pdpc_decisions_version_detail (view)
32 rows where tags contains "Others"
_commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 2 | 2 | 1 | 952 | A financial penalty of $3,000 was imposed on Autobahn Rent A Car for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control. Directions were also issued to strengthen access control measures to administrator accounts and to conduct reasonable security review of technical and administrative arrangements for the protection of personal data. | [ "Protection", "Financial Penalty", "Directions", "Others" ] |
2023-09-15 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Autobahn-Rent-A-Car-Pte-Ltd_090623.pdf | Protection | Breach of the Protection Obligation by Autobahn Rent A Car | https://www.pdpc.gov.sg/all-commissions-decisions/2023/09/breach-of-the-protection-obligation-by-autobahn-rent-a-car | 2023-09-15 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS 4 Case No. DP-2210-C0345 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Autobahn Rent A Car Pte. Ltd. SUMMARY OF THE DECISION 1 On 21 October 2022, Autobahn Rent A Car Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach (the “Incident”). 2 The Organisation operates a car-sharing service, Shariot, in Singapore. On 24 September 2022, the Organisation received customer feedback that a photograph on its mobile application had been replaced with a pornographic photograph. The Organisation discovered that the pornographic photograph had been uploaded through an unrevoked administrator account belonging to an ex-employee, who had Page 1 of 6 left the Organisation in May 2022. The ex-employee received an email from an unknown sender on 10 September 2022 stating that his personal laptop had been hacked and demanding Bitcoins as ransom payment. The threat actor was able to log into the Shariot’s mobile application administrator portal through the administrator account belonging to the ex-employee, and used the export CSV function to download a copy of the Shariot’s users personal data. 3 Subsequently, on 21 October 2022, a cybersecurity solutions provider alerted the Organisation of a cybercrime forum post offering the sale of a Shariot database containing personal data. The Commission commenced investigations to determine whether the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”) by the Organisation. 
4 The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. It admitted to a breach of the Protection Obligation under Section 24 of the PDPA. 5 The Organisation’s internal investigations discovered that compromise of the… | Financial Penalty, Directions | 458ca2b78344d38cc2dec8a4e89a493c8a7475a2 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 10 | 10 | 1 | 952 | A warning was issued to an individual for using dictionary attack methods to generate telephone numbers which were then used for telemarketing purposes, thereby breaching section 48B of the PDPA. | [ "Do Not Call Provision(s)", "Warning", "Others", "Telemarketing" ] |
2023-04-17 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TaiShinFatt_140223.pdf | Do Not Call Provision(s) | Breach of Section 48B of the PDPA (Prohibition on Use of Dictionary Attacks) by an individual | https://www.pdpc.gov.sg/all-commissions-decisions/2023/04/breach-of-section-48b-of-the-pdpa-prohibition-on-use-of-dictionary-attacks-by-an-individual | 2023-04-17 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 2 Case No. ENF-DNC-210826-0015 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tai Shin Fatt … Individual DECISION Tai Shin Fatt Lee Ti-Ting, Assistant Commissioner - Case No. ENF-DNC-210826-0015 14 February 2023 Introduction 1 On 2 July 2021, the Personal Data Protection Commission (“the Commission”) was notified by the Singapore Police Force that the Singapore Civil Defence Force (“SCDF”) had received an influx of marketing calls between 25 and 28 June 2021 from telephone numbers registered to one LongSheng Consultancy Pte Ltd (“LongSheng”) on behalf of one Tai Shin Fatt (the “Individual”). The Commission commenced investigations to determine whether the circumstances relating to the calls disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Individual is an insurance director with a large and well-known insurance company managing a team of 25 insurance agents. In an effort to conduct marketing calls more efficiently, the Individual sought to engage the services of 2 companies hereinafter referred to as the “Call Automation Vendor” and the “Checker”. 3 The Call Automation Vendor provides software to facilitate the making of automated calls using customised scripts. The Checker’s service comprises the provision of telephone numbers (from which automated calls could be made), and the provision of software to check whether the telephone numbers of intended recipients were registered with the Do Not Call Registry (“DNCR”). 
The systems / software of the Call Automation Vendor and the Checker were intended to work in tandem as follows: (a) the telephone numbers of intended recipients would be uploaded onto the Call Automation Vendor’s software; (b) the Checker’s software would check the DNCR for such telephone numbers; and (c) the Call Automation Vendor’s software would then avoid making any calls to the telephone numbers which appeared in the DNCR… | Warning | 065914363a4287df302d4869dbb9b671721521e1 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 11 | 11 | 1 | 952 | Sembcorp Marine was found not in breach of the PDPA in relation to an incident whereby threat actor(s) exfiltrated personal data by exploiting a zero-day vulnerability present in an application. | [ "Protection", "Not in Breach", "Others", "Ransomware", "No breach" ] |
2023-03-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Sembcorp-Marine-Ltd_070223.pdf | Protection | No breach of the PDPA by Sembcorp Marine | https://www.pdpc.gov.sg/all-commissions-decisions/2023/03/no-breach-of-the-pdpa-by-sembcorp-marine | 2023-03-10 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS 2 Case No. DP-2206-B9934 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Sembcorp Marine Ltd SUMMARY OF THE DECISION 1. On 25 July 2022, Sembcorp Marine Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a personal data breach that had occurred through the exploitation of the Log4J zero-day vulnerability (the “Incident”). 2. As a result of the Incident, the personal data of 25,925 individuals was exfiltrated. The personal data affected included their name, address, email address, NRIC number, telephone number, passport number, photograph, date of birth, bank account details, salary, and medical screening results. 1 3. The Organisation engaged an external cybersecurity company, Sygnia, to investigate the Incident. Its investigations found that the threat actor had exploited three Log4J vulnerabilities present in an application (the “Application”) to gain unauthorised access to a server as early as on 4 January 2022. The threat actor also deployed the “Cobalt Strike” beacon, conducted reconnaissance, and made lateral movements across several machines, before exfiltrating data between 10 and 23 June 2022, and deploying a ransomware on 28 June 2022. 4. Threat intelligence research revealed that the ransomware campaign which affected the Organisation began targeting users of the Application in January 2022. 
Given that reports of the Log4J vulnerability were first made in December 2021, it would have been difficult for the Organisation to detect and prevent the infiltration when it was one of the early targets, having been infiltrated as early as 4 January 2022. 5. After finding out about the Log4J vulnerability, the Organisation took prompt actions to identify instances of Log4J vulnerabilities across all the software application it was using. The Organisation started identifying instances of Log4J vulnerabilities across its systems on 14 December 2021. It appli… | Not in Breach | fa527b079427e2423cb0a716970088f54b497254 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 13 | 13 | 1 | 952 | Directions were issued to CPR Vision Management Pte Ltd to conduct a security audit of its technical and administrative arrangements for the protection of personal data in its possession or control and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where CPR Vision Management Pte Ltd’s server and network storage devices were subjected to a ransomware attack. | [ "Protection", "Directions", "Others", "Ransomware", "Data Intermediary", "Retention" ] |
2023-02-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---CPR-Vision-Management-Pte-Ltd---071222.pdf | Protection | Breach of the Protection Obligation by CPR Vision Management Pte Ltd | https://www.pdpc.gov.sg/all-commissions-decisions/2023/02/breach-of-the-protection-obligation-by-cpr-vision-management-pte-ltd | 2023-02-10 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 17 Case No. DP-2207-B8974 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And CPR Vision Management Pte Ltd L’Oreal Singapore Pte Ltd L’Occitane Singapore SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received data breach notification reports from (i) L’Oreal Singapore Pte Ltd (“L’Oreal”) on 29 October 2021 and (ii) L’Occitane Singapore Pte Ltd (“L’Occitane”) on 1 November 2021 respectively of a ransomware attack on their customer relationship management (“CRM”) system vendor, CPR Vision Management Pte Ltd (the “Organisation”). The Organisation is a data intermediary that helped to process personal data collected by L’Oreal and L’Occitane. 2. The ransomware attack affected a server and three network attached storage (“NAS”) devices in the Organisation’s office (“office network”), and led to the Page 1 of 6 encryption of the personal data belonging to 83,640 L’Occitane’s customers and 35,079 L’Oreal’s customers, which included their name, address, email address, mobile number, NRIC number, date of birth, age, gender, race, nationality, loyalty points and amount spent. 3. The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. 
