pdpc_decisions_version_detail (view)
27 rows where tags contains "Consent"
_commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 14 | 14 | 1 | 952 | RedMart had failed to obtain consent and inform its suppliers of the purpose for collecting images of the physical NRICs and other identification documents. However, the Commission had subsequently assessed that RedMart had met the requirements for reliance on the Legitimate Interests Exception and complied with the proposed direction. As such, no direction was issued to RedMart. | [ "Consent", "Notification", "Purpose Limitation", "No Further Action", "Wholesale and Retail Trade" ] |
2023-02-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---RedMart-Limited---18012023.pdf | Consent, Notification, Purpose Limitation | Breach of the Consent, Notification and Purpose Limitation Obligations by RedMart | https://www.pdpc.gov.sg/all-commissions-decisions/2023/02/breach-of-the-consent,-notification-and-purpose-limitation-obligations-by-redmart | 2023-02-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2105-B8405 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And RedMart Limited … Organisation DECISION RedMart Limited [2023] SGPDPC 1 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2105-B8405 18 January 2023 Introduction 1 On 31 May 2021, the Personal Data Protection Commission (the “Commission”) received a complaint that RedMart Limited (the “Organisation”) was collecting images of the physical NRICs and other identification documents of suppliers making deliveries to its warehouses (the “Incident”), and that this practice did not appear to be in compliance with the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 Investigations revealed that the Organisation operated two warehouses at 47 Jalan Buroh, CWT Distripark, Singapore 619491 (“Warehouses”) which were used to store goods and produce sold by the Organisation. The Warehouses were regularly visited by suppliers delivering goods and produce (“Visitors”), and the Organisation implemented measures to regulate such Visitors’ access to the Warehouses. Security checkpoints at the Warehouses used an Organisation-issued tablet computer (“Tablet”) to take photographs of Visitors’ NRIC or other identification documents (“ID Photographs”). The Organisation said it collected ID Photographs to Visitors seeking access to areas where food safety risks had to be managed. 
The Organisation explained that these measures are intended to deter acts that could compromise food safety and facilitate investigations of food safety incidents. 3 Prior to the Incident, there were no notices at the Warehouses’ security checkpoints informing Visitors of the purpose for collection of ID Photographs. After being notified by the Commission of the Incident, the Organisation put up notices at the Warehouses’ security checkpoints to inform Visitors of the purpose of collection of ID Photographs. Findings and Basis for Determination … | No further action | 4eaff99c5b7557a88a0ca128e03e4b18ea52c953 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 27 | 27 | 1 | 952 | Both organisations were found not in breach of the PDPA in relation to complaints regarding alleged collection and disclosure of personal data without consent. | [ "Consent", "Not in Breach", "Real Estate", "No breach" ] |
2022-06-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SLP-Scotia-Pte-Ltd-and-SLP-International-Property-Consultants-Pte-Ltd---09042022.pdf | Consent | No Breach of the Consent Obligation by SLP Scotia and SLP International Property Consultants | https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/no-breach-of-the-consent-obligation-by-slp-scotia-and-slp-international-property-consultants | 2022-06-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6585, DP-2007-B6591, DP-2007-B6594, DP-2007-B6598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SLP Scotia Pte. Ltd. SLP International Property Consultants Pte. Ltd. SUMMARY OF THE DECISION 1. Between 10 to 14 July 2020, the Personal Data Protection Commission (the “Commission”) received four complaints against SLP International Property Consultants Pte Ltd (“SLPIPC”) and its subsidiary SLP Scotia Pte Ltd (“SLPS”) (collectively, the “Organisations”). The complainants were property agents registered through SLPS (the “Complainants”). 2. As a merger was due to take place between the Organisations, on 7 July 2020, SLPIPC initiated the registration of salespersons in SLPS as salespersons in SLPIPC with the Council of Estate Agencies (“CEA”). CEA thereafter emailed the Complainants asking them to either initiate a salesperson application to join SLPIPC or disregard the email if they were not interested in registering with SLPIPC (the “Incident”). 1 3. The Complainants alleged that: a. they had not consented to be contacted for such purposes; and b. SLPS had improperly disclosed their personal data (including NRIC number, date of birth, and home address) to SLPIPC, and SLPIPC had in turn improperly disclosed the data to CEA. 4. CEA is the entity which administers the registration of salespersons (such as the Complainants) under the Estate Agents Act 2010 (“EAA”). 
Pursuant to section 29(1) of the EAA, a person may not act as a salesperson for any estate agent unless he or she is registered; the said register is maintained by the CEA pursuant to section 36 of the EAA. Further, under section 40(1) of the EAA, a salesperson may not be registered to act as a salesperson for more than one estate agent at any one time. 5. SLPIPC disclosed the personal data of the Complainants to CEA for the purposes of the change in registration from SLPS to SLPIPC. In doing so, SLPIPC was complying with its obligations under the… | Not in Breach | 81943b55f3e50d31e820edf46499ec3602f370c0 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 29 | 29 | 1 | 952 | Ngian Wen Hao Dennis, Chua Puay Hwa Melissa and Winarto were found in breach of the PDPA and issued warnings in relation to two incidents involving the unauthorised collection and disclosure of individuals’ personal data in 2019 and 2020. | [ "Consent", "Notification", "Warning", "Finance and Insurance" ] |
2022-06-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Dennis-Ngian--Others---08032022.pdf | Consent, Notification | Breach of the Consent and Notification Obligations by three insurance financial advisers | https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/breach-of-the-consent-and-notification-obligations-by-three-insurance-financial-advisers | 2022-06-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2109-B8857 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Ngian Wen Hao Dennis (2) Chan Puay Hwa Melissa (3) Winarto (4) Aviva Financial Advisers Pte Ltd SUMMARY OF THE DECISION 1. On 7 September 2021, the Personal Data Protection Commission (the “Commission”) was notified of two incidents involving unauthorised disclosure and collection of personal data by three individuals. 2. Ngian Wen Hao Dennis (“Dennis”) was an Aviva Financial Advisers Pte Ltd (“AFA”) representative between December 2017 and February 2019. In March 2019 and August 2020, Dennis approached two insurance financial advisers, Chua Puay Hwa Melissa (“Melissa”) and Winarto, to offer them a list of client leads, stating that he was leaving the insurance industry and looking for a reliable agent 1 to take over his clientele. Melissa and Winarto each said they paid $1,000 to Dennis for the list (the “Incidents”). 3. The list contained approximately 1,000 clients’ names, mailing addresses, contact numbers and the names of organisations underwriting the hospitalisation plans bought by the clients (“Personal Data Sets”). 4. The PDPA defines “organisations” to include individuals. As held in Re Sharon Assya Qadriyah Tang1, individuals who collect, use or disclose personal data otherwise than in a personal or domestic capacity will be treated as organisations within the meaning of the Act, and are obliged to comply with the Data Protection Provisions. 
