pdpc_decisions_version_detail (view)

13 rows where tags contains "Transport and Storage"

_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 22 22 1 952 Directions were issued to Budgetcars to put in place appropriate contractual provisions, conduct a security audit of its technical and administrative arrangements for the security and maintenance of its website and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where personal data could be accessed by changing a few digits of the tracking ID.
[
    "Protection",
    "Directions",
    "Transport and Storage"
]
2022-08-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Budgetcars-Pte-Ltd---06072022.pdf Protection Breach of the Protection Obligation by Budgetcars https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-budgetcars 2022-08-11 PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 13 Case No. DP-2108-B8798 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Budgetcars Pte. Ltd. SUMMARY OF THE DECISION 1. On 25 August 2021, the Personal Data Protection Commission (the “Commission”) received a complaint that the delivery tracking function (the “Tracking Function Page”) on the website of Budgetcars Pte Ltd (the “Organisation”) could be used to gain access to the personal data belonging to another individual. By changing a few digits of a Tracking ID, the complainant could access the personal data of another individual (the “Incident”). 2. The Organisation is a logistics company delivering parcels to customers (“Customers”) on behalf of retailers (“Retailers”). 3. The personal data of 44,357 individuals had been at risk of unauthorised access. The datasets comprised name, address, contact number and photographs of their signatures. 4. The Tracking Function Page was set up in December 2020 to allow Retailers and Customers to (i) keep track of the delivery status of their parcels; and (ii) confirm the identity of individuals to collect parcels on their behalf (where applicable). The Tracking IDs were generated by Retailers and comprised either sequential or nonsequential numbers. Although generated by Retailers, the Organisation adopted the Tracking IDs for use on its own Tracking Function Page that allowed their customers to track their deliveries, which would disclose personal data listed above. 
The Protection Obligation therefore required the Organisation to ensure that there were reasonable access controls in its use of the Tracking IDs for giving access to an individual’s personal data. 5. The risk of unauthorised access to personal data from altering numerical references, both sequential and non-sequential, have featured in the published decisions of the Commission in Re Fu Kwee Kitchen Catering Services [2016] SGPDPC 14, and more recently, in Re Ninja Logistics Pte. Ltd. [2019] SGPDPC… Directions f58b11a86b70faf2534d0dbe08ee7f22ddbeaeb9
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 31 31 1 952 Warnings were issued to Toll Logistics (Asia), Toll Global Forwarding, Toll Offshore Petroleum Services, and Toll (TZ) for breaches of the PDPA in relation to the transfer of employees’ personal data to a human resources software vendor in Ireland.
[
    "Transfer Limitation",
    "Warning",
    "Transport and Storage"
]
2022-05-19 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Toll-Logistics-Asia-Limited-and-others--180322.pdf Transfer Limitation Breach of the Transfer Limitation Obligation by Toll Logistics (Asia) and others https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-transfer-limitation-obligation-by-toll-logistics-and-others 2022-05-19 PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 4 Case No. DP-2008-B6707 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Toll Logistics (Asia) Limited (2) Toll Global Forwarding (Singapore) Pte. Limited (3) Toll Offshore Petroleum Services Pte. Ltd. (4) Toll (TZ) Pte. Ltd. … Organisations DECISION Toll Logistics (Asia) Limited and others [2022] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2008-B6707 14 March 2022 Introduction 1 Toll Holdings Limited (“Toll Holdings”) is an integrated logistics services provider headquartered in Australia. Toll Logistics (Asia) Limited (“Toll Logistics”), Toll Global Forwarding Singapore Pte. Ltd. (“Toll Forwarding”), Toll Offshore Petroleum Services Pte. Ltd. (“Toll Offshore"), and Toll (TZ) Pte. Ltd. (“Toll TZ”) are Singapore-registered entities (collectively, “the Organisations”) that are part of a multinational group of companies headed by Toll Holdings (“the Group”). 2 On 11 June 2020, Toll Holdings notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the Group’s IT systems, including servers in Australia and Singapore containing the personal data of current and former employees of the Organisations (“the Incident”). The Commission subsequently received complaints from 3 former employees of Toll Logistics in relation to the Incident. Investigations were commenced to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisations of the Personal Data Protection Act 2012 (“PDPA”). 
