pdpc_decisions_version_detail (view)
8 rows where tags contains "Purpose Limitation"
This data as json, CSV (advanced)
Suggested facets: _commit_at, _commit_hash, _commit, nature, decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 14 | 14 | 1 | 952 | RedMart had failed to obtain consent and inform its suppliers of the purpose for collecting images of the physical NRICs and other identification documents. However, the Commission had subsequently assessed that RedMart had met the requirements for reliance on the Legitimate Interests Exception and complied with the proposed direction. As such, no direction was issued to RedMart. | [
"Consent",
"Notification",
"Purpose Limitation",
"No Further Action",
"Wholesale and Retail Trade"
] |
2023-02-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---RedMart-Limited---18012023.pdf | Consent, Notification, Purpose Limitation | Breach of the Consent, Notification and Purpose Limitation Obligations by RedMart | https://www.pdpc.gov.sg/all-commissions-decisions/2023/02/breach-of-the-consent,-notification-and-purpose-limitation-obligations-by-redmart | 2023-02-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2105-B8405 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And RedMart Limited … Organisation DECISION Page 1 of 11 RedMart Limited [2023] SGPDPC 1 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2105-B8405 18 January 2023 Introduction 1 On 31 May 2021, the Personal Data Protection Commission (the “Commission”) received a complaint that RedMart Limited (the “Organisation”) was collecting images of the physical NRICs and other identification documents of suppliers making deliveries to its warehouses (the “Incident”), and that this practice did not appear to be in compliance with the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 Investigations revealed that the Organisation operated two warehouses at 47 Jalan Buroh, CWT Distripark, Singapore 619491 (“Warehouses”) which were used to store goods and produce sold by the Organisation. The Warehouses were regularly visited by suppliers delivering goods and produce (“Visitors”), and the Organisation implemented measures to regulate such Visitors’ access to the Warehouses. Security checkpoints at the Warehouses used an Organisation-issued tablet computer Page 2 of 11 (“Tablet”) to take photographs of Visitors’ NRIC or other identification documents (“ID Photographs”). The Organisation said it collected ID Photographs to Visitors seeking access to areas where food safety risks had to be managed. The Organisation explained that these measures are intended to deter acts that could compromise food safety and facilitate investigations of food safety incidents. 3 Prior to the Incident, there were no notices at the Warehouses’ security checkpoints informing Visitors of the purpose for collection of ID Photographs. After being notified by the Commission of the Incident, the Organisation put up notices at the Warehouses’ security checkpoints to inform Visitors of the purpose of collection of ID Photographs. Findings and Basis for Determination … | No further action | 4eaff99c5b7557a88a0ca128e03e4b18ea52c953 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 178 | 178 | 1 | 952 | A warning was issued to Galaxy Credit and Investments for failing to make reasonable security arrangements to protect the personal data of its borrowers, and using personal data not for a purpose that a reasonable person would consider appropriate in the circumstances. | [
"Protection",
"Purpose Limitation",
"Warning",
"Finance and Insurance",
"Licensed moneylender"
] |
2018-09-25 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Galaxy_Credit_and_Investments_Pte_Ltd_250918.pdf | Protection, Purpose Limitation | Breach of the Protection and Purpose Limitation Obligations by Galaxy Credit and Investments | https://www.pdpc.gov.sg/all-commissions-decisions/2018/09/breach-of-the-protection-and-purpose-limitation-obligations-by-galaxy-credit-and-investments | 2018-09-25 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 22 Case No DP-1803-B1886 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Galaxy Credit & Investments Pte. Ltd. … Organisation DECISION Galaxy Credit & Investments Pte. Ltd [2018] SGPDPC 22 Yeong Zee Kin, Deputy Commissioner — Case No DP-1803-B1886 25 September 2018 Background 1 Is it appropriate for a licensed moneylender, or any organisation, to attach a photograph of a debtor to a letter demanding payment of a debt and leave both the photograph and letter at the residence of the debtor? What is the objective or purpose of such a practice? If the Organisation had considered these questions, the unauthorised disclosure in this matter may very well have not occurred. 2 The facts in this matter are straightforward and are not in dispute. On 16 March 2018, the Registry of Moneylenders & Pawnbrokers, Ministry of Law (“ROMP”) informed the Personal Data Protection Commission (the “Commission”) that the Organisation had sent three letters of demand, each with a photograph of a borrower, [Redacted] (Replaced with “Mr T”), to the residence of another borrower, [Redacted] (Replaced with “Mr W”). The Commission proceeded to investigate into an alleged breach of the Personal Data Protection Act 2012 (“PDPA”). Galaxy Credit & Investments Pte Ltd [2018] SGPDPC 22 Material Facts 3 The Organisation is a licensed Moneylender. As part of their business, the Organisation issued letters of demand (“LODs”) to borrowers who defaulted on the repayment of their loan. These LODs would be delivered to the defaulting borrowers by a third-party debt collector engaged by the Organisation. Prior to each delivery, the Organisation would provide their debt collector with the LOD and a photograph of the borrower. According to the Organisation, the purpose of providing a photograph was to help the debt collector correctly identify the borrower. 4 The Organisation instructed the debt collectors to attach the photograph to the LOD … | Warning | 88b0d7aaedbad54d85d3b73d6a27e2cd7d69902d | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 185 | 185 | 1 | 952 | Spring College International failed to notify and obtain consent from the parents of young students before disclosing online the students’ personal data for marketing purposes. Directions were issued to Spring College International. | [
