pdpc_decisions_version_detail (view)

55 rows where tags contains "Directions"


Columns: _commit_at, _commit_hash, _id, _item, _version, _commit, description, tags, date, pdf-url, nature, title, url, timestamp, pdf-content, decision, _item_full_hash, _changed_columns
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 2
_item: 2
_version: 1
_commit: 952
description: A financial penalty of $3,000 was imposed on Autobahn Rent A Car for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control. Directions were also issued to strengthen access control measures to administrator accounts and to conduct reasonable security review of technical and administrative arrangements for the protection of personal data.
tags: ["Protection", "Financial Penalty", "Directions", "Others"]
date: 2023-09-15
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Autobahn-Rent-A-Car-Pte-Ltd_090623.pdf
nature: Protection
title: Breach of the Protection Obligation by Autobahn Rent A Car
url: https://www.pdpc.gov.sg/all-commissions-decisions/2023/09/breach-of-the-protection-obligation-by-autobahn-rent-a-car
timestamp: 2023-09-15
pdf-content: PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS 4 Case No. DP-2210-C0345 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Autobahn Rent A Car Pte. Ltd. SUMMARY OF THE DECISION 1 On 21 October 2022, Autobahn Rent A Car Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach (the “Incident”). 2 The Organisation operates a car-sharing service, Shariot, in Singapore. On 24 September 2022, the Organisation received customer feedback that a photograph on its mobile application had been replaced with a pornographic photograph. The Organisation discovered that the pornographic photograph had been uploaded through an unrevoked administrator account belonging to an ex-employee, who had left the Organisation in May 2022. The ex-employee received an email from an unknown sender on 10 September 2022 stating that his personal laptop had been hacked and demanding Bitcoins as ransom payment. The threat actor was able to log into the Shariot’s mobile application administrator portal through the administrator account belonging to the ex-employee, and used the export CSV function to download a copy of the Shariot’s users personal data. 3 Subsequently, on 21 October 2022, a cybersecurity solutions provider alerted the Organisation of a cybercrime forum post offering the sale of a Shariot database containing personal data. The Commission commenced investigations to determine whether the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”) by the Organisation. 4 The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. It admitted to a breach of the Protection Obligation under Section 24 of the PDPA. 5 The Organisation’s internal investigations discovered that compromise of the…
decision: Financial Penalty, Directions
_item_full_hash: 458ca2b78344d38cc2dec8a4e89a493c8a7475a2
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 5
_item: 5
_version: 1
_commit: 952
description: A financial penalty of $58,000 and $10,000 was imposed on Fullerton Healthcare and Agape CP Holdings respectively for failing to put in place reasonable security arrangements to protect personal data belonging to Fullerton Healthcare’s corporate clients and direct patients. Directions were also issued to both organisations to review and enhance processes relating to data handling processes, security audits and access controls to bolster their data protection arrangements.
tags: ["Protection", "Financial Penalty", "Directions", "Healthcare", "Public access"]
date: 2023-06-22
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Fullerton-Healthcare-Group-and-Agape-CP-Holdings_230323.pdf
nature: Protection
title: Breach of the Protection Obligation by Fullerton Healthcare and Agape CP Holdings
url: https://www.pdpc.gov.sg/all-commissions-decisions/2023/06/breach-of-the-protection-obligation-by-fullerton-healthcare-and-agape-cp-holdings
timestamp: 2023-06-22
pdf-content: PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 5 Case Nos. DP-2110-B9054 / DP-2110-B9060 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Fullerton Healthcare Group Pte Limited (UEN No. 201020358N) (2) Agape CP Holdings Pte. Ltd. (UEN No. 201435153E) … Organisations DECISION 1 (1) Fullerton Healthcare Group Pte Limited (2) Agape CP Holdings Pte. Ltd. Lew Chuen Hong, Commissioner — Case Nos. DP-2110-B9054 / DP-2110-B9060 23 March 2023 Introduction 1 On 19 October 2021 and 21 October 2021, Fullerton Healthcare Group Pte Limited (“FHG”) and Agape CP Holdings Pte. Ltd. (“Agape”) respectively notified the Personal Data Protection Commission (the “Commission”) that the personal data of FHG’s customers had been accessed, exfiltrated, and offered for sale on the dark web (the “Incident”). The Commission commenced investigations to determine whether the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”) by FHG and Agape. 2 On 11 January 2022 and 12 January 2022 respectively, FHG and Agape requested for the investigations to be handled under the Commission’s Expedited Decision Procedure. In this regard, FHG and Agape voluntarily provided and admitted to the facts set out below and admitted that they had failed to implement reasonable security arrangements to protect the personal data accessed and exfiltrated in the Incident in breach of section 24 of the PDPA (the “Protection Obligation”). Facts of the Case 3 FHG is an enterprise healthcare service provider which provides healthcare services to individuals and employees of its corporate clients. In 2018, FHG engaged Agape, a business process outsourcing provider and social enterprise, to provide call centre and appointment booking services for its customers (the “Services”). As part of its social enterprise initiatives, Agape engaged inmates from Changi Women’s Prison (the “Agents”) to assist in provision of the Services for FHG’s customers. 4 In order to c…
decision: Financial Penalty, Directions
_item_full_hash: 1b0b43399e4f4f5d75c72d6a95a144b1fdefd199
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 6
_item: 6
_version: 1
_commit: 952
description: Directions were issued to Kingsforce Management Services to ensure the implementation of regular patching, updates and upgrades for all software and firmware supporting its website(s) and application through which personal data in its possession may be accessed.
tags: ["Protection", "Directions", "Employment", "Protection", "Patching"]
date: 2023-05-11
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_KingsforceManagementServicesPteLtd_100323.pdf
nature: Protection
title: Breach of the Protection Obligation by Kingsforce Management Services
url: https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-kingsforce-management-services
timestamp: 2023-05-11
pdf-content: PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS1 Case No. DP-2202-B9480 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Kingsforce Management Services Pte Ltd SUMMARY OF THE DECISION 1. On 31 January 2022, the Personal Data Protection Commission (the “Commission”) was notified by Kingsforce Management Services Pte Ltd (the “Organisation”) of the sale on RaidForums, on or about 27 December 2021, of data from its jobseeker database (the “Incident”). 2. The affected database held approximately 54,900 jobseeker datasets, comprising name, address, email address, telephone number, date of birth, job qualifications, last and expected salary, highest qualification and other data related to job searches. 3. External cyber security investigators identified outdated website coding technology, with critical vulnerabilities, as the cause of the Incident. 4. The Commission accepted the Organisation’s request for handling under the Commission’s expedited breach decision procedure. The Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision, and to breach of section 24 of the Personal Data Protection Act (“the PDPA”). 5. The Organisation admitted work had not been completed on the website at launch owing to contractual disputes with the developer. The Organisation subsequently engaged IT maintenance vendors in an effort to ensure the security of the website. However, maintenance had been ad-hoc and limited to troubleshooting functionality issues from bugs, glitches and/or when a page failed to load. 6. In breach of the Protection Obligation, the Organisation failed to provide sufficient clarity and specifications to its vendors on how to protect its database and personal data. In Re Civil Service Club, the Commission had pointed out that organisations that engage IT vendors can provide clarity and emphasize the need for personal data protection to their IT vendors by a) making it part of their contractual terms, and b) revi…
decision: Directions
_item_full_hash: 55f101a661c1696120dbd78b07f569b7bba4c9db
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 7
_item: 7
_version: 1
_commit: 952
description: A financial penalty of $8,000 was imposed on Fortytwo for failing to put in place reasonable security arrangements to protect the personal data in its possession. Fortytwo was also issued directions to complete the upgrading of its website to a supported software version, including vulnerability assessment and penetration testing.
tags: ["Protection", "Financial Penalty", "Directions", "Wholesale and Retail Trade", "Patching"]
date: 2023-05-11
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_FortyTwo070323.pdf
nature: Protection
title: Breach of the Protection Obligation by Fortytwo
url: https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-fortytwo
timestamp: 2023-05-11
pdf-content: PERSONAL DATA PROTECTION COMMISSION [2023 SGPDPCS 3] Case No. DP-2112-B9354 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Fortytwo Pte. Ltd. SUMMARY OF THE DECISION 1. On 24 December 2021, Fortytwo Pte. Ltd. (the “Organisation”), an online furniture store, notified the Personal Data Protection Commission (the “Commission”) of malicious code injections on its website which led to the capturing of the email address and password of 6,241 individuals when they logged in to its website (the “Incident”). The name, credit card number, expiry date and CVV/CVN number of another 98 individuals’ were also affected. 2. The Organisation requested for the matter to be handled under the Commission’s expedited breach decision procedure. This means that the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision; and admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. An issue that arose in this case is whether fictitious names or pseudonymous personal particulars form part of the personal data under the possession or control of the Organisation. The importance of this lies in how it may potentially reduce the size of the dataset that was at risk. In their addendum to the Written Statement, the Organisation stated that it does not verify the names provided by the users, and suggested that the impact of the Incident might be more limited as some of the users’ names may be incomplete, fictitious or pseudonymous. 4. Section 2(1) of the PDPA defines “personal data” to be data, whether true or not (emphasis added), about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. The PDPA caters for the situation where not every record of personal data that is under the possession or control of an Organisation is verified. It takes a practical approach, as the accuracy of persona…
decision: Financial Penalty, Directions
_item_full_hash: 94a50b28e4364bbb6e7cc57412b04d7d6841f870
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 8
_item: 8
_version: 1
_commit: 952
description: Directions were issued to The Law Society of Singapore to conduct a security audit of its technical and administrative arrangements for accounts with administrative privileges that can access directly and/or create access to personal data, and to rectify any gaps identified. This is pursuant to a data breach incident where The Law Society’s servers were subjected to a ransomware attack.
tags: ["Protection", "Directions", "Professional", "Scientific and Technical", "Ransomware", "Patching", "Security", "Password"]
date: 2023-05-11
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_LawSocietyofSingapore_140323.pdf
nature: Protection
title: Breach of the Protection Obligation by The Law Society of Singapore
url: https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-the-law-society-of-singapore
timestamp: 2023-05-11
pdf-content: PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 4 Case No. DP-2102-B7850 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Law Society of Singapore … Organisation DECISION 1 The Law Society of Singapore Yeong Zee Kin, Deputy Commissioner — Case No. DP-2102-B7850 14 March 2023 Introduction 1 On 4 February 2021, the Law Society of Singapore (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack on its servers which had encrypted and denied the Organisation access to the personal data of its members and former members (the “Incident”). The Commission commenced investigations to determine whether the circumstances behind the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Organisation is a body corporate established under the Legal Profession Act 1966 and represents members of the legal profession in Singapore. Every advocate and solicitor called to the Singapore bar is a statutory member of the Organisation as long as they have a practising certificate in force. At the material time, the Organisation stored the personal data of its current and former members (“Members”) in one of its servers for the purposes of carrying out its statutory functions. 3 The Organisation had implemented an off-the-shelf secure VPN solution, FortiOS, to manage remote access to its servers (the “VPN System”). The Organisation also engaged a vendor (the “Vendor”) to provide IT support services, including maintenance of the VPN System. For completeness, the Vendor was not the Organisation’s data intermediary as it did not access or process the personal data of the Members in the course of carrying out its IT support services. 4 The Organisation also implemented antivirus / malware detection software at the servers, and password complexity requirements for its users’ accounts. In particular, account passwords had a maximum lifes…
decision: Directions
_item_full_hash: 7d6096f9562cfde74f556a2117cc264960050a02
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 13
_item: 13
_version: 1
_commit: 952
description: Directions were issued to CPR Vision Management Pte Ltd to conduct a security audit of its technical and administrative arrangements for the protection of personal data in its possession or control and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where CPR Vision Management Pte Ltd’s server and network storage devices were subjected to a ransomware attack.
tags: ["Protection", "Directions", "Others", "Ransomware", "Data Intermediary", "Retention"]
date: 2023-02-10
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---CPR-Vision-Management-Pte-Ltd---071222.pdf
nature: Protection
title: Breach of the Protection Obligation by CPR Vision Management Pte Ltd
url: https://www.pdpc.gov.sg/all-commissions-decisions/2023/02/breach-of-the-protection-obligation-by-cpr-vision-management-pte-ltd
timestamp: 2023-02-10
pdf-content: PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 17 Case No. DP-2207-B8974 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And CPR Vision Management Pte Ltd L’Oreal Singapore Pte Ltd L’Occitane Singapore SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received data breach notification reports from (i) L’Oreal Singapore Pte Ltd (“L’Oreal”) on 29 October 2021 and (ii) L’Occitane Singapore Pte Ltd (“L’Occitane”) on 1 November 2021 respectively of a ransomware attack on their customer relationship management (“CRM”) system vendor, CPR Vision Management Pte Ltd (the “Organisation”). The Organisation is a data intermediary that helped to process personal data collected by L’Oreal and L’Occitane. 2. The ransomware attack affected a server and three network attached storage (“NAS”) devices in the Organisation’s office (“office network”), and led to the encryption of the personal data belonging to 83,640 L’Occitane’s customers and 35,079 L’Oreal’s customers, which included their name, address, email address, mobile number, NRIC number, date of birth, age, gender, race, nationality, loyalty points and amount spent. 3. The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. It also admitted to a breach of the Protection Obligation under Section 24 and the Retention Limitation Obligation under Section 25 of the Personal Data Protection Act (the “PDPA”). 4. The Organisation’s internal investigations found the threat actor had first gained access to the office network via a compromised user account VPN connection on 13 October 2021 before executing the ransomware attack on or about 15 October 2021. However, due to the limited data logs available on the Organisation’s FortiGate firewall and VPN appliance, the Organisation was not able to determi…
decision: Directions
_item_full_hash: 7e9168136ea5e122bc3f4577c70535e0fc6c7689
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 15
_item: 15
_version: 1
_commit: 952
description: Directions were issued to Thomson Medical to conduct scan of the web to ensure no publication of affected personal data online and to include in the review of its application deployment process, measures such as the arrangements for security testing and the implementation of data retention policy. This is pursuant to a data breach incident from an unsecured Health Declaration Portal which enabled public access to visitors' personal data.
tags: ["Protection", "Directions", "Healthcare"]
date: 2022-12-19
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Thomson-Medical-Pte-Ltd---140922.pdf
nature: Protection
title: Breach of the Protection Obligation by Thomson Medical
url: https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-protection-obligation-by-thomson-medical
timestamp: 2022-12-19
pdf-content: PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 15 Case No. DP-2010-B7246 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Thomson Medical Pte. Ltd. SUMMARY OF THE DECISION 1. On 26 October 2020, the Personal Data Protection Commission (the “Commission”) was notified that the Thomson Medical Pte. Ltd. (the “Organisation”) Health Declaration Portal was not secure, enabling public access to the personal data of visitors (the “Incident”) stored in a CSV (comma separated values) file. 2. Visitor data collected on the Organisation’s Health Declaration Portal had been stored concurrently in a publicly-accessible CSV file as well as a secured database from 16 April 2020, when the health declaration portal was first used by the Organisation to 8 September 2020, when the storage of the visitor data was changed to only the secured database instead of the CSV file. The CSV file was hosted on the Organisation’s web server. 3. The Organisation admitted that, contrary to the instructions given to the employee to switch the data storage from the CSV file to secured database exclusively, and the organisation’s protocols, its in-house developer had omitted to remove a software code, causing the visitor data to be stored in the CSV file and the same in-house developer had omitted to change the default web server configuration, thereby allowing public access to the hosted CSV file. The switch to storage in a secured database would have ensured access controls by requiring user login ID and secure password protection, as well as encryption of data transfers using SSL certificates. The access controls would ensure that only authorized users would be able to access the data. 4. The Commission’s investigations revealed that the affected CSV file contained the personal data of 44,679 of the Organisation’s visitors, including the date and time of visit, temperature, type of visitor (purpose of visit), name of visitor, name of newborn, contact number, NRIC/FIN/passport num…
decision: Directions
_item_full_hash: 2e2e404473e7fa064a0c51315f167b10b4810806
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 17
_item: 17
_version: 1
_commit: 952
description: Directions were issued to both Shopify Commerce Singapore and Supernova to put in place a process to ensure compliance with the Transfer Limitation Obligation following a data breach incident of Shopify Inc's database.
tags: ["Transfer Limitation", "Directions", "Others", "Data Intermediary"]
date: 2022-11-18
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Supernova-Pte-Ltd_06102022.pdf
nature: Transfer Limitation
title: Breach of the Transfer Limitation Obligation by Shopify Commerce Singapore and Supernova
url: https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-transfer-limitation-obligation-by-shopify-commerce-singapore-and-supernova
timestamp: 2022-11-18
pdf-content: PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 7 Case No: DP-2103-B8147 / DP-2206-B9935 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Supernova Pte Ltd (2) Shopify Commerce Singapore Pte Ltd … Organisation DECISION Supernova Pte Ltd & Anor Yeong Zee Kin, Deputy Commissioner — Case No. DP-2103-B8147/ DP-2206-B9935 6 October 2022 Introduction 1 On 8 October 2020, the Personal Data Protection Commission (the “Commission”) was notified by Supernova Pte Ltd (“SNPL”) of a data breach incident of Shopify Inc’s database affecting the personal data of certain Singapore-based customers (the “Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case Background 2 Shopify Inc (“Shopify”) is a company based in Canada that operates an e-commerce platform for online retailers to conduct sales (the “Platform”). SNPL is an online retailer that began using the Platform in 2018 to sell its products to customers. Shopify provided payment processing and other services (the “Services”) to SNPL pursuant to the Shopify Plus Agreement, executed by Shopify and SNPL on 4 December 2018. Shopify Commerce Singapore Pte Ltd (“Shopify SG”) acted as the Asia-Pacific data sub-processor of Shopify pursuant to the Shopify Data Processing Addendum to the Shopify Plus Agreement, and its role was confined to collecting customer personal data (including SNPL’s) via the Platform and transferring the data out of Singapore to Shopify for both Purchase Processing and Platform Processing. 3 The Platform collected personal data from customers of its online retailers for two broad sets of purposes. First, to facilitate billing, payment and shipping on behalf of the Platform’s online retailers (“Purchase Processing”). Second, for Shopify’s own commercial and administrative purposes. This mainly included th…
decision: Directions
_item_full_hash: a460c9f6da7d242e2c26bf56c9b5bc6bd47df7e7
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 22
_item: 22
_version: 1
_commit: 952
description: Directions were issued to Budgetcars to put in place appropriate contractual provisions, conduct a security audit of its technical and administrative arrangements for the security and maintenance of its website and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where personal data could be accessed by changing a few digits of the tracking ID.
tags: ["Protection", "Directions", "Transport and Storage"]
date: 2022-08-11
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Budgetcars-Pte-Ltd---06072022.pdf
nature: Protection
title: Breach of the Protection Obligation by Budgetcars
url: https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-budgetcars
timestamp: 2022-08-11
pdf-content: PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 13 Case No. DP-2108-B8798 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Budgetcars Pte. Ltd. SUMMARY OF THE DECISION 1. On 25 August 2021, the Personal Data Protection Commission (the “Commission”) received a complaint that the delivery tracking function (the “Tracking Function Page”) on the website of Budgetcars Pte Ltd (the “Organisation”) could be used to gain access to the personal data belonging to another individual. By changing a few digits of a Tracking ID, the complainant could access the personal data of another individual (the “Incident”). 2. The Organisation is a logistics company delivering parcels to customers (“Customers”) on behalf of retailers (“Retailers”). 3. The personal data of 44,357 individuals had been at risk of unauthorised access. The datasets comprised name, address, contact number and photographs of their signatures. 4. The Tracking Function Page was set up in December 2020 to allow Retailers and Customers to (i) keep track of the delivery status of their parcels; and (ii) confirm the identity of individuals to collect parcels on their behalf (where applicable). The Tracking IDs were generated by Retailers and comprised either sequential or nonsequential numbers. Although generated by Retailers, the Organisation adopted the Tracking IDs for use on its own Tracking Function Page that allowed their customers to track their deliveries, which would disclose personal data listed above. The Protection Obligation therefore required the Organisation to ensure that there were reasonable access controls in its use of the Tracking IDs for giving access to an individual’s personal data. 5. The risk of unauthorised access to personal data from altering numerical references, both sequential and non-sequential, have featured in the published decisions of the Commission in Re Fu Kwee Kitchen Catering Services [2016] SGPDPC 14, and more recently, in Re Ninja Logistics Pte. Ltd. [2019] SGPDPC…
decision: Directions
_item_full_hash: f58b11a86b70faf2534d0dbe08ee7f22ddbeaeb9
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
_commit_at: 2023-10-01T11:02:10+08:00
_commit_hash: fbd32491db44d3d0c97aa12a99cefd61ec954264
_id: 23
_item: 23
_version: 1
_commit: 952
description: Directions were issued to Crawfort to conduct a security audit of its technical and administrative arrangements for its AWS S3 environment and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where Crawfort's customer database were offered for sale in the dark web.
tags: ["Protection", "Directions", "Finance and Insurance"]
date: 2022-07-14
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Crawfort-Pte-Ltd---070622.pdf
nature: Protection
title: Breach of the Protection Obligation by Crawfort
url: https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-crawfort
timestamp: 2022-07-14
pdf-content: PERSONAL DATA PROTECTION COMMISSION Case No. DP-2106-B8446 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Crawfort Pte. Ltd. SUMMARY OF THE DECISION 1. On 9 June 2021, Crawfort Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of the sale of the Organisation’s customer data on the dark web (the “Incident”). 2. The personal data of 5,421 customers were affected. The datasets affected comprised NRIC images (front and back), PDF copies of loan contract (containing all the information in the NRIC, age, email address, contact number and loan amount) and PDF copies of income document (payslip, CPF statements or IRAS Notice of Assessment). 3. The Organisation engaged external cyber security teams to investigate the Incident. The investigation identified an opened S3 server port in the Organisation’s AWS environment as the cause of the Incident. 4. The Organisation explained that it had opened the S3 server port for one week during a data migration exercise sometime on or about 15 April 2020 for business continuity purposes. On 3 April 2020, the Singapore government had announced that the country will enter into a Circuit Breaker to contain the spread of COVID-19. All non-essential workplaces, including the Organisation, had to be closed from 7 April 2020. In order to continue its business, the Organisation had to pivot its operations so as to allow its staff to work from home and its customers to make loan applications remotely. Within a very short period, the Organisation had to carry out the data migration exercise and as a result, overlooked conducting a risk assessment prior to conducting the data migration exercise. 5. The opened S3 server port connected directly to the S3 server hosting the S3 buckets, which contained the affected personal data. The open remote port enabled attempts to connect to the Organisation’s AWS environment from the internet. Furthermore, the S3 bucket containing the affected p…
decision: Directions
_item_full_hash: e2755a8249f833e1c234b8532991f2dc6896ee30
_changed_columns: ["pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description"]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 33 33 1 952 A financial penalty of $12,500 was imposed on PINC for failing to put in place reasonable security arrangements to protect the personal data in its possession. Directions were also issued to PINC to develop and implement internal data protection policies and practices to comply with the PDPA and to ensure no copies of database were stored on employees' personal computers.
[
    "Accountability",
    "Protection",
    "Financial Penalty",
    "Directions",
    "Wholesale and Retail Trade",
    "No Policy"
]
2022-05-19 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---PINC-Interactive-Pte-Ltd---04022022.pdf Accountability, Protection Breach of the Accountability and Protection Obligations by PINC Interactive https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-accountability-and-protection-obligations-by-pinc-interactive 2022-05-19 PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 1 Case No. DP-2002-B5827 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And PINC Interactive Pte. Ltd. … Organisation DECISION PINC Interactive Pte. Ltd. [2022] SGPDPC 1 Lew Chuen Hong, Commissioner — Case No. DP-2002-B5827 4 February 2022 Introduction 1 On 2 February 2020, the Personal Data Protection Commission (“the Commission”) received feedback about a Twitter post dated 31 January 2020 which revealed that the personal data of users of www.pincstyle.com had been exposed. The tweet included a snapshot of the data (“the Incident”). The Commission commenced investigations into the Incident thereafter. Facts of the Case 2 The website www.pincstyle.com was created and managed by PINC Interactive Pte. Ltd. (“the Organisation”) at the material time. Investigations revealed that sometime in October 2019, a database comprising 252,813 records was accessed and exfiltrated from the Organisation’s staging servers (the “Staging Database”). The Staging Database is a synthetic database containing personal data of 3,916 actual users, while the remaining 248,897 records were fake or “dummy” data modelled after the real data. The synthetic database was used to facilitate development and testing on the staging servers. The personal data from the 3,916 actual users that were exposed in the Incident included the name, username, email address, contact number (for some users) and a password hash. 
For completeness, the 3,916 user records in the Staging Database are equivalent to 1.6% of the Organisation’s total database of 252,813 user records. 3 Investigations revealed two likely causes of the Incident. First, the developers, who are the Organisation’s employees, had retained a copy of the Staging Database on their own personal devices, and the database was exfiltrated when the developers’ computers were compromised. The Organisation stated that while they had instructed the developers to use … Financial Penalty, Directions d2cda7ac80cc4638223955ef382304ee06a36b98
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 37 37 1 952 Directions were issued to ACL Construction (S) for breach of the PDPA in relation to its failure to appoint a data protection officer and to put in place policies and practices to comply with the PDPA.
[
    "Accountability",
    "Directions",
    "Construction",
    "No DPO"
]
2022-04-21 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--ACL-Construction-S-Pte-Ltd--030222.pdf Accountability Breach of Accountability Obligation by ACL Construction (S) https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-accountability-obligation-by-acl-construction 2022-04-21 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2107-B8598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ACL Construction (S) Pte Ltd SUMMARY OF THE DECISION 1. On 2 June 2021, the Personal Data Protection Commission (the “Commission”) was notified that data from ACL Construction (S) Pte Ltd (the “Organisation”), a company that provides pre-fabricated structures, structural steel products and construction services, was being offered for sale on the darkweb by one “Prometheus” (the “Incident”). 2. Investigations revealed that a few days ago, three ACL staff - a designer and two sales executives had experienced difficulties when they tried to log in to access their files. Thereafter, the ACL staff discovered that the files had been encrypted. The Organisation then sought external IT support. 3. The Organisation informed the Commission that the affected files contained the following data related to their projects: (i) Quotation folder – quotations (to clients and from suppliers), delivery orders, invoices and other supporting documents; (ii) Common folder – project document and photographs; and Page 1 of 3 (iii) Drawing folder – CAD drawings. 4. Our investigations revealed that the affected files contained the names of the Organisation’s customers, the relevant liaison person, their business contact number(s) and/or business email(s). 
As the names, business contact numbers and business emails were not provided by the individuals concerned for a personal purpose, they would constitute “business contact information” as defined under the Personal Data Protection Act (“PDPA”), and fall outside the scope of the Act by virtue of section 4(5) of the PDPA. Accordingly, while the Organisation may have suffered a data breach, no personal data was in fact affected. 5. This finding alone would have brought the matter to a close. However, in the course of our investigations, the Commission found out that the Organisation had failed to designate one or more individuals,… Directions e5d93d363b4513ab709353939decc81ce04eb8a1
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 49 49 1 952 Directions were issued to J & R Bossini Fashion for breaches of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to its parent company in Hong Kong and the protection of its employees’ personal data stored in its servers in Singapore.
[
    "Protection",
    "Transfer Limitation",
    "Directions",
    "Wholesale and Retail Trade"
]
2021-10-14 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---J--R-Bossini-Fashion-Pte-Ltd---18082021.pdf Protection, Transfer Limitation Breach of the Protection and Transfer Limitation Obligations by J & R Bossini Fashion https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-and-transfer-limitation-obligations-by-j-r-bossini-fashion 2021-10-14 PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 9 Case No. DP-2006-B6440 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And J & R Bossini Fashion Pte Ltd … Organisation DECISION J & R Bossini Fashion Pte Ltd [2021] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2006-B6440 18 August 2021 Introduction 1 On 13 June 2020, J & R Bossini Fashion Pte Ltd (“the Organisation”) notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the IT systems of the Organisation’s group of companies on or around 27 May 2020 (“the Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Organisation is a company incorporated in Singapore, and a subsidiary of Bossini International Holdings Limited, a company listed on the Stock Exchange of Hong Kong (“Bossini Holdings”). Bossini Holdings and its subsidiaries (“the Group”) are in the business of garment retail and brand franchising. 3 The Group’s IT systems and infrastructure across different regions (including Singapore) are centrally managed by Bossini Holdings from Hong Kong. 
While most of the Group’s production servers are located in Hong Kong, at the material time, the Organisation maintained two servers and various workstations for its staff in Singapore which were connected to the Group’s network in Hong Kong by way of a virtual private network (“VPN”). Personal data collected by the Organisation 4 Sometime prior to 2017, the Organisation collected personal data from customers and prospective customers in Singapore for the purposes of administering a customer loyalty programme. The personal data collected comprised each individual’s: (a) Name; (b) NRIC number, (c) Phone number, (d) Email address, (e) Residential address, (f) Date of birth; and (g) Gende… Directions 0705137f0dd7129af2528c049cc49cf5edda8502
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 50 50 1 952 A financial penalty of $37,500 was imposed on Stylez for failing to put in place reasonable security arrangements to protect the personal data of its customers and for failing to cease retaining data once the purpose of collection no longer existed. As a result, the personal data of its customers was publicly exposed. A direction was also issued to Stylez to develop and implement internal data protection policies and practices to comply with the PDPA.
[
    "Protection",
    "Accountability",
    "Retention Limitation",
    "Financial Penalty",
    "Directions",
    "Accommodation and F&B",
    "Database"
]
2021-10-14 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Stylez-Pte-Ltd---04082021.pdf Protection, Accountability, Retention Limitation Breach of the Protection, Accountability and Retention Limitation Obligations by Stylez https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-accountability-and-retention-limitation-obligations-by-stylez 2021-10-14 PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 8 Case No. DP-2001-B5645 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Stylez Pte Ltd … Organisation DECISION Stylez Pte. Ltd. [2021] SGPDPC 8 Lew Chuen Hong, Commissioner — Case No. DP-2001-B5645 4 August 2021 Introduction 1 On 25 December 2019, a local newspaper reported that data from a quotation and service comparison portal, iCompare.sg (“the Portal”), had been uploaded onto the Dark Web (the “Incident”)1 . The Personal Data Protection Commission (“the Commission”) commenced investigations into the Incident thereafter. Facts of the Case 2 The Portal was created and operated by Stylez Pte Ltd (“Organisation”) at the material time. In July 2016, the Organisation created a new database containing data from the Portal for the purposes of testing a new function for the Portal in a separate test environment (the “Testing Database”). The Testing Database was a text file comprising records of the Portal’s renovation and interior design clients from 2009 to 2016 and was hosted on a cloud server leased from a cloud storage service provider (“the Server”). 3 Investigations revealed that the data exposed in the Incident was accessed and exfiltrated from the Testing Database some time before December 2019. A total of 9,983 individuals’ personal data, comprising their name, email address, and phone number were exposed in the Incident. 
4 The Portal’s production and backup databases were hosted on servers leased from a different cloud service provider and were unaffected in the Incident. 1 https://www.straitstimes.com/singapore/local-renovation-database-exposed-on-dark-web Remedial actions 5 Following the Incident, the Organisation took the following remedial actions: a. The Testing Database and the account from which it was hosted were deleted; b. A malware scan was run on the Server, and all unnecessary files were removed; c. The operating system of the Server was updated and the root passwor… Financial Penalty, Directions 573fcfa5db4c96ff1bb6711b02e1ab2d1d9cd20a
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 56 56 1 952 Directions were issued to NUInternational Singapore and Newcastle Research and Innovation Institute for breach of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to their ultimate parent company in the United Kingdom and related company in Malaysia.
[
    "Transfer Limitation",
    "Directions",
    "Education",
    "Ransomware",
    "Consent"
]
2021-09-21 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NUI-and-NewRIIS--23062021.pdf Transfer Limitation Breach of the Transfer Limitation Obligation by NUInternational Singapore and Newcastle Research and Innovation Institute https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-transfer-limitation-obligation-by-nuinternational-singapore-and-newcastle-research-and-innovation-institute 2021-09-21 PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 5 Case No. DP-2009-B7011 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) NUInternational Singapore Pte Ltd (2) Newcastle Research and Innovation Institute Pte Ltd … Organisations DECISION (1) NUInternational Singapore Pte Ltd; (2) Newcastle Research and Innovation Institute Pte Ltd [2021] SGPDPC 5 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2009-B7011 23 June 2021 Introduction 1 On 17 September 2020 and 13 November 2020, the Personal Data Protection Commission (the “Commission”) was notified of a ransomware attack relating to Newcastle Research and Innovation Institute Pte Ltd and NUInternational Singapore Pte Ltd (collectively known as the “Organisations”) in Singapore (the “Incident”). Facts of the case 2 The ransomware infected, on or around 30 August 2020, (a) a database in the United Kingdom, managed by the ultimate parent company of the Organisations (containing 1,083 records of Singapore-based individuals); and (b) a database in Malaysia, hosted by a related company of the Organisations (containing 194 records of Singapore-based individuals). These records containing personal data of the Singapore-based individuals were previously transferred from the Organisations to the ultimate parent company in the United Kingdom and the related company in Malaysia respectively. The Singapore-based individuals were a mix of staff members, undergraduates and/or post-graduate students of the Organisations. 
Their personal data (comprising names and user account identifications) were exfiltrated by the threat actor. Findings and Basis for Determination 3 Section 26(1) of the PDPA stipulates that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection un… Directions 3b598c8a7be71e58fadf5f81e6bf2476ad13c791
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 66 66 1 952 Chapel of Christ the Redeemer failed to put in place reasonable measures to protect its members' personal data. Further, it did not have written policies and practices necessary to comply with the PDPA.
[
    "Accountability",
    "Protection",
    "Directions",
    "Others",
    "No Policy",
    "Access control",
    "Indexing"
]
2021-04-15 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Chapel-of-Christ-the-Redeemer---290121.pdf Accountability, Protection Breach of the Protection and Accountability Obligations by Chapel of Christ the Redeemer https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-and-accountability-obligations-by-chapel-of-christ-the-redeemer 2021-04-15 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7132 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chapel of Christ the Redeemer SUMMARY OF THE DECISION 1. On 6 October 2020, Chapel of Christ the Redeemer (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) that a file (the “File”) containing personal data of 815 members’ name, NRIC, address, date of birth, marital status, email address, mobile and residential phone number was inadvertently disclosed online. 2. Investigations revealed that a staff had accidentally uploaded the File (which was supposed to be an internal document) onto the sub-directory on 24 November 2019. The Organisation only discovered the matter on 8 September 2020 when a member of the Organisation performed a Google search of another member’s name and found a Google search result of the File. 3. The Organisation admitted that there were no access controls to the sub-directory prior to the incident as the sub-directory was intended to be accessible to public. As a result, the File was indexed by search engines and showed up in online search results. The Organisation also admitted that at the time of the incident, the Organisation had not developed any internal policies and practices to ensure compliance with the Personal Data Protection Act 2012 (the “PDPA”). In particular, there was no system of checks for the uploading of files on the Organisation’s website. 4. 
Fortuitously, it appeared that the access to the File was minimal – based on Google Analytics Report, save for the Organisation’s member who discovered the File on the internet on 8 September 2020, there was only one other access to the File on 9 December 2019, and the access only lasted for approximately 1 minute. 5. Following the incident, the Organisation disabled the search engine indexing to the subdirectory, password-protected all files with members’ data, and implemented a weekly check of all files uploaded onto the websi… Directions 3af9997c53409121b23cd38f9ec106f784e3648c
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 76 76 1 952 Directions were imposed on Everlast Projects, Everlast Industries (S) and ELG Specialist for breaches of the PDPA. First, the organisations failed to put in place reasonable measures to protect their employees’ personal data. Second, they did not have written policies and practices necessary to ensure their compliance with the PDPA.
[
    "Accountability",
    "Protection",
    "Directions",
    "Construction",
    "No Policy",
    "Ransomware"
]
2020-12-18 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Everlast-Projects-and-Others---301020.pdf Accountability, Protection Breach of the Accountability and Protection Obligations by Everlast Projects, Everlast Industries (S) and ELG Specialist https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-accountability-and-protection-obligations-by-everlast-projects 2020-12-18 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 20 Case No. DP-1908-B4369 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Everlast Projects Pte Ltd (2) Everlast Industries (S) Pte Ltd (3) ELG Specialist Pte Ltd … Organisations DECISION Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1908-B4369 30 October 2020 Introduction 1 On 29 September 2019, Everlast Projects Pte Ltd (“EPPL”) notified the Personal Data Protection Commission (“Commission”) that its server (“Server”) had been hacked and all the files within it were encrypted by ransomware sometime in August 2019 (the “Incident”). Facts of the Case 2 EPPL, Everlast Industries (S) Pte Ltd (“EIPL”) and ELG Specialist Pte Ltd (“ESPL”) (collectively, the “Organisations”) specialise in the supply and installation of architectural metal works, glass and aluminium products. The Organisations are owned by the same shareholder, managed by the same directors, and operate from common premises. Two of the Organisations also have a common name, “Everlast”. The Organisations operated like a group of companies and centralised their payroll processing, such that the human resources (“HR”) department of EPPL was in charge of processing payrolls of not only its own employees, but also the employees of EIPL and ESPL. The Organisations’ employees’ personal data were stored in the Server, which was owned and maintained by EPPL. 
3 On 10 August 2019, EPPL discovered the Incident. EPPL had both an onsite physical backup and a secondary cloud backup of the contents of the Server. The physical backup was affected by the ransomware and rendered unusable. A total of 384 individuals were affected by the Incident (the “Affected Employees”): EPPL, 141 employees; EIPL, 239 employees; ESPL, 4 employees; total number of individuals, 384. 4 T… Directions 6bf33286d1c3d26557836242297e0273d9b08921
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 81 81 1 952 Directions, including a financial penalty of $7,500, were imposed on Majestic Debt Recovery for failing to obtain consent from its debtors to record the debt collection process. Majestic Debt Recovery also did not obtain consent to upload the recordings onto its Facebook Page. Additionally, Majestic Debt Recovery did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Protection",
    "Accountability",
    "Directions",
    "Financial Penalty",
    "Others",
    "Consent",
    "No DPO",
    "No Policy"
]
2020-11-24 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Majestic-Debt-Recovery---02032020.pdf Protection, Accountability Breach of the Consent and Accountability Obligations by Majestic Debt Recovery https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-consent-and-accountability-obligations-by-majestic-debt-recovery 2020-11-24 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 7 Case No DP-1903-B3570 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Majestic Debt Recovery Pte Ltd … Organisation DECISION 1 Majestic Debt Recovery Pte Ltd [2020] SGPDPC 7 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3570 2 March 2020 Introduction 1 This case concerns a debt collection company’s posting of a video recording on social media as a tactic to shame a debtor. The recordings in question captured exchanges between the company’s representative and staff of the debtor company. Facts of the Case 2 Majestic Debt Recovery Pte Ltd (the “Organisation”) is a company in the business of collecting debts on the behalf of its clients. On 22 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from the managing director (the “Complainant”) of a debtor company (the “Company”) stating that the Organisation had been engaged by the Company’s sub-contractor to recover debts from the Company. The Complainant stated that on or around 21 March 2019, the Organisation’s representatives (the “Representatives”) visited the Company’s premises to collect a debt on behalf of its client (the “Incident”). Not surprisingly, heated words were exchanged with the Company’s personnel when the Representatives attempted to recover the debt. The Representatives recorded video footage of the exchanges with the Company’s personnel, including the Complainant (the “Recording”), on a tablet device. 
The Complainant and the Company’s personnel could be identified from the images and audio captured by the Recording. According to the Complainant, he “protested against the taking of [the Recording and] posting it [on] social media but [the Representative] said he would do it”. The Representatives nonetheless took the Recording and subsequently posted it on the Organisation’s official public Facebook page (its “Facebook Page”). 3 During its investigation, the Commission found other… Directions, Financial Penalty 735c56aebf1838696565bb02754125b665e3d968
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 82 82 1 952 Directions were issued to Security Masters for failing to put in place reasonable security arrangements to prevent the unauthorised access of building visitors’ mobile numbers. A member of its security personnel had contacted the visitors to request the return of visitor passes and to send them Chinese New Year greetings.
[
    "Protection",
    "Directions",
    "Others",
    "Text messages",
    "Mobile numbers",
    "Protection"
]
2020-10-16 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Security-Masters-Pte-Ltd---21072020.pdf Protection Breach of the Protection Obligation by Security Masters https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-security-masters 2020-10-16 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2002-B5875 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Security Masters Pte Ltd SUMMARY OF THE DECISION 1. On 17 February 2020, Security Masters Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a security employee had used the mobile phone numbers of eight building visitors to contact them to request their return of visitor passes and send them Chinese New Year greetings. 2. Investigation found that the Organisation did not put in place any standard operating procedure or guidelines for the retrieval and use of visitors’ personal data prior to the incident. This gap in security arrangements allowed the incident to occur. 3. The Deputy Commissioner for Personal Data Protection therefore found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against risk of unauthorised access. The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. 4. Following the incident, the Organisation restricted access to personal data to senior personnel and required all security personnel to sign an undertaking not to contact visitors in their personal capacity. However, structured training is needed to help its security personnel understand the importance of protecting the personal data they handled daily in their duties, such as National Registration Identification Card numbers, photographs and closed-circuit television footage. 5. 
On the above consideration, the Deputy Commissioner for Personal Data Protection hereby directs the Organisation to: a) Within 60 days from the date of the direction, revise its training curriculum to ensure that its security personnel understand i. the rationale for personal data protection; ii. the importance of consent and authorisation in the handling of personal data; and iii. the circumstances in which… Directions e24e6989567857bec320cd7ad6365fd535330a52
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 92 92 1 952 A financial penalty of $10,000 was imposed and a direction was issued to Grabcar for failing to put in place reasonable security arrangements to prevent the unauthorised access of GrabHitch drivers’ and passengers’ personal data via its mobile application.
[
    "Protection",
    "Financial Penalty",
    "Directions",
    "Transport and Storage",
    "Mobile application",
    "Code review"
]
2020-09-10 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Grabcar-Pte-Ltd---24072020.pdf Protection Breach of the Protection Obligation by Grabcar https://www.pdpc.gov.sg/all-commissions-decisions/2020/09/breach-of-the-protection-obligation-by-grabcar 2020-09-10 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 14 Case No. DP-1909-B4675 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Grabcar Pte Ltd … Organisation DECISION Grabcar Pte Ltd [2020] SGPDPC 14 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1909-B4675 21 July 2020 Introduction 1 Grabcar Pte Ltd (the “Organisation”) is a Singapore-based company offering ride-hailing transport services, food delivery and digital payment solutions through its mobile application (the “Grab App”). The Grab App also provides a carpooling option referred to as “GrabHitch”. GrabHitch matches a passenger with a driver willing to give a lift to the passenger (on the way to the driver’s destination) in return for a fee. On 30 August 2019, the Organisation notified the Personal Data Protection Commission (the “Commission”) that, for a short period of time on the same day, profile data of 5,651 GrabHitch drivers was exposed to the risk of unauthorised access by other GrabHitch drivers through the Grab App (the “Incident”). Facts of the Case 2 The Organisation’s investigations traced the cause of the Incident to the deployment of an update to the Grab App on 30 August 2019 (the “ Update”). 
The purpose of the Update was to address a potential vulnerability discovered within the Grab App, namely, the application programming interface (“API”) endpoint (/users/{userID}/profile) (the “URL”) that had allowed GrabHitch drivers to access their data, contained a ‘userID’ that could potentially be manipulated to allow access to other GrabHitch drivers’ data.1 3 In order to fix the vulnerability, the Update removed the variable ‘userID’ from the URL which shortened it to a hard-coded ‘/users/profile’. However, the Update failed to take into account the URL-based caching mechanism in the Grab App. This caching mechanism (which was configured to refresh every 10 seconds) served cached content in response to data requests to reduce the load of direct a… Financial Penalty, Directions eb17aef1e75850888d8ec821aa37aebe142109b2
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
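The mechanism in the Grabcar row above (a `/users/{userID}/profile` endpoint that trusted a caller-supplied identifier, an update that replaced it with a hard-coded `/users/profile`, and a URL-keyed client cache that then served one driver's cached profile to other drivers within its 10-second refresh window) is reproduced below as an added illustration. This is example code written for this page, not Grab's code or material from the decision; the toy server, the `ResponseCache` class, the driver records and the exact caching semantics (a TTL cache keyed on the URL string) are assumptions chosen to show the failure mode and one way to key the cache that closes it.

```python
import time
from typing import Callable, Dict, Hashable, Tuple

# Constructed sample data (not real Grab data): profiles held server-side per driver.
PROFILES = {
    "driver-1": {"name": "Driver One", "phone": "+65 8000 0001"},
    "driver-2": {"name": "Driver Two", "phone": "+65 8000 0002"},
}


def handle_request(auth_user: str, url: str) -> dict:
    """Toy server (assumed shape). Two routes:
    /users/<id>/profile  original route; <id> is taken from the path (IDOR-prone)
    /users/profile       route after the update; identity comes from the session
    """
    parts = url.strip("/").split("/")
    if parts == ["users", "profile"]:
        return dict(PROFILES[auth_user])          # identity bound to the session
    if len(parts) == 3 and parts[0] == "users" and parts[2] == "profile":
        return dict(PROFILES[parts[1]])           # trusts the path, not the session
    raise KeyError(url)


class ResponseCache:
    """Client-side TTL cache; key_fn decides what a cached response is keyed on."""

    def __init__(self, ttl_seconds: float,
                 key_fn: Callable[[str, str], Hashable],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.key_fn = key_fn
        self.clock = clock
        self._entries: Dict[Hashable, Tuple[float, dict]] = {}

    def get(self, auth_user: str, url: str) -> dict:
        key = self.key_fn(auth_user, url)
        now = self.clock()
        entry = self._entries.get(key)
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]                       # served without re-checking who asks
        data = handle_request(auth_user, url)
        self._entries[key] = (now, data)
        return data


def url_only(auth_user: str, url: str) -> Hashable:
    return url                                    # flawed: every driver shares one key


def per_principal(auth_user: str, url: str) -> Hashable:
    return (auth_user, url)                       # hardened: key includes the principal


def idor_before_update() -> dict:
    """Original route: driver-2 reads driver-1's profile by editing the path."""
    return handle_request("driver-2", "/users/driver-1/profile")


def _two_drivers_within_ttl(key_fn) -> Tuple[dict, dict]:
    """driver-1 fetches, then driver-2 fetches the same URL 3 s later (inside a 10 s TTL)."""
    fake_now = [0.0]                              # assumed clock, advanced by hand
    cache = ResponseCache(10.0, key_fn, clock=lambda: fake_now[0])
    first = cache.get("driver-1", "/users/profile")
    fake_now[0] = 3.0
    second = cache.get("driver-2", "/users/profile")
    return first, second


def leak_after_update() -> Tuple[dict, dict]:
    """After the update: the URL-keyed cache hands driver-1's profile to driver-2."""
    return _two_drivers_within_ttl(url_only)


def fixed_cache() -> Tuple[dict, dict]:
    """Same sequence with the principal in the cache key: each driver sees their own data."""
    return _two_drivers_within_ttl(per_principal)


if __name__ == "__main__":
    print("IDOR via path id     :", idor_before_update())
    print("URL-keyed cache leak :", leak_after_update()[1])
    print("principal-keyed cache:", fixed_cache()[1])
```

The server-side change (binding identity to the session instead of the path) is the right fix for the IDOR; the leak comes entirely from the client cache, whose key no longer distinguishes users once the URL is identical for everyone. Putting the principal into the cache key, or not caching per-user responses at all, removes the window; the lesson for review is that a change to a URL scheme has to be checked against every component that keys on URLs.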
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 104 104 1 952 Both MCST 3593 and New-E Security failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of a common property at Marina Bay Residences. MCST 3593 also failed to appoint a data protection officer and put in place policies and practices necessary for the organisation to comply with the PDPA.
[
    "Protection",
    "Accountability",
    "Financial Penalty",
    "Directions"
]
2020-03-19 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MCST-3593-and-Others---02032020.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by MCST 3593 and Breach of the Protection Obligation by New-E Security https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-3593-and-breach-of-the-protection-obligation-by-new-e-security 2020-03-19 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 6 Case No DP-1903-B3554 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 3593 (2) Edmund Tie & Company Property Management Services Pte Ltd (3) New-E Security Pte Ltd … Organisations DECISION 1 Management Corporation Strata Title Plan No. 3593 & Others [2020] SGPDPC 6 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3554 2 March 2020 Introduction 1 On 19 March 2019, Edmund Tie & Company Property Management Services Pte Ltd (“ETCPM”) on behalf of Management Corporation Strata Title Plan No. 3593 (“MCST 3593”) notified the Personal Data Protection Commission (the “Commission”) of unauthorised disclosure of closed-circuit television (“CCTV”) footage recorded at the premises of MCST 3593, known as Marina Bay Residences (the “Condominium”), by NewE Security Pte Ltd (“New-E”), a company providing security services at the Condominium, to an owner resident of a unit at the condominium (the “Incident”). Facts of the Case 2 MCST 3593 had appointed ETCPM as the managing agent of the Condominium since 2012. In November 2014, MCST 3593 had also engaged New-E to provide security services at the Condominium. ETCPM’s scope of work as managing agent included supervising New-E to ensure it carried out its duties properly. 
3 On 1 February 2019, an owner resident of a unit at the Condominium (the “Resident”) approached the security supervisor on duty, who was an employee of New-E (the “Security Supervisor”), to request a copy of the CCTV footage of the Condominium’s lobby on 29 January 2019 between 9.00 pm to 9.30 pm (the “Requested CCTV Footage”). The Requested CCTV Footage had captured images of identifiable individuals who had passed through the common property during that period, and hence contained personal data of those individuals. The Security Supervisor proceeded to review the CCTV recordings and used his mobile phone to record a copy of the Requested CCTV Fo… Financial Penalty, Directions eeb49dfd4acb4b4db0e54f38d3c03d45e12085b1
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 105 105 1 952 Both MCST 4375 and A Best Security Management failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of an individual injured by a falling glass door at Alexandra Central Mall. MCST 4375 also failed to put in place policies and practices necessary for the organisation to comply with the PDPA.
[
    "Protection",
    "Accountability",
    "Directions"
]
2020-03-19 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/MCST-4375-and-Others---Decision---03022020.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by MCST 4375 and Breach of the Protection Obligation by A Best Security Management https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-4375-and-breach-of-the-protection-obligation-by-a-best-security-management 2020-03-19 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 4 Case No. DP-1903-B3437 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 4375 (2) Smart Property Management (Singapore) Pte Ltd (3) A Best Security Management Pte Ltd … Organisations DECISION Management Corporation Strata Title Plan No. 4375 & Others [2020] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3437 3 February 2020 Introduction 1 In late February 2019, a woman was injured when a glass door fell on her at the premises of Management Corporation Strata Title Plan No. 4375 (“MCST 4375”), also known as Alexandra Central Mall (the “Mall”). The Personal Data Protection Commission (the “Commission”) subsequently became aware that closed-circuit television (“CCTV”) footage showing the glass door falling on the woman was disclosed on the Internet (the “Incident”). Facts of the Case 2 At the time of the incident, MCST 4375 had appointed Smart Property Management (Singapore) Pte Ltd (“SPMS”) as its managing agent and A Best Security Management Pte Ltd (“ABSM”) to provide security services at the Mall. These appointments took effect from 1 July 2018 and 1 June 2018 respectively. SPMS’ scope of work as managing agent included supervising service providers such as ABSM to ensure it carried out its duties properly. 
3 On 24 February 2019, the senior security supervisor from ABSM (the “SSS”) who was on duty at the Mall’s Fire Control Centre, saw a glass door fall on a woman at Level 4 of the Mall’s car park lift lobby (the “Accident”) through the CCTV monitors. The SSS immediately called for an ambulance and notified MCST 4375’s Property Officer and ABSM’s Operations Manager of the Accident. Shortly thereafter, MCST 4375’s Property Officer asked the SSS to send her a copy of CCTV footage of the Accident. In response to this request, the SSS replayed the portion of t… Directions c9534d20c08d9b7217ff8dd7e875c02139ab7e2a
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 106 106 1 952 Directions were imposed on Henry Park Primary School Parents’ Association for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Protection",
    "Accountability",
    "Directions"
]
2020-02-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HPPA.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by Henry Park Primary School Parents' Association https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-and-accountability-obligations-by-henry-park-primary-school-parents-association 2020-02-11 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1903-B3531 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Henry Park Primary School Parents’ Association SUMMARY OF THE DECISION 1. Henry Park Primary School Parents’ Association (the “Organisation”) is a registered society whose membership comprised parent volunteers. To register as members of the Organisation, individuals provided to the Organisation their names, contact numbers, name of child and the child’s class in Henry Park Primary School (the “Personal Data Set”). The Organisation had a website at https://hppa.org.sg (the “Website”) where members could view their own account particulars upon logging in using their assigned user ID and password. 2. On 15 March 2019, the Personal Data Protection Commission (“the Commission”) received a complaint. The complainant informed that when she performed a Google search using her name, she found a search result of a webpage of the Website which disclosed her personal data (the “Incident”). 3. The Personal Data Sets of registered members were never intended to be disclosed online. The Website had been developed by a parent volunteer using the WordPress content management system. 4. The Organisation had conducted tests to verify that members who logged in to the Website could view their own account particulars. The Organisation also verified that account particulars could not be viewed when accessing the Website as a public user. Nevertheless, the Personal Data Set was crawled, indexed and searchable by Google. 
This points to a weakness in access control that had not been picked up by these rudimentary tests. 5. Security testing such as vulnerability scans would have identified the access control issue. The Organisation failed to conduct adequate security testing before launching the Website. On the above facts, the Commission found that the Organisation did not put in place reasonable security arrangements to protect the Personal Data Sets. 6. The Commission also… Directions 79c294efa7335db9a6489bfae8e1c1eedccbf23b
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 115 115 1 952 Directions, including a financial penalty of $20,000, were imposed on Society of Tourist Guides for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Protection",
    "Accountability",
    "Directions",
    "Financial Penalty"
]
2020-01-09 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Society-of-Tourist-Guides-Singapore-261219.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by Society of Tourist Guides https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-and-accountability-obligations-by-society-of-tourist-guides 2020-01-09 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 48 Case No. DP-1903-B3445 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Society of Tourist Guides (Singapore) … Organisation DECISION Society of Tourist Guides (Singapore) [2019] SGPDPC 48 Tan Kiat How, Commissioner — Case No. DP-1903-B3445 26 December 2019 Introduction 1 On 3 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of individuals had apparently been exposed to unauthorised access and disclosure through links on the Society of Tourist Guides (Singapore)’s (the “Organisation”) website. Facts of the Case 2 The Organisation is a non-profit organisation that works with the Singapore Tourism Board (“STB”) to promote the professionalism of tourist guides as tourism ambassadors of Singapore. Tourist guides registered with STB may sign up as members of the Organisation (“Members”). In May 2018, the Organisation engaged a Vietnam-based IT company (the “Vendor”) to develop its website https://societyoftouristguides.org.sg (the “Website”). 3 One of the Organisation’s purposes for the Website was to collect personal data from its Members. Personal data was collected from Members through their respective user accounts on the Website and included their names, photographs, contact numbers, e-mail addresses and 2 a write-up of themselves (for example, with the type of services they provided) (“Profile Data”). Members could also upload images of their identification documents (e.g. 
NRIC, employment pass, driving and vocational licences) which contained various personal data (“ID Data”). 4 Members’ Profile Data were published on their respective public profile pages on the Website. This enabled members of the public to find and engage a Member with the necessary experience and expertise to provide services that he or she required. 5 As regards the ID Data, these were used by the Organisation for a few purposes. These included (i) applyin… Directions, Financial Penalty 00f2b94a482f683c070998c51833856ca9a1a01a
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 118 118 1 952 Directions, including a financial penalty of $10,000, were imposed on SAFRA for failing to put in place reasonable security arrangements to protect the personal data of the members of its Shooting Club. SAFRA was also directed to review its internal processes to put in place process safeguards and written internal standard operating procedures to protect the personal data of its members.
[
    "Protection",
    "Directions",
    "Financial Penalty"
]
2020-01-09 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SAFRA---161219.pdf Protection Breach of the Protection Obligation by SAFRA National Service Association https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-safra-national-service-association 2020-01-09 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 45 Case No DP-1809-B2711 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SAFRA National Service Association … Organisation DECISION 1 SAFRA National Service Association [2019] SGPDPC 45 Yeong Zee Kin, Deputy Commissioner — Case No DP-1809-B2711 16 December 2019 Facts of the Case 1 On 13 September 2018, the Personal Data Protection Commission (the “Commission”) received a voluntary breach notification from SAFRA National Service Association (the “Organisation”). An employee of the Organisation (the “Employee”) who had sent out two separate batches of e-mails attaching an Excel spreadsheet (the “Spreadsheet”) containing the personal data of certain members of the Organisation’s shooting club (the “SSC”) to other members (the “Incident”). 2 According to the Employee, his job scope included sending mass e-mails to SSC members. He has been sending such e-mails since September 2016 at least once a month. According to him, he was not aware of any SOPs for sending of such mass emails. The Employee claims that his supervisor had instructed him verbally on the process. First, prepare proposed e-mail, and attach a spreadsheet containing intended recipients’ e-mail addresses extracted from another internal system. Next, send this draft email from his individual work email account to the official SSC e-mail account. Thereafter, copy the intended recipients’ emails addresses into the draft email, and delete the attached spreadsheet, before sending out the mass email. 
This is the process that the Employee has been following whenever he sends mass e-mails to SSC members, as was the case during the Incident. 3 The Organisation claims that it was not aware of this process for mass e-mails. However, its staff were briefed on the practice of using the bcc function when sending mass emails and were verbally instructed to “check and ensure that no unnecessary information or document (including those which contain personal… Directions, Financial Penalty 010708766ce21b512c280cfe9da288cff633f350
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 120 120 1 952 Saturday Club was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. Saturday Club was directed to put in place a data protection policy to comply with the provisions of the PDPA and to conduct training to ensure its employees are aware of and comply with the requirements of the PDPA.
[
    "Accountability",
    "Directions"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Saturday-Club.pdf Accountability Breach of the Accountability Obligation by Saturday Club https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-accountability-obligation-by-saturday-club 2019-12-05 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4109 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Saturday Club Pte Ltd SUMMARY OF THE DECISION 1. Upon investigation into a suspected data breach, it was found that Saturday Club Pte Ltd (the “Organisation”) had not developed any internal policies and practices that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (“PDPA”). In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to issue the directions to the Organisation. Directions d047195a60d37294c9b55687dc7b54978590b389
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 122 122 1 952 Global Outsource Solutions was found in breach of the PDPA for failing to put in place reasonable security arrangements to protect the personal data collected by its website and for failing to develop and implement data protection policies. This resulted in the disclosure of personal data of customers on the organisation’s online warranty registration portal. Global Outsource Solutions was directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through such training.
[
    "Protection",
    "Accountability",
    "Directions"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Global-Outsource.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by Global Outsource Solutions https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-global-outsource-solutions 2019-12-05 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1809-B2767 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Global Outsource Solutions Pte. Ltd. SUMMARY OF THE DECISION 1. Global Outsource Solutions Pte. Ltd. (the “Organisation”) provided warranties for products purchased by its clients’ customers. To be eligible for this warranty, customers registered their purchases with the Organisation via the Organisation’s website at http://www.globaloutsourceasia.com (the “Website”). The Organisation collected various personal data from such customers for this purpose, including personal information such as their name, email address, mailing address and contact number, and details of the customers’ purchases such as the name of the product purchased, the purchase date, the name of the retailer and the location of the physical store where the product was purchased (collectively, the “Personal Data”). 2. The Personal Data Protection Commission (“the Commission”) received a complaint on 23 September 2018 that the complainant could access the Personal Data of another individual when viewing a warranty registration summary page on the Website (the “Incident”). 3. The Organisation admitted to the occurrence of the Incident but was unable to identify the cause of the Incident. The Commission found that the Organisation had not provided any security requirements to the vendor it had engaged sometime in 2013 to develop the Website. 
Consequently, it had not reviewed the Website’s security arrangements or conducted any security testing on the Website. In the circumstances, the Organisation had not implemented reasonable security arrangements to protect the personal data collected by the Website (including but not limited to the Personal Data disclosed in the Incident) and is therefore in breach of section 24 of the PDPA. 4. The Commission also found that the Organisation did not have any internal data protection policies for its employees in relation to the handling of perso… Directions ab0971aeb10525bfdeea3bf683966ddd8fc40f11
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 123 123 1 952 Directions, including a financial penalty of $8,000, were imposed on Chizzle for failing to put in place reasonable security arrangements to protect the personal data of users of its mobile application in Re Chizzle Pte Ltd [2019] SGPDPC 44. The organisation was also directed to develop an IT security policy, review and revise its developmental processes in order to adopt a data protection by design approach for future enhancements to its mobile application. An application for reconsideration was filed against the decision in Re Chizzle Pte Ltd [2019] SGPDPC 44. Upon review and careful consideration of the application, the Commissioner has decided to affirm the finding of breach of section 24 of the PDPA as set out in the decision and the direction, in the Reconsideration Decision.
[
    "Protection",
    "Directions",
    "Financial Penalty"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Chizzle-Pte-Ltd.pdf Protection Breach of the Protection Obligation by Chizzle https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-chizzle 2019-12-05 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 44 Case No. DP-1807-B2495 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chizzle Pte. Ltd. … Organisation DECISION Chizzle Pte. Ltd. [2019] SGPDPC 44 Tan Kiat How, Commissioner — Case No. DP-1807-B2495 26 November 2019 Introduction 1 Chizzle Pte. Ltd. (the “Organisation”) provides a mobile application (the “Mobile App”) designed to connect learners and teachers in Singapore, Australia and India. On 31 July 2018, the Organisation notified the Personal Data Protection Commission (the “Commission”) of a cyberattack (the “Incident”) which had compromised the personal data of about 2,213 users of the Mobile App, including some users in Singapore (the “Affected Individuals”). Material Facts 2 On 30 July 2018, the Organisation noticed that the Mobile App had stopped responding. It was found that an unauthorised party had deleted its database containing the personal data of the Affected Individuals (the “Chizzle Database”) and left a ransom demand in text. The personal data in question included the names, dates of birth, genders, email addresses and some mobile numbers and residential addresses of the Affected Individuals (the “Compromised 2 Chizzle Pte Ltd [2019] SGPDPC 44 Personal Data”). Before this, on 9 July 2018, the Organisation had changed the Chizzle Database from Amazon’s Relational Database Service to the MySQL relational database. 3 Since 2016, the Organisation had a “L.A.M.P.” stack (i.e. Linux operating system, Apache HTTP server, MySQL server and PHP) (collectively with the Mobile App, the “System”) as part of its IT infrastructure. 
“phpMyAdmin”, a MySQL database administration tool, was installed with the L.A.M.P. stack. The tool was configured to allow remote access to it from the Internet. The Organisation believed that the unauthorised party gained entry into the Chizzle Database through the phpMyAdmin tool by a brute force attack. However, it did not have the logs to prove that a br… Directions, Financial Penalty d2f01a3d69daa429f27a8ad071d760e7006d4489
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 130 130 1 952 Directions, including a financial penalty of $90,000, were imposed on Ninja Logistics for failing to put in place reasonable security arrangements to protect customers’ data in relation to the Tracking Function Page on the Ninja Logistics website. This resulted in customers’ data on the website to be accessible by the public. Click here to learn more.
[
    "Protection",
    "Directions",
    "Financial Penalty",
    "Wholesale and Retail Trade"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Ninja-Logistics-Pte-Ltd.pdf Protection Breach of the Protection Obligation by Ninja Logistics https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-obligation-by-ninja-logistics 2019-11-04 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 39 Case No DP-1804-B2020 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Ninja Logistics Pte Ltd … Organisation DECISION 1 Ninja Logistics Pte Ltd [2019] SGPDPC 39 Tan Kiat How, Commissioner — Case No DP-1804-B2020 14 October 2019 Introduction 1 Ninja Logistics Pte Ltd (the “Organisation”) is a logistics company providing packaging, delivery and tracking services on behalf of retailers (“Retailers”) to the Retailers’ customers (“Customers”). This case concerns the disclosure of personal data via a delivery order tracking function on the Organisation’s website (the “Tracking Function Page”). 2 On 23 April 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that the Tracking Function Page could potentially be used to harvest personal data of the Customers. By changing a few digits of a Tracking ID, the complainant could access personal data of another Customer (the “Incident”). Facts of the Case 3 The Organisation first set up the Tracking Function Page in December 2014 to allow Customers to (i) enquire on the delivery status of their parcels; and (ii) confirm the identity of individuals who collect parcels on their behalf (where applicable). Generally, for a delivery, only a Retailer and the relevant Customers of the Retailer would be provided with a Tracking ID for parcels sent by the Retailer that were to be delivered by the Organisation to the Customer. 4 There were 2 types of Tracking IDs used by the Organisation, namely sequential and non-sequential Tracking IDs. 
According to the Organisation, the reason for having sequential numbers in some of the Tracking IDs was for recording and business analytics purposes. Since the launch of the Tracking Function Page, the Organisation was aware that Tracking IDs could potentially be manipulated by changing the last few digits of the Tracking ID. While Tracking IDs with non-sequential numbers may have a lower risk of ma… Directions, Financial Penalty 15f399417f152a9a341caa9715008baacdbf0985
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 131 131 1 952 iClick was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. iClick was directed to put in place a data protection policy to comply with the provisions of the PDPA; to develop a training programme for its employees and require them to attend the training.
[
    "Accountability",
    "Directions",
    "Information and Communications"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---iClick-Media.pdf Accountability Breach of the Accountability Obligation by iClick Media https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-accountability-obligation-by-iclick-media 2019-11-04 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And iClick Media Pte. Ltd. SUMMARY OF THE DECISION 1. Following a complaint against EU Holidays Pte Ltd, (“EU Holidays”), the Personal Data Protection Commission conducted an investigation to determine whether EU Holidays had contravened the Personal Data Protection Act 2012 (the “PDPA”). In the course of investigations, it was found that EU Holiday’s IT vendor, iClick Media Pte Ltd (the “Organisation”), had not developed any internal policies and practices that are necessary for it to meet its obligations under the PDPA. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to direct the Organisation to, within 60 days: 2. Put in place a data protection policy, including written internal policies, to comply with the provisions of the PDPA; 3. Develop a training programme for the Organisation’s employees in respect of their obligations under the PDPA when handling personal data and require all employees to attend such training; and 4. By no later than 7 days after the above actions have been carried out, the Organisation shall, in addition, submit to the Commission a written update. Directions bf9f246a0db6172bb647c44e87dcaa6e5793dce4
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 132 132 1 952 Directions, including a financial penalty of $15,000, were imposed on EU Holidays for breaches of the PDPA. The organisation failed to put in place reasonable measures to protect its customers’ personal data and did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Protection",
    "Accountability",
    "Directions",
    "Financial Penalty"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---EU-Holidays-Pte-Ltd.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by EU Holidays https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-and-accountability-obligations-by-eu-holidays 2019-11-04 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 38 Case No DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And EU Holidays Pte. Ltd. … Organisation DECISION 1 EU Holidays Pte. Ltd. [2019] SGPDPC 38 Tan Kiat How, Commissioner — Case No DP-1901-B3254 4 October 2019 Introduction 1 On 14 January 2019, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of EU Holidays Pte. Ltd.’s (the “Organisation”) customers was accessible through its website (the “Incident”). Facts of the Case 2 Pursuant to a Quotation of Services dated 16 May 2017 (“Contract”), the Organisation engaged an IT vendor (the “Vendor”) to develop a new website with e-commerce capabilities (the “Website”). One of the purposes of the Website was to allow the Organisation’s customers (“Customers”) to make online reservations for tour packages either directly or through the Organisation’s partner agents. Information relating to travel reservations received from Customers were stored in 2 web directories. For reservations made directly by Customers on the Website, the tax invoice generated would be stored in a web directory (“Web Directory 1”). As for reservations made through the Organisation’s partner agents on the Website, the tax invoice generated would be stored in another web directory (“Web Directory 2”). 3 The scope of work in the Contract did not specify any requirements with respect to the storage and protection of Customers’ personal data which was collected through the Website. The Website was launched on 9 December 2017. 
Since its launch, the Organisation has been managing the Website, with the Vendor’s role limited to maintenance and technical troubleshooting. 4 On or around 5 January 2019, a member of the public (“Complainant”) discovered copies of tax invoices containing Customers’ personal information while browsing for tour packages on the Website. The Complainant notified the Commission of the Incident on 14 Janua… Directions, Financial Penalty e42f8ca451f258f74f2ef56d5d97b02110634815
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 143 143 1 952 Directions were issued to Avant Logistic Service for failing to make reasonable security arrangements to prevent the unauthorised disclosure of customers' personal data. The lapses resulted in personal data of customers being disclosed by an employee.
[
    "Protection",
    "Directions",
    "Wholesale and Retail Trade"
]
2019-08-02 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Avant-Logistic-Service-Pte-Ltd---300719.pdf Protection Breach of the Protection Obligation by Avant Logistic Service https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-avant-logistic-service 2019-08-02 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 28 Case No DP-1802-B1709 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Avant Logistic Service Pte. Ltd. … Organisation DECISION Avant Logistic Service Pte. Ltd. [2019] SGPDPC 28 Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1709 30 July 2019 Background 1 On 25 November 2017, a customer of Ezbuy Holdings Ltd. (“Ezbuy”) made a complaint to the Personal Data Protection Commission (the “Commission”) alleging that her personal data had been disclosed to another customer of Ezbuy without her consent by an employee of Avant Logistic Service Pte. Ltd. (the “Organisation”). The facts of this case are as follows. 2 Ezbuy provides an online e-commerce platform that allows its customers to shop for items from various online retailers and platforms around the world. It engaged the Organisation to provide delivery services in Singapore. The Organisation is an affiliate of Ezbuy and its delivery personnel are required to adhere to Ezbuy’s Privacy Policy and the terms and conditions in Ezbuy’s Employee Handbook and Ezbuy’s Delivery and Collection Standard Operation Procedure (“SOP”). 3 When a customer ordered an item through Ezbuy’s platform, they would be offered two modes of delivery, (i) delivery to a designated collection point 1 Avant Logistic Service Pte. Ltd. [2019] SGPDPC 28 (referred to by Ezbuy as “self-collection”), or (ii) delivery to the customer’s address. If the customer opted for self-collection, the customer would proceed to the designated collection point at a specified time. 
The delivery personnel there would verify their identity using their Ezbuy user ID or their mobile number registered with Ezbuy and then hand over the package with their item. 4 On 9 November 2017, the complainant scheduled to self-collect a package that she ordered from Ezbuy at a collection point in Bishan at around 6.30 p.m. One of the Organisation’s employees (referred to in this Decision as “OA”), was a… Directions 080f1f19619de2e97b442d076d6b4f4a81f71d57
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 150 150 1 952 Directions were issued to SME Motor for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data. The lapses resulted in personal data of other customers being disclosed on the reverse side of an invoice document.
[
    "Protection",
    "Directions",
    "Others",
    "Auto Repair and servicing",
    "Car"
]
2019-07-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---SME-Motor-Pte-Ltd---040719.pdf Protection Breach of the Protection Obligation by SME Motor https://www.pdpc.gov.sg/all-commissions-decisions/2019/07/breach-of-the-protection-obligation-by-sme-motor 2019-07-04 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 21 Case No DP-1901-B3318 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SME Motor Pte. Ltd. … Organisation DECISION 1 SME Motor Pte. Ltd. [2019] SGPDPC 21 Yeong Zee Kin, Deputy Commissioner — Case No DP-1901-B3318 4 July 2019 Background 1 On 31 January 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual (the “Complainant”) in relation to the disclosure of other individuals’ personal data that had been printed on the reverse side of an invoice issued to the Complainant by SME Motor Pte. Ltd. (the “Organisation”). Material Facts 2 The facts of this case and circumstances leading to the breach bear some resemblance to the cases of Re SLF Green Maid Agency [2018] SGPDPC 27 and Re Furnituremart.sg [2017] SGPDPC 7. 3 The Organisation is in the business of auto repair and servicing. In an effort to be environmentally friendly, the Organisation had a practice of re-using scrap or unwanted paper documents by printing other documents on the reverse side. 4 The Complainant met with a car accident and brought her vehicle to the Organisation’s workshop for repair. The Complainant subsequently discovered 1 [2019] SGPDPC 21 SME Motor Pte. Ltd. that the Organisation had printed her workshop repair invoice on a piece of paper that contained the personal data of two other individuals (the “Personal Data”) on the reverse side. On 31 January 2019, the Complainant lodged a complaint with the Commission in relation to the disclosure of the Personal Data. 
5 The Personal Data disclosed to the Complainant included the following: (a) the first individual’s name, National Registration Identification Card (“NRIC”) number, and insurance policy number; and (b) the second individual’s name, insurance policy number, and claim number. Findings and Basis for Determination 6 The issue that arises in this case for determination is whether the Organisation had complied … Directions 8817cb0bc39f451aa5b8c5d679937e87fcd26cf9
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 157 157 1 952 Directions were issued to GrabCar for failing to put in place reasonable security arrangements for GrabHitch drivers to protect the personal data of passengers that used GrabHitch services. Personal data of some GrabHitch passengers were disclosed by GrabHitch drivers without consent on social media.
[
    "Protection",
    "Directions",
    "Transport and Storage",
    "PHV",
    "Private Hire Vehicle"
]
2019-06-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Grabcar-Pte-Ltd-GrabHitch--110619.pdf Protection Breach of Protection Obligation by GrabCar https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-protection-obligation-by-grabcar-directions 2019-06-11 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 14 Case Nos DP-1702-B0508/DP-1703-B0613 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Grabcar Pte. Ltd. [UEN 201427085E] … Organisation ________________________________________________________ DECISION ________________________________________________________ Grabcar Pte. Ltd. [2019] SGPDPC 14 Grabcar Pte. Ltd. [2019] SGPDPC 14 Yeong Zee Kin, Deputy Commissioner – Case Nos DP-1702-B0508/DP-1703B0613 11 June 2019 Introduction and facts of the cases 1 This decision addresses, in the main, the obligations of an online ride- sharing platform and drivers who use the platform to provide carpool rides to passengers. Grabcar Pte Ltd (the “Organisation”) operates an online platform through the Grab mobile application (the “Grab App”) which enables individuals to book taxis or private cars for transportation services. The Grab App also provides a carpooling option, referred to in the app as “GrabHitch”. GrabHitch matches a passenger with a driver who is willing to give a lift to the passenger on the way to the driver’s destination in return for a fee. The Organisation states on its website,1 “GrabHitch is a social carpooling platform powered by everyday, non-commercial drivers giving you a lift along the way to cover petrol costs.”2 2 This decision relates to separate complaints by two passengers (the “Complainants”) who used GrabHitch to book carpool rides. The carpool rides were provided by two different drivers (the “Drivers”) on separate occasions. 
1 www.grab.com/sg/hitch/ The Organisation’s website also states that GrabHitch is provided in compliance with the Road Traffic (Car Pools) (Exemption) Order 2015. 2 2 Grabcar Pte. Ltd. [2019] SGPDPC 14 Nevertheless, the two complaints are dealt with together in this decision as they both relate to similar issues, in particular, to the issue of disclosure of passengers’ personal data without consent by GrabHitch drivers. 3 The substance of each compla… Directions b13cfd3e762e67fa7f3823843de7d5cae693b203
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 173 173 1 952 Directions were issued to SLF Green Maid Agency for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data.
[
    "Protection",
    "Directions",
    "Others",
    "domestic helper"
]
2018-12-13 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Green-Maid-Agency---131218.pdf Protection Breach of Protection Obligation by SLF Green Maid Agency https://www.pdpc.gov.sg/all-commissions-decisions/2018/12/breach-of-protection-obligation-by-slf-green-maid-agency 2018-12-13 PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 27 Case No DP-1806-B2265 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SLF Green Maid Agency … Organisation DECISION SLF Green Maid Agency [2018] SGPDPC 27 SLF Green Maid Agency [2018] SGPDPC 27 Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2265 13 December 2018 1 This case arose out of the common practice of reusing scrap or discarded paper where the reverse side of the paper can still be used. This is highly commendable and environmentally-friendly, but organisations must take care to ensure that there is no personal data on the scrap or discarded paper set aside for such re-use. An employee of SLF Green Maid Agency (the “Organisation”) wrote information for the Complainant on a piece of paper which contained personal data of other individuals on the reverse side and gave the paper to the Complainant. This happened on two separate occasions. The key issue is whether this disclosure of personal data by the Organisation amounts to a breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 On 8 April 2018, the Complainant visited the Organisation’s office to enquire about engaging a foreign domestic worker. An employee of the Organisation assisted her and over the course of these enquiries, the employee handed the Complainant some paper on which he wrote information related to her query. The Complainant discovered that the reverse side of the paper contained personal data of other individuals. 
The Complainant informed the employee that the paper that was used should not have been given to the Complainant. 3 On 24 April 2018, the Complainant returned to the Organisation’s office and was served by the same employee. Again, over the course of the queries, she was provided information hand written on used paper. Similarly, the reverse side of the paper contained personal data of other individuals. 4 Over the two occasions, the following personal data was disclos… Directions db40f6c2dd8921428c1fe911f5570123eecd69e8
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 181 181 1 952 Directions were issued to Singapore Cricket Association for failing to make reasonable security arrangements to prevent unauthorised disclosure of individuals’ personal data on its website, and for failing to put in place data protection policies.
[
    "Protection",
    "Accountability",
    "Directions",
    "Arts, Entertainment and Recreation"
]
2018-08-21 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Singapore_Cricket_Association_and_Ors_210818.pdf Protection, Accountability Breach of Protection Obligation by Singapore Cricket Association https://www.pdpc.gov.sg/all-commissions-decisions/2018/08/breach-of-protection-obligation-by-singapore-cricket-association 2018-08-21 PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC [19] Case No DP-1704-B0707 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Singapore Cricket Association (UEN No. S65SS0010H) (2) Massive Infinity Pte Ltd (UEN No. 201131950M) … Organisations DECISION Singapore Cricket Association & Ors [2018] SGPDPC 19 Singapore Cricket Association & Ors. [2018] SGPDPC [19] Yeong Zee Kin, Deputy Commissioner — Case No DP-1704-B0707 21 August 2018 1 This case concerns the unauthorised disclosure of the personal data of cricket players on the Singapore Cricket Association’s (“SCA”) websites (the “Incident”). On 20 April 2017, the Personal Data Protection Commission (the “Commission”) received a complaint regarding the unauthorised disclosure of personal data on the player profile pages on the SCA’s websites and commenced its investigations thereafter. The Deputy Commissioner’s findings and grounds of decision based on the investigations carried out in this matter are set out below. 2 The SCA is the official governing body of the sport of cricket in Singapore. It administers various cricket leagues in Singapore with more than 100 cricket clubs participating across several league divisions. The SCA owns the rights to the domain name www.singaporecricket.org (the “First Domain”), which has served as the SCA’s official website since August 2007 (“Website”). The SCA also owns the rights to the domain name, www.cricketsingapore.com (“Second Domain”). 
Both domains were accessible to the public and the hosting of both domains were set up and managed by the SCA or on its instructions. 3 All clubs and their players are required to register with the SCA in order to participate in any of the SCA leagues. To register new players, clubs are required to submit the following player personal data through the registration form on the SCA’s Website:1 1 (a) Player name; (b) Player photograph; Clubs were also required to provide information such as the season, league, divis… Directions 25d5268ed669c201d4b55ce4d00b7442bfa8671e
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 183 183 1 952 A financial penalty of $30,000 was imposed on Singapore Taekwondo Federation for failing to make reasonable security arrangements to prevent the unauthorised disclosure of minors’ NRIC numbers on its website. Directions were also issued to the organisation to appoint a data protection officer and to put in place data protection policy.
[
    "Protection",
    "Accountability",
    "Financial Penalty",
    "Directions",
    "Arts, Entertainment and Recreation"
]
2018-06-22 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Singapore_Taekwondo_Federation_220618.pdf Protection, Accountability Breach of Protection Obligation by Singapore Taekwondo Federation https://www.pdpc.gov.sg/all-commissions-decisions/2018/06/breach-of-protection-obligation-by-singapore-taekwondo-federation 2018-06-22 PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 17 Case No DP-1705-B0810 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Taekwondo Federation … Organisation DECISION Singapore Taekwondo Federation [2018] SGPDPC 17 Tan Kiat How, Commissioner — Case No DP-1705-B0810 22 June 2018 Background 1 This matter involves the Singapore Taekwondo Federation (the “Organisation”), a society registered with the Registry of Societies that is responsible for promoting, supporting, and developing taekwondo-related programmes and activities in Singapore. 2 Since 2015, the Organisation has been posting, on an annual basis, PDF documents which contain the names and schools of students who are participants of the Annual Inter-School Taekwondo Championships (“Championships”) on the Organisation’s website which is accessible to the general public. It was represented by the Organisation that the purpose of uploading the PDF documents on its website was to enable students to verify their participation in the Championships. 3 On 30 May 2017, a complaint was lodged by a member of the public (“Complainant”) with the Personal Data Protection Commission (“Commission”), alleging that there was an unauthorised disclosure of the NRIC numbers of 782 students who were participants of the 2017 Championships. 
Whilst the NRIC numbers, within the PDF documents, were set out in columns that were minimised, and, hence, not immediately visible, Singapore Taekwondo Federation [2018] SGPDPC 17 there was an unauthorised disclosure of these NRIC numbers when the Complainant subsequently copied and pasted the contents of the PDF documents on to another document. 4 The Commissioner sets out below his findings and grounds of decision based on the investigations carried out in this matter. Material Facts 5 On 19 May 2017, the Complainant chanced upon the PDF documents on the Organisation’s website, which contained the names and schools of students who were participants o… Financial Penalty, Directions 94bdb127f92702f7e738acf0d5281fd6d086147b
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 184 184 1 952 Directions were issued to Flight Raja Travels for failing to make reasonable security arrangements to prevent unauthorised disclosure of individuals’ personal data on its online travel booking system.
[
    "Protection",
    "Directions",
    "Accommodation and F&B"
]
2018-06-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Flight_Raja_Travels_Singapore_110618.pdf Protection Breach of Protection Obligation by Flight Raja Travels https://www.pdpc.gov.sg/all-commissions-decisions/2018/06/breach-of-protection-obligation-by-flight-raja-travels 2018-06-11 PERSONAL DATA PROTECTION COMMISSION Case No DP-1705-B0730 [2018] SGPDPC [16] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Flight Raja Travels Singapore Pte. Ltd. … Organisation DECISION Flight Raja Travels Singapore Pte. Ltd. [2018] SGPDPC [16] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1705-B0730 11 June 2018 1 This complaint concerns a user of Flight Raja Travels Singapore Pte. Ltd’s (the “Organisation”) online travel booking system (the “Booking System”). While using the Booking System, the user was able to access information of other users (the “Incident”). 2 What happened was that after the user resumed his session after time-out, the Booking System showed him 45 sets of booking records. The booking records accessed by the user contained the personal data of 72 other individuals. This included name, passport number, booking ID, flight details (including the flight number, departing/arrival date, time and airport), booking date, amount paid, and flight inclusions. 3 Investigations were commenced under section 50 of the Personal Data Protection Act 2012 (the “PDPA”). The material facts of the case are as follows. 4 Up to December 2016, the Booking System was accessed through browser login via the Organisation’s website. The Organisation then introduced a new application (the “New Mobile App”). The New Mobile App enabled access through mobile devices without login. It recognised the mobile device IDs of registered users stored as part of their account information. Flight Raja Travels Singapore Pte. Ltd. 
5 [2018] SGPDPC 16 Proper change management would have included full system integration testing of the New Mobile App with the Booking System to detect any unintended effects from the changes. However, two unintended effects went undetected. They affected non-registered users who had just completed a booking via the Booking System through a browser, and had been registered by the Booking System as new users (“Newly Registere… Directions 4eac4f70563516f75e6e287250e8238d4776bb2e
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 185 185 1 952 Spring College International failed to notify and obtain consent from the parents of young students before disclosing online the students’ personal data for marketing purposes. Directions were issued to Spring College International.
[
    "Consent",
    "Purpose Limitation",
    "Notification",
    "Directions",
    "Education"
]
2018-05-24 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Spring_College_International_240518.pdf Consent, Purpose Limitation, Notification Breach of Consent and Purpose Limitation Obligations by Spring College International https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-consent-and-purpose-limitation-obligations-by-spring-college-international 2018-05-24 PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 15 Case No DP-1705-B0799 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Spring College International Pte. Ltd. … Organisation DECISION Spring College International Pte. Ltd. Mr Yeong Zee Kin, Deputy Commissioner — Case No DP-1705-B0799 24 May 2018 Background 1 This matter involves a private educational institution that posted information about its students, including their names and photographs, on a public social media page, in order to promote its courses. The Organisation operates a private educational institution, known as “Spring College International Pte. Ltd.” (“SCI”), that offers various academic courses to students of varying ages and levels. A complaint was made to the Personal Data Protection Commission (“PDPC”) regarding the unauthorised disclosure of a student’s personal data on the Organisation’s Facebook page. The complaint was made by the student’s parent (“the Complainant”). 2 The Commissioner’s findings and grounds of decision, based on the investigations carried out in this matter, are set out below. Material Facts 3 Since September 2010, the Organisation has maintained a Facebook page which is accessible to the general public, titled “Spring College International”. In December 2015, the Complainant enrolled her son (“Individual A”) as a student in SCI. Sometime thereafter, the Spring College International Pte. Ltd. 
[2018] SGPDPC 15 Complainant came across a post on the Organisation’s Facebook page, dated 24 April 2016 (“Post A”). The post contained the following text: Application for Supplementary Admissions Exercise for International Students 1 We are pleased to inform you that your application for admission to a secondary school through the Supplementary Admissions Exercise for International Students is successful. The results of your application are as follows: … 4 Post A further set out the following information about Individual A: full name; partially masked passport num… Directions ab610ebd87a5e51bcfa08294b0f5948e87401467
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 192 192 1 952 Directions were issued to Habitat for Humanity Singapore for breaches of the PDPA. The organisation did not make reasonable security arrangements to prevent unauthorised disclosure of its volunteers’ personal data, failed to put in place data protection policies, and omitted to communicate data protection policies and practices to its staff.
[
    "Accountability",
    "Protection",
    "Directions",
    "Social Service"
]
2018-05-03 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Habitat_for_Humanity_Singapore_030518.pdf Accountability, Protection Breach of Openness and Protection Obligations by Habitat for Humanity Singapore https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-openness-and-protection-obligations-by-habitat-for-humanity-singapore 2018-05-03 PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 9 Case No DP-1707-B0971 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Habitat for Humanity Singapore Ltd … Organisation DECISION Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No DP-1707-B0971 3 May 2018 Background 1 On 20 July 2017, the Organisation sent out an email to 32 of its volunteers with a PDF attachment comprising a batch of community involvement programme (“CIP”) letters (the “CIP Letters”) acknowledging the participation of each volunteer at an event organised by the Organisation (the “Incident”). The Personal Data Protection Commission (the “PDPC”) was informed of the Incident on 22 July 2017 and commenced its investigations thereafter. I set out below my findings and grounds of decision based on the investigations carried out in this matter. Material Facts 2 The Organisation is a registered charity under the National Council of Social Services, which objectives include seeking to eliminate poverty housing worldwide by providing decent and affordable housing. In furtherance of its objectives, the Organisation organises community involvement programmes, where volunteers can participate in activities such as mass clean-up events. After such events, the Organisation would generally send out a CIP letter to acknowledge and verify each individual volunteer’s participation. 
Habitat for Humanity Singapore Ltd 3 [2018] SGPDPC 9 The Incident involved the disclosure of a batch of CIP Letters in an email (the “Email”) that was prepared by a manager (the “Manager”) in the Organisation. The CIP Letters were created using the mail merge function in Microsoft Word which would fill in a CIP letter template with the names and NRIC numbers of the volunteers. This created a single Microsoft Word document containing the CIP Letters for all the volunteers, which the Manager then converted from Microsoft Word to PDF format. The Manager then sent the PDF contai… Directions 2f49f6f980fa80609521241128a33eb6a528f5a9
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 193 193 1 952 A financial penalty of $12,500 was imposed on Aventis for using the personal data of individuals beyond the notified purposes, and for failure to give effect to the withdrawal of consent within a reasonable time.
[
    "Consent",
    "Purpose Limitation",
    "Notification",
    "Financial Penalty",
    "Directions",
    "Education"
]
2018-04-30 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Aventis_300418.pdf Consent, Purpose Limitation, Notification Breach of Notification and Consent Obligations by Aventis https://www.pdpc.gov.sg/all-commissions-decisions/2018/04/breach-of-notification-and-consent-obligations-by-aventis 2018-04-30 PERSONAL DATA PROTECTION COMMISSION Case No DP-1705-B0766 [2018] SGPDPC [7] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Aventis School of Management Pte. Ltd. … Organisation DECISION Aventis School of Management Pte. Ltd. [2018] SGPDPC [7] Tan Kiat How, Commissioner — Case No DP-1705-B0766 30 April 2018 Background 1 The present matter concerns an individual (the “Complainant”) who had signed up to receive a free brochure for a specific programme organised by the Organisation, but ended up also receiving numerous marketing emails from the Organisation that were unrelated to the programme which the individual was interested in. The question raised is whether the Organisation’s “use” of the Complainant’s personal data to send him the marketing emails without his consent is a breach of the Personal Data Protection Act 2012 (“PDPA”). In the Commissioner’s findings, the answer is in the affirmative. 2 The Commissioner also found that the Organisation had failed to carry out the Complainant’s request to remove his email address from the Organisation’s mailing list in a timely manner, which led to further marketing emails being sent to the Complainant after the withdrawal request was made. 3 The Commissioner’s findings and grounds of decision of the matter are now set out below. Aventis School of Management Pte. Ltd. [2018] SGPDPC 7 Material Facts 4 The Organisation is an educational institution that collaborates with overseas universities to offer degrees, courses, and programmes to students across various disciplines such as Finance, Marketing, and Business. 
5 The Complainant was interested in one of the programmes offered by the Organisation, and submitted his name, email address, and contact number through a web form on the Organisation’s website, titled “Take Action Today – Download Free Brochure”, at http://asm.edu.sg/california-state-university on 12 January 2017. 6 After signing up for this free brochure, the Complainant started recei… Financial Penalty, Directions ee94ae697675c228c71fd7f5fba9305226984d44
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 198 198 1 952 Directions were issued to Jiwon Hair Salon, Next@Ion, Next Hairdressing and Initia for failing to put in place data protection policies to comply with the provisions of the PDPA.
[
    "Accountability",
    "Directions",
    "Others"
]
2018-01-23 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GroundsofDecisionJiwonNextIonNextHairdressingInitia23012018.pdf Accountability Breach of Openness Obligation by 4 Hair Salons https://www.pdpc.gov.sg/all-commissions-decisions/2018/01/breach-of-openness-obligation-by-4-hair-salons 2018-01-23 PERSONAL DATA PROTECTION COMMISSION Case No DP-1612-B0431 [2018] SGPDPC [2] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Jiwon Hair Salon Pte. Ltd. 2. Next@Ion Pte. Ltd. 3. Next Hairdressing Pte. Ltd. 3. Initia Pte. Ltd. DECISION … Organisations Jiwon Hair Salon Pte. Ltd. & Ors. [2018] SGPDPC [2] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0431 23 January 2018 Background 1 This case highlights that while the Personal Data Protection Act (“PDPA”) seeks to balance the protection of individuals’ personal data with the need for organisations to use and share that personal data, compliance with the PDPA also serves to ensure that an organisation keeps data which is of significant commercial importance to it protected and out of the reach of its competitors. Material Facts 2 This case was triggered by, unusually, a complaint from one of the Organisations, Jiwon Hair Salon Pte Ltd (“Jiwon”). Jiwon alleged that a former employee (“Employee K”) had misappropriated the names and contact numbers (collectively referred to as the “Personal Data”) of its customers by surreptitiously accessing its customer management system (“CMS”). 3 An investigation was conducted into Jiwon’s complaint and into the following Organisations which Employee K had worked at after leaving Jiwon to determine if indeed Employee K was using the Personal Data from Jiwon’s CMS: Jiwon Hair Salon Pte. Ltd. & Ors. S/N Organisation 1. 2 Jiwon Next@Ion Pte Ltd 9 April 2014 3. Next Hairdressing Pte Ltd 1 Dec 2016 4. 
4 [2018] SGPDPC 2 Initia Pte Ltd Start of employment 10 August 2016 13 Jan 2017 End of employment 15 August 2016 30 November 2016 16 Dec 2016 - In the meantime, Jiwon had instituted an action against Employee K in the State Courts arising out of the facts set out in the complaint and, according to Jiwon, an out-of-court settlement had been entered into. During the investigations, it became clear that none of the Organisations had… Directions 22dc817cc5a859cce0bf1f96066bd7470c408c03
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 202 202 1 952 A financial penalty of $18,000 and directions were issued to Social Metric for leaving the personal data exposed to the world wide web via unprotected URL links; and failure to remove personal data of its clients’ customers from its website when they no longer served a legal or business purpose.
[
    "Protection",
    "Retention Limitation",
    "Financial Penalty",
    "Directions",
    "Information and Communications"
]
2017-11-27 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision-Social-Metric-271117.pdf Protection, Retention Limitation Breach of Protection and Retention Obligations by Social Metric https://www.pdpc.gov.sg/all-commissions-decisions/2017/11/breach-of-protection-and-retention-obligations-by-social-metric 2017-11-27 PERSONAL DATA PROTECTION COMMISSION [2017] SGPDPC 17 Case No DP-160-A712; DP-1604-A713 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Social Metric Pte Ltd … Organisation DECISION Social Metric Pte Ltd [2017] SGPDPC 17 Tan Kiat How, Commissioner — Case No DP-160-A712; DP-1604-A713 27 November 2017. Background 1 This case involves a company which, as part of its social media marketing campaigns conducted for and on behalf of its clients, created webpages containing the personal data of its clients’ customers; and subsequently failed to remove those webpages from the world wide web, even after the social media marketing campaigns were over. 2 A complaint was made to the Personal Data Protection Commission (“PDPC”) regarding the unauthorised disclosure of personal data on these webpages on the world wide web. The Commissioner undertook an investigation into the matter, and the Commissioner sets out his findings and decision on the matter below. Material Facts and Documents 3 Social Metric is a digital marketing agency that provides social media marketing services. As part of these services, Social Metric would collect personal data of its clients’ customers for various purposes, for example, as a form of customer engagement, or to analyse the customer demographics, amongst other things. Social Metric Pte Ltd 4 [2017] SGPDPC 17 For the webpages in question, Social Metric had created nine webpages (the “Webpages”) for various social media contests that Social Metric conducted for and on behalf of its clients. 
These Webpages were found on Social Metric’s website at https://www.socialmetric.com (the “Website”). The Webpages consisted of tables that listed out various particulars of individuals. They were created for internal administrative and client use. 5 The personal data in these nine Webpages included individuals’ names; email addresses; contact numbers; employers; occupations; date and time of registration; and other miscellaneous information … Financial Penalty, Directions 6e83d465218b035d98cbe2c84b157f8aa0698ca3
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 203 203 1 952 Directions were issued to M Stars Movers for disclosure of a customer's personal data via social media without consent, failure to appoint a Data Protection Officer, and failure to institute policies and practices that are necessary for the organisation to meet the obligations imposed under the PDPA.
[
    "Accountability",
    "Consent",
    "Directions",
    "Transport and Storage"
]
2017-11-15 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---m-stars-movers---151117.pdf Accountability, Consent Breach of Consent and Openness Obligations by M Stars Movers https://www.pdpc.gov.sg/all-commissions-decisions/2017/11/breach-of-consent-and-openness-obligations-by-m-stars-movers 2017-11-15 PERSONAL DATA PROTECTION COMMISSION [2017] SGPDPC 15 Case No DP-1612-B0418 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And M Stars Movers & Logistics Specialist Pte Ltd … Organisation GROUNDS OF DECISION M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0418 15 November 2017 Background 1 This case highlights the risks that organisations face when they fail to develop and implement policies, practices and procedures to protect personal data when communicating with its customers or other individuals through social media. 2 In this matter, a customer (the “Complainant”) of the Organisation, which provides professional moving services, alleged that the Organisation had disclosed her personal data on its Facebook page without her consent. 3 The findings and grounds of decision based on the investigations carried out in this matter are set out below. Material Facts 4 Sometime in December 2016, the Complainant engaged the Organisation’s professional moving services. The Complainant voluntarily provided her name, mobile number and residential addresses (i.e. the addresses where the items were to be picked up and delivered to) to the Organisation to provide the services. 5 Dissatisfied with the allegedly unsatisfactory services provided by the Organisation, the Complainant left a negative review in a public post on the Organisation’s Facebook page. 
Amongst other things, there was a disagreement as to when the Organisation was required to return the S$100 deposit to the Complainant. 6 The Organisation publicly responded to the Complainant’s review in the comment section of the Complainant’s post on its Facebook page. In its response, the Organisation identified the Complainant by her English name and surname (“name”) and residential address (collectively referred to as the “Personal Data”) and informed the Complainant tha… Directions 76b2216f9b21cb552235144f0c76b8706503cf1a
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 207 207 1 952 A financial penalty of $15,000 was imposed on Orchard Turn Developments for failing to make reasonable security arrangements to protect personal data of its members that was stored on its server. Orchard Turn Developments was also issued directions to patch all system vulnerabilities already identified, conduct a penetration test and rectify new weaknesses identified, as well as implement a password management policy and conduct training for staff on password management best practices.
[
    "Protection",
    "Financial Penalty",
    "Directions",
    "Real Estate"
]
2017-07-06 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---orchard-turn-dev---060717.pdf Protection Breach of Protection Obligation by Orchard Turn Developments https://www.pdpc.gov.sg/all-commissions-decisions/2017/07/breach-of-protection-obligation-by-orchard-turn-developments 2017-07-06 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1512-A612 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Orchard Turn Developments Pte. Ltd. ... Organisation Decision Citation: [2017] SGPDPC 12 GROUNDS OF DECISION 6 July 2017 A. BACKGROUND 1. In this case, the Complainant received two unauthorised emails, purportedly sent by the Organisation promoting “free” ION+ Reward points. Investigations discovered that an unknown perpetrator had gained unauthorised access to a server that held personal data of the Organisation’s members. The perpetrator then used an application on the compromised server to send the unauthorised emails to the Organisation’s members using their personal data that was held in the server. This data breach incident raised the question of whether the Organisation had met its Protection Obligation under the Personal Data Protection Act 2012 (“PDPA”) to make reasonable security arrangements to sufficiently protect personal data held on the server. 2. The following sets out the Commission’s findings following its investigations into the matter. B. MATERIAL FACTS AND DOCUMENTS 3. The Organisation is the property manager of ION Orchard, a retail mall in Singapore. The Organisation runs the ION+ Rewards Loyalty Programme (“ION’s Loyalty Programme”), which awards its members points based on their purchases made at the mall. Super e-Management Limited (“Super-E”), a Hong Kong-based Information Technology (“IT”) service provider, manages the IT system for ION’s Loyalty Programme. The System Setup 4. 
ION’s Loyalty Programme runs on the Loyalty Management System (“LMS”) which comprises several interconnected servers. Only two servers are relevant to the Commission’s investigation: the (i) Web and Electronic Direct Mailer server (“EDM server”) and (ii) LMS & Reporting Server (“LMS server”). The LMS server was used to store the database of members’ personal data, while the EDM server was used to send out emails … Financial Penalty, Directions 35625f0c61ddfaca37e0a2cffc3703cb0a598632
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 209 209 1 952 A financial penalty of $3,000 was imposed on DataPost, as a data intermediary, for failing to make reasonable security arrangements to prevent the unauthorised disclosure of the personal data of two customers of a bank. DataPost was also directed to review its working procedures relating to data printing and enveloping operations, improve the training of its staff, and review its personal data protection policy.
[
    "Protection",
    "Financial Penalty",
    "Directions",
    "Others"
]
2017-06-20 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---datapost---200617.pdf Protection Breach of Protection Obligation by DataPost https://www.pdpc.gov.sg/all-commissions-decisions/2017/06/breach-of-protection-obligation-by-datapost 2017-06-20 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1606-B0061 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (the “PDPA”) And DataPost Pte Ltd (UEN 199404610D) … Organisation Decision Citation: [2017] SGPDPC 10 GROUNDS OF DECISION 20 June 2017 1. 2. This case arises out of an investigation into DataPost Pte Ltd (“DPL”). DPL printed and mailed out financial statements relating to the Overseas-Chinese Banking Corporation Ltd’s (“OCBC”) Supplementary Retirement Scheme (“SRS”) to OCBC’s customers. One customer (“the recipient”), however, discovered that she had received two additional SRS statements belonging to two other OCBC customers, in addition to her own SRS statement. The following information was disclosed in the SRS statements: a. Name; b. Address; c. Cash balance; and d. Types, quantity, and valuation of asset holdings. OCBC alerted the Commission to the incident, and informed the Commission that the recipient had received the additional SRS statements on or about 17 June 2016. The Commission has conducted an investigation into the matter and now sets out its findings. A. MATERIAL FACTS AND DOCUMENTS 3. DPL’s procedure for printing and mailing of the SRS statements was as follows: a. The SRS statements are printed on A3 sheets in the format shown below. A sheet may contain either two different statements or two pages of the same statement. In the incident in question, the first sheet, Sheet 1, contained the statements of two different individuals. Sheet 2 also contained the statements of two different individuals. 
[Figure: A3 size Sheet 1: Statement of Individual 1 | Statement of Individual 2; A3 size Sheet 2: Statement of Individual 3 | Statement of Individual 4] b. An enveloping machine was used to cut the statements and to insert the individual statements into their respective mailer envelopes. For the purpose of this decision, there are two relevant sub-components of the enveloping machine which operations affect the event… Financial Penalty, Directions 036e9a6584696b96ea27b7124138ef398af925a5
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 212 212 1 952 Directions were issued to Asia-Pacific Star, as a data intermediary, for failing to make reasonable security arrangements to prevent the disclosure of the personal data of Tiger Airways Singapore's passengers.
[
    "Protection",
    "Directions",
    "Others"
]
2017-05-31 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---tigerair-sats-aps-310517.pdf Protection Breach of Protection Obligation by Asia-Pacific Star https://www.pdpc.gov.sg/all-commissions-decisions/2017/05/breach-of-protection-obligation-by-asia-pacific-star 2017-05-31 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1607-B0129 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Tiger Airways Singapore Pte Ltd (UEN No. 200312665W) (2) SATS Ltd (UEN No. 197201770G) (3) Asia-Pacific Star Private Limited (UEN No. 199705514Z) … Organisations Decision Citation: [2017] SGPDPC 6 GROUNDS OF DECISION 31 May 2017 A. INTRODUCTION 1. On 27 July 2016, the Personal Data Protection Commission received a complaint that the passenger name list for Tiger Airways Singapore Pte Ltd (“Tigerair”) flight TR2466 (“Flight Manifest”) had been improperly disposed in a rubbish bin in the gate hold room at Changi Airport. The complainant alleged that the Flight Manifest could have been retrieved by anyone in the vicinity. 2. The Commission undertook an investigation into the matter and sets out its findings and grounds of decision below. B. MATERIAL FACTS 3. Tigerair is a low cost carrier. SATS Ltd (“SATS”) is an aviation ground handling service provider. SATS was engaged by Tigerair to provide ground handling services. In accordance with the terms of the ground handling services contract between SATS and Tigerair (“Ground Handling Services Contract”), SATS was responsible for the provision of the services by its subsidiaries as if it had been provided by SATS itself. 4. Asia-Pacific Star Private Limited (“APS”) is a wholly-owned subsidiary of SATS. SATS sub-contracted the provision of ground handling services for Tigerair to APS pursuant to a Services Agreement dated 11 June 2014 (“Services Agreement”). 5. 
Under the Services Agreement, APS was responsible for managing the boarding process, reconciling passenger numbers and verifying travel documents at the boarding gate. Among other things, APS was required to print a copy of the Flight Manifest at the boarding gate for the cabin crew to take on board the flight and submit to the immigration authority at the arrival destination. 6. On 26 July 2016, an… Directions b32d291037e42478607d82bf4e86cf61437ede0d
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 213 213 1 952 Directions were issued to Furnituremart for failing to make reasonable security arrangements to prevent the disclosure of the personal data of a customer.
[
    "Protection",
    "Directions",
    "Wholesale and Retail Trade"
]
2017-05-31 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---furnituremart-(310517).pdf Protection Breach of Protection Obligation by Furnituremart https://www.pdpc.gov.sg/all-commissions-decisions/2017/05/breach-of-protection-obligation-by-furnituremart 2017-05-31 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1611-B0319 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Furnituremart.sg (UEN 53169430E) … Organisation Decision Citation: [2017] SGPDPC 7 GROUNDS OF DECISION 31 May 2017 1. This is a case involving an organisation which had issued to its customer (the Complainant) an invoice which had a separate invoice (“second invoice”) containing personal data of another customer printed on the reverse side. In this regard, the other customer’s personal data was disclosed to the Complainant, comprising of the following information of the other customer: a. Customer’s surname; b. Home address; c. Delivery address; d. Telephone number; and e. E-mail address. 2. The Complainant made a complaint to the Personal Data Protection Commission (the “Commission”) on 7 November 2016 of the disclosure that was made, and the Commission conducted an investigation into the matter. It now sets out its findings of its investigations below. A. MATERIAL FACTS AND DOCUMENTS 3. The Organisation is in the business of trading furniture, bedding, and other domestic products. 4. Whenever it issues its invoices, the Organisation’s procedure is to make three copies of every invoice: The first for the Organisation’s filing, the second for the customer, and the third for the customer to sign and return to the Organisation on delivery of the goods. 5. According to the Organisation, all signed copies of invoices are supposed to be returned to its office, and subsequently destroyed by its staff on a daily basis. 6. 
In this case, however, the returned invoice was put in a printer feed tray, and re-used as printing paper for the complainant’s invoice. 7. In support of the foregoing, the Organisation provided the Commission with a document entitled, “Policies and internal guideline [sic] for the protection of personal data of customers as at November 2016”. The document provided for, amongst other things, (a) a… Directions 36a64b44f404c931de5370578f034bc3b5e25f6c
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 214 214 1 952 Directions were issued to the National University of Singapore for failing to make reasonable security arrangements to prevent the disclosure of the personal data of some of its students.
[
    "Protection",
    "Directions",
    "Education",
    "NUS"
]
2017-04-26 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---national-university-of-singapore---260417.pdf Protection Breach of Protection Obligation by the National University of Singapore https://www.pdpc.gov.sg/all-commissions-decisions/2017/04/breach-of-protection-obligation-by-the-national-university-of-singapore 2017-04-26 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1605-B0028 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And National University of Singapore ... Organisation Decision Citation: [2017] SGPDPC 5 GROUNDS OF DECISION 26 April 2017 1. A student of the Organisation had complained to the Personal Data Protection Commission (the “Commission”) that a URL link that was being circulated for the Organisation’s orientation camp had disclosed (without authorisation) the personal data of student volunteers from the College of Alice and Peter Tan (“CAPT”). CAPT is a residential college of the Organisation. 2. It was found that by following the URL link, one could access an online Excel spreadsheet containing the full names, mobile numbers, matriculation numbers, shirt sizes, dietary preferences, dates of birth, dormitory room numbers, and email addresses (the “personal data set”) of approximately 143 student volunteers. The student matriculation number is a unique student identification number issued by the Organisation. The matriculation number to a student is, in a limited sense, like an NRIC number to a Singapore citizen and permanent resident, in that it is required for various school activities, such as accessing online library resources, or for the submission of examination scripts. 3. Based on the complaint that was made, the Commission proceeded to investigate into an alleged breach by the Organisation of the protection obligation under Section 24 of the Personal Data Protection Act 2012 (“PDPA”). 
The following sets out the Commission’s findings following its investigations into the matter. A. MATERIAL FACTS AND DOCUMENTS 4. The CAPT Freshman Orientation Camp (“FOC”) is an annual event organised by student volunteers from CAPT for the freshmen matriculating into the Organisation. The FOC in the present case was for the year 2016. 5. The Organisation had designated several student leaders to take the responsibility for organis… Directions dafeb9f9b760642c9a5c2ba2036a18117c600223
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 222 222 1 952 A financial penalty of $3,000 was imposed on Smiling Orchid for failing to make reasonable security arrangements to prevent unauthorised access of its customers’ personal data on its website, whereby users could access other customers’ personal data by altering the URL of its order preview webpage. Smiling Orchid was also issued directions to conduct a security audit and to patch all identified vulnerabilities on its website.
[
    "Protection",
    "Financial Penalty",
    "Directions",
    "Accommodation and F&B"
]
2016-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---smiling-orchid---041116.pdf Protection Breach of Protection Obligation by Smiling Orchid https://www.pdpc.gov.sg/all-commissions-decisions/2016/11/breach-of-protection-obligation-by-smiling-orchid 2016-11-04 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1411-A250 [Redacted] (Replaced with Mr X) … Complainant AND (1) Smiling Orchid (S) Pte Ltd (UEN No. 199100754R) (2) T2 Web Pte Ltd (UEN No. 200510133Z) (3) Cybersite Services Pte Ltd (UEN No. 201212065M) (4) East Wind Solutions Pte Ltd (UEN No. 201135906Z) … Respondents Decision Citation: [2016] SGPDPC 19 GROUNDS OF DECISION 4 November 2016 A. BACKGROUND 1. On 24 November 2014, the Personal Data Protection Commission (the “Commission”) received a complaint from the Complainant, Mr X, in relation to the failure of the 1st Respondent, Smiling Orchid (S) Pte Ltd (“Smiling Orchid”), a food caterer, to put in reasonable security measures on its website to prevent disclosure of their customers’ personal data. 2. Following the Complainant’s complaint, the Commission undertook an investigation into the matter. The Commission has determined that there are four respondents in this matter, namely: 3. (a) Smiling Orchid; (b) T2 Web Pte Ltd (“T2”); (c) Cybersite Services Pte Ltd (“Cybersite”); and (d) East Wind Solutions Pte Ltd (“East Wind”). The Commission’s decision on the matter and grounds of decision are set out below. B. MATERIAL FACTS AND DOCUMENTS 4. Smiling Orchid is a food catering company. 5. Smiling Orchid owns the rights to two different domains, namely, smilingorchid.com and smilingorchid.com.sg. Customers can place orders for Smiling Orchid’s bakery and catering services through its website. 6. T2 is a web design and development company. 
By way of a Project Agreement between T2 and Smiling Orchid dated 29 July 2008 (“Project Agreement”), T2 was engaged by Smiling Orchid to design the Smiling Orchid webpage and build a Content Management System (“CMS”) to manage Smiling Orchid’s bakery and catering content on its website. 7. T2 created the design and HTML code but outsourced the development of the entire CMS to a freelancer, who in turn subcontracted the actual development of the CMS to another en… Financial Penalty, Directions a828a19dfb8ee2702d79c7ae3384cc2af58d6061
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 226 226 1 952 A financial penalty of $3,000 and $1,000 were imposed on Fu Kwee Kitchen Catering Services and its data intermediary, Pixart, respectively, for failing to implement proper and adequate protective measures to prevent unauthorised access of its customers’ personal data, whereby users could access other customers’ personal data by altering the URL of its order preview webpage. Fu Kwee was also issued directions to send employees for training, appoint a Data Protection Officer and conduct a security audit of its website.
[
    "Protection",
    "Accountability",
    "Financial Penalty",
    "Directions",
    "Accommodation and F&B",
    "Information and Communications",
    "FU KWEE",
    "PIXART"
]
2016-09-21 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---fu-kwee-and-pixart-(210916).pdf Protection, Accountability Breach of Data Protection and Other Obligations by Fu Kwee Kitchen Catering Services and Pixart https://www.pdpc.gov.sg/all-commissions-decisions/2016/09/breach-of-data-protection-and-other-obligations-by-fu-kwee-kitchen-catering-services-and-pixart 2016-09-21 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1410-A163 (1) FU KWEE KITCHEN CATERING SERVICES (UEN No. 52824092K) (2) PIXART PTE. LTD. (UEN No. 201011239D) …Respondents Decision Citation: [2016] SGPDPC 14 GROUNDS OF DECISION 21 September 2016 Background 1. On 30 September 2014, the Personal Data Protection Commission (“Commission”) received a complaint against Fu Kwee Kitchen Catering Services (“Fu Kwee”) regarding an alleged data breach by Fu Kwee involving unauthorised access of Fu Kwee’s customers’ personal data. 2. The Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by Fu Kwee and/or Pixart Pte. Ltd. (“Pixart”) (the Respondents in this investigation) of their respective obligations under the PDPA. Material Facts and Documents Fu Kwee’s relationship with Pixart 3. Fu Kwee provides food and beverage catering services in Singapore. It owned and managed the following website at the material time of the complaint: http://www.fukweecatering.sg, where different customer orders could be viewed through at the following URLs http://www.fukweecatering.sg/fixmenu1preview.aspx?pid=[number]. 4. Pixart is an IT vendor engaged by Fu Kwee in 2010 to (a) develop an online ordering system for Fu Kwee and Fu Kwee’s corporate website, and (b) host, support and maintain the website. 
The PDPA came fully into force on 2 July 2014, and as the contract between Fu Kwee and Pixart was only terminated sometime around April or May 2015, Pixart remained responsible for hosting, supporting and maintaining the website at the time of the alleged data breach incident in September 2014. Data breach incident 5. The Complainant stated that she was a customer of Fu Kwee, and alleged that she could retrieve another customer’s order details and personal data (specifically the customer’s name, postal address and personal contact number) by changing the numerals at the end of the URL of Fu Kwee’s order … Financial Penalty, Directions db94a5779e9ecd6a07c41892161ed40d87b027f0
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 232 232 1 952 Directions were issued to Universal Travel Corporation for disclosing a passenger list, consisting of 37 customers' personal data, to four of its customers without consent. The organisation was also penalised for its lack of data protection policies.
[
    "Consent",
    "Purpose Limitation",
    "Notification",
    "Directions",
    "Others"
]
2016-04-21 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---universal-travel-corporation-(210416).pdf Consent, Purpose Limitation, Notification Breach of Consent and Other Obligations by Universal Travel Corporation https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-and-other-obligations-by-universal-travel-corporation 2016-04-21 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1508-A496 UNIVERSAL TRAVEL CORPORATION PTE LTD (UEN. 197302113R) ... Respondent Decision Citation: [2016] SGPDPC 4 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. The Personal Data Protection Commission (“Commission”) received a complaint from a credible source concerning the alleged disclosure by the Respondent of personal data of 37 customers (the “passenger list”) in early March 2015 to certain individual(s) who participated in the 12 Days Legend of the Balkans Tour from 17 February 2015 to 28 February 2015 (“Balkans Tour”). 2. In the premises, the Commission decided to carry out an investigation into the matter. The Commission’s findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. Sometime in or around late February 2015, four of the customers of the Balkans Tour requested the Respondent to furnish formal documentation confirming the cancellation of their transit flight to Sofia on 18 February 2015 (TK1027/18FEB15 ISTANBUL-SOFIA) (“formal confirmation”) to process their insurance claims. 4. The Respondent therefore requested from Turkish Airline written confirmation of the flight cancellation and the affected passenger list. 5. Sometime in early March 2015, the Respondent sent the formal confirmation together with the letter from Turkish Airline and the passenger list by email to four of the customers of the Balkans Tour. 
The passenger list that was sent contained the name, nationality, date of birth, passport number, passport expiry date and passenger name record (a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together) of all 37 of the passengers/customers that were on the Balkans Tour. The passengers’ details were not masked or redacted when it was sent by the Respondent. It is not disputed that the passengers’ details constituted personal data under the control of the Respondent at the material time. 6. In the R… Directions 5a0ff182bd0082f840e509fc39079487ae98fb3a
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 236 236 1 952 A financial penalty of $5,000 was imposed and directions issued to Fei Fah Medical Manufacturing for failing to implement proper and adequate protective measures to secure its website and server, resulting in unauthorised disclosure of the personal data of more than 900 customers.
[
    "Protection",
    "Financial Penalty",
    "Directions",
    "Healthcare",
    "FEI FAH",
    "MEDICAL",
    "TCM"
]
2016-04-21 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---fei-fah-medical-manufacturing-(210416).pdf Protection Breach of Protection Obligation by Fei Fah Medical Manufacturing https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-fei-fah-medical-manufacturing 2016-04-21 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A145 FEI FAH MEDICAL MANUFACTURING PTE. LTD. (UEN No. 199800455H) …Respondent Decision Citation: [2016] SGPDPC 3 GROUNDS OF DECISION 20 April 2016 Background 1. Fei Fah Medical Manufacturing Pte. Ltd. (UEN 199800455H) (“Fei Fah Medical”) is a locally registered company specialising in the development and manufacture of healthcare and beauty products. The Ripple Website 2. Fei Fah Medical operates a website under the name Ripple Tea Company at www.ripple.com.sg (“Site”). 3. The Site consists of both publicly accessible pages, and a members’ portal (which is accessible only by individuals who had signed up with Fei Fah Medical under a membership scheme called Ripple Club, upon logging into the portal with their respective user identifications (“IDs”) and passwords). Data Leak Incident 4. On 29 September 2014, the Personal Data Protection Commission (“Commission”) was informed that information of users of the Site had been posted on http://pastebin.com (“Pastebin”), a website which allows members of the public to post and share text online publicly (the “Data Leak”). 5. The relevant information was ostensibly uploaded onto the Pastebin website by a Pastebin user with the username “KAMI_HAXOR”, in the form of a post in plain text that could be publicly viewed by any visitor to the Pastebin website. 6. The post was undated and captioned “Ripple Tea Company Singapore 900+ Users emails+passes+Names+mobile Numbers With Subscribers Emails Leaked By KaMi HaXor”. 7. 8. 
The post contained a list of data, which were numbered from 1 to 2,981, ostensibly to indicate that there were 2,981 entries in it. The data in the post appeared to be have been sorted into the following three categories: (a) Email addresses – there were 1114 entries of email addresses. The email addresses were unaccompanied by other data or identifiers. 219 of the entries contained “.sg” domain names; (b) User ID and encrypted passwords to R… Financial Penalty, Directions 5fcc9a763e0542a3c0b5b5064e7e18de2255f864
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 238 238 1 952 A financial penalty of $10,000 was imposed and directions issued to the Institution of Engineers, Singapore for failing to implement proper and adequate protective measures to secure its IT system, resulting in unauthorised disclosure of the personal data of more than 4,000 members.
[
    "Protection",
    "Financial Penalty",
    "Directions",
    "General (eg. Chamber of Commerce)",
    "IES"
]
2016-04-21 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---institute-of-engineers-singapore-(210416).pdf Protection Breach of Protection Obligation by Institution of Engineers, Singapore https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-institution-of-engineers--singapore 2016-04-21 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1411-A213 THE INSTITUTION OF ENGINEERS SINGAPORE …Respondent Decision Citation: [2016] SGPDPC 2 GROUNDS OF DECISION 20 April 2016 Background 1. The Institution of Engineers Singapore (UEN S66SS0041B) (“IES”) is a society registered with the Registry of Societies. IES was formally established in July 1966 as the national society of engineers in Singapore. Its functions include the accreditation of engineering academic programmes (through its Engineering Accreditation Board); the maintenance of professional registries; and the promotion of social, business, professional, and career development amongst engineers in Singapore. The IES Website 2. IES operates a website at www.ies.org.sg (“Site”), which consists of both publicly-accessible pages, and a members’ portal, accessible only by members of IES, upon logging into the portal with their respective user identifications (“IDs”) and passwords. The Site also allows members of the public, who are non-IES members, to create an account on the Site in order to login to access and post on the Site’s forums. 3. 
According to information provided by IES, the functions of the Site include: (a) enabling members to update their membership details such as addresses, emails and contact information; (b) applying for courses and events that are created by IES; (c) applying for email addresses with ies.org.sg domain, e.g., abc@ies.org.sg; (d) payment for membership and courses via PayPal; (e) accessing webmail; (f) allowing members to search for information about other members; (g) publishing information on IES events, courses, seminars, job listings, and information on various registries (e.g., ABC Waters Professional Registry and others); (h) applying for IES membership; and (i) accessing IES forums. 4. Members of IES who log in to the Site using their membership user IDs are able to access certain dedicated membership Site functions, including receipt of a… Financial Penalty, Directions 5e4c42b6a1aec075b5207d0eb67aa18523a6767e
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-12-14T14:54:52+00:00 0e20feac9c1e16c30580baa727a897e3bfcf8791 483 243 1 958 Directions were issued to Tipros for failing to use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate.
[
    "Consent",
    "Notification",
    "Purpose Limitation",
    "Directions",
    "Others"
]
2023-12-14 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TIPROS_080623.pdf Consent, Notification, Purpose Limitation Breach of the Purpose Limitation Obligation by Tipros https://www.pdpc.gov.sg/all-commissions-decisions/2023/12/breach-of-the-purpose-limitation-obligation-by-tipros 2023-12-14 PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 7 Case No. DP-2207-C0019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tipros … Organisation DECISION Tipros Yeong Zee Kin, Deputy Commissioner — Case No. DP-2207-C0019 8 June 2023 Introduction 1. On 21 July 2022, the Personal Data Protection Commission (the “Commission”) received a complaint that Tipros (the “Organisation”), a sole proprietorship in the wholesale and repair of electrical appliances, had unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organisation’s Google reviews page (the “Incident”). 2. The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3. The complainant had engaged the Organisation to repair a refrigerator. Following the repairs made, the complainant gave a “1-star” review on a Google reviews page “24hr fridge refrigerator #1 Quick repair service Trusted in Singapore”, which has since been renamed “Tipros.sg”. 4. The Organisation promptly responded to the complainant’s review. What was problematic was that the Organisation included the complainant’s personal data, including the complainant’s residential address and mobile number, in their response. 
The complainant filed a complaint with the Commission as the complainant was of the view that there was no reason for the Organisation to disclose her personal data in the course of responding to the review she left on the Organisation’s Google reviews page. 5. Apart from the Organisation’s response to the complainant’s review, the Commission found 13 other responses on the Organisation’s Google reviews page which disclosed, in a similar fashion, the personal data of other customers who had given reviews. Our Investigations 6. The Commission commenced investigations. In the course of investigations, it was … Directions acd36e3274c5e29fe0627b24b99136461cdd6c47
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
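As an added example (not part of this Datasette page or of the choco-up/sg-law-archive-data project), the following Python rebuilds the four tables behind pdpc_decisions_version_detail in an in-memory SQLite database, creates the view with the exact definition shown above, and runs the 'tags contains "Directions"' filter that produced this listing using SQLite's json_each table-valued function. The table schemas, the sample rows (two taken from this page, plus a constructed second version of item 238 and a constructed row tagged "Directions Not Issued"), and the filter SQL are assumptions; Datasette generates its own SQL for the facet filter.

```python
"""Added example: exercise the git-history style view shown on the page.

Everything below except VIEW_SQL (copied from the page) is constructed for
the demo; the schemas are a minimal guess at the git-history layout."""
import json
import sqlite3

# The view definition exactly as the Datasette page shows it.
VIEW_SQL = """
CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
"""

# Commits and two versions copied from the listing; the rest is constructed.
COMMITS = [
    (952, "fbd32491db44d3d0c97aa12a99cefd61ec954264", "2023-10-01T11:02:10+08:00"),
    (958, "0e20feac9c1e16c30580baa727a897e3bfcf8791", "2023-12-14T14:54:52+00:00"),
]
COLUMNS = [(1, "title"), (2, "tags"), (3, "date")]  # assumed column registry
VERSIONS = [  # (_id, _item, _version, _commit, title, tags, date)
    (238, 238, 1, 952, "Breach of Protection Obligation by Institution of Engineers, Singapore",
     json.dumps(["Protection", "Financial Penalty", "Directions",
                 "General (eg. Chamber of Commerce)", "IES"]), "2016-04-21"),
    (483, 243, 1, 958, "Breach of the Purpose Limitation Obligation by Tipros",
     json.dumps(["Consent", "Notification", "Purpose Limitation", "Directions", "Others"]),
     "2023-12-14"),
    # Constructed: a later version of item 238 in which only the tags changed.
    (484, 238, 2, 958, "Breach of Protection Obligation by Institution of Engineers, Singapore",
     json.dumps(["Protection", "Financial Penalty",
                 "General (eg. Chamber of Commerce)", "IES"]), "2016-04-21"),
    # Constructed: a tag that merely contains the word "Directions" as a substring.
    (485, 244, 1, 958, "Constructed decision",
     json.dumps(["Protection", "Directions Not Issued"]), "2023-12-14"),
]
# Which column ids changed in each version (first versions change every column).
CHANGED = [(238, 1), (238, 2), (238, 3), (483, 1), (483, 2), (483, 3),
           (484, 2), (485, 1), (485, 2), (485, 3)]


def build_db() -> sqlite3.Connection:
    """Create the backing tables, load the sample rows and define the view."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE commits (id INTEGER PRIMARY KEY, hash TEXT, commit_at TEXT);
        CREATE TABLE columns (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE pdpc_decisions_version (
            _id INTEGER PRIMARY KEY, _item INTEGER, _version INTEGER, _commit INTEGER,
            title TEXT, tags TEXT, date TEXT);
        CREATE TABLE pdpc_decisions_changed (item_version INTEGER, "column" INTEGER);
    """)
    conn.executemany("INSERT INTO commits VALUES (?, ?, ?)", COMMITS)
    conn.executemany("INSERT INTO columns VALUES (?, ?)", COLUMNS)
    conn.executemany("INSERT INTO pdpc_decisions_version VALUES (?, ?, ?, ?, ?, ?, ?)", VERSIONS)
    conn.executemany("INSERT INTO pdpc_decisions_changed VALUES (?, ?)", CHANGED)
    conn.execute(VIEW_SQL)
    return conn


def ids_with_tag(conn: sqlite3.Connection, tag: str) -> list:
    """Exact per-element match on the JSON tags array: 'tags contains <tag>'."""
    sql = """
        select _id from pdpc_decisions_version_detail as v
        where exists (select 1 from json_each(v.tags) where value = ?)
        order by _id
    """
    return [row["_id"] for row in conn.execute(sql, (tag,))]


def ids_with_tag_like(conn: sqlite3.Connection, tag: str) -> list:
    """Naive substring match on the serialised JSON text; over-matches."""
    sql = "select _id from pdpc_decisions_version_detail where tags like ? order by _id"
    return [row["_id"] for row in conn.execute(sql, ("%" + tag + "%",))]


def changed_columns(conn: sqlite3.Connection, version_id: int) -> list:
    """Decode the _changed_columns JSON array the view computes for one version."""
    row = conn.execute(
        "select _changed_columns from pdpc_decisions_version_detail where _id = ?",
        (version_id,)).fetchone()
    return json.loads(row["_changed_columns"])


if __name__ == "__main__":
    db = build_db()
    print(ids_with_tag(db, "Directions"))       # [238, 483]
    print(ids_with_tag_like(db, "Directions"))  # [238, 483, 485]
    print(changed_columns(db, 484))             # ['tags']
```

The json_each form matches whole array elements, so the constructed "Directions Not Issued" row stays out of the result, whereas a LIKE over the serialised JSON pulls it in. The _changed_columns subquery lists only the columns whose values differ from the previous version of the same item, which is why the constructed second version of item 238 reports just "tags" while every first version reports all columns.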
Powered by Datasette · About: choco-up/sg-law-archive-data