Facts of the Case 3 In July 2013, Toll Holdings contracted with a vendor in Ireland (“the HR Vendor”) for the Group’s use of the HR Vendor’s human resources software platform (“the HR Platform”). To facilitate use of the common HR Platform, the respective Group entities (including the Organisations) uploaded the personal data of their employees to the HR Platform. The data uploaded to the HR Platform was hosted by the HR… Warning 3366d27f6930503cebbbff6dd8de747f0da55d18
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 61 61 1 952 A financial penalty of $8,000 was imposed on ST Logistics for failing to put in place reasonable security arrangements to prevent the unauthorised access of 2,400 MINDEF and SAF personnel's personal data.
[
    "Protection",
    "Financial Penalty",
    "Transport and Storage",
    "Phishing",
    "Malware"
]
2021-06-10 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---ST-Logistics-Pte-Ltd---26102020.pdf Protection Breach of the Protection Obligation by ST Logistics https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-obligation-by-st-logistics 2021-06-10 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 19 Case Nos. DP-1912-B5514 and DP-1912-B5559 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ST Logistics Pte Ltd … Organisation DECISION ST Logistics Pte Ltd [2020] SGPDPC 19 Lew Chuen Hong, Commissioner — Case Nos. DP-1912-B5514 and DP1912-B5559 26 October 2020 Introduction 1 Phishing attacks are increasingly prevalent and are one of the top cybersecurity threats faced by organisations1. In its latest report, the Cyber Security Agency of Singapore reported 47,500 cases of phishing in Singapore last year, almost triple the number of cases in 20182. This case is yet another example of an organisation falling victim to phishing. 2 On 16 December 2019, ST Logistics Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that the Organisation had detected an Emoted malware (“Emotet”) in their network which had infected 6 of its users’ laptops (including 4 laptops containing personal data), potentially affecting up to 4,000 individuals in the Ministry of 1 Phishing is a method employed by cyber criminals, often disguising themselves as legitimate individuals or reputable organisations, to fraudulently obtain personal data and other sensitive or confidential information. Once cyber criminals obtain an individual’s personal data, they may gain access to the individual’s online accounts and may impersonate the individual to scam persons known to the individual. 
See Cyber Security Agency of Singapore, Cyber Tip – Spot Signs of Phishing (25 February 2020) https://www.csa.gov.sg/gosafeonline/go-safe-forme/homeinternetusers/spot-signs-of-phishing. 2 See “Phishing attacks last year tripled from 2018”, The Straits Times, 27 June 2020. ST Logistics Pte Ltd [2020] SGPDPC 19 Defence (“MINDEF”) and Singapore Armed Forces (“SAF”) (the “Incident”). Subsequently, on 23 December 2019, the Commission received a complaint from an individual affected by the Incident. Facts of the … Financial Penalty 50724d913acafbfd43b21653cd18c545ba471871
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 92 92 1 952 A financial penalty of $10,000 was imposed and a direction was issued to Grabcar for failing to put in place reasonable security arrangements to prevent the unauthorised access of GrabHitch drivers’ and passengers’ personal data via its mobile application.
