pdpc_decisions_version_detail (view)
5 rows where "date" is on date 2019-10-10
This data as json, CSV (advanced)
Suggested facets: nature, decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 135 | 135 | 1 | 952 | A warning was issued to Barnacles Pte. Ltd. for failing to put in place reasonable measures to protect the personal data of individuals who had made dining reservations via its website; and retaining such personal data when it no longer had any legal or business purpose to retain it. As a result, the personal data of 149 individuals were accessible over the Internet. | [
"Protection",
"Warning",
"Accommodation and F&B",
"Dining reservations",
"F&B"
] |
2019-10-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Barnacles.pdf | Protection | Breach of the Protection Obligation by Barnacles | https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-obligation-by-barnacles | 2019-10-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1904-B3652 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Barnacles Pte. Ltd. SUMMARY OF THE DECISION 1. Barnacles Pte Ltd (the “Organisation”) operates a website which enables its customers to make reservations to dine at its restaurant. For this purpose, it collected certain personal data from its customers such as their name, contact number, email address and date and time of their reservation, amongst other information (the “Personal Data”). However, when the Organisation developed its website, the Organisation did not instruct the vendor it appointed to develop the website to implement security arrangements to protect the Personal Data. The Organisation also made no effort to verify whether any security arrangements had been put in place by its appointed vendor. As a result, the Personal Data was accessible over the Internet, for example, if a search was made on a customer’s name using an Internet search engine. The Organisation ceased operations in January 2019 but continued to retain the Personal Data until May 2019, even though it did not have any legal or business purpose to retain the Personal Data other than to fulfil or decline its customers’ reservations. 2. Following a complaint against the Organisation in April 2019, the Personal Data Protection Commission found that the Personal Data of 149 individuals had been exposed to the risk of unauthorised disclosure as a result of the Organisation’s failure to make security arrangements to protect the Personal Data and/or to cease to retain the Personal Data once it no longer had any legal or business purpose to retain it. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of sections 24 and 25 of the Personal Data Protection Act 2012 and decided to give a warning to the Organisation. | Warning | ca4aa8642a9f0116f05bea853cfe7f4261e535a5 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 136 | 136 | 1 | 952 | A warning was issued to ERGO Insurance Pte. Ltd. for failing to protect the personal data of its policyholders from unauthorised disclosure via its internet portal. The personal data of 57 policyholders were mistakenly disclosed to other insurance intermediaries. | [
"Protection",
"Warning",
"Finance and Insurance"
] |
2019-10-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Ergo-Insurance.pdf | Protection | Breach of the Protection Obligation by ERGO Insurance | https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-obligation-by-ergo-insurance | 2019-10-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1810-B2869 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ERGO Insurance Pte. Ltd. SUMMARY OF THE DECISION 1. ERGO Insurance Pte Ltd (the “Organisation”) is a general insurer and operates an internet portal (the “Portal”) which enables its insurance intermediaries, who are not the Organisation’s employees, to request for documents of policyholders represented by the intermediaries. These documents contain the policyholders’ personal data such as their names, addresses, car registration numbers, genders, nationalities, NRIC numbers, dates of birth and contact numbers (the “Personal Data”). 2. The Organisation voluntarily informed the Personal Data Protection Commission on 15 October 2018 that it had earlier discovered, on 11 September 2018, that some of its insurance intermediaries had been incorrectly sent documents of policyholders who were represented by other insurance intermediaries (the “Incident”). The Incident arose when some insurance intermediaries (the “Intermediaries”) requested for documents of policyholders which they represent through the Portal. However, the Organisation’s application and printer servers had been shut down for a scheduled system downtime and when they were restarted, the Organisation’s employees had failed to follow the correct restart process. They were supposed to start both servers at the same time but this was not done as the starting of the printer server initially failed. This resulted in documents with duplicate document IDs being generated and hence the wrong documents being sent to the Intermediaries. As a result of the Incident, the Personal Data of 57 individuals were mistakenly disclosed to the Intermediaries. 3. The Personal Data Protection Commission found that the Organisation did not have in place a clearly defined process to restart its application and printer servers and a sufficiently robust document ID generation process (such as including a timestamp as … | Warning | 2eda8279b0e8c55d340038ea44d528dc61b77f48 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 137 | 137 | 1 | 952 | Financial penalties of $4,000 and $7,000 were imposed on Zero1 and XDel respectively for failing to put in place reasonable measures to protect the personal data of the subscribers of Zero1. | [
"Protection",
"Protection",
"Financial Penalty",
"Financial Penalty",
"Information and Communications",
"Information and Communications",
"Mobile",
"Telco",
"Courier"
] |
2019-10-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Zero1-and-XDel.pdf | Protection, Protection | Breach of the Protection Obligation by Zero1 and XDel | https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-obligation-by-zero1-and-xdel | 2019-10-10 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 37 Case No DP-1803-B1866 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Zero1 Pte. Ltd. XDEL Singapore Pte. Ltd. … Organisations DECISION Zero1 Pte. Ltd. XDEL Singapore Pte Ltd [2019] SGPDPC 37 Tan Kiat How, Commissioner — Case No DP-1803-B1866 16 September 2019. Background 1 Zero1 Pte. Ltd. (“Zero1”) is a Mobile Virtual Network Operator founded in 2017. In order to deliver its SIM cards to its customers, Zero1 contracted XDEL Singapore Pte Ltd (“XDEL”) for courier services. In the course of delivering the SIM cards, XDEL inadvertently disclosed the personal data of Zero1’s customers. Central to this case is the question of whether XDEL and Zero1 (collectively referred to as the “Organisations”) had made reasonable security arrangements to protect the