It also admitted to a breach of the Protection Obligation under Section 24 and the Retention Limitation Obligation under Section 25 of the Personal Data Protection Act (the “PDPA”). 4. The Organisation’s internal investigations found the threat actor had first gained access to the office network via a compromised user account VPN connection on 13 October 2021 before executing the ransomware attack on or about 15 October 2021. However, due to the limited data logs available on the Organisation’s FortiGate firewall and VPN appliance, the Organisation was not able to determi… | Directions | 7e9168136ea5e122bc3f4577c70535e0fc6c7689 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 17 | 17 | 1 | 952 | Directions were issued to both Shopify Commerce Singapore and Supernova to put in place a process to ensure compliance with the Transfer Limitation Obligation following a data breach incident of Shopify Inc's database. | [ "Transfer Limitation", "Directions", "Others", "Data Intermediary" ] |
2022-11-18 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Supernova-Pte-Ltd_06102022.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by Shopify Commerce Singapore and Supernova | https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-transfer-limitation-obligation-by-shopify-commerce-singapore-and-supernova | 2022-11-18 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 7 Case No: DP-2103-B8147 / DP-2206-B9935 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Supernova Pte Ltd (2) Shopify Commerce Singapore Pte Ltd … Organisation DECISION Page 1 of 12 Supernova Pte Ltd & Anor Yeong Zee Kin, Deputy Commissioner — Case No. DP-2103-B8147/ DP-2206-B9935 6 October 2022 Introduction 1 On 8 October 2020, the Personal Data Protection Commission (the “Commission”) was notified by Supernova Pte Ltd (“SNPL”) of a data breach incident of Shopify Inc’s database affecting the personal data of certain Singapore-based customers (the “Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case Background 2 Shopify Inc (“Shopify”) is a company based in Canada that operates an e- commerce platform for online retailers to conduct sales (the “Platform”). SNPL is an online retailer that began using the Platform in 2018 to sell its products to customers. Shopify provided payment processing and other services (the “Services”) to SNPL pursuant to the Shopify Plus Agreement, executed by Shopify and SNPL on 4 December 2018. 
Shopify Commerce Singapore Pte Ltd (“Shopify SG”) acted as the Page 2 of 12 Asia-Pacific data sub-processor of Shopify pursuant to the Shopify Data Processing Addendum to the Shopify Plus Agreement, and its role was confined to collecting customer personal data (including SNPL’s) via the Platform and transferring the data out of Singapore to Shopify for both Purchase Processing and Platform Processing. 3 The Platform collected personal data from customers of its online retailers for two broad sets of purposes. First, to facilitate billing, payment and shipping on behalf of the Platform’s online retailers (“Purchase Processing”). Second, for Shopify’s own commercial and administrative purposes. This mainly included th… | Directions | a460c9f6da7d242e2c26bf56c9b5bc6bd47df7e7 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 40 | 40 | 1 | 952 | A financial penalty of $21,000 was imposed on Neo Yong Xiang for using his customers' personal data to register for prepaid SIM cards without their consent. The SIM cards were subsequently sold to anonymous individual(s) who used them to send specified messages in contravention of the Do Not Call provisions of the PDPA. | [ "Consent", "Financial Penalty", "Others" ] |
2022-03-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Neo-Yong-Xiang---29102021.pdf | Consent | Breach of the Consent and Purpose Limitation Obligations by Neo Yong Xiang trading as Yoshi Mobile | https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-the-consent-and-purpose-limitation-obligations-by-neo-yong-xiang-trading-as-yoshi-mobile | 2022-03-10 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 12 Case No. DP-2013-B8088 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Neo Yong Xiang (trading as Yoshi Mobile) … Organisation DECISION Neo Yong Xiang (trading as Yoshi Mobile) Lew Chuen Hong, Commissioner — Case No. DP-2013-B8088 29 October 2021 Introduction 1. When customers purchased pre-paid SIM cards from a mobile phone shop at Geylang Road, they would not have anticipated that their personal data would be misused to register additional SIM cards for illegal sale. Unfortunately, this was exactly what happened to at least 78 individuals who purchased pre-paid M1 SIM cards from one Mr Neo Yong Xiang (“NYX”) the sole proprietor of Yoshi Mobile (“YM”). 2. The Commission observed that between January 2020 and November 2020, there were 3,636 Do Not Call (“DNC”) complaints from persons who received specified messages even though their telephone numbers are registered with the DNC register1. Further analysis revealed that 1,379 of the messages were sent from 98 SIM cards registered at YM. The Commission initiated investigations against NYX (trading as YM) for suspected breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 3. NYX has operated YM since 2013. 
As an exclusive retailer of M1 SIM cards, NYX was provided a terminal device installed at YM’s premises for the purposes of 1 Under Section 43 of the PDPA, a person is not allowed to send specified messages to a Singapore telephone number registered with the DNC register unless the person has, at the time where he sends the specified message, valid confirmation that the Singapore telephone number is not listed in the DNC register. SIM card registration (the “M1 Terminal Device”). SIM card registration had to be carried out in accordance with the conditions of M1’s telecommunications licence granted under Section 5 of the Telecommunications Act (Chapter 323). The typical SIM card registration process in YM would be a… | Financial Penalty | 9701ccc45e49e35f3e4018e10b92d445aca1c569 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 43 | 43 | 1 | 952 | A financial penalty of $14,000 was imposed on Nature Society (Singapore) for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its website database. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to comply with the PDPA. | [ "Protection", "Accountability", "Financial Penalty", "Others" ] |
2022-01-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---NSS---03122021.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Nature Society (Singapore) | https://www.pdpc.gov.sg/all-commissions-decisions/2021/12/breach-of-the-protection-and-accountability-obligations-by-nature-society | 2022-01-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7351 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Nature Society (Singapore) SUMMARY OF THE DECISION 1. On 6 November 2020, the Personal Data Protection Commission (the “Commission”) received information of an online article reporting about hacked databases being made available for downloads on several hacking forums and Telegram channels. In the article, Nature Society (Singapore) (the "Organisation") was named as one of the affected Organisations (the “Incident”). 2. The personal data of 5,131 members and non-members who had created membership and user accounts on the Organisation’s website were affected in the Incident. The datasets affected comprised of names, usernames, passwords (encrypted), email addresses, telephone numbers, types of membership, gender, mailing addresses, dates of births, occupation, company and nationality. 1 3. Following the Incident, the Organisation engaged two IT professionals to carry out an investigation and analysis of the Organisation's website. The investigation and analysis revealed vulnerabilities in the Organisation's website and suspicious SQL injection activities prior to the Incident. The possible attack vector was identified as a SQL injection attack which led to personal data on the Organisation's website database being accessed and exfiltrated by unknown parties. 4. 
The Organisation took the following remedial measures after the Incident: (a) Edited the website to stop all online membership sign-ups/renewals and logins to the website; (b) Removed all members' and users' data from the website database; (c) Backed up the website database and kept all personal data offline; (d) Change all login passwords; (e) Notified all affected individuals of the Incident via email; (f) Appointed a Data Protection Officer ("DPO") (g) Developed and implemented a personal data policy; and (d) Engaging vendors to develop a new website to improve security. 5. In… | Financial Penalty | 50aef1ea4a6b3252366a112e13092602d7c8bd3b | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 51 | 51 | 1 | 952 | Carousell was found not in breach of the PDPA in relation to incidents where threat actor accessed Carousell users' accounts due to credential stuffing. | [ "Not in Breach", "Others", "Password" ] |
2021-09-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Carousell-Pte-Ltd---030821.pdf | No Breach of the Protection Obligation by Carousell | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/no-breach-of-the-protection-obligation-by-carousell | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2105-B8350 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Carousell Pte. Ltd. SUMMARY OF THE DECISION 1. On 14 May 2021, Carousell Pte. Ltd. (the “Organisation”) informed the Personal Data Protection Commission of an unauthorized access to their users’ accounts due to credential stuffing. 2. The Organisation was first alerted on 26 April 2021 when a user reported to the Organisation that his account had been hijacked and there were attempts to make unauthorised purchases. On 1 June 2021, the Organisation was alerted to another incident involving the same modus operandi where legitimate credentials were used to log in to users’ accounts and unauthorised purchases were made (collectively, the “Incident”). 3. The Organisation’s investigations indicated that the Incident was due to the threat actor(s) obtaining the login details and passwords of some of their users due to an exposure of the account details on another service provider’s platform. The threat actor(s) succeeded in certain cases where the user used the same login and password for their account with the Organisation and their compromised accounts with other provider’s platforms. After successfully logging into the account, the threat actor(s) was able to perform actions as an authorised user. The threat actor(s) would also have access to the data in an individual’s account and modify the account settings. 4. The Organisation’s investigations found that there was no known compromise or unauthorised access of information in other accounts that were stored in the same database. 