[
    "Protection",
    "Financial Penalty",
    "Directions",
    "Transport and Storage",
    "Mobile application",
    "Code review"
]
2020-09-10 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Grabcar-Pte-Ltd---24072020.pdf Protection Breach of the Protection Obligation by Grabcar https://www.pdpc.gov.sg/all-commissions-decisions/2020/09/breach-of-the-protection-obligation-by-grabcar 2020-09-10 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 14 Case No. DP-1909-B4675 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Grabcar Pte Ltd … Organisation DECISION Grabcar Pte Ltd [2020] SGPDPC 14 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1909-B4675 21 July 2020 Introduction 1 Grabcar Pte Ltd (the “Organisation”) is a Singapore-based company offering ride-hailing transport services, food delivery and digital payment solutions through its mobile application (the “Grab App”). The Grab App also provides a carpooling option referred to as “GrabHitch”. GrabHitch matches a passenger with a driver willing to give a lift to the passenger (on the way to the driver’s destination) in return for a fee. On 30 August 2019, the Organisation notified the Personal Data Protection Commission (the “Commission”) that, for a short period of time on the same day, profile data of 5,651 GrabHitch drivers was exposed to the risk of unauthorised access by other GrabHitch drivers through the Grab App (the “Incident”). Facts of the Case 2 The Organisation’s investigations traced the cause of the Incident to the deployment of an update to the Grab App on 30 August 2019 (the “ Update”). 
The purpose of the Update was to address a potential vulnerability discovered within the Grab App, namely, the application programming interface (“API”) endpoint (/users/{userID}/profile) (the “URL”) that had allowed GrabHitch Grabcar Pte Ltd [2020] SGPDPC 14 drivers to access their data, contained a ‘userID’ that could potentially be manipulated to allow access to other GrabHitch driver’s data.1 3 In order to fix the vulnerability, the Update removed the variable ‘userID’ from the URL which shortened it to a hard-coded ‘/users/profile’. However, the Update failed to take into account the URL-based caching mechanism in the Grab App. This caching mechanism (which was configured to refresh every 10 seconds) served cached content in response to data requests to reduce the load of direct a… Financial Penalty, Directions eb17aef1e75850888d8ec821aa37aebe142109b2
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 144 144 1 952 A financial penalty of $54,000 was imposed on Horizon Fast Ferry for failing to appoint a data protection officer, develop and implement data protection policies and practices, and put in place reasonable security arrangements to protect the personal data collected from its customers.
[
    "Protection",
    "Financial Penalty",
    "Transport and Storage"
]
2019-08-02 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Horizon-Fast-Ferry---250719.pdf Protection Breach of the Protection Obligation by Horizon Fast Ferry https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-horizon-fast-ferry 2019-08-02 COMMISSIONER FOR PERSONAL DATA PROTECTION [2019] SGPDPC 27 Case No DP-1710-B1202 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Horizon Fast Ferry Pte. Ltd. (UEN No. 201221074R) … Organisation DECISION Horizon Fast Ferry Pte. Ltd. [2019] SGPDPC 27 Tan Kiat How, Commissioner — Case No DP-1710-B1202 25 July 2019 1 On 9 October 2017, the Complainant informed the Personal Data Protection Commission (the “Commission”) that by entering her passport number in the booking form on the Organisation’s website, her name, gender, nationality, date of birth and passport expiry date were automatically populated in the corresponding fields on the form on the Booking Site without any requirement for further authentication (the “Incident”). Material Facts 2 The Organisation is a Singapore-based ferry operator with ferry services running between Singapore and Batam. 3 As part of its service offerings, the Organisation operates a website that allows passengers to purchase ferry tickets directly from the Organisation online (“Booking Site”). At the material time, passengers who wanted to purchase ferry tickets through the Booking Site were required to provide the following personal data (the “Personal Data Set”) as set out in the form on the Booking Site (“Booking Form”): (a) the passenger’s full name; (b) gender; (c) nationality; (d) date of birth; (e) passport number; and (f) passport expiry date. 4 The same Personal Data Set was collected from passengers and entered into the Organisation’s Counter Check-In System (“CCIS”) when they checked in at the check-in counter. 
