pdpc_decisions_version_detail (view)
5 rows where nature = "Transfer Limitation"
This data as json, CSV (advanced)
Suggested facets: decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 17 | 17 | 1 | 952 | Directions were issued to both Shopify Commerce Singapore and Supernova to put in place a process to ensure compliance with the Transfer Limitation Obligation following a data breach incident of Shopify Inc's database. | [
"Transfer Limitation",
"Directions",
"Others",
"Data Intermediary"
] |
2022-11-18 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Supernova-Pte-Ltd_06102022.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by Shopify Commerce Singapore and Supernova | https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-transfer-limitation-obligation-by-shopify-commerce-singapore-and-supernova | 2022-11-18 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 7 Case No: DP-2103-B8147 / DP-2206-B9935 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Supernova Pte Ltd (2) Shopify Commerce Singapore Pte Ltd … Organisation DECISION Page 1 of 12 Supernova Pte Ltd & Anor Yeong Zee Kin, Deputy Commissioner — Case No. DP-2103-B8147/ DP-2206-B9935 6 October 2022 Introduction 1 On 8 October 2020, the Personal Data Protection Commission (the “Commission”) was notified by Supernova Pte Ltd (“SNPL”) of a data breach incident of Shopify Inc’s database affecting the personal data of certain Singapore-based customers (the “Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case Background 2 Shopify Inc (“Shopify”) is a company based in Canada that operates an e- commerce platform for online retailers to conduct sales (the “Platform”). SNPL is an online retailer that began using the Platform in 2018 to sell its products to customers. Shopify provided payment processing and other services (the “Services”) to SNPL pursuant to the Shopify Plus Agreement, executed by Shopify and SNPL on 4 December 2018. Shopify Commerce Singapore Pte Ltd (“Shopify SG”) acted as the Page 2 of 12 Asia-Pacific data sub-processor of Shopify pursuant to the Shopify Data Processing Addendum to the Shopify Plus Agreement, and its role was confined to collecting customer personal data (including SNPL’s) via the Platform and transferring the data out of Singapore to Shopify for both Purchase Processing and Platform Processing. 3 The Platform collected personal data from customers of its online retailers for two broad sets of purposes. First, to facilitate billing, payment and shipping on behalf of the Platform’s online retailers (“Purchase Processing”). Second, for Shopify’s own commercial and administrative purposes. This mainly included th… | Directions | a460c9f6da7d242e2c26bf56c9b5bc6bd47df7e7 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 31 | 31 | 1 | 952 | Warnings were issued to Toll Logistics (Asia), Toll Global Forwarding, Toll Offshore Petroleum Services, and Toll (TZ) for breaches of the PDPA in relation to the transfer of employees’ personal data to a human resources software vendor in Ireland. | [
"Transfer Limitation",
"Warning",
"Transport and Storage"
] |
2022-05-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Toll-Logistics-Asia-Limited-and-others--180322.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by Toll Logistics (Asia) and others | https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-transfer-limitation-obligation-by-toll-logistics-and-others | 2022-05-19 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 4 Case No. DP-2008-B6707 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Toll Logistics (Asia) Limited (2) Toll Global Forwarding (Singapore) Pte. Limited (3) Toll Offshore Petroleum Services Pte. Ltd. (4) Toll (TZ) Pte. Ltd. … Organisations DECISION Toll Logistics (Asia) Limited and others [2022] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2008-B6707 14 March 2022 Introduction 1 Toll Holdings Limited (“Toll Holdings”) is an integrated logistics services provider headquartered in Australia. Toll Logistics (Asia) Limited (“Toll Logistics”), Toll Global Forwarding Singapore Pte. Ltd. (“Toll Forwarding”), Toll Offshore Petroleum Services Pte. Ltd. (“Toll Offshore"), and Toll (TZ) Pte. Ltd. (“Toll TZ”) are Singapore-registered entities (collectively, “the Organisations”) that are part of a multinational group of companies headed by Toll Holdings (“the Group”). 2 On 11 June 2020, Toll Holdings notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the Group’s IT systems, including servers in Australia and Singapore containing the personal data of current and former employees of the Organisations (“the Incident”). The Commission subsequently received complaints from 3 former employees of Toll Logistics in relation to the Incident. Investigations were commenced to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisations of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3 In July 2013, Toll Holdings contracted with a vendor in Ireland (“the HR Vendor”) for the Group’s use of the HR Vendor’s human resources software platform (“the HR Platform”). To facilitate use of the common HR Platform, the respective Group entities (including the Organisations) uploaded the personal data of their employees to the HR Platform. The data uploaded to the HR Platform was hosted by the HR… | Warning | 3366d27f6930503cebbbff6dd8de747f0da55d18 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 44 | 44 | 1 | 952 | A warning was issued to Belden Singapore for a breach of the PDPA in relation to the transfer of its Singapore-based employees’ personal data to its parent company in the United States. | [
"Transfer Limitation",
"Warning",
"Manufacturing"
] |