At the time of the Incident, the Organisation had in place security arrangements including, but not limited to, the following: a. Users are informed when there is a change to the password, email or phone number linked to their account, or when a new device is used to log in; b. Training of account takeover model to identify and investigate likely account takeovers; c. Card tr… | Not in Breach | da3c0f91c3b8e24ee0b6a4d9f85d596df8a36ab7 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 55 | 55 | 1 | 952 | A warning was issued to Specialized Asia Pacific for failing to put in place reasonable security arrangements to protect the personal data of 2,445 application users. | [ "Protection", "Warning", "Others", "Mobile application" ] |
2021-09-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Specialized-Asia-Pacific-Pte-Ltd---300721.pdf | Protection | Breach of the Protection Obligation by Specialized Asia Pacific | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-protection-obligation-by-specialized-asia-pacific | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2101-B7826 In the matter of an investigation under Section 50(1) of the Personal Data Protection Act 2012 And Specialized Asia Pacific Pte Ltd … Organisation SUMMARY OF THE DECISION 1. On 29 January 2021, Specialized Asia Pacific Pte Ltd. (the “Organisation”) informed the Personal Data Protection Commission of a data security incident involving the Specialized Cadence application (the “Application”) that it developed, operated and maintained. 2. The Organisation’s developing staff did not realize that the online development tool, which was used to develop the Application, had a default privacy setting that made all data created by users or developers “visible”, even though this had been stated in the tool’s privacy rules. This default setting allowed the Application’s network traffic to be intercepted and accessed using third-party security testing software that can be acquired online. A member of the public had therefore been able to intercept and access the personal data of the Application’s users by using a free version of such software (the “Incident”). However, the risk of unauthorised access had been limited to parties who knew how to use such security testing software to obtain access. This factored in the enforcement outcome below (see paragraph 6 below). 3. The undetected default privacy setting of “visible” put the personal data of 2,445 individuals at risk of unauthorised access. The data affected included names, addresses, dates of birth, telephone numbers, email addresses and gender. 4. 
Remediation by the Organisation encompassed turning off all access and use of the Application by all external parties, including users, and changing the privacy setting from “visible” to “hidden”. The Organisation also engaged a third-party IT security firm to test and address any security and privacy issues relating to the Application, commenced discussions with its IT application designers and employees involved to adopt ‘privacyby-design’ in future appl… | Warning | bb6b30899dc237cbbb5ca65a53c42a6e8fc69444 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 66 | 66 | 1 | 952 | Chapel of Christ the Redeemer failed to put in place reasonable measures to protect its members' personal data. Further, it did not have written policies and practices necessary to comply with the PDPA. | [ "Accountability", "Protection", "Directions", "Others", "No Policy", "Access control", "Indexing" ] |
2021-04-15 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Chapel-of-Christ-the-Redeemer---290121.pdf | Accountability, Protection | Breach of the Protection and Accountability Obligations by Chapel of Christ the Redeemer | https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-and-accountability-obligations-by-chapel-of-christ-the-redeemer | 2021-04-15 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7132 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chapel of Christ the Redeemer SUMMARY OF THE DECISION 1. On 6 October 2020, Chapel of Christ the Redeemer (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) that a file (the “File”) containing personal data of 815 members’ name, NRIC, address, date of birth, marital status, email address, mobile and residential phone number was inadvertently disclosed online. 2. Investigations revealed that a staff had accidentally uploaded the File (which was supposed to be an internal document) onto the sub-directory on 24 November 2019. The Organisation only discovered the matter on 8 September 2020 when a member of the Organisation performed a Google search of another member’s name and found a Google search result of the File. 3. The Organisation admitted that there were no access controls to the sub-directory prior to the incident as the sub-directory was intended to be accessible to public. As a result, the File was indexed by search engines and showed up in online search results. The Organisation also admitted that at the time of the incident, the Organisation had not developed any internal policies and practices to ensure compliance with the Personal Data Protection Act 2012 (the “PDPA”). In particular, there was no system of checks for the uploading of files on the Organisation’s website. 4. 
Fortuitously, it appeared that the access to the File was minimal – based on Google Analytics Report, save for the Organisation’s member who discovered the File on the internet on 8 September 2020, there was only one other access to the File on 9 December 2019, and the access only lasted for approximately 1 minute. 5. Following the incident, the Organisation disabled the search engine indexing to the subdirectory, password-protected all files with members’ data, and implemented a weekly check of all files uploaded onto the websi… | Directions | 3af9997c53409121b23cd38f9ec106f784e3648c | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 81 | 81 | 1 | 952 | Directions, including a financial penalty of $7,500 were imposed on Majestic Debt Recovery for failing to obtain consent from its debtors to record the debt collection process. Majestic Debt Recovery also did not obtain consent to upload the recordings onto its Facebook Page. Additionally, Majestic Debt Recovery did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Protection", "Accountability", "Directions", "Financial Penalty", "Others", "Consent", "No DPO", "No Policy" ] |
2020-11-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Majestic-Debt-Recovery---02032020.pdf | Protection, Accountability | Breach of the Consent and Accountability Obligations by Majestic Debt Recovery | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-consent-and-accountability-obligations-by-majestic-debt-recovery | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 7 Case No DP-1903-B3570 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Majestic Debt Recovery Pte Ltd … Organisation DECISION 1 Majestic Debt Recovery Pte Ltd [2020] SGPDPC 7 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3570 2 March 2020 Introduction 1 This case concerns a debt collection company’s posting of a video recording on social media as a tactic to shame a debtor. The recordings in question captured exchanges between the company’s representative and staff of the debtor company. Facts of the Case 2 Majestic Debt Recovery Pte Ltd (the “Organisation”) is a company in the business of collecting debts on the behalf of its clients. On 22 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from the managing director (the “Complainant”) of a debtor company (the “Company”) stating that the Organisation had been engaged by the Company’s sub-contractor to recover debts from the Company. The Complainant stated that on or around 21 March 2019, the Organisation’s representatives (the “Representatives”) visited the Company’s premises to collect a debt on behalf of its client (the “Incident”). Not surprisingly, heated words were exchanged with the Company’s personnel when the Representatives attempted to recover the debt. The Representatives recorded video footage of the exchanges with the Company’s personnel, including the Complainant (the “Recording”), on a tablet device. 
The Complainant and the Company’s personnel could be identified from the images and audio captured by the Recording. According to the Complainant, he “protested against the taking of [the Recording and] posting it [on] social media but [the Representative] said he would do it”. The Representatives nonetheless took the Recording and subsequently posted it on the Organisation’s official public Facebook page (its “Facebook Page”). 2 3 During its investigation, the Commission found other… | Directions, Financial Penalty | 735c56aebf1838696565bb02754125b665e3d968 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 82 | 82 | 1 | 952 | Directions were issued to Security Masters for failing to put in place reasonable security arrangements to prevent the unauthorised access of building visitors’ mobile numbers. A security personnel contacted the visitors to request return of visitor passes and send them Chinese New Year greetings. | [ "Protection", "Directions", "Others", "Text messages", "Mobile numbers", "Protection" ] |
2020-10-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Security-Masters-Pte-Ltd---21072020.pdf | Protection | Breach of the Protection Obligation by Security Masters | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-security-masters | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2002- B5875 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Security Masters Pte Ltd SUMMARY OF THE DECISION 1. On 17 February 2020, Security Masters Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a security employee had used the mobile phone numbers of eight building visitors to contact them to request their return of visitor passes and send them Chinese New Year greetings. 2. Investigation found that the Organisation did not put in place any standard operating procedure or guidelines for the retrieval and use of visitors’ personal data prior to the incident. This gap in security arrangements allowed the incident to occur. 3. The Deputy Commissioner for Personal Data Protection therefore found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against risk of unauthorised access. The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. 4. Following the incident, the Organisation restricted access to personal data to senior personnel and required all security personnel to sign an undertaking not to contact visitors in their personal capacity. However, structured training is needed to help its security personnel understand the importance of protecting the personal data they handled daily in their duties, such as National Registration Identification Card numbers, photographs and closed-circuit television footage. 5. 