The CCIS is an internal system used by the Organisation’s counter staff to manage the passenger check-in process and is only accessible by authorised counter staff. 5 As a matter of practice, all Personal Data Sets collected from the Booking Site and the CCIS were stored and retained on the Organisation’s internal database (the “Database”) even after the last travelling date of the pas… Financial Penalty 22d8a5e1622926675d2f3bece9bfea120e5cb7a8
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 147 147 1 952 A financial penalty of $24,000 and $12,000 was imposed on CDP and Toppan Security Printing respectively for failing to put in place reasonable security arrangements to protect the data of CDP’s account holders from unauthorised disclosure. The incident resulted in other account holders’ data being printed on another account holder’s notification letter. An application for reconsideration was made by Toppan Security Printing. Upon reconsideration, directions in the decision were varied.
[
    "Protection",
    "Protection",
    "Financial Penalty",
    "Financial Penalty",
    "Transport and Storage",
    "Admin and Support Services"
]
2019-08-02 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Updated-as-of-15-Nov-2019-Decision---CDP-and-Toppan---220719.pdf Protection, Protection Breach of the Protection Obligation by CDP and Toppan Security Printing https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-cdp-and-toppan-security-printing 2019-08-02 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 24 Case No DP-1706-B0895 and DP-1707-B0908 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. The Central Depository (Pte) Limited 2. Toppan Security Printing Pte Ltd …Organisation(s) DECISION Editorial note: An application for reconsideration was filed against the decision in Re Central Depository (Pte) Limited & Anor [2019] SGPDPC 24. Pursuant to this application, the Commissioner has decided to reduce the financial penalty imposed on the Organisation from $18,000 to $12,000. As the application did not give rise to significant legal or factual issues, a separate decision on the application will not be published. Re The Central Depository (Pte) Limited & Anor. [2019] SGPDPC 24 Tan Kiat How, Commissioner – Case No DP-1706-B0895 – Case No DP-1707B0908 22 July 2019 1. Organisations may employ vendors to carry out the printing and mailing of documents containing the personal data of their customers on their behalf. The process may involve both the organisations and vendors, which requires a concerted effort to protect personal data. This case presents the issue of division of responsibility in protecting personal data under the PDPA in such circumstances. Background and Material Facts 2. This case concerns the unauthorised disclosure of personal data of 1,358 account holders of the Central Depository (Pte) Limited (“CDP”) when their personal data was wrongly printed in the notification letters of other account holders and sent out. The incident occurred on or about 27 June 2017. 3. 
The exposed data included the name and/or CDP securities account number (“exposed primary identifiers”) which constitute personal data of the individual. In some notification letters, additional information on the securities owned by the Re Central Depository (Pte) Limited & Anor [2019] SGPDPC 24 individual (eg name of security and total amount of dividends or distribution for the security) was also disclosed. These, w… Financial Penalty, Financial Penalty 850caf449162034d53605762c40ce355aee93042
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 156 156 1 952 A financial penalty of $16,000 was imposed on GrabCar for failing to put in place reasonable security arrangements to protect the personal data of its customers from unauthorised disclosure. Personal data of a customer was disclosed to one other customer via an email sent out by GrabCar.
[
    "Protection",
    "Financial Penalty",
    "Transport and Storage",
    "PHV",
    "Private Hire Vehicle"
]
2019-06-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Grabcar-Pte-Ltd-Emails--110619.pdf Protection Breach of Protection Obligation by GrabCar https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-protection-obligation-by-grabcar-financial-penalty 2019-06-11 GrabCar Pte. Ltd [2019] SGPDPC 15 COMMISSIONER FOR PERSONAL DATA PROTECTION [2019] SGPDPC 15 Case No DP-1801-B1526 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) GrabCar Pte. Ltd. (UEN No. 201427085E) … Organisation DECISION 1 GrabCar Pte. Ltd [2019] SGPDPC 15 GrabCar Pte. Ltd. Tan Kiat How, Commissioner — Case No DP-1801-B1526 11 June 2019 1 This case concerns the unauthorised disclosure of the names and mobile phone numbers of 120,747 GrabCar Pte. Ltd. (the “Organisation”) customers in marketing emails sent out by the Organisation (the “Incident”). On 5 January 2018, GrabTaxi Holdings Pte. Ltd., a related corporation of the Organisation, 1 notified the Personal Data Protection Commission of the Incident on behalf of the Organisation. The Commissioner’s findings and grounds of decision based on the investigations carried out in this matter are set out below. Material Facts 2 The Organisation is part of the Grab Group, which offers, among other things, ride- hailing transport services, food delivery and payment services on its mobile platform. As part of its marketing strategy, the Organisation regularly conducts marketing campaigns to reach out to targeted customers. These frequently involves sending emails offering special promotions to selected customers. 3 On 17 December 2017, the Organisation sent out 399,751 marketing emails to a targeted group of customers as part of a marketing campaign (“Marketing Campaign”). Out of the emails sent on that date, 120,747 emails contained the name and mobile phone number2 of another customer, i.e. 