In this case, we are of the view that it is clear that Dennis, Melissa and Winarto can be regarded as an “organisation” as defined under the PDPA for a number of reasons. First, the trio had bought and sold the client leads for work and business purposes, with the aim of generating an income or profit, and cannot be said to have been acting in a personal or domestic capacity. 5. Second, Dennis, Melissa and Winarto were not employees. In Re Ang Rui Song2, the Commission found that the respondent, … | Warning | 11afc51e552a655c8c243aa724648b2011a2eb25 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 40 | 40 | 1 | 952 | A financial penalty of $21,000 was imposed on Neo Yong Xiang for using his customers' personal data to register for prepaid SIM cards without their consent. The SIM cards were subsequently sold to anonymous individual(s) who used them to send specified messages in contravention of the Do Not Call provisions of the PDPA. | [ "Consent", "Financial Penalty", "Others" ] |
2022-03-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Neo-Yong-Xiang---29102021.pdf | Consent | Breach of the Consent and Purpose Limitation Obligations by Neo Yong Xiang trading as Yoshi Mobile | https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-the-consent-and-purpose-limitation-obligations-by-neo-yong-xiang-trading-as-yoshi-mobile | 2022-03-10 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 12 Case No. DP-2013-B8088 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Neo Yong Xiang (trading as Yoshi Mobile) … Organisation DECISION Neo Yong Xiang (trading as Yoshi Mobile) Lew Chuen Hong, Commissioner — Case No. DP-2013-B8088 29 October 2021 Introduction 1. When customers purchased pre-paid SIM cards from a mobile phone shop at Geylang Road, they would not have anticipated that their personal data would be misused to register additional SIM cards for illegal sale. Unfortunately, this was exactly what happened to at least 78 individuals who purchased pre-paid M1 SIM cards from one Mr Neo Yong Xiang (“NYX”) the sole proprietor of Yoshi Mobile (“YM”). 2. The Commission observed that between January 2020 and November 2020, there were 3,636 Do Not Call (“DNC”) complaints from persons who received specified messages even though their telephone numbers are registered with the DNC register1. Further analysis revealed that 1,379 of the messages were sent from 98 SIM cards registered at YM. The Commission initiated investigations against NYX (trading as YM) for suspected breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3. NYX has operated YM since 2013. 
As an exclusive retailer of M1 SIM cards, NYX was provided a terminal device installed at YM’s premises for the purposes of 1 Under Section 43 of the PDPA, a person is not allowed to send specified messages to a Singapore telephone number registered with the DNC register unless the person has, at the time where he sends the specified message, valid confirmation that the Singapore telephone number is not listed in the DNC register. SIM card registration (the “M1 Terminal Device”). SIM card registration had to be carried out in accordance with the conditions of M1’s telecommunications licence granted under Section 5 of the Telecommunications Act (Chapter 323). The typical SIM card registration process in YM would be a… | Financial Penalty | 9701ccc45e49e35f3e4018e10b92d445aca1c569 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 56 | 56 | 1 | 952 | Directions were issued to NUInternational Singapore and Newcastle Research and Innovation Institute for breach of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to their ultimate parent company in the United Kingdom and related company in Malaysia. | [ "Transfer Limitation", "Directions", "Education", "Ransomware", "Consent" ] |
2021-09-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NUI-and-NewRIIS--23062021.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by NUInternational Singapore and Newcastle Research and Innovation Institute | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-transfer-limitation-obligation-by-nuinternational-singapore-and-newcastle-research-and-innovation-institute | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 5 Case No. DP-2009-B7011 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) NUInternational Singapore Pte Ltd (2) Newcastle Research and Innovation Institute Pte Ltd … Organisations DECISION (1) NUInternational Singapore Pte Ltd; (2) Newcastle Research and Innovation Institute Pte Ltd [2021] SGPDPC 5 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2009-B7011 23 June 2021 Introduction 1 On 17 September 2020 and 13 November 2020, the Personal Data Protection Commission (the “Commission”) was notified of a ransomware attack relating to Newcastle Research and Innovation Institute Pte Ltd and NUInternational Singapore Pte Ltd (collectively known as the “Organisations”) in Singapore (the “Incident”). Facts of the case 2 The ransomware infected, on or around 30 August 2020, (a) a database in the United Kingdom, managed by the ultimate parent company of the Organisations (containing 1,083 records of Singapore-based individuals); and (b) a database in Malaysia, hosted by a related company of the Organisations (containing 194 records of Singapore-based individuals). These records containing personal data of the Singapore-based individuals were previously transferred from the Organisations to the ultimate parent company in the United Kingdom and the related company in Malaysia respectively. 
The Singapore-based individuals were a mix of staff members, undergraduates and/or post-graduate students of the Organisations. Their 2 personal data (comprising names and user account identifications) were exfiltrated by the threat actor. Findings and Basis for Determination 3 Section 26(1) of the PDPA stipulates that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection un… | Directions | 3b598c8a7be71e58fadf5f81e6bf2476ad13c791 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 58 | 58 | 1 | 952 | A financial penalty of $7,000 was imposed on Larsen & Toubro Infotech for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of job applicants, and for disclosing the personal data of job applicants without their consent. | [ "Protection", "Consent", "Financial Penalty", "Information and Communications", "Protection", "Consent", "Sample forms", "Email", "Recruitment" ] |
2021-06-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Larsen--Toubro-Infotech-Limited-Singapore-Branch-06052021.pdf | Protection, Consent | Breach of the Protection and Consent Obligation by Larsen & Toubro Infotech | https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-and-consent-obligation-by-larsen-toubro-infotech | 2021-06-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7464 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Larsen & Toubro Infotech Limited, Singapore Branch SUMMARY OF THE DECISION 1. On 29 November 2020, the Personal Data Protection Commission (the “Commission”) received a complaint against Larsen & Toubro Infotech Limited, Singapore Branch (“LTI”) from an LTI job applicant. 2. On 25 November 2020, an LTI employee had emailed the complainant a set of sample forms which contained the personal data of a past job applicant. The LTI employee had sent the complainant those sample forms to assist him in filling up his own forms correctly. 3. Subsequently, on 3 December 2020, another LTI employee sent an email reminder to the complainant and 53 other job applicants to complete their application process. The email contained all of the job applicants’ respective names, with their email addresses placed in the “To” field and thus visible to all recipients. 4. Once notified of the complaint by the Commission, LTI undertook a review of its employees’ emails for the period from 2016 to 2020, and uncovered 73 other instances where past job applicants’ personal data had been disclosed to other job applicants. 5. In total, 13 past job applicants’ forms were disclosed by 10 of LTI’s employees to 74 other job applicants. The personal data disclosed in the forms comprised: a. Name; b. Signature; c. Email address; d. National Identification/ passport numbers; e. Date of Birth; f. Address; g. Contact number; h. 
Medical health status; i. Employment history; j. Salary information; and k. Criminal records disclosure. 6. The Deputy Commissioner for Personal Data Protection finds that LTI negligently contravened the Protection Obligation under section 24 of the Personal Data Protection Act 2012 by failing to provide adequate instructions to its employees dealing with recruitment matters on how to handle personal data. LTI also negligently contravened the Consent Obligation und… | Financial Penalty | bd9f440070a5521214d61291f17b40de724a111a | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 62 | 62 | 1 | 952 | A warning was issued to Greatearth Corporation for failing to obtain consent to disclose personal data of 8 crane operators on the external façade of a construction site. | [ "Consent", "Warning", "Construction", "Consent", "Ban list", "Acting in Course of Employment" ] |
2021-05-12 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Progressive-Builders-and-Greatearth-Corporation---16042021-(002).pdf | Consent | Breach of the Consent Obligation by Greatearth Corporation, No Breach of the PDPA by Progressive Builders | https://www.pdpc.gov.sg/all-commissions-decisions/2021/05/breach-of-the-consent-obligation-by-greatearth-corporation | 2021-05-12 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 2 Case No. DP-1907-B4305 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Progressive Builders Private Limited (2) Greatearth Corporation Pte. Ltd. … Organisation DECISION 1 (1) Progressive Builders Private Limited; (2) Greatearth Corporation Pte. Ltd. [2021] SGPDPC 2 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1907-B4305 16 April 2021 Introduction 1 This case involves a series of incidents that led to the unauthorised collection, use, and disclosure of the personal data of 8 individuals (the “Complainants”) by Greatearth Corporation Pte. Ltd. (“GCPL”). On 19 and 20 July 2019, the Personal Data Protection Commission (the “Commission”) received complaints from each of the Complainants alleging that their personal data had been disclosed by Progressive Builders Private Limited (“PBPL”) without their consent (the “Complaints”). The Commission commenced an investigation into the Complaints. Facts of the Case 2 The Complainants are tower crane operators engaged by Craneworks Pte Ltd (“the Subcontractor”) to operate tower cranes for the Subcontractor’s clients, including PBPL. PBPL is the main contractor for a housing project in Geylang (the “Geylang Project”) and is in charge of the Geylang Project worksite (the “Geylang Worksite”). PBPL had collected the Complainants’ personal data (including their full name, NRIC, contact number and photograph) when they were appointed as tower crane operators for the Geylang Project. 