On the above consideration, the Deputy Commissioner for Personal Data Protection hereby directs the Organisation to: a) Within 60 days from the date of the direction, revise its training curriculum to ensure that its security personnel understand i. the rationale for personal data protection; ii. the importance of consent and authorisation in the handling of personal data; and iii. the circumstances in which… | Directions | e24e6989567857bec320cd7ad6365fd535330a52 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 83 | 83 | 1 | 952 | A warning was issued to Interauct! for retaining personal data which was no longer necessary for legal or business purposes. | [ "Retention Limitation", "Warning", "Others", "Backup files", "Server migration" ] |
2020-10-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Interauct-Pte-Ltd---04082020.pdf | Retention Limitation | Breach of the Retention Limitation Obligation by Interauct! | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-retention-obligation-by-interauct | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1911-B5268 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Interauct! Pte Ltd SUMMARY OF THE DECISION 1. Interauct! Pte Ltd (the “Organisation”) operated an online mobile number auction (the “Auction”) for a telecommunications provider (the “Telco”). This arrangement started in the year 2000 and ended in 2018. 2. In November 2019, the Commission was informed that the Telco’s cybersecurity team had located an internet sub-domain containing files with the personal data of individuals who had participated in the Auction (the “Files”). The Files contained the following types of personal data: a. Name; b. ID (such as passport or NRIC number); c. Mobile number; d. Address; e. Date of birth; and f. Email address. 3. The Commission’s investigations revealed the following: a. The Organisation had engaged a vendor to provide web hosting services for the Auction. In 2012 and 2016, the vendor conducted server migration exercises. On both occasions, the Organisation created backups of the Files prior to server migration exercises and uploaded them on the vendor’s servers. The Organisation did not delete the Files after the server migration were completed; b. In April 2019, the vendor misconfigured its servers. As a result, the Files became accessible on the internet sub-domain. However, to access this sub-domain requires an individual to key in either one of two URLs exactly. Both URLs were complex and lengthy. It was therefore difficult for an individual to determine the URLs exactly to enter the sub-domain. 
Indeed, an examination of server logs found that only the Telco had accessed the sub-domain; c. The Files contained a mix of individuals’ personal data, as well as dummy data used for testing purposes. An analysis of the Files showed that there were approximately 8,750 individuals’ personal data contained in them. The Telco compared the data with its customer records, and via a reconciliation process, was able to ide… | Warning | 5932047a3ee552243babdc8b5564ced3e448d87b | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 86 | 86 | 1 | 952 | A financial penalty of $5,000 was imposed on Vimalakirti Buddhist Centre for failing to put in place reasonable security arrangements to protect the personal data of its members and non-members from unauthorised disclosure. The incident resulted in the personal data being subjected to a ransomware attack. | [ "Protection", "Financial Penalty", "Others", "Ransomware", "No measures" ] |
2020-10-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Vimalakirti-Buddhist-Centre---04092020.pdf | Protection | Breach of the Protection Obligation by Vimalakirti Buddhist Centre | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-vimalakirti-buddhist-centre | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6193 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Vimalakirti Buddhist Centre SUMMARY OF THE DECISION 1. On 14 April 2020, Vimalakirti Buddhist Centre (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware infection that had rendered its data management system inaccessible by the Organisation (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. The Incident occurred on or about 31 March 2020. Personal data of approximately 4,500 members and 4,000 non-members (total 8,500 individuals) were encrypted by the ransomware. The personal data encrypted included the name, address, contact number, NRIC number, date of birth and donation details of the individuals. 4. The Organisation admitted it did not give due attention to personal data protection, and had neglected to implement both procedural and technical security arrangements to protect the personal data in its possession and control. Consequently, it did not have the relevant security software and/or protocols in place to prevent the ransomware from entering its data management system. 5. 
In the circumstances, the Deputy Commissioner for Personal Data Protection finds the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”). 6. Following the incident, the Organisation set up a new server with backup from 21 October 2019. For the data collected by the Organisation from 22 October 2019 to the Incident, the Organisation had retrieved the data from physical file records and restored them in the new server. It also installed a f… | Financial Penalty | e0f3f4b9ea5a6f7fe98f703d2b0a529a93f64315 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 87 | 87 | 1 | 952 | A warning was issued to Horizon Fast Ferry for failing to put in place reasonable security arrangements to protect the personal data in the Organisation’s email account. | [ "Protection", "Warning", "Others", "Password policy", "Email account", "Phishing" ] |
2020-10-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----Horizon-Fast-Ferry-Pte-Ltd---27082020.pdf | Protection | Breach of the Protection Obligation by Horizon Fast Ferry | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-horizon-fast-ferry | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1912-B5465 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Horizon Fast Ferry Pte. Ltd. SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (“Commission”) investigated a complaint against Horizon Fast Ferry Pte. Ltd. (the “Organisation”) where the Organisation’s email account, singapore@horizonfastferry.com (the “Email Account”) had sent out phishing emails to its customers (the “Incident”). 2. Investigations revealed that the computer used to access the Email Account was infected with malware. This caused the Email Account to send phishing emails to three customers. Each email contained only the personal data that the customer himself had sent to the Email Account to book ferry tickets. Hence there was no disclosure of other customers’ personal data in the phishing email. 3. The Organisation informed the Commission that it had implemented various security measures prior to the Incident such as updating their anti-virus software regularly. However, investigations revealed that the password to access the Email Account was shared by 11 employees of the Organisation and had not been changed for almost 3 years. This poor management of passwords fell short of what is reasonably required to protect the personal data in the Email Account. 4. 
The Deputy Commissioner for Personal Data Protection therefore found that the Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 for failing to implement reasonable security arrangements to protect the personal data in its possession or under its control. Upon consideration of the facts, a warning was issued to the Organisation. | Warning | a9f0d524ae6cbf14f4db5cdf1e0ccba42e45b1e0 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 93 | 93 | 1 | 952 | Singtel was found not in breach for failing to make reasonable security arrangements to prevent the unauthorised access of its customers’ personal data via the mySingtel mobile application. | [ "Not in Breach", "Others", "No breach", "Mobile application", "Singtel" ] |
2020-09-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Telecommunications-Limited---05082020.pdf | No Breach of the Protection Obligation by Singtel | https://www.pdpc.gov.sg/all-commissions-decisions/2020/09/no-breach-of-the-protection-obligation-by-singtel | 2020-09-10 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 13 Case No. DP-1904-B3731 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Telecommunications Limited … Organisation DECISION Singapore Telecommunications Limited [2020] SGPDPC 13 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1904-B3731 5 August 2020 Introduction 1 On 28 March 2019, Singapore Telecommunications Limited (the “Organisation”) was notified by a customer of an issue with its MySingtel mobile application (the “Mobile App”) – customers were able to view on the Mobile App their previously assigned service numbers 1 (the “Recycled Numbers”) and the related usage information of other customers who were the current users of the Recycled Numbers (the “Incident”). The Organisation notified the Personal Data Protection Commission (the “Commission”) of the Incident on 17 April 2019. Facts of the Case 2 The Organisation is a multinational telecommunications conglomerate headquartered in Singapore. Through the Mobile App, the Organisation’s customers can conveniently manage the Organisation’s services including (but not limited to) the payment of their bills, keeping track of their local mobile data usage, talk time and SMS, subscribing to a roaming plan to suit their travel needs etc. [Footnote 1: The service numbers comprised mobile phone numbers, user IDs for the Organisation’s broadband internet services and service numbers for the Organisation’s TV services.] 
Communications between the Mobile App and the Organisation’s servers are conducted via an Application Programming Interface (“API”). This would include the retrieval of active service numbers associated with a user of the Mobile App. 3 The Organisation engaged a software services provider who was in charge of developing and introducing code changes for the purpose of code updates to the API (the “Vendor”). As part of a scheduled code update on the day of the Incident, the Vendor ma… | Not in Breach | cf1510a1a435f6eb0468b1dd403f3cf6c72407a6 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 148 | 148 | 1 | 952 | Directions, including a financial penalty of $5,000, were imposed on AgcDesign for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Accountability", "Financial Penalty", "Others", "Interior design" ] |
2019-07-04 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--AgcDesign-Pte-Ltd--040719.pdf | Accountability | Breach of the Openness Obligation by AgcDesign | https://www.pdpc.gov.sg/all-commissions-decisions/2019/07/breach-of-the-openness-obligation-by-agcdesign | 2019-07-04 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 23 Case No DP-1805-B2072 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And AgcDesign Pte. Ltd. … Organisation DECISION AgcDesign Pte. Ltd. [2019] SGPDPC 23 Yeong Zee Kin, Deputy Commissioner – Case No DP-1805-B2072 4 July 2019 Background and Material Facts 1 AgcDesign Pte. Ltd. (the “Organisation”) provides interior designing services for commercial and residential properties. Between 5 and 9 May 2018, the Personal Data Protection Commission (the “Commission”) received complaints alleging that the Organisation had used the complainants’ names and residential addresses without the complainants’ consent to send them marketing mailers. In the course of investigations by the Commission, it was found that the Organisation had sent the mailers using information from a database of property-related information obtained from a third party. That database had been compiled from information on caveats lodged with the Singapore Land Authority, which was publicly available. 2 It also emerged in the course of investigations that the Organisation had not appointed any data protection officer (“DPO”) and it had not developed and put in place any data protection policies. Upon being notified of the complaints, the Organisation appointed a DPO and issued certain verbal instructions to its employees concerning the collection, use and disclosure of personal data. 1 AgcDesign Pte. Ltd. 