the email was sent to User A’s (the intended recipient) email address but User B’s (the mismatched customer) name and mobile phone number was reflected in the email as that of the intended recipient (the “Mismatched Emails”). 4 Shortly after the Mismatched Emails were sent out, the Organisation’s Customer Experience team reported an increased number of customer queries regarding the unauthorised disclosu… Financial Penalty 7e78075cc7309a399647c800c3e751c80479ea85
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 157 157 1 952 Directions were issued to GrabCar for failing to put in place reasonable security arrangements for GrabHitch drivers to protect the personal data of passengers that used GrabHitch services. Personal data of some GrabHitch passengers were disclosed by GrabHitch drivers without consent on social media.
[
    "Protection",
    "Directions",
    "Transport and Storage",
    "PHV",
    "Private Hire Vehicle"
]
2019-06-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Grabcar-Pte-Ltd-GrabHitch--110619.pdf Protection Breach of Protection Obligation by GrabCar https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-protection-obligation-by-grabcar-directions 2019-06-11 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 14 Case Nos DP-1702-B0508/DP-1703-B0613 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Grabcar Pte. Ltd. [UEN 201427085E] … Organisation ________________________________________________________ DECISION ________________________________________________________ Grabcar Pte. Ltd. [2019] SGPDPC 14 Grabcar Pte. Ltd. [2019] SGPDPC 14 Yeong Zee Kin, Deputy Commissioner – Case Nos DP-1702-B0508/DP-1703B0613 11 June 2019 Introduction and facts of the cases 1 This decision addresses, in the main, the obligations of an online ride- sharing platform and drivers who use the platform to provide carpool rides to passengers. Grabcar Pte Ltd (the “Organisation”) operates an online platform through the Grab mobile application (the “Grab App”) which enables individuals to book taxis or private cars for transportation services. The Grab App also provides a carpooling option, referred to in the app as “GrabHitch”. GrabHitch matches a passenger with a driver who is willing to give a lift to the passenger on the way to the driver’s destination in return for a fee. The Organisation states on its website,1 “GrabHitch is a social carpooling platform powered by everyday, non-commercial drivers giving you a lift along the way to cover petrol costs.”2 2 This decision relates to separate complaints by two passengers (the “Complainants”) who used GrabHitch to book carpool rides. The carpool rides were provided by two different drivers (the “Drivers”) on separate occasions. 
1 www.grab.com/sg/hitch/ The Organisation’s website also states that GrabHitch is provided in compliance with the Road Traffic (Car Pools) (Exemption) Order 2015. 2 2 Grabcar Pte. Ltd. [2019] SGPDPC 14 Nevertheless, the two complaints are dealt with together in this decision as they both relate to similar issues, in particular, to the issue of disclosure of passengers’ personal data without consent by GrabHitch drivers. 3 The substance of each compla… Directions b13cfd3e762e67fa7f3823843de7d5cae693b203
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 162 162 1 952 A warning was issued to H3 Leasing for disclosing personal data online without the consent of the individual concerned.