The collection of their personal data was for the purposes of managing the Complainants’ roles as tower crane operators. The Subcontractor is a sub-contractor of PBPL for the Geylang Project. It supplies licensed crane operators to PBPL for the operation of tower cranes. 3 GCPL is also a company that is in the construction business. It is the main contractor for a housing project in Clementi (the “Clementi Project”) and is in charge of the Clementi 2 Project worksite (“Clemen… | Warning | 3df9d84ac2b94b9eceb608d856f98239db7a49bc | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 81 | 81 | 1 | 952 | Directions, including a financial penalty of $7,500 were imposed on Majestic Debt Recovery for failing to obtain consent from its debtors to record the debt collection process. Majestic Debt Recovery also did not obtain consent to upload the recordings onto its Facebook Page. Additionally, Majestic Debt Recovery did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Protection", "Accountability", "Directions", "Financial Penalty", "Others", "Consent", "No DPO", "No Policy" ] |
2020-11-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Majestic-Debt-Recovery---02032020.pdf | Protection, Accountability | Breach of the Consent and Accountability Obligations by Majestic Debt Recovery | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-consent-and-accountability-obligations-by-majestic-debt-recovery | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 7 Case No DP-1903-B3570 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Majestic Debt Recovery Pte Ltd … Organisation DECISION 1 Majestic Debt Recovery Pte Ltd [2020] SGPDPC 7 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3570 2 March 2020 Introduction 1 This case concerns a debt collection company’s posting of a video recording on social media as a tactic to shame a debtor. The recordings in question captured exchanges between the company’s representative and staff of the debtor company. Facts of the Case 2 Majestic Debt Recovery Pte Ltd (the “Organisation”) is a company in the business of collecting debts on the behalf of its clients. On 22 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from the managing director (the “Complainant”) of a debtor company (the “Company”) stating that the Organisation had been engaged by the Company’s sub-contractor to recover debts from the Company. The Complainant stated that on or around 21 March 2019, the Organisation’s representatives (the “Representatives”) visited the Company’s premises to collect a debt on behalf of its client (the “Incident”). Not surprisingly, heated words were exchanged with the Company’s personnel when the Representatives attempted to recover the debt. The Representatives recorded video footage of the exchanges with the Company’s personnel, including the Complainant (the “Recording”), on a tablet device. 
The Complainant and the Company’s personnel could be identified from the images and audio captured by the Recording. According to the Complainant, he “protested against the taking of [the Recording and] posting it [on] social media but [the Representative] said he would do it”. The Representatives nonetheless took the Recording and subsequently posted it on the Organisation’s official public Facebook page (its “Facebook Page”). 2 3 During its investigation, the Commission found other… | Directions, Financial Penalty | 735c56aebf1838696565bb02754125b665e3d968 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 139 | 139 | 1 | 952 | Amicus Solutions and a financial consultant were issued directions, including to pay financial penalties of $48,000 and $10,000 respectively, for breaches of the PDPA. Amicus Solutions failed to notify and obtain consent for the disclosure of individuals’ personal data that it sold to the financial consultant who used such personal data for telemarketing purposes. | [ "Consent", "Notification", "Financial Penalty", "Admin and Support Services", "Finance and Insurance" ] |
2019-10-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Amicus-Solutions-Pte-Ltd---Another.pdf | Consent, Notification | Breach of the Consent and Notification Obligations by Amicus Solutions and a Financial Consultant | https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-consent-and-notification-obligations-by-amicus-solutions-and-a-financial-consultant | 2019-10-10 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC [33] Case No DP-1610-B0290 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Amicus Solutions Pte. Ltd. (UEN No. 201534661R) (2) Ivan Chua Lye Kiat … Organisations DECISION Amicus Solutions Pte. Ltd. & Anor. [2019] SGPDPC 33 Amicus Solutions Pte. Ltd. & Anor. [2019] SGPDPC 33 Tan Kiat How, Commissioner — Case No DP-1610-B0290 30 August 2019 1 The Personal Data Protection Commission (the “Commission”) received a complaint regarding the unauthorised collection and use of personal data to market financial products. Investigations were commenced into the alleged unauthorised sale and disclosure of personal data by a data broker and the unauthorised collection and use of the personal data for telemarketing purposes. Upon conclusion of investigations and consideration of the totality of evidence, the Commissioner found Amicus Solutions Pte. Ltd. (“Amicus”) and Mr Ivan Chua Lye Kiat (“Mr Chua”) to be in breach of the Personal Data Protection Act 2012 (“PDPA”) for the reasons set out in these grounds. Material Facts 2 An independent life insurance brokerage company (the “Insurance Brokerage”) appointed Mr Chua as a financial adviser director to provide financial advisory services and to market financial products distributed by the Insurance Brokerage to prospective clients in accordance with the terms set out in a Financial Adviser Representative Agreement. He oversees a team of financial adviser representatives. 
Their main products are Eldershield related insurance policies targeted at individuals over 40 years old. 2 Amicus Solutions Pte. Ltd. & Anor. 3 [2019] SGPDPC 33 It is undisputed that Mr Chua and the financial adviser representatives in his team are not employees of the Insurance Brokerage but independent agents. As independent agents, they receive a commission for each sale but are not in an employer-employee relationship with the Insurance Brokerage nor are they entitled to any employe… | Financial Penalty | f9c77b604588fd22b9623d2884cfc03d6a7dbbb3 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 158 | 158 | 1 | 952 | A warning was issued to Skinny’s Lounge for failing to ensure that consent was obtained from its patrons to re-play recorded CCTV footage on a screen in its public lounge. Skinny’s Lounge also failed to provide due notification to its patrons on the full purposes of the CCTV footage recorded at its premises. | [ "Consent", "Notification", "Warning", "Arts, Entertainment and Recreation", "KTV", "Karaoke" ] |
2019-06-11 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Skinnys-Lounge---110619.pdf | Consent, Notification | Breach of the Consent and Notification Obligations by Skinny's Lounge | https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-consent-and-notification-obligations-by-skinny-s-lounge | 2019-06-11 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 13 Case No DP-1806-B2267 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Skinny’s Lounge … Organisation DECISION Skinny’s Lounge [2019] SGPDPC 13 Skinny’s Lounge Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2267 11 June 2019 Background 1 The Organisation is a Karaoke Television (“KTV”) bar located in Boat Quay. The central issue in this case is whether the Organisation had valid consent from its patrons to disclose their images recorded on closed-circuit camera footage (“CCTV Footage”). The disclosure was on a screen in a publicly accessible area of its premises. 2 Following an investigation into the matter, I found the Organisation in breach of section 13(a) read with section 18 and with section 20(1) of the Personal Data Protection Act (“PDPA”). Material Facts 3 The Organisation had one KTV Room on its premise. The KTV Room had a sign beside the TV screen which read “Smile you are being recorded”. Patrons using the KTV Room were then recorded on CCTV Footage streamed “live” onto a screen in the Organisation’s public lounge (“Public Screen”) for general viewing. 4 On or before 19 June 2018, the Complainant and her friends used the KTV Room and their images were live-streamed onto the Public Screen. After the Complainant and her friends left, the CCTV in the KTV Room malfunctioned. With the live streaming disrupted, the Organisation played on the Public Screen randomly selected recorded CCTV Footage. 
