pdpc_decisions_version_detail (view)

8 rows where nature = "Accountability"


_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 37 37 1 952 Directions were issued to ACL Construction (S) for breach of the PDPA in relation to failure to appoint a data protection officer and no policies and practices in place to comply with the PDPA.
[
    "Accountability",
    "Directions",
    "Construction",
    "No DPO"
]
2022-04-21 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--ACL-Construction-S-Pte-Ltd--030222.pdf Accountability Breach of Accountability Obligation by ACL Construction (S) https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-accountability-obligation-by-acl-construction 2022-04-21 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2107-B8598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ACL Construction (S) Pte Ltd SUMMARY OF THE DECISION 1. On 2 June 2021, the Personal Data Protection Commission (the “Commission”) was notified that data from ACL Construction (S) Pte Ltd (the “Organisation”), a company that provides pre-fabricated structures, structural steel products and construction services, was being offered for sale on the darkweb by one “Prometheus” (the “Incident”). 2. Investigations revealed that a few days ago, three ACL staff - a designer and two sales executives had experienced difficulties when they tried to log in to access their files. Thereafter, the ACL staff discovered that the files had been encrypted. The Organisation then sought external IT support. 3. The Organisation informed the Commission that the affected files contained the following data related to their projects: (i) Quotation folder – quotations (to clients and from suppliers), delivery orders, invoices and other supporting documents; (ii) Common folder – project document and photographs; and Page 1 of 3 (iii) Drawing folder – CAD drawings. 4. Our investigations revealed that the affected files contained the names of the Organisation’s customers, the relevant liaison person, their business contact number(s) and/or business email(s). 
As the names, business contact numbers and business emails were not provided by the individuals concerned for a personal purpose, they would constitute “business contact information” as defined under the Personal Data Protection Act (“PDPA”), and fall outside the scope of the Act by virtue of section 4(5) of the PDPA. Accordingly, while the Organisation may have suffered a data breach, no personal data was in fact affected. 5. This finding alone would have brought the matter to a close. However, in the course of our investigations, the Commission found out that the Organisation had failed to designate one or more individuals,… Directions e5d93d363b4513ab709353939decc81ce04eb8a1
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 120 120 1 952 Saturday Club was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. Saturday Club was directed to put in place a data protection policy to comply with the provisions of the PDPA and to conduct training to ensure its employees are aware of and comply with the requirements of the PDPA.
[
    "Accountability",
    "Directions"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Saturday-Club.pdf Accountability Breach of the Accountability Obligation by Saturday Club https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-accountability-obligation-by-saturday-club 2019-12-05 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4109 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Saturday Club Pte Ltd SUMMARY OF THE DECISION 1. Upon investigation into a suspected data breach, it was found that Saturday Club Pte Ltd (the “Organisation”) had not developed any internal policies and practices that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (“PDPA”). In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to issue the directions to the Organisation. Directions d047195a60d37294c9b55687dc7b54978590b389
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 131 131 1 952 iClick was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. iClick was directed to put in place a data protection policy to comply with the provisions of the PDPA; to develop a training programme for its employees and require them to attend the training.
[
    "Accountability",
    "Directions",
    "Information and Communications"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---iClick-Media.pdf Accountability Breach of the Accountability Obligation by iClick Media https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-accountability-obligation-by-iclick-media 2019-11-04 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And iClick Media Pte. Ltd. SUMMARY OF THE DECISION 1. Following a complaint against EU Holidays Pte Ltd, (“EU Holidays”), the Personal Data Protection Commission conducted an investigation to determine whether EU Holidays had contravened the Personal Data Protection Act 2012 (the “PDPA”). In the course of investigations, it was found that EU Holiday’s IT vendor, iClick Media Pte Ltd (the “Organisation”), had not developed any internal policies and practices that are necessary for it to meet its obligations under the PDPA. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to direct the Organisation to, within 60 days: 2. Put in place a data protection policy, including written internal policies, to comply with the provisions of the PDPA; 3. Develop a training programme for the Organisation’s employees in respect of their obligations under the PDPA when handling personal data and require all employees to attend such training; and 4. By no later than 7 days after the above actions have been carried out, the Organisation shall, in addition, submit to the Commission a written update. Directions bf9f246a0db6172bb647c44e87dcaa6e5793dce4
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 141 141 1 952 A financial penalty of $5,000 was imposed on Executive Link Services for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Accountability",
    "Financial Penalty",
    "Employment"
]
2019-09-06 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Executive-Link-20082019.pdf Accountability Breach of the Accountability Obligation by Executive Link Services https://www.pdpc.gov.sg/all-commissions-decisions/2019/09/breach-of-the-accountability-obligation-by-executive-link-services 2019-09-06 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 30 Case No DP-1806-B2237 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Executive Link Services Pte. Ltd. …Organisation(s) DECISION Executive Link Services Pte. Ltd. [2019] SGPDPC 30 Mr Yeong Zee Kin, Deputy Commissioner – Case No DP-1806-B2237 23 August 2019 Background 1. On 11 June 2018, Executive Link Services Pte. Ltd. (the “Organisation”) reported a data breach to the Personal Data Protection Commission (the “Commission”) concerning the unintended disclosure of personal data of individuals that were stored on the Organisation’s server (“Incident”). The Commission investigated the Incident and determined that the Organisation had breached its obligations under the Personal Data Protection Act 2012 (“PDPA”). Material facts 2. The Organisation is an employment agency. Sometime before 8 June 2018, one of the Organisation’s clients engaged a cybersecurity company to scan the Internet for information relating to the client. During this scan, the cybersecurity company was able to gain access and retrieve copies of draft contracts of job candidates from the Organisation’s server. The Organisation was alerted on 8 June 2018. In total, resumes of 367 individuals (the “Affected Individuals”) and around 150 draft contracts relating to some of those individuals, together with the personal data therein (the “Compromised Personal Data”), were exposed to unauthorised disclosure in this manner. 3. 