[
    "Consent",
    "Warning",
    "Transport and Storage",
    "Vehicle rental"
]
2019-06-06 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---H3-Leasing---06062019.pdf Consent Breach of the Consent Obligation by H3 Leasing https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-consent-obligation-by-h3-leasing 2019-06-06 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 9 Case No DP-1803-B1859 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And H3 Leasing … Organisation DECISION H3 Leasing [2019] SGPDPC 9 H3 Leasing [2019] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No DP-1803-B1859 6 June 2019 Background 1. The complaint concerns the disclosure of personal data without consent by H3 Leasing (the “Organisation”). The Organisation is in the business of rental of motor vehicles in Singapore. 2. The Complainant was a member of the public who had come across a post on social media by the Organisation disclosing scanned images of the NRIC of another individual (“Affected Individual”). The personal data disclosed by virtue of this comprised the full name, residential address, date of birth, NRIC number, NRIC photo and the thumbprint image of the Affected Individual (the “Personal Data Set”). On 8 March 2018, the Complainant filed a complaint with the Personal Data Protection Commission (the “Commission”) in relation to the disclosure of the Personal Data Set by the Organisation. 3. The key issue raised by the Complaint is whether the Organisation had the consent required under section 13 of the Personal Data Protection Act 2012 (the “PDPA”) to disclose the Personal Data Set of the Affected Individual in the manner and for the purposes which they did. 4. Following an investigation into the matter by the Personal Data Protection Commission, I found the Organisation in breach of section 13 of the PDPA. 2 H3 Leasing [2019] SGPDPC 9 Material Facts 5. On 15 December 2017, the Affected Individual rented a motor vehicle from the Organisation. 
He voluntarily provided a copy of his NRIC and entered into an agreement with the Organisation for that purpose. 6. Subsequently, the Affected Individual went into rental arrears and ceased contact with the Organisation. The Organisation was unable to locate him or the motor vehicle and made a police report concerning the… Warning 975a9880e3865b938caf22061b31d292c5d3e479
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 177 177 1 952 A financial penalty of $6,000 was imposed on Grabcar for failing to make reasonable security arrangements to prevent the unauthorised disclosure of GrabHitch drivers’ personal data.
[
    "Protection",
    "Financial Penalty",
    "Transport and Storage",
    "PHV",
    "Private Hire Vehicle"
]
2018-10-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Grabcar_Pte_Ltd_270918.pdf Protection Breach of Protection Obligation by Grabcar https://www.pdpc.gov.sg/all-commissions-decisions/2018/10/breach-of-protection-obligation-by-grabcar 2018-10-04 PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 23 Case No DP-1706-B0871 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And GrabCar Pte. Ltd. … Organisation DECISION GrabCar Pte. Ltd. [2018] SGPDPC 23 Tan Kiat How, Commissioner — Case No DP-1706-B0871 27 September 2018. Background 1 This case involves the unauthorised disclosure of the personal data of GrabHitch drivers in a Google Forms survey created by the Organisation that was accessible online (the “Incident”). The Personal Data Protection Commission (the “Commission”) received a complaint from one of the drivers whose personal data was disclosed in the Incident and commenced its investigations thereafter. The Commissioner set out below his findings and grounds of decision based on the investigations carried out in this matter. Material Facts 2 The Organisation was incorporated in September 2014 and has been providing the GrabHitch service since November 2015. GrabHitch is a paid carpooling service operated by the Organisation that matches individual noncommercial private car owners (“Hitch Drivers”) with people who are commuting along the same route.1 Hitch Drivers are permitted to charge a fare to cover the Hitch Driver’s variable costs, such as petrol and car depreciation based on the distance of the ride. 1 Individuals who provide carpool trips that adhere strictly to the conditions set out in the Road Traffic (Car Pools) (Exemption) Order 2015 are exempt from the certain requirements under the Road Traffic Act (Cap. 276), such as the requirement to obtain the appropriate commercial licences and insurance. GrabCar Pte. Ltd. 