This included CCTV Footage of the Complainant and her friends which was replayed on the Public Screen for “a day or two”. After the Complainant found out about the replaying of the CCTV Footage, she lodged a complaint with the Personal Data Protection Commission (“PDPC”) on 19 June 2018. 2 Skinny’s Lounge [2019] SGPDPC 13 Findings and Basis for Determination 5 The provisions relevant to this case are as follows: (a) Section 13(a) of the PDPA states that organisations are prohibited fro… | Warning | ee7c19d8e4e94c3b494bfbe6567abae917e4cd07 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 159 | 159 | 1 | 952 | Telcos were not found in breach of the PDPA for charging subscribers for the provision of Caller Number Non-Display value added services. | [ "Consent", "Not in Breach", "Information and Communications", "Singtel", "Starhub", "M1" ] |
2019-06-06 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---3-Telcos---06062019.pdf | Consent | No Breach of the Withdrawal of Consent Obligation by Telcos | https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/no-breach-of-the-withdrawal-of-consent-obligation-by-telcos | 2019-06-06 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 12 Case No DP-1609-B0229 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Starhub Mobile Pte Ltd 2. M1 Limited 3. Singtel Mobile Singapore Pte. Ltd. … Organisations DECISION Data protection – Consent obligation – Withdrawal of consent Starhub Mobile Pte Ltd, M1 Limited and Singtel Mobile Singapore Pte. Ltd. [2019] SGPDPC 12 Yeong Zee Kin, Deputy Commissioner — Case No DP-1609-B0229 6 June 2019. Background 1 The present matter arose from a complaint made by an individual mobile subscriber (“Complainant”), in relation to the current industry practice of mobile network operators charging for the provision of Caller Number NonDisplay (“CNND”) services. The CNND service is offered on a per-line basis affecting all out-going calls made using a particular telephone number. When activated by a subscriber, the CNND service essentially prevents the subscriber’s telephone number from being displayed on call recipients’ devices. 2 The Organisations are the three mobile network operators in Singapore. They offer a range of telecommunication services to subscribers, in particular, mobile telephony services. They also offer CNND as an optional value-added service to their subscribers. All the Organisations share a common practice of charging subscribers for the provision of CNND services, although the precise charges differ from Organisation to Organisation. 
3 The key question which has to be determined in this case is whether section 16 of the Personal Data Protection Act 2012 (“PDPA”) prohibits organisations from imposing charges for the provision of CNND services. The findings and grounds of decision based on the Commission’s investigation are set out below. Material Facts 4 The Complainant is an individual subscriber of StarHub Mobile Pte Ltd (“StarHub”)’s mobile services. He had written to StarHub to request the withdrawal of his consent to the disclos… | Not in Breach | d14207cb5ac452bf33a3e97f370a686be33c72ca | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 162 | 162 | 1 | 952 | A warning was issued to H3 Leasing for disclosing personal data online without the consent of the individual concerned. | [ "Consent", "Warning", "Transport and Storage", "Vehicle rental" ] |
2019-06-06 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---H3-Leasing---06062019.pdf | Consent | Breach of the Consent Obligation by H3 Leasing | https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-consent-obligation-by-h3-leasing | 2019-06-06 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 9 Case No DP-1803-B1859 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And H3 Leasing … Organisation DECISION H3 Leasing [2019] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No DP-1803-B1859 6 June 2019 Background 1. The complaint concerns the disclosure of personal data without consent by H3 Leasing (the “Organisation”). The Organisation is in the business of rental of motor vehicles in Singapore. 2. The Complainant was a member of the public who had come across a post on social media by the Organisation disclosing scanned images of the NRIC of another individual (“Affected Individual”). The personal data disclosed by virtue of this comprised the full name, residential address, date of birth, NRIC number, NRIC photo and the thumbprint image of the Affected Individual (the “Personal Data Set”). On 8 March 2018, the Complainant filed a complaint with the Personal Data Protection Commission (the “Commission”) in relation to the disclosure of the Personal Data Set by the Organisation. 3. The key issue raised by the Complaint is whether the Organisation had the consent required under section 13 of the Personal Data Protection Act 2012 (the “PDPA”) to disclose the Personal Data Set of the Affected Individual in the manner and for the purposes which they did. 4. Following an investigation into the matter by the Personal Data Protection Commission, I found the Organisation in breach of section 13 of the PDPA. Material Facts 5. 
On 15 December 2017, the Affected Individual rented a motor vehicle from the Organisation. He voluntarily provided a copy of his NRIC and entered into an agreement with the Organisation for that purpose. 6. Subsequently, the Affected Individual went into rental arrears and ceased contact with the Organisation. The Organisation was unable to locate him or the motor vehicle and made a police report concerning the… | Warning | 975a9880e3865b938caf22061b31d292c5d3e479 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 163 | 163 | 1 | 952 | German European School Singapore was found not to be in breach of the PDPA in relation to allegations that there was no consent given for the collection of its student’s hair sample for the purpose of drug testing. | [ "Consent", "Not in Breach", "Education", "Student" ] |
2019-06-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---German-European-School-Singapore---030619.pdf | Consent | No Breach of the Consent Obligation by German European School Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/no-breach-of-the-consent-obligation-by-german-european-school-singapore | 2019-06-03 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 8 Case No DP-1712-B1471 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And German European School Singapore … Organisation DECISION German European School Singapore [2019] SGPDPC 8 Yeong Zee Kin, Deputy Commissioner — Case No DP-1712-B1471 3 June 2019. Background 1 This case concerns a complaint made by the father (the “Complainant”) of a student1 (“AB”) at the German European School Singapore (“GESS”). The central issue raised in the complaint, in so far as it relates to the Personal Data Protection Act 2012 (“PDPA”), was that GESS had collected and used personal data of AB without valid consent in the course of conducting a random drug test. GESS has not denied that it had collected the personal data of AB but has asserted that it did so with valid consent. The brief facts of the case are as follows. 2 On 6 December 2017, AB was selected by staff of GESS for random drug testing and asked to provide a hair sample by cutting for the drug test. This was done in accordance with GESS’ internal procedures and pursuant to its school bye-laws which provided that it may conduct drug testing at random or in cases of “proven suspicion”. When the Complainant found out about this later that day, he immediately contacted the Principal of GESS via email to object to the test being done on his son. (Footnote 1: As this individual is a minor, his name and the names of his parents are omitted from this Decision.) 
The complainant also requested that the results of the test be given to him in its unopened envelope, as received by the school. 3 In a turn of events, the drug test could not be conducted on AB’s hair sample as it apparently had not been stored correctly after it had been cut when it was sent to the overseas testing laboratory engaged by GESS to conduct the drug test2. Following the email correspondence between the Complainant and the Principal, the Complainant and his… | Not in Breach | 987d60071fb1ca62d5f365695fbcb87e5d8703f3 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 175 | 175 | 1 | 952 | A warning was issued to Big Bubble Centre for disclosing personal data online without the consent of the individuals concerned. | [ "Consent", "Warning", "Arts, Entertainment and Recreation", "Scuba diving" ] |
2018-11-28 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Big-Bubble-Centre---281118.pdf | Consent | Breach of the Consent Obligation by Big Bubble Centre | https://www.pdpc.gov.sg/all-commissions-decisions/2018/11/breach-of-the-consent-obligation-by-big-bubble-centre | 2018-11-28 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 25 Case No DP-1802-B1770 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Big Bubble Centre … Organisation DECISION Big Bubble Centre [2018] SGPDPC 25 Big Bubble Centre Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1770 28 November 2018 1. The circumstances which led to the complaint over Big Bubble Centre’s (the “Organisation”) actions is a common one in today’s social media age. It usually starts with a dispute between an individual and an organisation and quickly escalates from there. One party expresses unhappiness with the other on social media and the other party then responds on social media to defend themselves. During the exchange, personal data is disclosed and is accessible to all and sundry. The approach of the Personal Data Protection Commission (“PDPC”) in such cases has been stated in Re My Digital Lock Pte Ltd [2018] SGPDPC 3 and Re M Star Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 and that approach has been followed in this case. 2. The Organisation is a sole-proprietorship in the scuba-diving services business. The Complainant is an ex-employee of the Organisation. 3. 