The Compromised Personal Data included the following: Re Executive Link Services Pte Ltd (a) [2019] SGPDPC 30 the individual’s name, address, contact number, email address(es), education level, salary expectation and employment history (in relation to the resumes); and (b) the individual’s name, address and salary information (in relation to the draft contracts). Events leading to the Incident 4. The Organisation had implemented remote access for staff to access internal files stored on its data storage se… Financial Penalty 738ff8a1f74b23bb71dfc2235015dbfcd02e2751
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 146 146 1 952 Directions, including a financial penalty of $5,000, were imposed on Championtutor for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Accountability",
    "Financial Penalty",
    "Education",
    "Tuition",
    "Education"
]
2019-08-02 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Championtutor---220719.pdf Accountability Breach of the Openness Obligation by Championtutor https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-openness-obligation-by-championtutor 2019-08-02 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 25 Case No DP-1710-B1269 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ChampionTutor Inc. … Organisation DECISION ChampionTutor Inc [2019] SGPDPC 25 Tan Kiat How, Commissioner — Case No DP-1710-B1269 22 July 2019 Background 1 On 31 October 2017, the Personal Data Protection Commission (the “Commission”) received a complaint from a former tutor (“Complainant”) who had registered with ChampionTutor Inc (“Organisation”), stating that he found a URL link1 (“URL Link”) to the Organisation’s tutor list (“Tutor List”) through a Google search. (the “Incident”). The Commission proceeded to investigate the Incident in order to determine whether the Organisation had complied with its obligations under the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 The Organisation is a home tuition agency in Singapore with more than 10 years’ experience matching students and tutors. While the service is free for students, tutors are required to pay a commission to the Organisation for each tuition assignment they accepted. 1 https://www.championtutor.com/certs_tutor/1certs1397642794.pdf ChampionTutor Inc 3 [2019] SGPDPC 25 In the course of investigations by the Commission, it was found that the Tutor List contained name, contact number and email address (“Disclosed Information”) of a total of 4,899 individuals, including the Complainant (“Affected Individuals”). 4 It also emerged in the course of investigations that the Organisation had not appointed any data protection office (“DPO”) and had failed to develop and put in place any internal data protection policies. 
Findings and Basis for Determination 5 The issues to be determined by the Commissioner in this case are as follows: (a) Whether the Disclosed Information is “business contact information” as defined under section 2(1) of the PDPA; and (b) Whether the Organisation had complied with the obligations to appoint a data protection officer (“… Financial Penalty a7bc8b98d073c9ff692b042e0c3cd60c12941780
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 148 148 1 952 Directions, including a financial penalty of $5,000, were imposed on AgcDesign for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Accountability",
    "Financial Penalty",
    "Others",
    "Interior design"
]
2019-07-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--AgcDesign-Pte-Ltd--040719.pdf Accountability Breach of the Openness Obligation by AgcDesign https://www.pdpc.gov.sg/all-commissions-decisions/2019/07/breach-of-the-openness-obligation-by-agcdesign 2019-07-04 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 23 Case No DP-1805-B2072 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And AgcDesign Pte. Ltd. … Organisation DECISION AgcDesign Pte. Ltd. [2019] SGPDPC 23 Yeong Zee Kin, Deputy Commissioner – Case No DP-1805-B2072 4 July 2019 Background and Material Facts 1 AgcDesign Pte. Ltd. (the “Organisation”) provides interior designing services for commercial and residential properties. Between 5 and 9 May 2018, the Personal Data Protection Commission (the “Commission”) received complaints alleging that the Organisation had used the complainants’ names and residential addresses without the complainants’ consent to send them marketing mailers. In the course of investigations by the Commission, it was found that the Organisation had sent the mailers using information from a database of property-related information obtained from a third party. That database had been compiled from information on caveats lodged with the Singapore Land Authority, which was publicly available. 2 It also emerged in the course of investigations that the Organisation had not appointed any data protection officer (“DPO”) and it had not developed and put in place any data protection policies. Upon being notified of the complaints, the Organisation appointed a DPO and issued certain verbal instructions to its employees concerning the collection, use and disclosure of personal data. 1 AgcDesign Pte. Ltd. 