"Consent",
"Purpose Limitation",
"Notification",
"Directions",
"Education"
] |
2018-05-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Spring_College_International_240518.pdf | Consent, Purpose Limitation, Notification | Breach of Consent and Purpose Limitation Obligations by Spring College International | https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-consent-and-purpose-limitation-obligations-by-spring-college-international | 2018-05-24 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 15 Case No DP-1705-B0799 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Spring College International Pte. Ltd. … Organisation DECISION Spring College International Pte. Ltd. Mr Yeong Zee Kin, Deputy Commissioner — Case No DP-1705-B0799 24 May 2018 Background 1 This matter involves a private educational institution that posted information about its students, including their names and photographs, on a public social media page, in order to promote its courses. The Organisation operates a private educational institution, known as “Spring College International Pte. Ltd.” (“SCI”), that offers various academic courses to students of varying ages and levels. A complaint was made to the Personal Data Protection Commission (“PDPC”) regarding the unauthorised disclosure of a student’s personal data on the Organisation’s Facebook page. The complaint was made by the student’s parent (“the Complainant”). 2 The Commissioner’s findings and grounds of decision, based on the investigations carried out in this matter, are set out below. Material Facts 3 Since September 2010, the Organisation has maintained a Facebook page which is accessible to the general public, titled “Spring College International”. In December 2015, the Complainant enrolled her son (“Individual A”) as a student in SCI. Sometime thereafter, the Spring College International Pte. Ltd. [2018] SGPDPC 15 Complainant came across a post on the Organisation’s Facebook page, dated 24 April 2016 (“Post A”). The post contained the following text: Application for Supplementary Admissions Exercise for International Students 1 We are pleased to inform you that your application for admission to a secondary school through the Supplementary Admissions Exercise for International Students is successful. The results of your application are as follows: … 4 Post A further set out the following information about Individual A: full name; partially masked passport num… | Directions | ab610ebd87a5e51bcfa08294b0f5948e87401467 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 193 | 193 | 1 | 952 | A financial penalty of $12,500 was imposed on Aventis for using the personal data of individuals beyond the notified purposes, and for failure to give effect to the withdrawal of consent within a reasonable time. | [
"Consent",
"Purpose Limitation",
"Notification",
"Financial Penalty",
"Directions",
"Education"
] |
2018-04-30 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Aventis_300418.pdf | Consent, Purpose Limitation, Notification | Breach of Notification and Consent Obligations by Aventis | https://www.pdpc.gov.sg/all-commissions-decisions/2018/04/breach-of-notification-and-consent-obligations-by-aventis | 2018-04-30 | PERSONAL DATA PROTECTION COMMISSION Case No DP-1705-B0766 [2018] SGPDPC [7] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Aventis School of Management Pte. Ltd. … Organisation DECISION Aventis School of Management Pte. Ltd. [2018] SGPDPC [7] Tan Kiat How, Commissioner — Case No DP-1705-B0766 30 April 2018 Background 1 The present matter concerns an individual (the “Complainant”) who had signed up to receive a free brochure for a specific programme organised by the Organisation, but ended up also receiving numerous marketing emails from the Organisation that were unrelated to the programme which the individual was interested in. The question raised is whether the Organisation’s “use” of the Complainant’s personal data to send him the marketing emails without his consent is a breach of the Personal Data Protection Act 2012 (“PDPA”). In the Commissioner’s findings, the answer is in the affirmative. 2 The Commissioner also found that the Organisation had failed to carry out the Complainant’s request to remove his email address from the Organisation’s mailing list in a timely manner, which led to further marketing emails being sent to the Complainant after the withdrawal request was made. 3 The Commissioner’s findings and grounds of decision of the matter are now set out below. Aventis School of Management Pte. Ltd. [2018] SGPDPC 7 Material Facts 4 The Organisation is an educational institution that collaborates with overseas universities to offer degrees, courses, and programmes to students across various disciplines such as Finance, Marketing, and Business. 5 The Complainant was interested in one of the programmes offered by the Organisation, and submitted his name, email address, and contact number through a web form on the Organisation’s website, titled “Take Action Today – Download Free Brochure”, at http://asm.edu.sg/california-state-university on 12 January 2017. 6 After signing up for this free brochure, the Complainant started recei… | Financial Penalty, Directions | ee94ae697675c228c71fd7f5fba9305226984d44 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 195 | 195 | 1 | 952 | A financial penalty of $6,000 was imposed on Actxa for breach of Section 13 (Consent Obligation) and Section 18 (Purpose Limitation Obligation) of the PDPA. | [