The key issue is whether by using the personal data, the Organisation has: a) breached its obligation under section 13 of the Personal Data Protection Act 2012 (“PDPA”) to obtain valid consent before disclosing personal data; or b) breached its obligation under section 18 of the PDPA to only use and disclose personal data for purposes (i) that a reasonable person would consider appropriate in the circumstances; and (ii) that the data subject has been informed of. Material Facts 4. The Complainant and the Organisation had a contractual dispute in which the Complainant claimed that the Organisation had failed to pay his wages. The Complainant resigned and took dive equipment which he claims to have paid for. 5. The Organisation, however, refutes these claims and say that they withheld $600 from the Complain… | Warning | 09ebd633a030b216def95af0bcc6a92e9d25d637 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 185 | 185 | 1 | 952 | Spring College International failed to notify and obtain consent from the parents of young students before disclosing online the students’ personal data for marketing purposes. Directions were issued to Spring College International. | [ "Consent", "Purpose Limitation", "Notification", "Directions", "Education" ] |
2018-05-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Spring_College_International_240518.pdf | Consent, Purpose Limitation, Notification | Breach of Consent and Purpose Limitation Obligations by Spring College International | https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-consent-and-purpose-limitation-obligations-by-spring-college-international | 2018-05-24 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 15 Case No DP-1705-B0799 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Spring College International Pte. Ltd. … Organisation DECISION Spring College International Pte. Ltd. Mr Yeong Zee Kin, Deputy Commissioner — Case No DP-1705-B0799 24 May 2018 Background 1 This matter involves a private educational institution that posted information about its students, including their names and photographs, on a public social media page, in order to promote its courses. The Organisation operates a private educational institution, known as “Spring College International Pte. Ltd.” (“SCI”), that offers various academic courses to students of varying ages and levels. A complaint was made to the Personal Data Protection Commission (“PDPC”) regarding the unauthorised disclosure of a student’s personal data on the Organisation’s Facebook page. The complaint was made by the student’s parent (“the Complainant”). 2 The Commissioner’s findings and grounds of decision, based on the investigations carried out in this matter, are set out below. Material Facts 3 Since September 2010, the Organisation has maintained a Facebook page which is accessible to the general public, titled “Spring College International”. In December 2015, the Complainant enrolled her son (“Individual A”) as a student in SCI. Sometime thereafter, the 
Complainant came across a post on the Organisation’s Facebook page, dated 24 April 2016 (“Post A”). The post contained the following text: Application for Supplementary Admissions Exercise for International Students 1 We are pleased to inform you that your application for admission to a secondary school through the Supplementary Admissions Exercise for International Students is successful. The results of your application are as follows: … 4 Post A further set out the following information about Individual A: full name; partially masked passport num… | Directions | ab610ebd87a5e51bcfa08294b0f5948e87401467 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 193 | 193 | 1 | 952 | A financial penalty of $12,500 was imposed on Aventis for using the personal data of individuals beyond the notified purposes, and for failure to give effect to the withdrawal of consent within a reasonable time. | [ "Consent", "Purpose Limitation", "Notification", "Financial Penalty", "Directions", "Education" ] |
2018-04-30 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Aventis_300418.pdf | Consent, Purpose Limitation, Notification | Breach of Notification and Consent Obligations by Aventis | https://www.pdpc.gov.sg/all-commissions-decisions/2018/04/breach-of-notification-and-consent-obligations-by-aventis | 2018-04-30 | PERSONAL DATA PROTECTION COMMISSION Case No DP-1705-B0766 [2018] SGPDPC [7] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Aventis School of Management Pte. Ltd. … Organisation DECISION Aventis School of Management Pte. Ltd. [2018] SGPDPC [7] Tan Kiat How, Commissioner — Case No DP-1705-B0766 30 April 2018 Background 1 The present matter concerns an individual (the “Complainant”) who had signed up to receive a free brochure for a specific programme organised by the Organisation, but ended up also receiving numerous marketing emails from the Organisation that were unrelated to the programme which the individual was interested in. The question raised is whether the Organisation’s “use” of the Complainant’s personal data to send him the marketing emails without his consent is a breach of the Personal Data Protection Act 2012 (“PDPA”). In the Commissioner’s findings, the answer is in the affirmative. 2 The Commissioner also found that the Organisation had failed to carry out the Complainant’s request to remove his email address from the Organisation’s mailing list in a timely manner, which led to further marketing emails being sent to the Complainant after the withdrawal request was made. 3 The Commissioner’s findings and grounds of decision of the matter are now set out below. Material Facts 4 The Organisation is an educational institution that collaborates with overseas universities to offer degrees, courses, and programmes to students across various disciplines such as Finance, Marketing, and Business. 