2021-12-09 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Belden-Singapore-Private-Limited---12112021.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by Belden Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2021/12/breach-of-the-transfer-limitation-obligation-by-belden-singapore | 2021-12-09 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 13 Case No. DP-2011-B7423, DP-2011-B7433 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Belden Singapore Private Limited (2) Grass Valley Singapore Pte Ltd … Organisations DECISION 1 Belden Singapore Private Limited & Anor [2021] SGPDPC 13 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2011-B7423, DP-2011B7433 12 November 2021 Introduction 1. It is not unusual for a corporate group with a multi-national footprint to conduct cross-border transfers of personal data between its various entities. However, such arrangements also mean that data transferred from an organisation based in Singapore might risk exposure to data breach incidents in another jurisdiction. This is one such incident. 2. On 19 November 2020 and 20 November 2020, Belden Singapore Private Limited (“Belden Singapore”) and Grass Valley Singapore Pte Ltd (“GVSPL”) (collectively, the “Organisations”) notified the Personal Data Protection Commission (the “Commission”) of a data breach incident whereby an unauthorised third party had gained access to business servers of the Belden Group, and managed to exfiltrate information, including personal data of the employees of the Organisations (“Incident”). 2 Facts of the Case 3. The Belden Group is a group of companies involved in the manufacturing of networking, connectivity and cable products. Its various subsidiaries and affiliated companies operate in the Americas, Europe, Middle East, Africa and the Asia Pacific region (the “Belden entities”). The overall parent entity, Belden Incorporated (“Belden Inc.”) is headquartered in St Louis, Missouri, United States. Belden Singapore is part of the Belden Group. 4. As the main Human Resources (“HR”) functions of Belden Singapore are conducted by Belden Inc., Belden Singapore transfers the personal data of its employees to Belden Inc., which are then stored in Belden Inc.’s servers. The terms on which the various Belden entities tran… | Warning | a89e11d9b22ce2cc69d737938faf4e47ad9addbb | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 56 | 56 | 1 | 952 | Directions were issued to NUInternational Singapore and Newcastle Research and Innovation Institute for breach of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to their ultimate parent company in the United Kingdom and related company in Malaysia. | [
"Transfer Limitation",
"Directions",
"Education",
"Ransomware",
"Consent"
] |
2021-09-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NUI-and-NewRIIS--23062021.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by NUInternational Singapore and Newcastle Research and Innovation Institute | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-transfer-limitation-obligation-by-nuinternational-singapore-and-newcastle-research-and-innovation-institute | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 5 Case No. DP-2009-B7011 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) NUInternational Singapore Pte Ltd (2) Newcastle Research and Innovation Institute Pte Ltd … Organisations DECISION (1) NUInternational Singapore Pte Ltd; (2) Newcastle Research and Innovation Institute Pte Ltd [2021] SGPDPC 5 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2009-B7011 23 June 2021 Introduction 1 On 17 September 2020 and 13 November 2020, the Personal Data Protection Commission (the “Commission”) was notified of a ransomware attack relating to Newcastle Research and Innovation Institute Pte Ltd and NUInternational Singapore Pte Ltd (collectively known as the “Organisations”) in Singapore (the “Incident”). Facts of the case 2 The ransomware infected, on or around 30 August 2020, (a) a database in the United Kingdom, managed by the ultimate parent company of the Organisations (containing 1,083 records of Singapore-based individuals); and (b) a database in Malaysia, hosted by a related company of the Organisations (containing 194 records of Singapore-based individuals). These records containing personal data of the Singapore-based individuals were previously transferred from the Organisations to the ultimate parent company in the United Kingdom and the related company in Malaysia respectively. The Singapore-based individuals were a mix of staff members, undergraduates and/or post-graduate students of the Organisations. Their 2 personal data (comprising names and user account identifications) were exfiltrated by the threat actor. Findings and Basis for Determination 3 Section 26(1) of the PDPA stipulates that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection un… | Directions | 3b598c8a7be71e58fadf5f81e6bf2476ad13c791 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 72 | 72 | 1 | 952 | Singapore Technologies Engineering was found not in breach of the PDPA in relation to the transfer of the personal data of its Singapore-based employees to its subsidiaries based in United States. | [
"Transfer Limitation",
"Not in Breach",
"Manufacturing",
"Ransomware"
] |
2021-01-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----ST-Engineering-Ltd---16112020.pdf | Transfer Limitation | No Breach of the Transfer Limitation Obligation by Singapore Technologies Engineering | https://www.pdpc.gov.sg/all-commissions-decisions/2021/01/no-breach-of-the-transfer-limitation-obligation-by-singapore-technologies-engineering | 2021-01-14 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 21 Case No. DP-2006-B6426 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Technologies Engineering Limited … Organisation DECISION Singapore Technologies Engineering Limited [2020] SGPDPC 21 Singapore Technologies Engineering Limited [2020] SGPDPC 21 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2006-B6426 16 November 2020 Introduction 1 On 10 June 2020, Singapore Technologies Engineering Limited (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that its subsidiary based in the United States of America (“USA”), VT San Antonio Aerospace Inc. (“VT SAA”), had discovered a cybersecurity incident where threat actors gained unauthorised access to VT SAA’s US-based IT network and deployed a ransomware attack (the “Incident”). Facts of the Case 2 The Organisation is a Singapore incorporated company with a network of subsidiaries in Asia, Europe, USA and the Middle East. The ransomware attack was isolated to a limited part of VT SAA’s network, but also affected a few of the Organisation’s subsidiaries based in the USA that were using IT shared services provided by VT SAA. The Organisation’s IT network in Singapore was not compromised during the Incident. However, the following types of personal data belonging to 287 individuals in Singapore (“Affected 1 Singapore Technologies Engineering Limited [2020] SGPDPC 21 Individuals”) were potentially exposed to the risk of unauthorised access (collectively, the “Personal Data Sets”)1: (a) Name; (b) Address; (c) Email address; (d) Telephone number; (e) NRIC number and date of issue; (f) Passport details; (g) Photograph; (h) Date of birth; (i) Citizenship; (j) Country of residence; (k) Place of birth; (l) USA Social Security number; (m) USA visa information; (n) Details regarding government or military service, where applicable; (o) CV information; (p) Foreign identification numbers; … | Not in Breach | e80b77152c3052ff0a5870f8773669cd59a36872 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;