"Consent",
"Purpose Limitation",
"Financial Penalty",
"Wholesale and Retail Trade"
] |
2018-04-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Actxa_190418.pdf | Consent, Purpose Limitation | Breach of Consent and Purpose Limitation Obligations by Actxa | https://www.pdpc.gov.sg/all-commissions-decisions/2018/04/breach-of-consent-and-purpose-limitation-obligations-by-actxa | 2018-04-19 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 5 Case No DP-1611-B0320 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Actxa Pte. Ltd. … Organisation DECISION Actxa Pte. Ltd. [2018] SGPDPC 5 Actxa Pte. Ltd. [2018] SGPDPC 5 Tan Kiat How, Commissioner — Case No DP-1611-B0320 19 April 2018 Background 1 Organisations are increasingly integrating information technology components and computer network connectivity into the products they develop (“connected devices”). The embedded technology and connectivity helps turn ordinary products, such as a weighing scale, into a “smart” version of the product with the ability to collect and transfer data wirelessly through the network. 2 These connected devices have the potential to offer a multitude of benefits to improve the lives of users of these devices. A “smart” refrigerator may be able to understand your grocery shopping habits, alert you when you are low on ingredients you commonly use and order these ingredients from an online grocery store and pay for the purchase. A “smart” pacemaker may warn you when you have an impending heart attack, notify the nearest hospital and call for an ambulance. 3 Organisations may use multiple connected devices to collect users’ personal data. This would assist organisations in providing an integrated suite of services. As an example, an organisation may collect your body measurements from a “smart” weighing machine and your dietary preferences 1 Actxa Pte. Ltd. [2018] SGPDPC 5 from your “smart” refrigerator and suggest the amount of daily exercise you should undertake to maintain a healthy body weight through your “smart” watch. Some of these organisations may rely on a single document to notify users of the purposes, and obtain consent, for the collection, use and disclosure of personal data collected through these connected devices and across different platforms. To be clear, there is nothing wrong with this practice. However, such organisations need to ensure th… | Financial Penalty | 3f61cdb3a9f6b43a837fabd8bc4c32b9e24b58f1 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 231 | 231 | 1 | 952 | A warning was issued to AIA Singapore for failing to ensure that its disclosure of personal data belonging to an insurance policy holder to a third-party was for a reasonable purpose. | [
"Purpose Limitation",
"Warning",
"Finance and Insurance",
"AIA",
"Insurance"
] |
2016-06-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---aia-singapore-(220616).pdf | Purpose Limitation | Breach of Purpose Limitation Obligation by AIA Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2016/06/breach-of-purpose-limitation-obligation-by-aia-singapore | 2016-06-24 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1509-A533 AIA Singapore Private Limited (U.E.N. 201106386R) ... Respondent Decision Citation: [2016] SGPDPC 10 GROUNDS OF DECISION 22 June 2016 A. BACKGROUND 1. On 18 September 2015, the Personal Data Protection Commission (“Commission”) received a complaint from [Redacted] (“Complainant”), alleging that the Respondent had made an unauthorised disclosure of his personal data, in particular, his bank account details, to Chiropractic First CFG (TP) Pte Ltd (“CFG”) in respect of the Complainant’s claim under an insurance policy. 2. The Commission investigated into the alleged unauthorised disclosure made, and its findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. The Respondent is an insurance company. The Complainant holds an insurance policy with the Respondent. Previously, in signing up for the insurance policy with the Respondent, the Complainant provided information of himself in the application form (“Application Form”), including, his name, address, NRIC number, contact details, occupation and various other personal particulars (“Personal Particulars”). 4. In the declaration portion of the Application Form, the Complainant agreed, amongst other things, to the Respondent: (a) releasing to any medical source or insurance office any relevant information concerning the Complainant at any time; and (b) using and/or disclosing any information to independent third parties with regard to any matters pertaining to the application/policy. 5. On 24 May 2015, the Complainant made a claim for insurance under the policy with the Respondent. In raising the claim, the Complainant had to fill in an Accident & Hospitalisation Claim Form (“A&H Form”) to be submitted to the Respondent. In the A&H Form, the Complainant had to provide, amongst other Page 1 of 7 things, his policy details, his Personal Particulars, and his bank account information “for direct crediting of claims”. For the bank account information, the Complainant provid… | Warning | e6deaa7950b7398f1a5581761f2188d24baae14d | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 232 | 232 | 1 | 952 | Directions were issued to Universal Travel Corporation for disclosing a passenger list, consisting of 37 customers' personal data, to four of its customers without consent. The organisation was also penalised for its lack of data protection policies. | [