5 The Complainant was interested in one of the programmes offered by the Organisation, and submitted his name, email address, and contact number through a web form on the Organisation’s website, titled “Take Action Today – Download Free Brochure”, at http://asm.edu.sg/california-state-university on 12 January 2017. 6 After signing up for this free brochure, the Complainant started recei… | Financial Penalty, Directions | ee94ae697675c228c71fd7f5fba9305226984d44 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 195 | 195 | 1 | 952 | A financial penalty of $6,000 was imposed on Actxa for breach of Section 13 (Consent Obligation) and Section 18 (Purpose Limitation Obligation) of the PDPA. | [ "Consent", "Purpose Limitation", "Financial Penalty", "Wholesale and Retail Trade" ] |
2018-04-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Actxa_190418.pdf | Consent, Purpose Limitation | Breach of Consent and Purpose Limitation Obligations by Actxa | https://www.pdpc.gov.sg/all-commissions-decisions/2018/04/breach-of-consent-and-purpose-limitation-obligations-by-actxa | 2018-04-19 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 5 Case No DP-1611-B0320 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Actxa Pte. Ltd. … Organisation DECISION Actxa Pte. Ltd. [2018] SGPDPC 5 Tan Kiat How, Commissioner — Case No DP-1611-B0320 19 April 2018 Background 1 Organisations are increasingly integrating information technology components and computer network connectivity into the products they develop (“connected devices”). The embedded technology and connectivity helps turn ordinary products, such as a weighing scale, into a “smart” version of the product with the ability to collect and transfer data wirelessly through the network. 2 These connected devices have the potential to offer a multitude of benefits to improve the lives of users of these devices. A “smart” refrigerator may be able to understand your grocery shopping habits, alert you when you are low on ingredients you commonly use and order these ingredients from an online grocery store and pay for the purchase. A “smart” pacemaker may warn you when you have an impending heart attack, notify the nearest hospital and call for an ambulance. 3 Organisations may use multiple connected devices to collect users’ personal data. This would assist organisations in providing an integrated suite of services. As an example, an organisation may collect your body measurements from a “smart” weighing machine and your dietary preferences 
from your “smart” refrigerator and suggest the amount of daily exercise you should undertake to maintain a healthy body weight through your “smart” watch. Some of these organisations may rely on a single document to notify users of the purposes, and obtain consent, for the collection, use and disclosure of personal data collected through these connected devices and across different platforms. To be clear, there is nothing wrong with this practice. However, such organisations need to ensure th… | Financial Penalty | 3f61cdb3a9f6b43a837fabd8bc4c32b9e24b58f1 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 199 | 199 | 1 | 952 | A financial penalty of $6,000 was imposed on an individual for selling a database containing personal data, without notifying the individuals involved. | [ "Consent", "Notification", "Financial Penalty", "Wholesale and Retail Trade" ] |
2018-01-11 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GroundsofDecisionSharonAssyaQadriyahTang110118.pdf | Consent, Notification | Breach of the Consent and Notification Obligations by an Individual Selling Personal Data | https://www.pdpc.gov.sg/all-commissions-decisions/2018/01/breach-of-the-consent-and-notification-obligations-by-an-individual-selling-personal-data | 2018-01-11 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 1 Case No DP-1701-B0485 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Sharon Assya Qadriyah Tang … Organisation DECISION Sharon Assya Qadriyah Tang [2018] SGPDPC 1 Tan Kiat How, Commissioner — Case No DP-1701-B0485 11 January 2018 Background 1 This is the first reported case of an individual (the “Respondent”) who was involved in the unauthorised selling of personal data. The facts disclose a straightforward breach of the Personal Data Protection Act 2012 (“PDPA”), and the Respondent does not deny committing the infringing acts. The Commissioner has accordingly found the Respondent in breach of sections 13 and 20 of the PDPA. 2 The Commissioner’s findings and grounds of decision are set out below. Material Facts 3 The Respondent was employed as a telemarketer from 2004 to 2014. Sometime in 2012, the Respondent started purchasing ‘leads’ to expand the reach of her marketing in order to hit her sales targets. These ‘leads’ typically comprised an individual’s name, NRIC number, mobile number and annual income range. A lead would typically cost between $0.20 and $0.30. 4 The Respondent bought the leads from unknown online sellers and did not retain the details of these transactions. Also, the Respondent did not check or verify with the sellers that the leads she purchased were obtained legitimately with the individuals’ consent. 5 On average, the Respondent would buy approximately 10,000 leads per year. 
According to the Respondent, her first purchase of leads was sometime in late 2012 and her last purchase was sometime in either May or June 2014. At the material time, the Respondent had in her possession approximately 30,990 leads. The leads were stored in Microsoft Excel spreadsheets. 6 From late 2012 up until 23 February 2017, the Respondent estimated that she had re-sold the leads she had bought about 9 to 10 times, typically charging customers … | Financial Penalty | 7c97ac65ddddd62ae8a119b6caa4338a79492ebb | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 203 | 203 | 1 | 952 | Directions were issued to M Stars Movers for disclosure of a customer's personal data via social media without consent, failure to appoint a Data Protection Officer, and failure to institute policies and practices that are necessary for the organisation to meet the obligations imposed under the PDPA. | [ "Accountability", "Consent", "Directions", "Transport and Storage" ] |
2017-11-15 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---m-stars-movers---151117.pdf | Accountability, Consent | Breach of Consent and Openness Obligations by M Stars Movers | https://www.pdpc.gov.sg/all-commissions-decisions/2017/11/breach-of-consent-and-openness-obligations-by-m-stars-movers | 2017-11-15 | PERSONAL DATA PROTECTION COMMISSION [2017] SGPDPC 15 Case No DP-1612-B0418 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And M Stars Movers & Logistics Specialist Pte Ltd … Organisation GROUNDS OF DECISION M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0418 15 November 2017 Background 1 This case highlights the risks that organisations face when they fail to develop and implement policies, practices and procedures to protect personal data when communicating with its customers or other individuals through social media. 2 In this matter, a customer (the “Complainant”) of the Organisation, which provides professional moving services, alleged that the Organisation had disclosed her personal data on its Facebook page without her consent. 3 The findings and grounds of decision based on the investigations carried out in this matter are set out below. Material Facts 4 Sometime in December 2016, the Complainant engaged the Organisation’s professional moving services. The Complainant voluntarily provided her name, mobile number and residential addresses (i.e. the addresses where the items were to be picked up and delivered to) to the Organisation to provide the services. 5 Dissatisfied with the allegedly unsatisfactory services provided by the Organisation, the Complainant left a negative review in a public post on the Organisation’s Facebook page. 
Amongst other things, there was a disagreement as to when the Organisation was required to return the S$100 deposit to the Complainant. 6 The Organisation publicly responded to the Complainant’s review in the comment section of the Complainant’s post on its Facebook page. In its response, the Organisation identified the Complainant by her English name and surname (“name”) and residential address (collectively referred to as the “Personal Data”) and informed the Complainant tha… | Directions | 76b2216f9b21cb552235144f0c76b8706503cf1a | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 211 | 211 | 1 | 952 | A joint decision was issued for three separate cases involving Management Corporation Strata Title and managing agents of condominiums. The parties were found not to be in breach for disclosing names of unit holders, unit numbers and voting shares of subsidiary proprietors via minutes and voters lists. | [ "Consent", "Notification", "Not in Breach", "Real Estate" ] |
2017-06-12 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---3-mcst-ma---120617.pdf | Consent, Notification | No Breach of Consent and Notification Obligations by MCST and Managing Agents of Condominiums | https://www.pdpc.gov.sg/all-commissions-decisions/2017/06/no-breach-of-consent-and-notification-obligations-by-mcst-and-managing-agents-of-condominiums | 2017-06-12 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1607-B0117 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Exceltec Property Management Pte Ltd (2) Management Corporation Strata Title Plan No 2956 (3) Strata Land Property Consultants Pte Ltd ... Organisations Decision Citation: [2017] SGPDPC 8 GROUNDS OF DECISION 12 June 2017 A. BACKGROUND 1. This decision arises from three separate cases involving Management Corporation Strata Title (“MCSTs”) and managing agents (collectively, the “Organisations”) of condominiums posting documents containing the personal data of subsidiary proprietors (hereinafter will be referred to as “residents”) on notice boards. The nature of the complaints was that the disclosures made of these personal data was an infringement of the Personal Data Protection Act 2012 (“PDPA”). 2. The Personal Data Protection Commission (the “Commission”) commenced investigations into the matter, and provides its decision below. 3. Although the three cases involve different residents and managing agents of condominiums, the facts of the three cases are substantially similar and the legal issues involved are identical. Therefore, this consolidated decision is issued for the three cases. B. MATERIAL FACTS AND DOCUMENTS 4. 