[2019] SGPDPC 23 Findings and Basis for Determination 3 Section 17 of the PDPA, read with the relevant provisions of the Second, Third and Fourth Schedules to the PDPA, permits organisations to collect, use and disclose personal data which is publicly available without the consent of the individuals concerned. The Commission therefore did not proceed further with its investigation into the Organisation’s use of personal data in this case and I am satisfied that it is unnecessary to do so. 4 In relation to the Organisation’s failu… Financial Penalty dbe45267b662cba27e20e9da8c6e449830e75c7f
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 152 152 1 952 A warning was issued to Xbot for failing to put in place data protection policies to comply with the provisions of the PDPA.
[
    "Accountability",
    "Warning",
    "Real Estate",
    "Property"
]
2019-06-20 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Xbot-Pte-Ltd---200619.pdf Accountability Breach of the Openness Obligation by Xbot https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-openness-obligation-by-xbot 2019-06-20 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 19 Case No DP-1803-1781 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Xbot Pte. Ltd. … Organisation DECISION Xbot Pte. Ltd. [2019] SGPDPC 19 Yeong Zee Kin, Deputy Commissioner — Case No DP-1803-1781 20 June 2019 Introduction 1. On 2 March 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that Xbot Pte. Ltd. (the “Organisation”) had disclosed the personal data of property owners through the Strata.sg mobile application without their consent. The Commission commenced an investigation in order to determine whether the Organisation had failed to comply with its obligations under the Personal Data Protection Act 2012 (the “PDPA”). Material Facts 2. The Organisation developed and operated the Strata.sg mobile application (the “App”) and an associated website, http://Strata.sg (the “Website”), which provided access to a database of residential property transactions (the “Database”). The Database included information on transactions involving both private residential properties (“Private Properties”) and Housing Development Board (“HDB”) properties (“HDB Properties”). This information was made available to users of the App and Website and included a partial address (block number, road and, for HDB Properties only, a storey range), area, type and price for the properties listed. In addition, the complete addresses of the Private Properties (including the specific unit number) was made available to premium subscribers of the App or Website who paid a fee for access to the information in the Database. 3. 
The Organisation also collected personal data from users of the Website and users of the App in order to grant them access to the Database. The Organisation had a data protection policy for the Website (which it referred to as a “Privacy Policy”) but that policy did not 1 Xbot Pte. Ltd. [2019] SGPDPC 19 mention or cover the personal data collected from users of the… Warning d2e2fb18265e0bede337a2a87e9f9ab6c61a81af
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 198 198 1 952 Directions were issued to Jiwon Hair Salon, Next@Ion, Next Hairdressing and Initia for failing to put in place data protection policies to comply with the provisions of the PDPA.
[
    "Accountability",
    "Directions",
    "Others"
]
2018-01-23 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GroundsofDecisionJiwonNextIonNextHairdressingInitia23012018.pdf Accountability Breach of Openness Obligation by 4 Hair Salons https://www.pdpc.gov.sg/all-commissions-decisions/2018/01/breach-of-openness-obligation-by-4-hair-salons 2018-01-23 PERSONAL DATA PROTECTION COMMISSION Case No DP-1612-B0431 [2018] SGPDPC [2] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Jiwon Hair Salon Pte. Ltd. 2. Next@Ion Pte. Ltd. 3. Next Hairdressing Pte. Ltd. 3. Initia Pte. Ltd. DECISION … Organisations Jiwon Hair Salon Pte. Ltd. & Ors. [2018] SGPDPC [2] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0431 23 January 2018 Background 1 This case highlights that while the Personal Data Protection Act (“PDPA”) seeks to balance the protection of individuals’ personal data with the need for organisations to use and share that personal data, compliance with the PDPA also serves to ensure that an organisation keeps data which is of significant commercial importance to it protected and out of the reach of its competitors. Material Facts 2 This case was triggered by, unusually, a complaint from one of the Organisations, Jiwon Hair Salon Pte Ltd (“Jiwon”). Jiwon alleged that a former employee (“Employee K”) had misappropriated the names and contact numbers (collectively referred to as the “Personal Data”) of its customers by surreptitiously accessing its customer management system (“CMS”). 3 An investigation was conducted into Jiwon’s complaint and into the following Organisations which Employee K had worked at after leaving Jiwon to determine if indeed Employee K was using the Personal Data from Jiwon’s CMS: Jiwon Hair Salon Pte. Ltd. & Ors. S/N Organisation 1. 2 Jiwon Next@Ion Pte Ltd 9 April 2014 3. Next Hairdressing Pte Ltd 1 Dec 2016 4. 
4 [2018] SGPDPC 2 Initia Pte Ltd Start of employment 10 August 2016 13 Jan 2017 End of employment 15 August 2016 30 November 2016 16 Dec 2016 - In the meantime, Jiwon had instituted an action against Employee K in the State Courts arising out of the facts set out in the complaint and, according to Jiwon, an out-of-court settlement had been entered into. During the investigations, it became clear that none of the Organisations had… Directions 22dc817cc5a859cce0bf1f96066bd7470c408c03
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
Powered by Datasette · About: choco-up/sg-law-archive-data