked in at the check-in counter. The CCIS is an internal system used by the Organisation’s counter staff to manage the passenger check-in process and is only accessible by authorised counter staff. 5 As a matter of practice, all Personal Data Sets collected from the Booking Site and the CCIS were stored and retained on the Organisation’s internal database (the “Database”) even after the last travelling date of the pas… | Financial Penalty | 22d8a5e1622926675d2f3bece9bfea120e5cb7a8 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 145 | 145 | 1 | 952 | A financial penalty of $16,000 was imposed on Genki Sushi for failing to put in place reasonable security arrangements to protect personal data of its employees. The incident resulted in the data being subjected to a ransomware attack. | [
"Protection",
"Financial Penalty",
"Accommodation and F&B",
"Food",
"F&B"
] |
2019-08-02 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Genki-Sushi---220719.pdf | Protection | Breach of the Protection Obligation by Genki Sushi | https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-genki-sushi | 2019-08-02 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 26 Case No DP-1809-B2684 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Genki Sushi Singapore Pte. Ltd. … Organisation DECISION Genki Sushi Singapore Pte. Ltd. [2019] SGPDPC 26 Genki Sushi Singapore Pte. Ltd. [2019] SGPDPC 26 Tan Kiat How, Commissioner — Case No DP-1809-B2684 22 July 2019 Background 1 On 7 September 2018, Genki Sushi Singapore Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a server on the Organisation’s network which stored the personal data of its employees, among other information, had been the target of a ransomware attack. This attack resulted in the unauthorised encryption of the employee personal data hosted on that server and the Organisation being subjected to a ransom demand (the “Incident”). The Commission commenced an investigation in order to determine whether the Organisation had failed to comply with its obligations under the Personal Data Protection Act 2012 (the “PDPA”). Material Facts 2 The Organisation is a sushi chain restaurant. As part of its internal operations, it used an off-the-shelf payroll software application, “TimeSoft”, which was developed and licensed to it by Times Software Pte Ltd (“Times”). The TimeSoft application included a web portal and a database. The web portal was used by (a) employees to view their electronic payslips and (b) supervisors at the various restaurants to confirm the attendance of their employees during 1 Genki Sushi Singapore Pte. Ltd. [2019] SGPDPC 26 the designated hours. The database contained the personal data of the Organisation’s former and current employees (“Employee Data Files”). The TimeSoft application was hosted on a local server belonging to the Organisation (the “Server”). The Server also contained financial data files (e.g. financial statements and details on the Organisation’s dealings with its vendors). 3 On 30 August 2018, the Organisation’s IT per… | Financial Penalty | 2ce401cead0de35fee05185836541ed0903e6dff | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 146 | 146 | 1 | 952 | Directions, including a financial penalty of $5,000, were imposed on Championtutor for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA. | [
"Accountability",
"Financial Penalty",
"Education",
"Tuition",
"Education"
] |
2019-08-02 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Championtutor---220719.pdf | Accountability | Breach of the Openness Obligation by Championtutor | https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-openness-obligation-by-championtutor | 2019-08-02 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 25 Case No DP-1710-B1269 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ChampionTutor Inc. … Organisation DECISION ChampionTutor Inc [2019] SGPDPC 25 Tan Kiat How, Commissioner — Case No DP-1710-B1269 22 July 2019 Background 1 On 31 October 2017, the Personal Data Protection Commission (the “Commission”) received a complaint from a former tutor (“Complainant”) who had registered with ChampionTutor Inc (“Organisation”), stating that he found a URL link1 (“URL Link”) to the Organisation’s tutor list (“Tutor List”) through a Google search. (the “Incident”). The Commission proceeded to investigate the Incident in order to determine whether the Organisation had complied with its obligations under the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 The Organisation is a home tuition agency in Singapore with more than 10 years’ experience matching students and tutors. While the service is free for students, tutors are required to pay a commission to the Organisation for each tuition assignment they accepted. 1 https://www.championtutor.com/certs_tutor/1certs1397642794.pdf ChampionTutor Inc 3 [2019] SGPDPC 25 In the course of investigations by the Commission, it was found that the Tutor List contained name, contact number and email address (“Disclosed Information”) of a total of 4,899 individuals, including the Complainant (“Affected Individuals”). 4 It also emerged in the course of investigations that the Organisation had not appointed any data protection office (“DPO”) and had failed to develop and put in place any internal data protection policies. Findings and Basis for Determination 5 The issues to be determined by the Commissioner in this case are as follows: (a) Whether the Disclosed Information is “business contact information” as defined under section 2(1) of the PDPA; and (b) Whether the Organisation had complied with the obligations to appoint a data protection officer (“… | Financial Penalty | a7bc8b98d073c9ff692b042e0c3cd60c12941780 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 147 | 147 | 1 | 952 | A financial penalty of $24,000 and $12,000 was imposed on CDP and Toppan Security Printing respectively for failing to put in place reasonable security arrangements to protect the data of CDP’s account holders from unauthorised disclosure. The incident resulted in other account holders’ data being printed on another account holder’s notification letter. An application for reconsideration was made by Toppan Security Printing. Upon reconsideration, directions in the decision were varied. | [
"Protection",
"Protection",
"Financial Penalty",
"Financial Penalty",
"Transport and Storage",
"Admin and Support Services"
] |
2019-08-02 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Updated-as-of-15-Nov-2019-Decision---CDP-and-Toppan---220719.pdf | Protection, Protection | Breach of the Protection Obligation by CDP and Toppan Security Printing | https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-cdp-and-toppan-security-printing | 2019-08-02 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 24 Case No DP-1706-B0895 and DP-1707-B0908 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. The Central Depository (Pte) Limited 2. Toppan Security Printing Pte Ltd …Organisation(s) DECISION Editorial note: An application for reconsideration was filed against the decision in Re Central Depository (Pte) Limited & Anor [2019] SGPDPC 24. Pursuant to this application, the Commissioner has decided to reduce the financial penalty imposed on the Organisation from $18,000 to $12,000. As the application did not give rise to significant legal or factual issues, a separate decision on the application will not be published. Re The Central Depository (Pte) Limited & Anor. [2019] SGPDPC 24 Tan Kiat How, Commissioner – Case No DP-1706-B0895 – Case No DP-1707B0908 22 July 2019 1. Organisations may employ vendors to carry out the printing and mailing of documents containing the personal data of their customers on their behalf. The process may involve both the organisations and vendors, which requires a concerted effort to protect personal data. This case presents the issue of division of responsibility in protecting personal data under the PDPA in such circumstances. Background and Material Facts 2. This case concerns the unauthorised disclosure of personal data of 1,358 account holders of the Central Depository (Pte) Limited (“CDP”) when their personal data was wrongly printed in the notification letters of other account holders and sent out. The incident occurred on or about 27 June 2017. 3. The exposed data included the name and/or CDP securities account number (“exposed primary identifiers”) which constitute personal data of the individual. In some notification letters, additional information on the securities owned by the Re Central Depository (Pte) Limited & Anor [2019] SGPDPC 24 individual (eg name of security and total amount of dividends or distribution for the security) was also disclosed. These, w… | Financial Penalty, Financial Penalty | 850caf449162034d53605762c40ce355aee93042 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;