Between 29 June and 27 July 2016, the Commission received complaints from several residents of three condominiums (namely, (1) Prive, (2) The Mornington, and (3) Seletaris) against the condominiums’ respective MCST or managing agents, namely, (1) Exceltec Property Management Pte Ltd (“Exceltec”), (2) Management Corporation Strata Title Plan No 2956 (“MCST 2956”), and (3) Strata Land Property Consultants Pte Ltd (“Strata Land”) respectively: 5. a. In the first case, three residents (“1st Complainants”), complained that Exceltec had posted copies of the voter list containing the names, unit numbers, and voting shares of residents, and the draft minutes of the 1st council meeting on 12 July 2016 … | Not in Breach | 2ce165e02e9bb75e1c3bd17b406722924d367851 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 216 | 216 | 1 | 952 | A warning was issued to Executive Coach International for failing to notify and obtain consent from an ex-employee for the disclosure of her personal data. | [ "Consent", "Notification", "Warning", "Education" ] |
2017-03-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---executive-coach-international---210317.pdf | Consent, Notification | Breach of Consent and Notification Obligations by Executive Coach International | https://www.pdpc.gov.sg/all-commissions-decisions/2017/03/breach-of-consent-and-notification-obligations-by-executive-coach-international | 2017-03-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1504-A426 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (the “PDPA”) And Executive Coach International Pte. Ltd. [UEN 200414184R] ... Organisation Decision Citation: [2017] SGPDPC 3 GROUNDS OF DECISION 21 March 2017 BACKGROUND 1. On 20 April 2015, the Complainant, complained to the Personal Data Protection Commission (the “Commission”) that the Organisation had disclosed her past personal history in a WhatsApp group chat comprising the Complainant and the Organisation’s other staff and volunteer trainees (“WhatsApp Group”) without her consent and without notifying her of the purposes for the disclosure. 2. On account of the complaint made, the Commission commenced an investigation under Section 50 of the Personal Data Protection Act 2012 (the “PDPA”) to ascertain whether the Organisation had breached its obligations under the PDPA. The material facts of the case are as follows. MATERIAL FACTS AND DOCUMENTS 3. The Organisation is an organisation which provides life and executive coaching services to individual and corporate clients. The Complainant is a former employee of the Organisation. She was the personal assistant to [Redacted] (Replaced with Mr L), a director of the Organisation. The Complainant has since left the employment of the Organisation on unamicable terms. 4. The WhatsApp Group, comprising of the Organisation’s employees and volunteers, was created on 22 August 2013. 
The Complainant and Mr L were both participants in this WhatsApp Group. At the material time on 7 April 2015, there were a number of other participants in this WhatsApp Group.1 5. On 7 April 2015, Mr L disclosed highly sensitive information of the Complainant’s personal history, namely her past drug problem and issue with infidelity in her amorous relationship, (“Personal Data”) to the participants in the WhatsApp Group. The Organisation has not disputed that the personal history of the Complainant is p… | Warning | 4606cb34276907f06cf0c6913f89d949fec92bb7 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 220 | 220 | 1 | 952 | A warning was issued to Jump Rope (Singapore) for disclosing the personal data of two former employees without consent and notification. | [ "Consent", "Notification", "Warning", "Arts, Entertainment and Recreation" ] |
2016-11-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---jump-rope---241116.pdf | Consent, Notification | Breach of Consent and Notification Obligations by Jump Rope (Singapore) | https://www.pdpc.gov.sg/all-commissions-decisions/2016/11/breach-of-consent-and-notification-obligations-by-jump-rope-(singapore) | 2016-11-24 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1411-A265 JUMP ROPE (SINGAPORE) (UEN No. T13SS0090E) … Respondent Decision Citation: [2016] SGPDPC 21 GROUNDS OF DECISION 24 November 2016 A. BACKGROUND 1. On 1 December 2014, the Personal Data Protection Commission (“Commission”) received a complaint against Jump Rope (Singapore) (the “Respondent”) from a complainant (the “Complainant”) alleging that his personal data had been disclosed in an email sent to various Singapore government schools. 2. The Commission commenced an investigation under Section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by the Respondent of its obligations under the PDPA. B. MATERIAL FACTS AND DOCUMENTS 3. The Respondent is a non-profit society registered with the Registry of Societies that promotes and manages the sport of rope skipping, and provides training to students in Singapore schools. The Respondent was set up by the President of the Respondent, [redacted], who is also the owner and director of Emotion Learning Pte. Ltd. (“Emotion”) and Eltitude Pte. Ltd. (“Eltitude”). Emotion and Eltitude are companies in the business of providing enrichment and CCA education, and enrichment and sports coaching services to schools respectively. 4. Based on the Respondent’s response to the Commission during the investigation, the Commission understands that the Complainant was a former employee of Emotion and Eltitude, who held the designation of Part Time Instructor. 
The Complainant went through an in-house training program conducted by Emotion, and obtained a certificate in rope skipping coaching, which was issued by the Respondent. 5. The Respondent alleged that the Complainant had breached his contract of employment with his employers and had engaged in some unethical activities during the course of his employment. As a result, the Respondent blacklisted the Complainant and revoked his certification. 6. The President of the Respondent then decided to se… | Warning | fe526eedfbd39c4afe655dd5a1fe2bb66ec6b1a7 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 221 | 221 | 1 | 952 | A warning was issued to My Digital Lock for failing to make reasonable security arrangements to protect the personal data of a customer during its transfer. | [ "Protection", "Consent", "Warning", "Wholesale and Retail Trade" ] |
2016-11-04 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision---My_Digital_Lock_Pte_Ltd-(201604).pdf | Protection, Consent | Breach of Protection Obligation by My Digital Lock | https://www.pdpc.gov.sg/all-commissions-decisions/2016/11/breach-of-protection-obligation-by-my-digital-lock | 2016-11-04 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1601-A628 MY DIGITAL LOCK PTE. LTD. [UEN 201418165M] ... Respondent Decision Citation: [2016] SGPDPC 20 GROUNDS OF DECISION 4 November 2016 BACKGROUND 1. On 4 January 2016, [Redacted] (the “Complainant”), complained to the Personal Data Protection Commission (the “Commission”) that the Respondent had disclosed his personal data by posting screenshots of the Complainant’s WhatsApp conversations with the Respondent’s director, [Redacted] (Replaced with Mr A) on Mr A’s Facebook page. 2. On account of the complaint made, the Commission commenced an investigation under Section 50 of the Personal Data Protection Act 2012 (the “PDPA”) to ascertain whether the Respondent had breached its obligations under the PDPA. The material facts of the case are as follows. MATERIAL FACTS AND DOCUMENTS 3. The Respondent is in the business of selling digital locks and doors. The Complainant had made a purchase of a gate from the Respondent for his home. 4. Subsequently, the Complainant and the Respondent became involved in a dispute concerning alleged defects in the gate. The parties were engaged in legal proceedings in relation to certain remarks that were allegedly made by the Complainant concerning the Respondent’s product, business and/or service. On 4 January 2016, Mr A posted screenshots on his Facebook page of his previous WhatsApp messages (including photographs) that were exchanged between the Complainant and Mr A in connection with the dispute. In posting the screenshots on Facebook, the screenshots were made publicly viewable. 
The screenshots contained the Complainant’s personal mobile phone number and his residential address (“Complainant’s Personal Data”). The Complainant became aware of this and lodged his complaint. 5. On 1 March 2016, the Commission notified the Respondent of the complaint and sought assistance in investigations. In the course of the investigations, the Respondent accepted that there was a public disclosure of the Co… | Warning | d150ba21a2141296e862e0ebc722a66b43bef1e4 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 228 | 228 | 1 | 952 | A financial penalty of $500 was imposed on a registered salesperson of a property firm for disclosing personal data of two of his landlord’s tenants to a third party tenant without consent. | [ "Consent", "Financial Penalty", "Others", "ESTATE", "Property", "SALESPERSON" ] |
2016-08-12 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---rsp-justin-chua-(120816).pdf | Consent | Breach of Consent Obligation by a Registered Salesperson | https://www.pdpc.gov.sg/all-commissions-decisions/2016/08/breach-of-consent-obligation-by-a-registered-salesperson | 2016-08-12 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1411-A247 CHUA YONG BOON JUSTIN [NRIC NO. REDACTED] ... Respondent Decision Citation: [2016] SGPDPC 13 GROUNDS OF DECISION 12 August 2016 A. INTRODUCTION 1. On 15 November 2014, the Personal Data Protection Commission (the “Commission”) received an email from [Redacted] (Replaced with Mr K) (the “Complainant”) regarding the unauthorised disclosure of personal data of his wife and himself by the property agent of his landlord following a dispute between the Complainant, the Complainant’s wife, and another tenant, [Redacted] (Replaced with Ms C). The Commission proceeded to investigate into the alleged breach of the Personal Data Protection Act 2012 (“PDPA”). Its findings into the matter are set out below. B. MATERIAL FACTS AND DOCUMENTS 2. The Complainant, his wife, and Ms C are tenants of a landed property. For the purposes of entering into the tenancy with the landlord, the Complainant and his wife had previously provided their names and NRIC numbers (amongst other personal data) to the registered salesperson [footnote 1: Under the Estate Agents Act (Cap. 95A) (“EAA”)] (commonly known as a “property agent”) of the landlord, Mr Chua Yong Boon Justin (the “Respondent”). The Respondent was registered as a salesperson with Global Property Strategic Alliance Pte Ltd (“GPS”). The Respondent’s engagement as a salesperson with GPS was governed by a “Salesperson Agreement” dated 31 October 2011. 3. In or around November 2014, a dispute arose between Ms C and the Complainant and his wife over the usage of common space within the rented premises, and an argument had apparently ensued between the parties. 