"Consent",
"Purpose Limitation",
"Notification",
"Directions",
"Others"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---universal-travel-corporation-(210416).pdf | Consent, Purpose Limitation, Notification | Breach of Consent and Other Obligations by Universal Travel Corporation | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-and-other-obligations-by-universal-travel-corporation | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1508-A496 UNIVERSAL TRAVEL CORPORATION PTE LTD (UEN. 197302113R) ... Respondent Decision Citation: [2016] SGPDPC 4 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. The Personal Data Protection Commission (“Commission”) received a complaint from a credible source concerning the alleged disclosure by the Respondent of personal data of 37 customers (the “passenger list”) in early March 2015 to certain individual(s) who participated in the 12 Days Legend of the Balkans Tour from 17 February 2015 to 28 February 2015 (“Balkans Tour”). 2. In the premises, the Commission decided to carry out an investigation into the matter. The Commission’s findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. Sometime in or around late February 2015, four of the customers of the Balkans Tour requested the Respondent to furnish formal documentation confirming the cancellation of their transit flight to Sofia on 18 February 2015 (TK1027/18FEB15 ISTANBUL-SOFIA) (“formal confirmation”) to process their insurance claims. 4. The Respondent therefore requested from Turkish Airline written confirmation of the flight cancellation and the affected passenger list. 5. Sometime in early March 2015, the Respondent sent the formal confirmation together with the letter from Turkish Airline and the passenger list by email to four of the customers of the Balkans Tour. The passenger list that was sent contained the name, nationality, date of birth, passport number, passport expiry date and passenger name record (a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together) of all 37 of the passengers/customers that were on the Balkans Tour. The passengers’ details were not masked or redacted when it was sent by the Respondent. It is not disputed that the passengers’ details constituted personal data under the control of the Respondent at the material time. 6. In the R… | Directions | 5a0ff182bd0082f840e509fc39079487ae98fb3a | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-12-14T14:54:52+00:00 | 0e20feac9c1e16c30580baa727a897e3bfcf8791 | 483 | 243 | 1 | 958 | Directions were issued to Tipros for failing to use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate. | [
"Consent",
"Notification",
"Purpose Limitation",
"Directions",
"Others"
] |
14 Dec 2023 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TIPROS_080623.pdf | Consent, Notification, Purpose Limitation | Breach of the Purpose Limitation Obligation by Tipros | https://www.pdpc.gov.sg/all-commissions-decisions/2023/12/breach-of-the-purpose-limitation-obligation-by-tipros | 2023-12-14 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 7 Case No. DP-2207-C0019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tipros … Organisation DECISION Page 1 of 8 Tipros Yeong Zee Kin, Deputy Commissioner — Case No. DP-2207-C0019 8 June 2023 Introduction 1. On 21 July 2022, the Personal Data Protection Commission (the “Commission”) received a complaint that Tipros (the “Organisation”), a sole proprietorship in the wholesale of and repair of electrical appliances, had unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organisation’s Google reviews page (the “Incident”). 2. The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3. The complainant had engaged the Organisation to repair a refrigerator. Following the repairs made, the complainant gave a “1-star” review on a Google reviews page “24hr fridge refrigerator #1 Quick repair service Trusted in Singapore”, which has since been renamed “Tipros.sg”. 4. The Organisation promptly responded to the complainant’s review. What is problematic was that the Organisation included the complainant’s personal data, including the complainant’s residential address and mobile number in their Page 2 of 8 response. The complainant filed a complaint with the Commission as the complainant was of the view that there was no reason for the Organisation to disclose her personal data in the course of responding to the review she left on the Organisation’s Google reviews page. 5. Apart from the Organisation’s response to the complainant’s review, the Commission found 13 other responses on the Organisation’s Google reviews page which disclosed, in a similar fashion, the personal data of other customers who had given reviews. Our Investigations 6. The Commission commenced investigations. In the course of investigations, it was … | Directions | acd36e3274c5e29fe0627b24b99136461cdd6c47 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;