pdpc_decisions_version_detail (view)

4 rows where "date" is on date 2022-06-16

View and edit SQL

This data as json, CSV (advanced)

Suggested facets: nature, decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)

_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 27 27 1 952 Both organisations were found not in breach of the PDPA in relation to complaints regarding alleged collection and disclosure of personal data without consent. 
[
    "Consent",
    "Not in Breach",
    "Real Estate",
    "No breach"
]
 2022-06-16 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SLP-Scotia-Pte-Ltd-and-SLP-International-Property-Consultants-Pte-Ltd---09042022.pdf Consent No Breach of the Consent Obligation by SLP Scotia and SLP International Property Consultants https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/no-breach-of-the-consent-obligation-by-slp-scotia-and-slp-international-property-consultants 2022-06-16 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6585, DP-2007-B6591, DP-2007-B6594, DP-2007-B6598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SLP Scotia Pte. Ltd. SLP International Property Consultants Pte. Ltd. SUMMARY OF THE DECISION 1. Between 10 to 14 July 2020, the Personal Data Protection Commission (the “Commission”) received four complaints against SLP International Property Consultants Pte Ltd (“SLPIPC”) and its subsidiary SLP Scotia Pte Ltd (“SLPS”) (collectively, the “Organisations”). The complainants were property agents registered through SLPS (the “Complainants”). 2. As a merger was due to take place between the Organisations, on 7 July 2020, SLPIPC initiated the registration of salespersons in SLPS as salespersons in SLPIPC with the Council of Estate Agencies (“CEA”). CEA thereafter emailed the Complainants asking them to either initiate a salesperson application to join SLPIPC or disregard the email if they were not interested in registering with SLPIPC (the “Incident”). 1 3. The Complainants alleged that: a. they had not consented to be contacted for such purposes; and b. SLPS had improperly disclosed their personal data (including NRIC number, date of birth, and home address) to SLPIPC, and SLPIPC had in turn improperly disclosed the data to CEA. 4. CEA is the entity which administers the registration of salespersons (such as the Complainants) under the Estate Agents Act 2010 (“EAA”). Pursuant to section 29(1) of the EAA, a person may not act as a salesperson for any estate agent unless he or she is registered; the said register is maintained by the CEA pursuant to section 36 of the EAA. Further, under section 40(1) of the EAA, a salesperson may not be registered to act as a salesperson for more than one estate agent at any one time. 5. SLPIPC disclosed the personal data of the Complainants to CEA for the purposes of the change in registration from SLPS to SLPIPC. In doing so, SLPIPC was complying with its obligations under the… Not in Breach 81943b55f3e50d31e820edf46499ec3602f370c0 
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 28 28 1 952 Aman was found not in breach of the PDPA in relation to an incident involving unauthorised access to its servers and exfiltration of personal data. Aman had employed reasonable security arrangement and technical measures to protect its data. 
[
    "Protection",
    "Not in Breach",
    "Accommodation and F&B"
]
 2022-06-16 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Aman-Group-Sarl-and-or-Amanresort-International-Pte-Ltd--28022022.pdf Protection No Breach of the Protection Obligation by Aman Group S.a.r.l and Amanresort International https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/no-breach-of-the-protection-obligation-by-aman-group 2022-06-16 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2012-B7506 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Aman Group S.a.r.l and/or Amanresort International Pte Ltd SUMMARY OF THE DECISION 1. On 5 December 2020, the Personal Data Protection Commission (the “Commission”) received a notification from SingCERT of a personal data breach involving Aman Group S.a.r.l (“Aman Group”) and/or Amanresort International Pte Ltd (“Aman SG”). 9 systems in London and 2 systems in Singapore were compromised and files containing personal data exfiltrated (the “Incident”). Page 1 of 4 2. As a result of the Incident, personal data of approximately 2,500 individuals which included their name, date of birth, address, email address, phone number and profession were affected. 3. The Aman Group engaged an external cybersecurity company, Ankura Consulting, to investigate the Incident. Its investigations found that the threat actor(s) had gained unauthorised access into 11 systems, which included 9 servers based in London and 2 servers based in Singapore. 4. While the investigations did not uncover any evidence of what the initial method and point of entry were, the most likely scenario is that the threat actor had initially entered via the London based systems. This is because the suspicious activities were first detected in the London systems. Thereafter, the threat actor subsequently gained access to the 2 Singapore based servers by creating administrator account credentials. There was no evidence that the firewalls in the Singapore based servers were breached. 5. Investigations could not conclusively exclude the possibility that data may have been exfiltrated from one of the Singapore based servers. However, analysis conducted by the Aman Group on four extracts obtained from the threat actor(s) failed to establish any conclusive links between the extracts and the current database in the affected Singapore based server. 6. Investigations further revealed that any exfiltrat… Not in Breach 5e015c5637baabcfc9d1ffcaae0eb7490cbabe57 