3 [2018] SGPDPC 23 In accordance with the Organisation’s Driver’s Code of Conduct, Hitch Drivers who fail to comply with the Terms and Conditions or Code of Conduct may be penalised through account deactivation, the withholding, reduction or forfeit of driver incentives or credits, suspension or permanent banning. Conduct that would warrant a suspension of a Hitch Dri… Financial Penalty d1a439afe3fbd6596676be698dc8a24e365fd633
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 200 200 1 952 A financial penalty of $10,000 was imposed on ComGateway for not protecting its webpage against URL manipulation, which resulted in unauthorised disclosure of its customers' personal data.
[
    "Protection",
    "Financial Penalty",
    "Transport and Storage"
]
2017-12-29 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GroundsofDecisionComGateway291217.pdf Protection Breach of Protection Obligation by ComGateway https://www.pdpc.gov.sg/all-commissions-decisions/2017/12/breach-of-protection-obligation-by-comgateway 2017-12-29 PERSONAL DATA PROTECTION COMMISSION [2017] SGPDPC 19 Case No DP-1611-B0368 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ComGateway (S) Pte. Ltd. … Organisation GROUNDS OF DECISION ComGateway (S) Pte. Ltd. [2017] SGPDPC 19 Tan Kiat How, Commissioner — Case No DP-1611-B0368 29 December 2017 Background 1 On 29 November 2016, the Complainant, a customer of the Organisation, informed the Personal Data Protection Commission (the “Commission”) that: (a) when the Organisation provided a shipping details webpage (“Shipping Webpage”), it disclosed the Complainant’s personal data (in the form of shipping details) to another customer (the “First Data Breach”); and (b) the URL1 of the Shipping Webpage of one customer could be manipulated to enable access to shipping details of other customers, by changing the last character (the “Second Data Breach”). 2 The shipping details included personal data such as the customer’s name, contact number and address. 1 <www.comgateway.com/ship_track_detail?shipId=MTYwMTExMQ>. ComGateway (S) Pte. Ltd. 3 [2017] SGPDPC 19 The Commissioner ultimately found the Organisation not to be in breach of the Personal Data Protection Act 2012 (“PDPA”) in respect of the First Data Breach, but in breach of Section 24 of the PDPA in respect of the Second Data Breach. The Commissioner’s findings are now set out below. Material Facts 4 The Organisation operates an online portal that provides logistics, shopping (“buy-for-me”) and shipping services to its customers. 
5 The Organisation uses an electronic system and application through and on its website (the “Website”) to process, track and manage shipping / transaction orders from its customers. 6 The Organisation had been conducting quarterly “Trustwave” vulnerability scans and annual penetration tests for its external and internal networks. The vulnerability scans were used to identify and report on network security vulnerabilities that could be exploited by cybercriminals. … Financial Penalty 9d6a4562c790c2b9a5f2f033dd45d090888298ae
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 203 203 1 952 Directions were issued to M Stars Movers for disclosure of a customer's personal data via social media without consent, failure to appoint a Data Protection Officer, and failure to institute policies and practices that are necessary for the organisation to meet the obligations imposed under the PDPA.
[
    "Accountability",
    "Consent",
    "Directions",
    "Transport and Storage"
]
2017-11-15 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---m-stars-movers---151117.pdf Accountability, Consent Breach of Consent and Openness Obligations by M Stars Movers https://www.pdpc.gov.sg/all-commissions-decisions/2017/11/breach-of-consent-and-openness-obligations-by-m-stars-movers 2017-11-15 PERSONAL DATA PROTECTION COMMISSION [2017] SGPDPC 15 Case No DP-1612-B0418 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And M Stars Movers & Logistics Specialist Pte Ltd … Organisation GROUNDS OF DECISION M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0418 15 November 2017 Background 1 This case highlights the risks that organisations face when they fail to develop and implement policies, practices and procedures to protect personal data when communicating with its customers or other individuals through social media. 2 In this matter, a customer (the “Complainant”) of the Organisation, which provides professional moving services, alleged that the Organisation had disclosed her personal data on its Facebook page without her consent. 3 The findings and grounds of decision based on the investigations carried out in this matter are set out below. Material Facts 4 Sometime in December 2016, the Complainant engaged the Organisation’s professional moving services. The Complainant voluntarily provided her name, mobile number and residential addresses (i.e. the addresses where the items were to be picked up and delivered to) to the Organisation to provide the services. 5 Dissatisfied with the allegedly unsatisfactory services provided by the Organisation, the Complainant left a negative review in a public post on the Organisation’s Facebook page. 