[2019] SGPDPC 23 Findings and Basis for Determination 3 Section 17 of the PDPA, read with the relevant provisions of the Second, Third and Fourth Schedules to the PDPA, permits organisations to collect, use and disclose personal data which is publicly available without the consent of the individuals concerned. The Commission therefore did not proceed further with its investigation into the Organisation’s use of personal data in this case and I am satisfied that it is unnecessary to do so. 4 In relation to the Organisation’s failu… | Financial Penalty | dbe45267b662cba27e20e9da8c6e449830e75c7f | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 150 | 150 | 1 | 952 | Directions were issued to SME Motor for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data. The lapses resulted in personal data of other customers being disclosed on the reverse side of an invoice document. | [ "Protection", "Directions", "Others", "Auto Repair and servicing", "Car" ] |
2019-07-04 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---SME-Motor-Pte-Ltd---040719.pdf | Protection | Breach of the Protection Obligation by SME Motor | https://www.pdpc.gov.sg/all-commissions-decisions/2019/07/breach-of-the-protection-obligation-by-sme-motor | 2019-07-04 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 21 Case No DP-1901-B3318 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SME Motor Pte. Ltd. … Organisation DECISION 1 SME Motor Pte. Ltd. [2019] SGPDPC 21 Yeong Zee Kin, Deputy Commissioner — Case No DP-1901-B3318 4 July 2019 Background 1 On 31 January 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual (the “Complainant”) in relation to the disclosure of other individuals’ personal data that had been printed on the reverse side of an invoice issued to the Complainant by SME Motor Pte. Ltd. (the “Organisation”). Material Facts 2 The facts of this case and circumstances leading to the breach bear some resemblance to the cases of Re SLF Green Maid Agency [2018] SGPDPC 27 and Re Furnituremart.sg [2017] SGPDPC 7. 3 The Organisation is in the business of auto repair and servicing. In an effort to be environmentally friendly, the Organisation had a practice of re-using scrap or unwanted paper documents by printing other documents on the reverse side. 4 The Complainant met with a car accident and brought her vehicle to the Organisation’s workshop for repair. The Complainant subsequently discovered 1 [2019] SGPDPC 21 SME Motor Pte. Ltd. that the Organisation had printed her workshop repair invoice on a piece of paper that contained the personal data of two other individuals (the “Personal Data”) on the reverse side. On 31 January 2019, the Complainant lodged a complaint with the Commission in relation to the disclosure of the Personal Data. 
5 The Personal Data disclosed to the Complainant included the following: (a) the first individual’s name, National Registration Identification Card (“NRIC”) number, and insurance policy number; and (b) the second individual’s name, insurance policy number, and claim number. Findings and Basis for Determination 6 The issue that arises in this case for determination is whether the Organisation had complied … | Directions | 8817cb0bc39f451aa5b8c5d679937e87fcd26cf9 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 161 | 161 | 1 | 952 | A financial penalty of $4,000 was imposed on Option Gift for failure to conduct sufficient testing before deployment of a programme script which resulted in an unauthorised disclosure of up to 426 individuals’ personal data. | [ "Protection", "Financial Penalty", "Others", "Online Portal" ] |
2019-06-06 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Option-Gift-Pte-Ltd---060619.pdf | Protection | Breach of the Protection Obligation by Option Gift | https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-protection-obligation-by-option-gift | 2019-06-06 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 10 Case No DP-1806-B2242, DP-1806-B2243 and DP-1806-B2244 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Option Gift Pte Ltd … Organisation DECISION Option Gift Pte Ltd [2019] SGPDPC 10 Tan Kiat How, Commissioner — Case No DP-1806-B2242, DP-1806-B2243 and DP-1806B2244 6 June 2019 Background 1 On 12 June 2018, the Personal Data Protection Commission (the “Commission”) was notified by the Organisation of the unintended disclosure of up to 426 individuals’ personal data due to a coding error in its system. The Commission subsequently received complaints from 2 of the affected individuals on 12 and 13 June 2018 respectively. 2 Following an investigation into the matter, the Commissioner found the Organisation in breach of section 24 of Personal Data Protection Act 2012 (“PDPA”) and sets out below his findings and grounds of decision based on the investigations carried out in this matter. Material Facts The Portal 3 The Organisation maintains Uniqrewards (the “Portal”), an online portal through which national servicemen (“NSmen”) may redeem credits and gifts given by the Ministry of Defence (“MINDEF”) and the Ministry of Home Affairs (“MHA”) in recognition of their good performance during in-camp training or courses, or to celebrate certain events, such as the birth of a child. An NSman may log into the Portal and submit his redemption request, following which he would instantly receive a confirmation email that his order(s) are being processed (“Confirmation Emails”). 
Besides the NSman concerned, the customer service team of the Organisation would also receive a copy of the Confirmation Email by way of blind Option Gift Pte Ltd [2019] SGPDPC 10 carbon copy. 4 These Confirmation Emails are generally sent via a service account linked to the Portal. The service account is hosted by an external vendor which has a password expiry policy of 180 days. While the employee concerned had previously reset… | Financial Penalty | 08f497403f3bd5aebb619dd326e88dc095e681c8 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 173 | 173 | 1 | 952 | Directions were issued to SLF Green Maid Agency for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data. | [ "Protection", "Directions", "Others", "domestic helper" ] |
2018-12-13 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Green-Maid-Agency---131218.pdf | Protection | Breach of Protection Obligation by SLF Green Maid Agency | https://www.pdpc.gov.sg/all-commissions-decisions/2018/12/breach-of-protection-obligation-by-slf-green-maid-agency | 2018-12-13 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 27 Case No DP-1806-B2265 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SLF Green Maid Agency … Organisation DECISION SLF Green Maid Agency [2018] SGPDPC 27 SLF Green Maid Agency [2018] SGPDPC 27 Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2265 13 December 2018 1 This case arose out of the common practice of reusing scrap or discarded paper where the reverse side of the paper can still be used. This is highly commendable and environmentally-friendly, but organisations must take care to ensure that there is no personal data on the scrap or discarded paper set aside for such re-use. An employee of SLF Green Maid Agency (the “Organisation”) wrote information for the Complainant on a piece of paper which contained personal data of other individuals on the reverse side and gave the paper to the Complainant. This happened on two separate occasions. The key issue is whether this disclosure of personal data by the Organisation amounts to a breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 On 8 April 2018, the Complainant visited the Organisation’s office to enquire about engaging a foreign domestic worker. An employee of the Organisation assisted her and over the course of these enquiries, the employee handed the Complainant some paper on which he wrote information related to her query. The Complainant discovered that the reverse side of the paper contained personal data of other individuals. 