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 29 29 1 952 Ngian Wen Hao Dennis, Chua Puay Hwa Melissa and Winarto were found in breach of the PDPA and issued warnings in relation to two incidents involving the unauthorised collection and disclosure of individuals’ personal data in 2019 and 2020. 
[
    "Consent",
    "Notification",
    "Warning",
    "Finance and Insurance"
]
 2022-06-16 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Dennis-Ngian--Others---08032022.pdf Consent, Notification Breach of the Consent and Notification Obligations by three insurance financial advisers https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/breach-of-the-consent-and-notification-obligations-by-three-insurance-financial-advisers 2022-06-16 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2109-B8857 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Ngian Wen Hao Dennis (2) Chan Puay Hwa Melissa (3) Winarto (4) Aviva Financial Advisers Pte Ltd SUMMARY OF THE DECISION 1. On 7 September 2021, the Personal Data Protection Commission (the “Commission”) was notified of two incidents involving unauthorised disclosure and collection of personal data by three individuals. 2. Ngian Wen Hao Dennis (“Dennis”) was an Aviva Financial Advisers Pte Ltd (“AFA”) representative between December 2017 and February 2019. In March 2019 and August 2020, Dennis approached two insurance financial advisers, Chua Puay Hwa Melissa (“Melissa”) and Winarto, to offer them a list of client leads, stating that he was leaving the insurance industry and looking for a reliable agent 1 to take over his clientele. Melissa and Winarto each said they paid $1,000 to Dennis for the list (the “Incidents”). 3. The list contained approximately 1,000 clients’ names, mailing addresses, contact numbers and the names of organisations underwriting the hospitalisation plans bought by the clients (“Personal Data Sets”). 4. The PDPA defines “organisations” to include individuals. As held in Re Sharon Assya Qadriyah Tang1, individuals who collect, use or disclose personal data otherwise than in a personal or domestic capacity will be treated as organisations within the meaning of the Act, and are obliged to comply with the Data Protection Provisions. In this case, we are of the view that it is clear that Dennis, Melissa and Winarto can be regarded as an “organisation” as defined under the PDPA for a number of reasons. First, the trio had bought and sold the client leads for work and business purposes, with the aim of generating an income or profit, and cannot be said to have been acting in a personal or domestic capacity. 5. Second, Dennis, Melissa and Winarto were not employees. In Re Ang Rui Song2, the Commission found that the respondent, … Warning 11afc51e552a655c8c243aa724648b2011a2eb25 
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 30 30 1 952 A financial penalty of $22,000 was imposed on Vhive for failing to put in place reasonable security arrangements to protect the personal data in its possession from a ransomware attack. 
[
    "Protection",
    "Financial Penalty",
    "Wholesale and Retail Trade",
    "Ransomware"
]
 2022-06-16 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Vhive-Pte-Ltd---08032022.pdf Protection Breach of the Protection Obligation by Vhive https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/breach-of-the-protection-obligation-by-vhive 2022-06-16 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2013-B8138 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Vhive Pte Ltd SUMMARY OF THE DECISION 1. On 26 March 2021, Vhive Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack that affected its customer database (the “Incident”). Approximately 186,281 individuals’ names, addresses, email addresses, telephone numbers, hashed passwords and customer IDs were affected. 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. This means that the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision, and admitted that it was in breach of section 24(a) of the Personal Data Protection Act (the “PDPA”). 3. The Organisation’s forensic investigation results revealed that the Organisation’s IT infrastructure had been outdated, with multiple vulnerabilities at the time of the Incident. The Organisation’s e-commerce server ran on an outdated webserver service. This, together with an unpatched firewall, allowed the threat actor to 1 remotely execute unauthorised code on the e-commerce server, and gained backdoor access to the e-commerce server to carry out the ransomware attack. 4. The Organisation had engaged an IT vendor to host, manage and maintain the e-commerce server and all its other IT systems. However, our investigations revealed that despite the purported “engagement”, there was in fact no written contract between the Organisation and its IT vendor at the time of the Incident. 5. In Re Spize Concepts Pte Ltd [2019] SGPDPC 22 at [22], we had stated that section 4(2) of the PDPA imposes on organisations that engage data intermediaries to do so “pursuant to a contract which is evidenced or made in writing”. In that case, we also highlighted that one specific category of policies and practices under section 12(a) of the PDPA … Financial Penalty 5c70e87aac9ad5ab303f0f8cb9f8f4094c224e02 
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]

Advanced export

JSON shape: default, array, newline-delimited

CSV options: 

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;