personal data of Zero1’s customers pursuant to their obligations under the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 In March 2018, XDEL was appointed by Zero1 to deliver SIM cards to the latter’s subscribers. Zero1’s subscribers would register for mobile services using Zero1’s website. After their application had been processed, Zero1 would provide to XDEL the subscriber’s information (including the subscriber’s name, NRIC number, delivery address and contact number), the SIM card number and the subscriber’s preferred time of delivery. In the event that the customer had authorised another person to receive the SIM card on his or her behalf (an Zero1 Pte. Ltd. and XDEL Singapore Pte. Ltd. [2019] SGPDPC 37 “authorised recipient”), the authorised recipient’s information (name, NRIC number, contact number and delivery address) would additionally be provided to XDEL. 3 Each Zero1 subscriber was provided with a unique URL link which would allow them to access a customised delivery notification webpage through which they could monitor the status of their SIM card delivery (the “notification webpage”). It was through the notification webpa… | Financial Penalty, Financial Penalty | f6fb3aeaa2483b2aa1c8060f6e827d7401bf887c | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 138 | 138 | 1 | 952 | A financial penalty of $1,000 was imposed on Advance Home Tutors for failing to put in place reasonable security arrangements to protect the personal data collected from its tutors and for not developing and implementing data protection policies and practices necessary to ensure its compliance with PDPA. | [
"Protection",
"Accountability",
"Financial Penalty",
"Education",
"Tuition"
] |
2019-10-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Advance-Home-Tutors.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Advance Home Tutors | https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-and-accountability-obligations-by-advance-home-tutors | 2019-10-10 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 35 Case No DP-1806-B2218 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Advance Home Tutors … Organisation DECISION Advance Home Tutors [2019] SGPDPC 35 Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2218 12 September 2019 Facts of the Case 1 On 7 June 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of many individuals had apparently been disclosed without authorisation on the Organisation’s website, www.advancetutors.com.sg (the “Website”). Upon investigation, the Commission found the following facts leading to this apparent unauthorised disclosure of personal data. 2 The Organisation is a sole proprietor who provides “matching services” through the Website between freelance tutors and prospective clients seeking tuition services. 3 In January 2017, the Organisation engaged a freelance web developer based in the Philippines (the “Developer”) to provide the following services: (a) to design and develop the Website; and (b) to migrate the existing databases and files of the Organisation’s old website to the Website. 1 Advance Home Tutors 4 [2019] SGPDPC 35 At that point in time, 834 freelance tutors had signed up with the Organisation and some of these tutors had chosen to upload their educational certificates to the Website’s server (the “Server”) via the Website. These certificates would be used by the Organisation to evaluate the suitability of the tutors for prospective jobs. In addition, copies of a tutor’s certificates were to be disclosed on the tutor’s public profile on the Website if the tutor consented to such disclosure. Out of the tutors who had uploaded educational certificates, a total of 152 tutors (the “Affected Individuals”) had not consented to disclosure of their educational certificates on their public profile. 5 The Developer subsequently migrated the educational certificates of the tutors who had uploa… | Financial Penalty | 6d5126ad62fbafa12fb94c50aff6b767e9edb84c | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 139 | 139 | 1 | 952 | Amicus Solutions and a financial consultant were issued directions, including to pay financial penalties of $48,000 and $10,000 respectively, for breaches of the PDPA. Amicus Solutions failed to notify and obtain consent for the disclosure of individuals’ personal data that it sold to the financial consultant who used such personal data for telemarketing purposes. | [
"Consent",
"Notification",
"Financial Penalty",
"Admin and Support Services",
"Finance and Insurance"
] |
2019-10-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Amicus-Solutions-Pte-Ltd---Another.pdf | Consent, Notification | Breach of the Consent and Notification Obligations by Amicus Solutions and a Financial Consultant | https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-consent-and-notification-obligations-by-amicus-solutions-and-a-financial-consultant | 2019-10-10 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC [33] Case No DP-1610-B0290 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Amicus Solutions Pte. Ltd. (UEN No. 201534661R) (2) Ivan Chua Lye Kiat … Organisations DECISION Amicus Solutions Pte. Ltd. & Anor. [2019] SGPDPC 33 Amicus Solutions Pte. Ltd. & Anor. [2019] SGPDPC 33 Tan Kiat How, Commissioner — Case No DP-1610-B0290 30 August 2019 1 The Personal Data Protection Commission (the “Commission”) received a complaint regarding the unauthorised collection and use of personal data to market financial products. Investigations were commenced into the alleged unauthorised sale and disclosure of personal data by a data broker and the unauthorised collection and use of the personal data for telemarketing purposes. Upon conclusion of investigations and consideration of the totality of evidence, the Commissioner found Amicus Solutions Pte. Ltd. (“Amicus”) and Mr Ivan Chua Lye Kiat (“Mr Chua”) to be in breach of the Personal Data Protection Act 2012 (“PDPA”) for the reasons set out in these grounds. Material Facts 2 An independent life insurance brokerage company (the “Insurance Brokerage”) appointed Mr Chua as a financial adviser director to provide financial advisory services and to market financial products distributed by the Insurance Brokerage to prospective clients in accordance with the terms set out in a Financial Adviser Representative Agreement. He oversees a team of financial adviser representatives. Their main products are Eldershield related insurance policies targeted at individuals over 40 years old. 2 Amicus Solutions Pte. Ltd. & Anor. 3 [2019] SGPDPC 33 It is undisputed that Mr Chua and the financial adviser representatives in his team are not employees of the Insurance Brokerage but independent agents. As independent agents, they receive a commission for each sale but are not in an employer-employee relationship with the Insurance Brokerage nor are they entitled to any employe… | Financial Penalty | f9c77b604588fd22b9623d2884cfc03d6a7dbbb3 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;