The Complainant informed the employee that the paper that was used should not have been given to the Complainant. 3 On 24 April 2018, the Complainant returned to the Organisation’s office and was served by the same employee. Again, over the course of the queries, she was provided information hand written on used paper. Similarly, the reverse side of the paper contained personal data of other individuals. 4 Over the two occasions, the following personal data was disclos… | Directions | db40f6c2dd8921428c1fe911f5570123eecd69e8 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 174 | 174 | 1 | 952 | A financial penalty of $20,000 was imposed on WTS Automotive Services for failing to make reasonable security arrangements to prevent the unauthorised disclosure of its customers’ personal data. | [ "Protection", "Financial Penalty", "Others", "vehicle repair and maintenance" ] |
2018-12-13 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---WTS-Automotive-Services-Pte-Ltd---131218.pdf | Protection | Breach of Protection Obligation by WTS Automotive Services | https://www.pdpc.gov.sg/all-commissions-decisions/2018/12/breach-of-protection-obligation-by-wts-automotive-services | 2018-12-13 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 26 Case No DP-1706-B0834 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And WTS Automotive Services Pte. Ltd. … Organisation ________________________________________________________ GROUNDS OF DECISION ________________________________________________________ WTS Automotive Services Pte. Ltd. [2018] SGPDPC 26 Tan Kiat How, Commissioner – Case No DP-1706-B0834 13 December 2018 Background 1 This matter involves WTS Automotive Services Pte. Ltd. (the “Organisation”), a company which provides vehicle repair and maintenance services at Kaki Bukit and Gul Circle in Singapore. On 9 June 2017, a complaint was lodged by a member of the public (“Complainant”) with the Personal Data Protection Commission (“Commission”), alleging that a URL link to the Organisation’s customer database, which contained the personal data of the Organisation’s customers, was publicly accessible over the Internet (the “Incident”). The Commissioner sets out below his findings and grounds of decision based on the investigations carried out in this matter. Material Facts 2 The Complainant had been searching for a company address via Google’s search engine, when he chanced upon the URL link to the Organisation’s Kaki Bukit customer database, which contained the personal data of 2,472 of its Kaki Bukit customers. The personal data that was disclosed included the names, NRIC and FIN numbers, residential addresses, contact numbers, email addresses and car plate registration numbers of the Organisation’s Kaki Bukit customers. 
The Complainant proceeded to lodge a complaint with the Commission on 9 June 2017. Upon receiving the complaint, the Commission commenced an investigation into this matter. 3 During the course of the investigation, the Organisation represented that it had implemented a Backend Electronic Job Card System (“Backend System”) which ran as a web WTS Automotive Services Pte. Ltd. [2018] SGPDPC 26 application over t… | Financial Penalty | 307dccae9f3fe07fcf0b183cff56b8e28dc80153 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 197 | 197 | 1 | 952 | The investigation on alleged disclosure of personal data by My Digital Lock has been discontinued. An advisory notice has been issued to My Digital Lock. The reasons for discontinuation are explained in the grounds of decision. | [ "Advisory Notice", "Others" ] |
2018-02-12 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/MyDigitalLockGD2018-02-09.pdf | Discontinued Investigations Against My Digital Lock | https://www.pdpc.gov.sg/all-commissions-decisions/2018/02/discontinued-investigations-against-my-digital-lock | 2018-02-12 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC [3] Case No DP-1612-B0423 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And My Digital Lock Pte. Ltd. … Organisation DECISION My Digital Lock Pte. Ltd. [2018] SGPDPC [3] Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0423 12 February 2018 1 This is the third complaint lodged by the Complainant against My Digital Lock Pte. Ltd. (“the Organisation”). The first complaint was the subject of the decision in Re My Digital Lock Pte. Ltd. [2016] SGPDPC 20. Investigations were discontinued in respect of the second complaint, as the facts and allegations relied upon in the complaint were closely linked to legal proceedings which were ongoing at the time between the Complainant and the Organisation, and it was determined that the matter was best dealt with through the ongoing legal proceedings. In this third complaint, after a review of the material facts, I exercised my discretion under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to discontinue investigations. I set out hereunder the reasons for the exercise of my discretion in this case. Background 2 Sometime in October 2015, the Complainant purchased a digital lock from the Organisation for his home. Shortly after, the Complainant and the sole director of the Organisation (“Sole Director”) became involved in a dispute concerning alleged defects in the Organisation’s product. The Organisation then took out civil action in defamation in relation to certain remarks that were allegedly made by the Complainant concerning the Organisation’s business. My Digital Lock Pte. Ltd. 
3 [2018] SGPDPC [3] Subsequently, the Sole Director posted screenshots of WhatsApp messages, as well as photographs, on his personal Facebook page (“Facebook Page”). These WhatsApp messages and photographs were related to the then ongoing dispute between the Organisation and the Complainant. The personal data in the WhatsApp messages comprised the Complainant’s cont… | Advisory Notice | 31b93e29673fc8fdc2cf1b9542b449405cb70c18 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 198 | 198 | 1 | 952 | Directions were issued to Jiwon Hair Salon, Next@Ion, Next Hairdressing and Initia for failing to put in place data protection policies to comply with the provisions of the PDPA. | [ "Accountability", "Directions", "Others" ] |
2018-01-23 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GroundsofDecisionJiwonNextIonNextHairdressingInitia23012018.pdf | Accountability | Breach of Openness Obligation by 4 Hair Salons | https://www.pdpc.gov.sg/all-commissions-decisions/2018/01/breach-of-openness-obligation-by-4-hair-salons | 2018-01-23 | PERSONAL DATA PROTECTION COMMISSION Case No DP-1612-B0431 [2018] SGPDPC [2] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Jiwon Hair Salon Pte. Ltd. 2. Next@Ion Pte. Ltd. 3. Next Hairdressing Pte. Ltd. 3. Initia Pte. Ltd. DECISION … Organisations Jiwon Hair Salon Pte. Ltd. & Ors. [2018] SGPDPC [2] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0431 23 January 2018 Background 1 This case highlights that while the Personal Data Protection Act (“PDPA”) seeks to balance the protection of individuals’ personal data with the need for organisations to use and share that personal data, compliance with the PDPA also serves to ensure that an organisation keeps data which is of significant commercial importance to it protected and out of the reach of its competitors. Material Facts 2 This case was triggered by, unusually, a complaint from one of the Organisations, Jiwon Hair Salon Pte Ltd (“Jiwon”). Jiwon alleged that a former employee (“Employee K”) had misappropriated the names and contact numbers (collectively referred to as the “Personal Data”) of its customers by surreptitiously accessing its customer management system (“CMS”). 3 An investigation was conducted into Jiwon’s complaint and into the following Organisations which Employee K had worked at after leaving Jiwon to determine if indeed Employee K was using the Personal Data from Jiwon’s CMS: Jiwon Hair Salon Pte. Ltd. & Ors. S/N Organisation 1. 2 Jiwon Next@Ion Pte Ltd 9 April 2014 3. Next Hairdressing Pte Ltd 1 Dec 2016 4. 
4 [2018] SGPDPC 2 Initia Pte Ltd Start of employment 10 August 2016 13 Jan 2017 End of employment 15 August 2016 30 November 2016 16 Dec 2016 - In the meantime, Jiwon had instituted an action against Employee K in the State Courts arising out of the facts set out in the complaint and, according to Jiwon, an out-of-court settlement had been entered into. During the investigations, it became clear that none of the Organisations had… | Directions | 22dc817cc5a859cce0bf1f96066bd7470c408c03 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 208 | 208 | 1 | 952 | A warning was issued to Eagle Eye Security Management Services and MCST 3696 of Prive EC for failing to put in place any reasonable measures to prevent unauthorised access to a visitor logbook containing personal data. | [ "Protection", "Warning", "Others", "MCST" ] |
2017-06-29 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---eagle-eye---290617.pdf | Protection | Breach of Protection Obligation by Eagle Eye Security Management Services | https://www.pdpc.gov.sg/all-commissions-decisions/2017/06/breach-of-protection-obligation-by-eagle-eye-security-management-services | 2017-06-29 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1610-B0275 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) THE MANAGEMENT CORPORATION STRATA TITLE PLAN NO. 3696 (2) EAGLE EYE SECURITY MANAGEMENT SERVICES PTE LTD (UEN No. 198600160K) ... Organisations Decision Citation: [2017] SGPDPC 11 GROUNDS OF DECISION 29 June 2017 A. INTRODUCTION 1. Sometime in December 2015, the Personal Data Protection Commission (the “Commission”) had investigated into a complaint in relation to the failure by a security company to safeguard the visitor logbook of Prive Executive Condominium (the “Condominium”), which contained personal data of the visitors. The security company was found in breach of Section 24 of the Personal Data Protection Act 2012 (“PDPA”) for leaving the logbook unattended and failing to protect the logbook from prying eyes. The case is published as Spear Security Force Pte. Ltd. [2016] SGPDPC 12. 2. A similar breach has again taken place at this Condominium. This time round, the breach took place under another security company, the 2nd Respondent (“Eagle Eye”), which was engaged by the 1st Respondent (“MCST 3696”), the Management Corporation Strata Title (“MCST”) of the Condominium, for its security services. 3. Following a complaint made to the Commission, the Commission proceeded to investigate into the matter. The Commission found both the 1st and 2nd Respondents in breach of their respective obligations under Section 24 of the PDPA. The Commission now sets out its grounds of decision of the matter. B.