The Respondent was not present during the argument. However, Ms C had informed him of the argument, and also requested the Respondent to provide her with the names and NRIC numbers of the Complainant and his wife so as to hold the Complainant “responsible” in the event that the Complainant had publicised the photos that were apparently take… | Financial Penalty | 028172bef7256a4b868d532ab6c60d23871e1eff | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 232 | 232 | 1 | 952 | Directions were issued to Universal Travel Corporation for disclosing a passenger list, consisting of 37 customers' personal data, to four of its customers without consent. The organisation was also penalised for its lack of data protection policies. | [ "Consent", "Purpose Limitation", "Notification", "Directions", "Others" ] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---universal-travel-corporation-(210416).pdf | Consent, Purpose Limitation, Notification | Breach of Consent and Other Obligations by Universal Travel Corporation | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-and-other-obligations-by-universal-travel-corporation | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1508-A496 UNIVERSAL TRAVEL CORPORATION PTE LTD (UEN. 197302113R) ... Respondent Decision Citation: [2016] SGPDPC 4 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. The Personal Data Protection Commission (“Commission”) received a complaint from a credible source concerning the alleged disclosure by the Respondent of personal data of 37 customers (the “passenger list”) in early March 2015 to certain individual(s) who participated in the 12 Days Legend of the Balkans Tour from 17 February 2015 to 28 February 2015 (“Balkans Tour”). 2. In the premises, the Commission decided to carry out an investigation into the matter. The Commission’s findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. Sometime in or around late February 2015, four of the customers of the Balkans Tour requested the Respondent to furnish formal documentation confirming the cancellation of their transit flight to Sofia on 18 February 2015 (TK1027/18FEB15 ISTANBUL-SOFIA) (“formal confirmation”) to process their insurance claims. 4. The Respondent therefore requested from Turkish Airline written confirmation of the flight cancellation and the affected passenger list. 5. Sometime in early March 2015, the Respondent sent the formal confirmation together with the letter from Turkish Airline and the passenger list by email to four of the customers of the Balkans Tour. 
The passenger list that was sent contained the name, nationality, date of birth, passport number, passport expiry date and passenger name record (a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together) of all 37 of the passengers/customers that were on the Balkans Tour. The passengers’ details were not masked or redacted when it was sent by the Respondent. It is not disputed that the passengers’ details constituted personal data under the control of the Respondent at the material time. 6. In the R… | Directions | 5a0ff182bd0082f840e509fc39079487ae98fb3a | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 233 | 233 | 1 | 952 | A warning was issued to YesTuition Agency for disclosing tutors’ personal data on its website without consent. | [ "Consent", "Warning", "Education", "YESTUITION", "Tuition" ] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---yestuition-agency-(210416).pdf | Consent | Breach of Consent Obligation by YesTuition Agency | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-obligation-by-yestuition-agency | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1407-A028 YESTUITION AGENCY (UEN No. 53084839B) …Respondent Decision Citation: [2016] SGPDPC 5 GROUNDS OF DECISION 20 April 2016 BACKGROUND 1. On 16 July 2014, the Personal Data Protection Commission (“Commission”) received information that YESTUITION AGENCY (UEN 53084839B) (the “Respondent”) had disclosed on its website the NRIC numbers and images of certain individuals who had registered to be tutors with the Respondent and it was alleged that they had done so without the consent of the individuals concerned. 2. In light of the information received, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (No. 26 of 2012) (the “PDPA”) to ascertain whether there had been a breach by the Respondent of its obligations under the PDPA. The Commission’s findings are set out below. MATERIAL FACTS AND DOCUMENTS 3. The Respondent is a locally registered business providing home tuition matching services to individuals seeking tutors for primary to A-levels education. The Respondent renders its matching services via a website, which it operates at www.yestuition.sg (the “Site”). 4. The Site consists of various webpages that are accessible to the public and a tutors’ log-in portal which is accessible only by individuals who had registered with the Respondent to be a tutor. Disclosure of NRIC numbers and images by the Respondent 5. From the Commission’s examination of the Site, it was found that the Respondent had published images of its tutors on its Site. 
The tutors’ images were stored in a JPEG file format and named using the tutors’ respective NRIC particulars, for example, as 1234567A.jpg. As such, the Respondent had also disclosed the tutors’ respective NRIC numbers with the images. 6. The NRIC numbers and images were at the material time made publicly discoverable and accessible via a directory listing on one of the Site’s pages. Investigations by the Commission indica… | Warning | 20a97b6ebe97b71c317c4befaebf71b555f828dd | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-12-14T14:54:52+00:00 | 0e20feac9c1e16c30580baa727a897e3bfcf8791 | 483 | 243 | 1 | 958 | Directions were issued to Tipros for failing to use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate. | [ "Consent", "Notification", "Purpose Limitation", "Directions", "Others" ] |
14 Dec 2023 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TIPROS_080623.pdf | Consent, Notification, Purpose Limitation | Breach of the Purpose Limitation Obligation by Tipros | https://www.pdpc.gov.sg/all-commissions-decisions/2023/12/breach-of-the-purpose-limitation-obligation-by-tipros | 2023-12-14 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 7 Case No. DP-2207-C0019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tipros … Organisation DECISION Tipros Yeong Zee Kin, Deputy Commissioner — Case No. DP-2207-C0019 8 June 2023 Introduction 1. On 21 July 2022, the Personal Data Protection Commission (the “Commission”) received a complaint that Tipros (the “Organisation”), a sole proprietorship in the wholesale of and repair of electrical appliances, had unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organisation’s Google reviews page (the “Incident”). 2. The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3. The complainant had engaged the Organisation to repair a refrigerator. Following the repairs made, the complainant gave a “1-star” review on a Google reviews page “24hr fridge refrigerator #1 Quick repair service Trusted in Singapore”, which has since been renamed “Tipros.sg”. 4. The Organisation promptly responded to the complainant’s review. What is problematic was that the Organisation included the complainant’s personal data, including the complainant’s residential address and mobile number in their response. 
The complainant filed a complaint with the Commission as the complainant was of the view that there was no reason for the Organisation to disclose her personal data in the course of responding to the review she left on the Organisation’s Google reviews page. 5. Apart from the Organisation’s response to the complainant’s review, the Commission found 13 other responses on the Organisation’s Google reviews page which disclosed, in a similar fashion, the personal data of other customers who had given reviews. Our Investigations 6. The Commission commenced investigations. In the course of investigations, it was … | Directions | acd36e3274c5e29fe0627b24b99136461cdd6c47 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
```sql
CREATE VIEW pdpc_decisions_version_detail AS
select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name)
    from columns
    where id in (
      select column
      from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;
```