Amongst other things, there was a disagreement as to when the Organisation was required to return the S$100 deposit to the Complainant. 6 The Organisation publicly responded to the Complainant’s review in the comment section of the Complainant’s post on its Facebook page. In its response, the Organisation identified the Complainant by her English name and surname (“name”) and residential address (collectively referred to as the “Personal Data”) and informed the Complainant tha… Directions 76b2216f9b21cb552235144f0c76b8706503cf1a
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 225 225 1 952 Two complaints were made against Comfort Transportation and CityCab for disclosing taxi drivers’ mobile phone numbers as part of the taxi booking process. Both organisations were not found to be in breach of the consent or notification obligations, because the mobile phone numbers of taxi drivers were used as business contact numbers.
[
    "Not in Breach",
    "Transport and Storage",
    "Transport and Storage",
    "COMFORT",
    "CAB",
    "TAXI"
]
2016-09-23 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decisions---comfort-and-citycab---230916.pdf   No Breach of Consent and Notification Obligations by Comfort Transportation and CityCab https://www.pdpc.gov.sg/all-commissions-decisions/2016/09/no-breach-of-consent-and-notification-obligations-by-comfort-transportation-and-citycab 2016-09-23 DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1408-A054 (1) Comfort Transportation Pte Ltd (UEN No. 199303821R) (2) CityCab Pte Ltd (UEN No. 199502839G) …Respondents Decision Citation: [2016] SGPDPC 17 GROUNDS OF DECISION 23 September 2016 BACKGROUND 1. On 15 August 2014 and 22 August 2014, the Personal Data Protection Commission (“Commission”) received complaints from [Redacted] (“First Complainant”) and [Redacted] (“Second Complainant”) against Comfort Transportation Pte Ltd (“1st Respondent”) and CityCab Pte Ltd (“2nd Respondent”) respectively for disclosing their personal mobile phone numbers to customers who booked the taxis driven by them. 2. Pursuant to section 50 of the Personal Data Protection Act 2012 (“PDPA”), the Commission carried out an investigation into the matter. MATERIAL FACTS AND DOCUMENTS 3. The 1st and 2nd Respondents (collectively, the “Respondents”), are companies within a group that operate a taxi business. Commencing some time in 2013, the Respondents provided a mobile application (“the App”) that allowed passengers to make current or advanced bookings. The App is owned by the 1st Respondent. Upon booking a taxi through the App, the mobile phone number of the taxi driver will be sent to the booking passenger’s mobile phone together with a confirmation of the taxi booking. 4. The Complainants, in separate complaints alleged that their mobile numbers are their personal data, and the Respondents are obliged to protect such data in accordance with the PDPA. 
The First Complainant, in particular, asserted that the 1st Respondent is not permitted to disclose his mobile number to the booking customers without his consent. The First Complainant claimed that he did not provide such consent to the 1st Respondent. 5. The Commission understands that the mobile phone numbers that were disclosed were obtained from the Hirer Application form and/or New Relief Application Form (collectively, the “Application Forms”) for the hire of a taxi submitted by new drivers. At the m… Not in Breach e2cdfc96f72c2a13d54afe98051b37a310e31af7
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
About: choco-up/sg-law-archive-data