MATERIAL FACTS 4. The data breach incident took place in the evening of 16 October 2016. The Complainant had observed that a logbook that was placed on a table next to the gantry into the Condominium was left unattended. The Complainant subsequently took photographs to show that the logbook was left open on the table and unattended by the security guards. These photographs were sent to the Commission for its inves… | Warning | 6c6a7bcff8608468ace33b042200ddd84f7f2e52 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 209 | 209 | 1 | 952 | A financial penalty of $3,000 was imposed on DataPost, as a data intermediary, for failing to make reasonable security arrangements to prevent the unauthorised disclosure of the personal data of two customers of a bank. DataPost was also directed to review its working procedures relating to data printing and enveloping operations, improve the training of its staff, and review its personal data protection policy. | [ "Protection", "Financial Penalty", "Directions", "Others" ] |
2017-06-20 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---datapost---200617.pdf | Protection | Breach of Protection Obligation by DataPost | https://www.pdpc.gov.sg/all-commissions-decisions/2017/06/breach-of-protection-obligation-by-datapost | 2017-06-20 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1606-B0061 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (the “PDPA”) And DataPost Pte Ltd (UEN 199404610D) … Organisation Decision Citation: [2017] SGPDPC 10 GROUNDS OF DECISION 20 June 2017 1. 2. This case arises out of an investigation into DataPost Pte Ltd (“DPL”). DPL printed and mailed out financial statements relating to the Overseas-Chinese Banking Corporation Ltd’s (“OCBC”) Supplementary Retirement Scheme (“SRS”) to OCBC’s customers. One customer (“the recipient”), however, discovered that she had received two additional SRS statements belonging to two other OCBC customers, in addition to her own SRS statement. The following information was disclosed in the SRS statements: a. Name; b. Address; c. Cash balance; and d. Types, quantity, and valuation of asset holdings. OCBC alerted the Commission to the incident, and informed the Commission that the recipient had received the additional SRS statements on or about 17 June 2016. The Commission has conducted an investigation into the matter and now sets out its findings. A. MATERIAL FACTS AND DOCUMENTS 3. DPL’s procedure for printing and mailing of the SRS statements was as follows: a. The SRS statements are printed on A3 sheets in the format shown below. A sheet may contain either two different statements or two pages of the same statement. In the incident in question, the first sheet, Sheet 1, contained the statements of two different individuals. Sheet 2 also contained the statements of two different individuals.
[Figure: A3 size Sheet 1 contains Statement of Individual 1 and Statement of Individual 2; A3 size Sheet 2 contains Statement of Individual 3 and Statement of Individual 4.] b. An enveloping machine was used to cut the statements and to insert the individual statements into their respective mailer envelopes. For the purpose of this decision, there are two relevant sub-components of the enveloping machine which operations affect the event… | Financial Penalty, Directions | 036e9a6584696b96ea27b7124138ef398af925a5 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 212 | 212 | 1 | 952 | Directions were issued to Asia-Pacific Star, as a data intermediary, for failing to make reasonable security arrangements to prevent the disclosure of the personal data of Tiger Airways Singapore's passengers. | [ "Protection", "Directions", "Others" ] |
2017-05-31 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---tigerair-sats-aps-310517.pdf | Protection | Breach of Protection Obligation by Asia-Pacific Star | https://www.pdpc.gov.sg/all-commissions-decisions/2017/05/breach-of-protection-obligation-by-asia-pacific-star | 2017-05-31 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1607-B0129 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Tiger Airways Singapore Pte Ltd (UEN No. 200312665W) (2) SATS Ltd (UEN No. 197201770G) (3) Asia-Pacific Star Private Limited (UEN No. 199705514Z) … Organisations Decision Citation: [2017] SGPDPC 6 GROUNDS OF DECISION 31 May 2017 A. INTRODUCTION 1. On 27 July 2016, the Personal Data Protection Commission received a complaint that the passenger name list for Tiger Airways Singapore Pte Ltd (“Tigerair”) flight TR2466 (“Flight Manifest”) had been improperly disposed in a rubbish bin in the gate hold room at Changi Airport. The complainant alleged that the Flight Manifest could have been retrieved by anyone in the vicinity. 2. The Commission undertook an investigation into the matter and sets out its findings and grounds of decision below. B. MATERIAL FACTS 3. Tigerair is a low cost carrier. SATS Ltd (“SATS”) is an aviation ground handling service provider. SATS was engaged by Tigerair to provide ground handling services. In accordance with the terms of the ground handling services contract between SATS and Tigerair (“Ground Handling Services Contract”), SATS was responsible for the provision of the services by its subsidiaries as if it had been provided by SATS itself. 4. Asia-Pacific Star Private Limited (“APS”) is a wholly-owned subsidiary of SATS. SATS sub-contracted the provision of ground handling services for Tigerair to APS pursuant to a Services Agreement dated 11 June 2014 (“Services Agreement”). 5.
Under the Services Agreement, APS was responsible for managing the boarding process, reconciling passenger numbers and verifying travel documents at the boarding gate. Among other things, APS was required to print a copy of the Flight Manifest at the boarding gate for the cabin crew to take on board the flight and submit to the immigration authority at the arrival destination. 6. On 26 July 2016, an… | Directions | b32d291037e42478607d82bf4e86cf61437ede0d | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 228 | 228 | 1 | 952 | A financial penalty of $500 was imposed on a registered salesperson of a property firm for disclosing personal data of two of his landlord’s tenants to a third party tenant without consent. | [ "Consent", "Financial Penalty", "Others", "ESTATE", "Property", "SALESPERSON" ] |
2016-08-12 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---rsp-justin-chua-(120816).pdf | Consent | Breach of Consent Obligation by a Registered Salesperson | https://www.pdpc.gov.sg/all-commissions-decisions/2016/08/breach-of-consent-obligation-by-a-registered-salesperson | 2016-08-12 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1411-A247 CHUA YONG BOON JUSTIN [NRIC NO. REDACTED] ... Respondent Decision Citation: [2016] SGPDPC 13 GROUNDS OF DECISION 12 August 2016 A. INTRODUCTION 1. On 15 November 2014, the Personal Data Protection Commission (the “Commission”) received an email from [Redacted] (Replaced with Mr K) (the “Complainant”) regarding the unauthorised disclosure of personal data of his wife and himself by the property agent of his landlord following a dispute between the Complainant, the Complainant’s wife, and another tenant, [Redacted] (Replaced with Ms C). The Commission proceeded to investigate into the alleged breach of the Personal Data Protection Act 2012 (“PDPA”). Its findings into the matter are set out below. B. MATERIAL FACTS AND DOCUMENTS 2. The Complainant, his wife, and Ms C are tenants of a landed property. For the purposes of entering into the tenancy with the landlord, the Complainant and his wife had previously provided their names and NRIC numbers (amongst other personal data) to the registered salesperson [footnote 1: Under the Estate Agents Act (Cap. 95A) (“EAA”)] (commonly known as a “property agent”) of the landlord, Mr Chua Yong Boon Justin (the “Respondent”). The Respondent was registered as a salesperson with Global Property Strategic Alliance Pte Ltd (“GPS”). The Respondent’s engagement as a salesperson with GPS was governed by a “Salesperson Agreement” dated 31 October 2011. 3. In or around November 2014, a dispute arose between Ms C and the Complainant and his wife over the usage of common space within the rented premises, and an argument had apparently ensued between the parties.
The Respondent was not present during the argument. However, Ms C had informed him of the argument, and also requested the Respondent to provide her with the names and NRIC numbers of the Complainant and his wife so as to hold the Complainant “responsible” in the event that the Complainant had publicised the photos that were apparently take… | Financial Penalty | 028172bef7256a4b868d532ab6c60d23871e1eff | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 229 | 229 | 1 | 952 | A warning was issued to Spear Security Force for failing to put in place any arrangement to prevent unauthorised access to personal data in the visitor log book managed for a condominium. [Updated on 30 July 2016] | [ "Protection", "Warning", "Others", "SPEAR", "Security" ] |
2016-07-25 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---spear-security-force-(250716).pdf | Protection | Breach of Protection Obligation by Spear Security Force | https://www.pdpc.gov.sg/all-commissions-decisions/2016/07/breach-of-protection-obligation-by-spear-security-force | 2016-07-25 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1602-A642 SPEAR SECURITY FORCE PTE. LTD. [Reg. No. 200810808H] ... Respondent Decision Citation: [2016] SGPDPC 12 GROUNDS OF DECISION 25 July 2016 A. INTRODUCTION 1. The Personal Data Protection Commission (the “Commission”) had received a complaint from Mr L [Redacted] on 24 December 2015 in relation to the lapses by Respondent’s employees in safeguarding the visitor log book of Prive Executive Condominium (the “Condominium”), which contained personal data of the visitors. In this regard, Mr L claimed that the Respondent was in breach of the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”). B. MATERIAL FACTS AND DOCUMENTS 2. The Complainant was a resident of the Condominium. The Respondent was appointed by the MCST of the Condominium to provide security services. 3. According to the Complainant, on several occasions between November 2015 and December 2015, he had observed that the security guards under the Respondent’s supervision had left the log book open and unattended on a table near the guard post at the Condominium’s entrance. 4. The Complainant further mentioned that he highlighted his concerns to both the Condominium’s Managing Agent and the Respondent but he had not received an adequate response. 5. In its response to the Commission’s investigations into the matter, the Respondent mentioned that it was aware that the visitor log book had been left unattended by its security guards on multiple occasions from the feedback it received, and had taken certain remedial actions since then. These are set out in paragraph 7 below. 6. 
The Respondent further mentioned that the contents of the log book included the visitor’s name, mobile phone number, time of entry, the unit number visited and the purpose of the visit. The purpose for the collection of the visitors’ details was to ensure that (i) there is no unauthorised entry or trespassing of the premises; and (ii) the security guards are able to contact a … | Warning | f461394874850bf93d925894cbd781d0a912d79b | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 232 | 232 | 1 | 952 | Directions were issued to Universal Travel Corporation for disclosing a passenger list, consisting of 37 customers' personal data, to four of its customers without consent. The organisation was also penalised for its lack of data protection policies. | [ "Consent", "Purpose Limitation", "Notification", "Directions", "Others" ] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---universal-travel-corporation-(210416).pdf | Consent, Purpose Limitation, Notification | Breach of Consent and Other Obligations by Universal Travel Corporation | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-and-other-obligations-by-universal-travel-corporation | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1508-A496 UNIVERSAL TRAVEL CORPORATION PTE LTD (UEN. 197302113R) ... Respondent Decision Citation: [2016] SGPDPC 4 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. The Personal Data Protection Commission (“Commission”) received a complaint from a credible source concerning the alleged disclosure by the Respondent of personal data of 37 customers (the “passenger list”) in early March 2015 to certain individual(s) who participated in the 12 Days Legend of the Balkans Tour from 17 February 2015 to 28 February 2015 (“Balkans Tour”). 2. In the premises, the Commission decided to carry out an investigation into the matter. The Commission’s findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. Sometime in or around late February 2015, four of the customers of the Balkans Tour requested the Respondent to furnish formal documentation confirming the cancellation of their transit flight to Sofia on 18 February 2015 (TK1027/18FEB15 ISTANBUL-SOFIA) (“formal confirmation”) to process their insurance claims. 4. The Respondent therefore requested from Turkish Airline written confirmation of the flight cancellation and the affected passenger list. 5. Sometime in early March 2015, the Respondent sent the formal confirmation together with the letter from Turkish Airline and the passenger list by email to four of the customers of the Balkans Tour. 
The passenger list that was sent contained the name, nationality, date of birth, passport number, passport expiry date and passenger name record (a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together) of all 37 of the passengers/customers that were on the Balkans Tour. The passengers’ details were not masked or redacted when it was sent by the Respondent. It is not disputed that the passengers’ details constituted personal data under the control of the Respondent at the material time. 6. In the R… | Directions | 5a0ff182bd0082f840e509fc39079487ae98fb3a | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 234 | 234 | 1 | 952 | A warning was issued to Challenger Technologies and its data intermediary, Xirlynx Innovations, for failing to make reasonable security arrangements to prevent unauthorised disclosure of Challenger members’ personal data while sending out emails to some 165,000 members. | [ "Protection", "Warning", "Wholesale and Retail Trade", "Others", "CHALLENGER", "XIRLYNX" ] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---challenger-technologies-(210416).pdf | Protection | Breach of Protection Obligation by Challenger Technologies and Xirlynx Innovations | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-challenger-technologies-and-xirlynx-innovations | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A103 (1) CHALLENGER TECHNOLOGIES LIMITED (U.E.N. 198400182K) (2) XIRLYNX INNOVATIONS (U.E.N. 52942580K) … Respondents Decision Citation: [2016] SGPDPC 6 GROUNDS OF DECISION 20 April 2016 BACKGROUND 1. The Personal Data Protection Commission (the “Commission”) received a complaint from a member of the public on 15 September 2014 concerning an alleged data breach by Challenger Technologies Limited (“Challenger”). In brief, the complainant alleged that Challenger had sent email communications to members of its ValueClub programme, which contained the personal data of another ValueClub member. 2. The Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by Challenger of its obligations under the PDPA. 3. In the course of its investigation, the Commission found that the email communications in question (which were sent to Challenger’s ValueClub members) had been sent by Xirlynx Innovations (“Xirlynx”), a business engaged by Challenger to handle all its email communications to members of Challenger’s ValueClub programme. The Commission’s investigation therefore also examined whether there had been a breach by Xirlynx of its obligations under the PDPA. 4. The Commission’s findings are set out below. MATERIAL FACTS AND DOCUMENTS 5. Challenger is a retailer of information technology (“IT”) and other electronic products with several outlets around Singapore.
As part of its customer relations efforts, Challenger established a customer membership programme known as ValueClub, which provides members with membership savings and discounts (amongst other benefits), and enables them to earn and accumulate ValueClub programme points which may be redeemed to offset the cost of purchases made at Challenger outlets. 6. Xirlynx is a third party IT vendor, which is registered and managed by its sole proprietor, [Redacted] (Replaced with Mr T). 7. Some … | Warning | cfdfd40c619176ddcb5c6ee791b4020b5ac902bc | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-12-14T14:54:52+00:00 | 0e20feac9c1e16c30580baa727a897e3bfcf8791 | 483 | 243 | 1 | 958 | Directions were issued to Tipros for failing to use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate. | [ "Consent", "Notification", "Purpose Limitation", "Directions", "Others" ] |
14 Dec 2023 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TIPROS_080623.pdf | Consent, Notification, Purpose Limitation | Breach of the Purpose Limitation Obligation by Tipros | https://www.pdpc.gov.sg/all-commissions-decisions/2023/12/breach-of-the-purpose-limitation-obligation-by-tipros | 2023-12-14 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 7 Case No. DP-2207-C0019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tipros … Organisation DECISION Tipros Yeong Zee Kin, Deputy Commissioner — Case No. DP-2207-C0019 8 June 2023 Introduction 1. On 21 July 2022, the Personal Data Protection Commission (the “Commission”) received a complaint that Tipros (the “Organisation”), a sole proprietorship in the wholesale of and repair of electrical appliances, had unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organisation’s Google reviews page (the “Incident”). 2. The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3. The complainant had engaged the Organisation to repair a refrigerator. Following the repairs made, the complainant gave a “1-star” review on a Google reviews page “24hr fridge refrigerator #1 Quick repair service Trusted in Singapore”, which has since been renamed “Tipros.sg”. 4. The Organisation promptly responded to the complainant’s review. What is problematic was that the Organisation included the complainant’s personal data, including the complainant’s residential address and mobile number in their response.
The complainant filed a complaint with the Commission as the complainant was of the view that there was no reason for the Organisation to disclose her personal data in the course of responding to the review she left on the Organisation’s Google reviews page. 5. Apart from the Organisation’s response to the complainant’s review, the Commission found 13 other responses on the Organisation’s Google reviews page which disclosed, in a similar fashion, the personal data of other customers who had given reviews. Our Investigations 6. The Commission commenced investigations. In the course of investigations, it was … | Directions | acd36e3274c5e29fe0627b24b99136461cdd6c47 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-12-14T14:54:52+00:00 | 0e20feac9c1e16c30580baa727a897e3bfcf8791 | 485 | 10 | 3 | 958 | [ "Do Not Call Provisions", "Warning", "Others", "Telemarketing" ] |
Do Not Call Provisions | 7cc9d6d995e2baf3a05f3e655093c7f953db9035 | [ "tags", "nature" ] |
CREATE VIEW pdpc_decisions_version_detail AS select commits.commit_at as _commit_at, commits.hash as _commit_hash, pdpc_decisions_version.*, ( select json_group_array(name) from columns where id in ( select column from pdpc_decisions_changed where item_version = pdpc_decisions_version._id ) ) as _changed_columns from pdpc_decisions_version join commits on commits.id = pdpc_decisions_version._commit;