pdpc_undertakings

Data source: pdpc.gov.sg/Undertakings · About: choco-up/sg-law-archive-data

33 rows sorted by timestamp descending

Columns: _id, _item_id, id, organisation, url, timestamp (sorted descending), description, pdf-url, pdf-content, _commit. Each row below is laid out as one labelled record; cells truncated at source are left with their trailing "…".
_id: 33 · _item_id: 6e98f92db05dac23a73da70032d38ef5f0dc2fea · id: 33
organisation: AEM Holdings Ltd
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-AEM-Holdings-Ltd
timestamp: 2023-12-14
description:
Background
The Personal Data Protection Commission (the "Commission") was notified by AEM Holdings Ltd. ("AEM") on 1 July 2022 of a personal data breach involving the unauthorised access and exfiltration of personal data. Investigations revealed that a malicious actor had likely obtained initial access to AEM's IT environment through a virtual private network ("VPN") appliance owned, controlled, and maintained by its vendor. The VPN appliance had contained a known critical exploit, as the vendor had not updated it. The malicious actor had likely made use of the critical exploit to obtain the VPN credentials and session information. The malicious actor successfully deployed ransomware, encrypting and/or exfiltrating the personal data of 18,135 individuals (the "Incident"). The personal data affected included their identification numbers, personal contact information, employee status, salary, leave records, date of birth, race, religion, COVID-19 test results, body temperatures for COVID-19 measures, vaccination information, list of shareholders, employee bank account numbers, profile photographs, and fingerprints.
Remedial Actions
After the incident, as part of a remediation plan, AEM put in place the following measures:
(a) Implemented a third-party vendor cybersecurity risk management policy;
(b) Implemented standard contractual clauses for contracting with third-party vendors;
(c) Implemented regular cybersecurity reviews; and
(d) Reviewed and enhanced its data classification policy.
The Commission was also satisfied with the additional actions undertaken by AEM.
Undertaking
Having considered the circumstances of the case, the Commission accepted an undertaking from AEM to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 2 May 2023 (the "Undertaking"). The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consiste…
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---AEM-Holdings-Ltd.pdf
pdf-content:
VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012
Case number: DP-2207-9942
In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) AEM Holdings Ltd. (UEN No. 200006417D) … Organisation
The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will:
(a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and
(b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation.
The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking.
The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation.
SIGNED, for and on behalf of AEM Holdings Ltd. By the following: Name: ______ Designation: ______ Date: ______
SCHEDULE A
SUMMARY OF FACTS
1. On 1 July 2022, the PDPC was informed by the Organisation about the deployment of ransomware on its network.
2. As a result, the personal data of 18,135 individuals including their names, personal contact information, identification numbers, employment records, date of birth, race, religion, COVID-19 test results and vaccination information, shareholding information, employee bank account number, profile photographs and fingerprints were encrypted and/or exf…
_commit: 1187
_id: 32 · _item_id: 91301e7edd0c4a62c2cf819d8e3b96aaa3ff3480 · id: 32
organisation: Starbucks Coffee Singapore Pte Ltd
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Starbucks-Coffee-Singapore-Pte-Ltd
timestamp: 2023-11-10
description:
Background
On 13 September 2022, the Personal Data Protection Commission (the “Commission”) reached out to Starbucks Coffee Singapore Pte. Ltd. (the “Organisation”) after receiving information that personal data purporting to belong to the Organisation’s customers were available for sale online. The Organisation lodged a data breach notification to the Commission on 15 September 2022 and confirmed that its customer database, managed by its data intermediary, Ascentis Pte. Ltd. (“Ascentis”), was compromised by an unknown threat actor. As a result, the personal data of approximately 332,774 individuals including their names, phone numbers, email addresses, addresses, date of birth and membership information was compromised. Investigations revealed that the personal data breach could not be directly attributed to the Organisation but had occurred due to internal lapses on Ascentis’ end. Ascentis had engaged an overseas vendor, Kyanon Digital Co. Ltd (“Kyanon”) which was based in Vietnam, to complement and be part of the development team to assist in its project implementation for the Organisation. However, Ascentis failed to implement reasonable administrative and technical measures to ensure that Kyanon was in compliance with its IT policies and standards.
Remedial Actions
After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) Requested its vendor to implement two-factor authentication and IP address restriction to access the admin portal of the customer database;
(b) Reset the application programming interface as a precautionary measure;
(c) Audited the processes of its vendor and required them to improve on their monitoring and security processes;
(d) Reviewed its existing contracts with 3rd party vendors; and
(e) Notified all affected customers.
Undertaking
The Commission accepted the Undertaking as it was satisfied that notwithstanding that the cause of the data breach occurred due to the internal lapses by Ascentis, the Organisation could further improve on the con…
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Starbucks-Coffee-Singapore-Pte-Ltd_2023.pdf
pdf-content:
VOLUNTARY UNDERTAKING UNDER SECTION 48L OF THE PERSONAL DATA PROTECTION ACT 2012
Case number: DP-2209-C0193
In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (“the Act”) And (1) Starbucks Coffee Singapore Pte. Ltd. (UEN No. 198800670D) … Organisation
The Commission has reasonable grounds to believe that the Organisation has not complied, is not complying or is likely not to comply with section 24 of the Act. In order for the Commission to suspend its investigation pursuant to section 50(3)(ca) of the Act, the Organisation HEREBY UNDERTAKES that it will:
(a) Complete the remediation plan set out at Schedule B within the timelines stated in Schedule B; and
(b) Within 14 days of the completion of the remediation plan set out at Schedule B, provide the Commission with a copy of the declaration set out at Schedule C duly signed by the signatory of this Undertaking or a representative of the Organisation of equal designation.
The Organisation acknowledges that the Commission shall be entitled to publish and make available to the public this Undertaking and the summary of the Commission’s findings set out at Schedule A to this Undertaking.
The terms of this Undertaking may be varied by the written agreement of the Commission and the Organisation.
SIGNED, for and on behalf of Starbucks Coffee Singapore Pte. Ltd. By the following: Name: ______ Designation: ______ Date: ______
SCHEDULE A
SUMMARY OF FACTS
1. On 15 September 2022, the Commission was informed that personal data purported to be from the Organisation’s Singapore customers were available on the dark web.
2. Investigation revealed that the above-mentioned personal data were indeed from the Organisation’s customer database and this database was handled by Ascentis Pte. Ltd (“Ascentis”), an external vendor contracted to provide IT solutions since 2014.
3. …
_commit: 949
_id: 31 · _item_id: f981ac0d28f349a756b93a3180f8b6337d51dec5 · id: 31
organisation: OG Pte Ltd
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-OG-Pte-Ltd
timestamp: 2023-08-16
description:
Background
On 4 January 2022, OG Private Limited (the "Organisation") received a ransom email from Desorden Group. The email claimed that Desorden Group had hacked into the Organisation and stolen personal data belonging to the Organisation's customers. The Desorden Group demanded a ransom of USD$90,000 in return for not publishing the stolen data. Investigations revealed that the threat actor had conducted a brute-force SQL injection attack and was able to download 3 databases. 2 of these databases contained "dummy data" for internal testing while another database contained the personal data (including the name, gender, address, date of birth, email address, telephone numbers and the encrypted NRIC numbers and passwords) of approximately 276,677 individuals. The impact of the ransomware attack on the Organisation was limited as the Organisation's data intermediary, Poket Pte Ltd ("Poket"), responded quickly. Within 8 minutes of receiving the security notifications that abnormal traffic had been detected, Poket shut down the affected servers and blocked access to the Organisation's databases.
Remedial Actions
After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) SQL injection prevention enhancement;
(b) Streamline data storage;
(c) Harden web portal security;
(d) Implement annual security review; and
(e) Tighten protocols for contracting with 3rd party vendors.
Undertaking
Having considered the circumstances of the case, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The Commission accepted the undertaking after considering the security arrangements the Organisation had in place to protect the personal data of individuals in its possession or control and the prompt response taken by the Organisation which mitigated the effect of the ransomware attack. The undertaking was executed on 3 June 2022 (the "Undertaking"). The Organisation has since updated the Commission that it has fully implemented its remediatio…
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---OG-Private-Limited.pdf
pdf-content:
WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION
This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: OG Private Limited UEN: 196200157H Registered Address: 60 Albert Street #05-01 (189969) OG Albert Complex, Singapore (hereinafter referred to as the “Organisation”).
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.
1. DEFINITIONS
1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.
2. ACKNOWLEDGEMENTS
2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d)
2.2 Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be…
_commit: 950
_id: 30 · _item_id: 8e81fa3ebd2c63a7421d56f69d93bfd59d34a028 · id: 30
organisation: Employment and Employability Institute Pte Ltd
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Employment-and-Employability-Institute-Pte-Ltd
timestamp: 2023-07-20
description:
Background
The Personal Data Protection Commission (the “Commission”) was notified by Employment and Employability Institute Pte. Ltd. (“e2i”) on 25 March 2021 of a personal data breach involving its contact centre and data intermediary, i-vic International Pte. Ltd. (“i-vic”). Investigations revealed that an employee of i-vic had most likely fallen prey to a phishing attack. As a result, a malicious actor successfully downloaded the personal data belonging to 31,002 individuals from 2 email accounts belonging to the i-vic employee (the “Incident”). The personal data affected included the individuals’ partial or full NRIC, date of birth, telephone number, email address, residential address, highest qualification, and employment details. Further investigations found that i-vic had reasonable security measures in place to protect the personal data that it processes on behalf of e2i. i-vic had anti-virus protection, anti-phishing protection, regular anti-virus scans, security audits and conducted regular patches for its IT system. In fact, i-vic had existing anti-malware software which should have been able to detect the particular malware used in the Incident, but somehow failed to do so. After the Incident, i-vic purchased and deployed additional anti-malware software. Finally, the Commission found that i-vic had comprehensive policies and guidelines in place to protect personal data. While i-vic had reasonable security arrangements in place to protect the personal data it processes, the Commission established that this was entirely on i-vic’s account and not because of e2i’s bidding. e2i had failed to stipulate any specific data protection requirements on i-vic in their contract. e2i also lacked sufficiently robust processes to protect the personal data in its possession or control. i-vic produced evidence of several occasions where e2i’s employees had sent personal data to i-vic without any encryption or protection, which was against e2i’s standard operating procedures.
Case No. DP-2106-B8424
A complainant alerted the Co…
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---e2i-2023.pdf
pdf-content:
WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION
This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Employment and Employability Pte. Ltd. UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 (hereinafter referred to as the “Organisation”).
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.
1. DEFINITIONS
1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.
2. ACKNOWLEDGEMENTS
2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undert…
_commit: 948
_id: 28 · _item_id: e8a35c8ba86b53f90b846840d2c6ebc453ead910 · id: 28
organisation: Simmons (Southeast Asia) Private Limited
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Simmons-Southeast-Asia-Private-Limited
timestamp: 2023-06-22
description:
Background
The Personal Data Protection Commission (the “Commission”) was notified by Simmons (Southeast Asia) Private Limited ("SPL") on 17 August 2022 that it was subject to a ransomware attack on 10 August 2022. As a result of the attack, a test server containing the personal data of 87,824 customers was encrypted by ransomware. The personal data affected included the customers' name, address, email address, telephone number and customer information such as the sales order and date, product bought, amount paid, delivery date, time of delivery, date of payment, amount paid, mode of payment, and payment reference. The data of 128 employees, including their business email address, user ID, and password was also encrypted. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to the test server by exploiting an open Remote Desktop Protocol (“RDP”) port. The RDP port had been left open just 4 days earlier, on 6 August 2022, to facilitate access to the test server by a vendor for testing and development work.
Remedial Actions
After the incident, as part of a remediation plan, SPL put in place measures including:
(a) Reformatted and restored the test server;
(b) Closed the RDP port;
(c) Ensured that any connection to any of SPL’s servers within its IT environment can only be made through an SSL/VPN or IPSec connection, and that all RDP ports on all its servers are closed to public internet access;
(d) Issued an SSL/VPN account to its vendor for the vendor to connect to SPL’s network before accessing the test server;
(e) Removed all production data containing personal data from test servers and will ensure that any future test servers will not contain personal data in any form;
(f) Set up all future test servers on a separate domain so that the possibility of lateral movement is minimised;
(g) Ensured that the passwords used on test servers (including the current test server) comply with SPL’s existing password policy;
(…
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Simmons-Southeast-Asia-Limited.pdf
pdf-content:
WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION
This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Simmons (Southeast Asia) Private Limited UEN: 199303272D Registered Address: 300 Beach Road, #25-03, The Concourse, Singapore 199555 (hereinafter referred to as the “Organisation”).
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.
1. DEFINITIONS
In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.
2. ACKNOWLEDGEMENTS
2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be a…
_commit: 948
_id: 29 · _item_id: 660b9a2c97633c0645edb31c89fded7da06491b4 · id: 29
organisation: Metropolis Security Systems Pte Ltd
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Metropolis-Security-Systems-Pte-Ltd
timestamp: 2023-06-22
description:
Background
In late June 2022, the Cyber Security Agency of Singapore alerted the Personal Data Protection Commission (the “Commission”) and Metropolis Security Systems Pte Ltd (the “Organisation”) that the Organisation’s files containing the personal data of 250 individuals were accessible online via an open port. The affected folder containing the personal data had been inadvertently set to public, and configured to an open port following a routine maintenance service in March 2018. As a result, the personal data of 250 individuals including their name, NRIC number, address, mobile number and bank account number was disclosed.
Remedial Actions
After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) Password-protect both sensitive and confidential documents stored centrally in its HQ Network Attached Storage folder;
(b) Review the classification of information in its asset register at least once a year;
(c) Ensure that its vendors/suppliers are contractually obliged to comply with the Personal Data Protection Act 2012;
(d) Conduct adequate internal tests and penetration tests; and
(e) Embark on ISO27001 implementation with an external consultant.
Undertaking
Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the PDPA. The undertaking was executed on 27 September 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertaking.
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Metropolis-Security-Systems-Pte-Ltd.pdf
pdf-content:
WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION
This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Metropolis Security Systems Pte Ltd UEN: 201008279K Registered Address: 20 Sin Ming Lane #08-63 Midview City, Singapore (573968) (hereinafter referred to as the “Organisation”).
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.
1. DEFINITIONS
1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.
2. ACKNOWLEDGEMENTS
2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be a…
_commit: 948
_id: 27 · _item_id: 435234e817ffdbe595771e1c0dfb3d270b6b5997 · id: 27
organisation: SpeeDoc Pte Ltd
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Speedoc-Pte-Ltd
timestamp: 2023-05-11
description:
Background
The Personal Data Protection Commission (the “Commission”) was informed on 27 October 2020 that SpeeDoc Pte. Ltd's (“Organisation”) AWS S3 bucket was incorrectly configured, which enabled public access to the personal data stored within. The personal data of 12,652 individuals, including their names, phone numbers and email addresses, was potentially publicly accessible. Of the 12,652 individuals affected, the NRIC numbers of 22 individuals, laboratory test results of 34 individuals, profile pictures of 492 individuals, and photos of their medication and symptoms (rashes and wounds) submitted by 157 individuals to the Organisation were also made potentially publicly accessible.
Remedial Actions
To prevent recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. These include:
(a) Conducting an IT security audit to identify and rectify security vulnerabilities in its network and systems;
(b) Attaining the ISO27001 Certification to ensure that its information systems are aligned with the industry's best practices and protected against malware and loss of data;
(c) Sending its key team members to undergo relevant security and data protection training on Amazon Web Services; and
(d) Sending its employees to attend cyber and data protection awareness training to ensure that they are equipped with the relevant knowledge to identify and mitigate security threats.
Undertaking
Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 28 April 2022 (the “Undertaking”). The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to view the Undertak…
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Speedoc-Pte-Ltd.pdf
pdf-content:
WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION
This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SpeeDoc Pte Ltd UEN: 201705599R Registered Address: 991C Alexandra Road #01-13B Singapore 119971 (hereinafter referred to as the “Organisation”).
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.
1. DEFINITIONS
1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.
2. ACKNOWLEDGEMENTS
2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.
2.2 The Organisation…
_commit: 948
_id: 26 · _item_id: a206ada196a8f23f7c840546f2c2efc81a92c816 · id: 26
organisation: Tat Hong Heavyequipment Pte Ltd
url: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Tat-Hong-Heavyequipment-Pte-Ltd
timestamp: 2023-04-17
description:
Background
The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 July 2022 from Tat Hong Heavyequipment (Pte.) Ltd (“Organisation”) regarding a ransomware attack in which various systems within the Organisation’s network were encrypted. A total of 43 virtual machines, 4 physical servers, 3 employees’ PCs and network attached storage were affected. The personal data of the Organisation’s 3,377 current and former employees and their next-of-kin may have been compromised. The personal data included names, dates of birth, NRIC/FIN/passport numbers, addresses, contact numbers, bank account numbers (for crediting of salaries) and fingerprints (for door access). There was no evidence of personal data exfiltration and all personal data have been fully restored.
Remedial Actions
After the incident, as part of a remediation plan, the Organisation implemented the following:
(a) Hardening of the perimeter firewall and fine-tuning of firewall configurations;
(b) Periodic vulnerability assessment and penetration testing done annually or after major systems upgrades;
(c) Redesign of the network so that all traffic will go through the main firewall for better visibility, monitoring and logging;
(d) Implement multi-factor authentication for privileged and high-risk connections;
(e) Ensure that all active PCs and servers are installed with Endpoint Detection and Response;
(f) Upgrade the existing HRMS to one that complies with the latest industry-standard encryption algorithm;
(g) Conduct end user awareness training such as phishing simulation exercises to train employees and IT staff to identify phishing emails and be alert to spot signs of compromise.
Undertaking
Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 October 2022 (the “Undertaking”). The Organisation has since updated the Commissio…
pdf-url: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Tat-Hong-Heavyequipment-(Pte,-d-,)-Ltd.pdf
pdf-content:
WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION
This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Tat Hong Heavyequipment (Pte.) Ltd. UEN: 197801297W Registered Address: 82 Ubi Avenue 4 #05-01 Edward Boustead Centre Singapore 408832 (hereinafter referred to as the “Organisation”).
By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.
1. DEFINITIONS
In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA.
2. ACKNOWLEDGEMENTS
2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.
2.…
_commit: 948
25 f40c4f3d5a16ea9bd2427793dd233ad0feb0cabd 25 Putien Restaurant Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Pu-Tien-Restaurant-Pte-Ltd 2023-03-10 Background  The Personal Data Protection Commission (the “Commission”) was notified by Pu Tien Restaurant Pte Ltd (the "Organisation") on 6 December 2021 that it was subject to a ransomware attack on 24 November 2021. A threat actor used stolen administrator account credentials to enter the Organisation's network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware. The personal data of 350 employees was encrypted. The personal data included full names, contact numbers, NRIC, work permit, passport numbers, birth certificate and education certificate images, and bank account numbers. The Commission noted that there was no evidence of exfiltration of the personal data. Remedial Actions To prevent a recurrence of a similar incident, the Organisation took immediate remedial action to address the cause of the personal data breach. These include: (a) Development of policies and procedures in relation to IT security, cyber hygiene, protection, prevention of leakage and secure disposal of data, and incident response; (b) Implementation of security measures such as anti-virus software, firewall, multi-factor authentication, data encryption, access control, updates, and data backups; (c) Conduct of IT audit reviews on: (i) computer devices, hardware and software assets, to ensure software and operating systems were updated and patched; (ii) user accounts, to ensure all rights assigned were necessary; and (d) Conduct of cyber and data protection awareness training for key employees who handle personal data. 
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 28 July 2022 (the "Undertaking").  The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the m… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Pu-Tien-Restaurant-Pte-Ltd.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Pu Tien Restaurant Pte Ltd UEN: 200001660W Registered Address: 127 Kitchener Road, Singapore 208514 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. 
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowled… 948
24 eeb6a763909e0c1b882d1b0cfea40fda149e4731 24 Nippon Express Group https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Nippon-Express-Group 2023-01-13 Background  The Personal Data Protection Commission (the “Commission”) received data breach notifications on 25 November 2021 from Nippon Express (South Asia & Oceania) Pte Ltd, Nippon Express (Singapore) Pte Ltd and NEX Global Engineering Pte Ltd (“Nippon Express Group”). Nippon Express Group was targeted by a malicious threat actor, resulting in several servers and endpoints being encrypted with an unknown ransomware variant. These servers are centrally managed by Nippon Express (South Asia & Oceania) Pte Ltd (“NESO”) and contained not just the personal data of individuals from NESO, but also the personal data of individuals from Nippon Express (Singapore) Pte Ltd and NEX Global Engineering Pte Ltd.  The personal data of 1,077 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, passport numbers, photographs, date of birth, health information and financial information. It was established that Nippon Express Group had: (a) a lack of MFA for administrative and remote access to all systems; and (b) inadequate security reviews to identify vulnerabilities within its infrastructure. Remedial Actions After the incident, as part of a remediation plan, Nippon Express Group had: (a) Implemented MFA for all administrative and remote access; (b) Reviewed Active Directory accounts; (c) Performed an external and internal vulnerability assessment; (d) Ensured all software and operating systems were updated with patches; (e) Ensured the usage of strong passwords; (f) Implemented enterprise-grade anti-virus software; (g) Implemented the 3-2-1 backup rule; and (h) Removed remote access tools. 
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Nippon Express Group to improve its personal data protection practices, the Commission accepted an undertaking from Nippon Express Group to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 July 2022 (the “Unde… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Nippon-Express-Group.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Nippon Express (Singapore) Pte. Ltd. UEN: 197301583G Registered Address: 5C Toh Guan Road East, Singapore 608828 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. 
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considere… 948
23 d7f029af024af1727de23ccae3615f3a73010c99 23 Murata Machinery Singapore Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Murata-Machinery-Singapore-Pte-Ltd 2022-11-18 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 1 April 2022 from Murata Machinery Singapore Pte Ltd (“Organisation”) regarding a ransomware attack on its back-end servers on 31 May 2022, causing personal data stored within to be encrypted. The personal data of the 200 individuals affected included names, addresses, email addresses, contact numbers, NRIC/FIN and passport numbers, date of birth, salary and bank account numbers. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Replaced the existing firewall and VPN client with ones with more complete security features; (b) Implemented MFA before re-allowing use of VPN access into its server, and a lockout threshold of 5 failed attempts for the VPN clients’ logins as added security; (c) Restricted Remote Desktop Protocol (“RDP”) as a default setting to disallow remote access to its back-end servers on regular days, allowing RDP only for planned maintenance tasks; (d) Implemented automated offline backups of the contents of the server in the form of a tape drive; (e) Implemented regular manual data backup to encrypted hard disks that will be kept under lock and key; (f) Deployed suitable encryption software to encrypt server directories containing personal data; (g) Periodically off-loads low-use personal data to an encrypted external hard disk to be kept under lock and key offline; (h) Engaged a vendor to regularly update and maintain its firewall and VPN client, to monitor traffic on its IT network for illegal access, and to fulfil the following: i. Conduct regular audits of computer devices to ensure software and OS are updated and patched; ii. 
Conduct regular reviews and audits of domain user accounts and computer devices to clean up unused accounts; iii. Implement a local administrator password solution for domain user computer devices; and iv. Enforce server message block (SMB) signing on traffic between domain user computer devices and back-end servers (SMB signing authenticates and integrity-protects the traffic; it does not encrypt it, which would require SMB encryption)… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Murata-Machinery-Singapore-Pte-Ltd.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: MURATA MACHINERY SINGAPORE PTE LTD UEN: 198800649D Registered Address: 69 Ubi Crescent #06-01, CES Building Singapore 408561 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012; and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Or… 948
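The Pu Tien and Murata rows above both turn on remote access with valid credentials: an administrator account used over an exposed RDP port in one case, and VPN logins now guarded by MFA and a five-attempt lockout in the other. The page lists the controls but not how a defender would notice the misuse in the first place. The following is an added example, not code from the PDPC page or from either organisation; it runs a detection check over constructed Windows Security logon events (IDs 4624/4625, logon type 10 for RDP), flagging privileged accounts signing in over RDP from outside assumed internal ranges and counting the failed attempts that preceded each success. The account names, address ranges and events are all assumptions for the demo.

```python
"""Detection check: administrator accounts signing in over Remote Desktop from
outside the internal network, possibly after a run of failed attempts.
Added example, not from the PDPC page or any Organisation listed on it; event
records, account names and address ranges are constructed for the demo."""
import ipaddress

# Windows Security log event IDs and the logon type that corresponds to RDP.
EVENT_LOGON_OK = 4624     # An account was successfully logged on
EVENT_LOGON_FAIL = 4625   # An account failed to log on
LOGON_TYPE_RDP = 10       # RemoteInteractive (Terminal Services / RDP)

# Assumed internal ranges and privileged accounts for the demo.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADMIN_ACCOUNTS = {"administrator", "svc_backup"}

# Constructed sample events, shaped like a parsed EVTX/JSON export.
# 203.0.113.0/24 is a documentation range standing in for an Internet source.
SAMPLE_EVENTS = [
    {"ts": "2021-11-23T09:01:00", "event_id": 4624, "logon_type": 10,
     "account": "jtan", "src_ip": "192.168.1.20"},
    {"ts": "2021-11-24T02:10:11", "event_id": 4625, "logon_type": 10,
     "account": "Administrator", "src_ip": "203.0.113.45"},
    {"ts": "2021-11-24T02:10:13", "event_id": 4625, "logon_type": 10,
     "account": "Administrator", "src_ip": "203.0.113.45"},
    {"ts": "2021-11-24T02:10:20", "event_id": 4624, "logon_type": 10,
     "account": "Administrator", "src_ip": "203.0.113.45"},
    {"ts": "2021-11-24T02:12:00", "event_id": 4624, "logon_type": 3,
     "account": "Administrator", "src_ip": "10.1.1.5"},
    {"ts": "2021-11-24T03:00:00", "event_id": 4624, "logon_type": 10,
     "account": "svc_backup", "src_ip": "10.1.1.9"},
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_admin_rdp(events, admin_accounts=ADMIN_ACCOUNTS):
    """Return successful RDP logons by privileged accounts from non-internal
    addresses. Each hit carries the number of failed RDP attempts already seen
    for the same (account, source IP) pair, so a guessing run that finally
    succeeds stands out from a one-off sign-in."""
    failures = {}  # (account, src_ip) -> count of 4625 events seen so far
    hits = []
    for ev in events:
        if ev["logon_type"] != LOGON_TYPE_RDP:
            continue  # network/interactive logons are out of scope here
        key = (ev["account"].lower(), ev["src_ip"])
        if ev["event_id"] == EVENT_LOGON_FAIL:
            failures[key] = failures.get(key, 0) + 1
        elif ev["event_id"] == EVENT_LOGON_OK:
            if key[0] in admin_accounts and not is_internal(ev["src_ip"]):
                hits.append({**ev, "prior_failures": failures.get(key, 0)})
    return hits


if __name__ == "__main__":
    for hit in find_external_admin_rdp(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['account']} RDP logon from {hit['src_ip']} "
              f"after {hit['prior_failures']} failed attempt(s)")
```

On the sample data only the 02:10:20 Administrator logon is flagged, with two prior failures from the same address; the internal RDP session by the service account and the network (type 3) logon are ignored. A lockout threshold such as Murata's would have stopped the run before the third attempt, and restricting RDP to maintenance windows removes the listening port altogether; this check is the complement, for the sessions that still get through.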
20 89521865a019db28d43debbcbc497fcf4fa9a27e 20 “K” Line Pte Ltd, "K" Line Ship Management (Singapore) Pte. Ltd., and “K” Line (Singapore) Pte Ltd https://www.pdpc.gov.sg/undertakings/undertaking-by-k-line-pte-ltd-k-line-ship-management-singapore-pte-ltd-and-k-line-singapore-pte-ltd 2022-08-11 Background  On 3 April 2021, “K” Line Pte Ltd, "K" Line Ship Management (Singapore) Pte. Ltd., and “K” Line (Singapore) Pte Ltd (the “Organisations”) notified the Personal Data Protection Commission (the “Commission”) that they had been subjected to malware attacks. These three related Organisations are Singapore-registered subsidiaries of Kawasaki Kisen Kaisha Ltd, a foreign-registered holding company. On 18 March 2021, the Organisations were informed of a cyber incident by an overseas affiliate, also a subsidiary of Kawasaki Kisen Kaisha Ltd. An account belonging to the affiliate, which had high privilege and access rights, was compromised in the incident. The compromised account was then used to launch malware attacks on the Organisations’ IT environment in Singapore. In total, the personal data of about 2,148 individuals, including current and ex-employees and scholarship applicants, from these three Organisations was affected. The personal data included the name, address, NRIC number, passport number, nationality, photograph, family details, medical information and bank account number. Remedial Actions After the incident, as part of a remediation plan, the Organisations: (a) Reinforced the use of the built-in password protection capability for sensitive documents and the use of a desktop encryption tool by all staff. 
The Organisations also supplemented existing email reminders on cybersecurity best practices with regimented user awareness training; (b) Reviewed the Access Control List for network traffic between the Organisations and their affiliates; (c) Reviewed the administrative rights and access of the servers between the Organisations and their affiliates; (d) Changed their password policy settings and conducted a global exercise to update all user and system account credentials; (e) Employed a cybersecurity analyst to perform security alert triage and IT security projects; (f) Implemented 2FA for remote access to servers; (g) Implemented 2FA for remote access by users via Virtual Private Network (VPN); (h) Co… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-K-Line-Pte-Ltd.pdf WRITTEN VOLUNTARY UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: UEN: 199902703D Registered Address: 1 Wallich Street #07-01 Guoco Tower Singapore 078881 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. 
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertakin… 948
21 3b6031c255fe17dc08c3d6aa9abe1619103bed59 21 Inmagine Lab Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Inmagine%20Lab%20Pte%20Ltd 2022-08-11 Background  The Personal Data Protection Commission (the “Commission”) received two data breach notifications, on 13 November 2020 and 26 January 2021, from Inmagine Lab Pte Ltd (“Organisation”) regarding unauthorised access to two of its websites that took place on or about 22 March 2020 and 7 October 2020 respectively. The personal data from the websites had been exfiltrated. The datasets affected included names, addresses, email addresses and phone numbers. It was established that the Organisation (a) lacked a sufficiently robust security assessment policy, log retention policy and asset management processes, (b) had no intrusion detection or prevention systems in place and (c) operated on an outdated operating system. Remedial Actions After the incident, as part of a remediation plan, the Organisation implemented the following: (a) Developed a vulnerability assessment policy; (b) Developed an incident response plan; (c) Reviewed its log retention policy; (d) Created an asset list for tracking an inventory of its systems; (e) Implemented intrusion detection and prevention systems; (f) Reviewed, compiled and updated all its systems to the latest operating system; and (g) Adopted additional security such as two-factor authentication (“2FA”). Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted an undertaking on 23 March 2022 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The Undertaking provided that the Organisation was to complete the implementation of its remediation plan. This included the development of various policies and the implementation of the intrusion detection and prevention systems. 
The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking. Please click here to … https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Inmagine-Lab-Pte-Ltd.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Inmagine Lab Pte Ltd. UEN: 201532639M Registered Address: 11 Collyer Quay #17-00, The Arcade, Singapore 049317 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. … 948
22 57a6b3c163db1a11cff689cc16cabe4a6eae06cd 22 The National University of Singapore Society https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20The%20National%20University%20of%20Singapore%20Society 2022-08-11 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 8 October 2021 from The National University of Singapore Society (“NUSS”). NUSS stated that its website had been subjected to a SQL injection attack sometime between 6 and 7 October 2021. The personal data of 3,725 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email, NRIC number, contact number, gender, date of birth, membership number, marital status, education details and motor vehicle registration number. It was established that NUSS had (a) inadequate knowledge of the web server hosting its website, (b) inadequate security reviews to identify vulnerabilities within its website, (c) a lack of clauses within its contracts with its vendors to ensure compliance with the PDPA and (d) an overreliance on its IT vendor to maintain the security of the web server hosting its website. Remedial Actions After the incident, as part of a remediation plan, NUSS had: (a) Ensured that no personal data was stored on its web server; (b) Fixed all vulnerabilities identified in its forensics report; (c) Conducted a penetration test; (d) Established checklists, procedures and templates for third-party vendors; (e) Migrated its website to a virtual private server; and (f) Revamped its website. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by NUSS to improve its personal data protection practices, the Commission accepted an undertaking from NUSS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 14 December 2021 (the “Undertaking”). 
NUSS has since updated the Commission that it has implemented its remediation plan fully. The Commission has reviewed the matter and determined that NUSS has complied with the terms of the Undertaking. Please click here to view the Undertaking. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---The-National-University-of-Singapore-Society.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: The National University of Singapore Society UEN: S61SS0139H Registered Address: Kent Ridge Guild House, 9 Kent Ridge Drive, #01-00 Singapore 119241 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in whi… 948
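The NUSS row names the technique (SQL injection against a membership website) and the remediation, but not what the flaw looks like in code. As an added example, not code from the PDPC page or from NUSS, the block below builds a string-interpolated lookup beside its parameterised replacement and runs both against an in-memory SQLite table: the vulnerable form returns every member for a tautology payload, the safe form rejects it. The table, its rows, the field names and the payload are all constructed for the demo.

```python
"""String-built query beside its parameterised replacement, run against an
in-memory SQLite table. Added example, not from the PDPC page or NUSS; the
member table, its rows and the payload are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed membership table with the kinds of fields the breach exposed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, "
                "nric TEXT, email TEXT)")
    con.executemany("INSERT INTO members (name, nric, email) VALUES (?, ?, ?)", [
        ("Alice Tan", "S0000001A", "alice@example.org"),
        ("Bob Lim", "S0000002B", "bob@example.org"),
        ("Carol Ng", "S0000003C", "carol@example.org"),
    ])
    return con


def lookup_vulnerable(con, member_id: str):
    """User input spliced into the SQL text: the engine parses the input as
    SQL, so a crafted value rewrites the query instead of selecting one row."""
    sql = f"SELECT name, nric, email FROM members WHERE id = {member_id}"
    return con.execute(sql).fetchall()


def lookup_safe(con, member_id: str):
    """Validate the type, then bind the value. The driver hands it to the
    engine separately from the statement text, so it can never become SQL."""
    try:
        mid = int(member_id)
    except ValueError:
        return []
    return con.execute("SELECT name, nric, email FROM members WHERE id = ?",
                       (mid,)).fetchall()


# Constructed payload: a tautology that turns a one-row lookup into a full dump.
PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", len(lookup_vulnerable(con, PAYLOAD)), "rows")
    print("safe:", len(lookup_safe(con, PAYLOAD)), "rows")
```

Parameterisation is the fix for the query; NUSS's remedial action (a), keeping no personal data on the web server at all, is the complementary control that limits what a future injection could reach even if one lands.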
18 becfe1dac1474b98c6f462c97e0a768bdb5078ee 18 HSL Constructor Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20HSL%20Constructor%20Pte%20Ltd 2022-07-14 Background  The Personal Data Protection Commission (the “Commission”) was notified by HSL Constructor Pte Ltd (“HSL”) on 7 October 2021 that it was subject to a ransomware attack on 30 September 2021. As a result of the attack, 3 of its servers and a Network Attached Storage (“NAS”) device were encrypted by ransomware. The personal data of 758 current and former HSL employees was encrypted. The personal data included their name, NRIC number, residential address, email address, family information, salary information and medical information. The Commission noted that there was no evidence of exfiltration of the data. It was established that the threat actor(s) had likely gained access to HSL’s network by exploiting vulnerabilities present in the outdated software used on 2 of its servers, or by using compromised credentials. Remedial Actions After the incident, as part of a remediation plan, HSL: (a) Implemented multifactor authentication for all administrator access, for users with administrative privileges, and for accounts with access to sensitive data/systems; (b) Supplemented existing email reminders on cybersecurity best practices with regimented user awareness training; (c) Decommissioned all servers running Windows Server 2008 R2 and below; (d) Installed endpoint protection on all servers; (e) Patched all servers and the firewall; (f) Reset all admin account passwords; and (g) Closed unused ports on its firewall. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by HSL to improve its data protection practices, the Commission accepted an undertaking from HSL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2022 (the “Undertaking”). 
HSL has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that HSL has complied with the terms of the Undertaking. Please click here to view the Undertaking. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---HSL-Constructor-Pte-Ltd.pdf WRITTEN VOLUNTARY UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: HSL Constructor Pte Ltd UEN: 199405996K Registered Address: 42D Penjuru Road, HSL Waterfront @ Penjuru, Singapore 609162 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. 
The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to … 948
19 b396fef31460c4e600fc74facebb3a9f82f8eeaa 19 Asia Petworld Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Asia%20Petworld%20Pte%20Ltd 2022-07-14 Background  The Personal Data Protection Commission (the “Commission”) was notified by Asia Petworld Pte. Ltd. (“APPL”) on 8 September 2021 that its systems had been subjected to unauthorized access. The threat actor(s) had deleted APPL’s servers, including its backup servers and backup data, made mass PayPal payments and Airwallex bank transfers from the personal accounts belonging to APPL’s senior management, and potentially accessed employee payroll sheets in an email account belonging to APPL’s senior management. Personal data of about 21,000 customers was potentially disclosed. The personal data affected included their names, addresses, telephone numbers and email addresses. In addition, the personal data of 60 employees was also affected. The personal data included their names, dates of birth, NRIC number/FIN, bank account numbers and salaries credited. The Commission noted that APPL has since recovered the data via backup, as of 12 July 2021. It was established that APPL did not have adequate processes in place to protect the personal data in its possession. Remedial Actions After the incident, as part of a remediation plan, APPL: (a) reformatted each PC and desktop in its warehouse and office and installed a clean Windows 10 environment; (b) reset all Windows passwords and implemented a minimum password length of 20 characters with complexity requirements. Users were also reminded not to store passwords in plain text. Further, APPL also applied a password to documents containing personal data when they were transmitted over the internet; (c) enabled 2FA on all available applications and services; (d) implemented staff training to enhance employees’ knowledge of personal data, safety and cyber security; and (e) hardened system access, including enhancing access controls, performing regular patching, etc. 
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by APPL to improve its data protection practices, the Commission accepted an undertaking from APPL to imp… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Asia-Petworld-Pte-Ltd.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Asia Petworld Pte. Ltd. UEN: 201409741H Registered Address: 2 Woodlands Sector 1, #03-18, Woodlands Spectrum, Singapore 738068 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may … 948
17 80437a3e17d245bc9ad7e5ce32d0eae6013a26b8 17 Singhealth Polyclinics https://www.pdpc.gov.sg/Undertakings/Undertaking-by-SingHealth-Polyclinics 2022-06-16 Background  The Personal Data Protection Commission (the “Commission”) was notified by Singhealth Polyclinics (“SHP”) on 31 May 2021 that its courier service provider had misplaced a package containing the GIRO application forms submitted by its patients. Personal data of 87 individuals were affected, namely, names, telephone numbers, NRIC numbers, bank account numbers and transaction payment limits.  It was established that SHP did not have processes in place to confirm deliveries of packages by its courier service provider. The loss of the package was only discovered 3 weeks after the incident when SHP checked with the relevant banks on the status of the GIRO applications.  Remedial Actions After the incident, as part of a remediation plan, SHP: (a) conducted a process review and decided to utilize courier companies with real-time tracking for deliveries of packages containing confidential information;  (b) worked with relevant banking institutions to provide confirmation of receipt of any SHP parcel within the next working day; and  (c) rolled out additional processes to reduce the risk of loss of hardcopy documents.  Undertaking  Having considered the circumstances of the case, including the remedial steps taken by SHP to improve its data protection practices, the Commission accepted an undertaking from SHP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 5 August 2021 (the “Undertaking”).  The Undertaking provided that SHP has to complete the implementation of its remediation plan by conducting the process review and changing its processes for the handling of GIRO applications.  In addition, SHP would also conduct the necessary training for its employees and ensure their compliance with the changes in its policies. 
SHP has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SHP has complied with the terms of the Undertaking.  Please click here to view the Undert… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Singhealth-Polyclinics-2022.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: SingHealth Polyclinics UEN: 52928775K Registered Address: 167 Jalan Bukit Merah #15-10 Connection One, Singapore 150167 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking … 948
16 8e72b402c98689e46331d2efbd360f419c6f6cdd 16 Jade E-Services Singapore Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking%20by%20Jade%20E-Services%20Singapore%20Pte%20Ltd 2022-04-21 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 September 2021 from Jade E-Services Singapore Pte. Ltd. (“Organisation”) following an incident where a marketing email was wrongly sent, as a result of an employee’s lapse. The marketing email was sent to the email addresses belonging to 456,868 individuals who had withdrawn their consent to receive such marketing emails. The recipients included 165 individuals who had previously requested that their account be terminated. It was established that the Organisation lacked sufficiently robust processes to identify and correct any human error by its employees in the use of its system. The Organisation also did not have sufficiently robust retention policies. This resulted in the retention of email addresses of individuals who had unsubscribed from the Organisation’s newsletter and did not have any account with the Organisation. Remedial Actions After the incident, as part of a remediation plan, the Organisation: (a) immediately stopped any further sending of automated emails that had yet to be processed; (b) corrected the system settings; (c) implemented an additional layer of approval for all automated emails that have been modified by an employee to prevent erroneous changes; (d) sent apology emails to individuals who had received the erroneous emails; and (e) issued social media communications to inform all customers of the incident. Undertaking  Having considered the circumstances of the case, including the remedial steps taken by the Organisation to improve its personal data protection practices, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. 
The undertaking was executed on 3 December 2021 (the “Undertaking”). The Undertaking provided that the Organisation was to complete the implementation of its remediation plan to develop and implement an automated feature to trigger anonymisation of email addresse… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Jade-E-Services-Singapore-Pte-Ltd.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Jade E-Services Singapore Pte. Ltd. UEN: 201134432E Registered Address: 51 Bras Basah Road #07-01/04, Singapore 189554 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be acc… 948
15 cc49b316e5869915f0d8c07eab9094eb11898cc4 15 JT Legal LLC https://www.pdpc.gov.sg/Undertakings/Undertaking-by-JT-Legal-LLC 2022-01-14 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 16 June 2021 from JT Legal LLC (“JTL”). JTL stated that it had been subjected to an email phishing attack which allowed the threat actor to access and view files on JTL’s SharePoint. The personal data of approximately 1,006 individuals was at risk. The datasets affected comprised the names, addresses, email addresses, NRIC numbers and passport numbers. It was established that (a) JTL had insufficient training for its staff on basic cybersecurity and data protection measures, (b) there was no personal data policy or written internal guidelines, and (c) there was no IT security policy for, and no security risk management of, its information and communications technology (“ICT”) operations. Remedial Actions After the incident, as part of a remediation plan, JTL promptly implemented the following measures: (a) Implemented Multi-Factor Authentication for all user accounts; (b) Secured files and documents using password protection; (c) Implemented dedicated anti-virus on all computers; (d) Conducted a review of IT infrastructure; (e) Implemented further security measures; (f) Developed an internal reporting system; (g) Implemented training and awareness programmes for its employees; and (h) Reviewed and updated its personal data protection policy. Undertaking  The Commission recognises that JTL has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from JTL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 27 August 2021 (the “Undertaking”). The Undertaking provided that JTL has to complete its implementation of the remediation plan. 
This includes a professional review of its IT infrastructure and other measures outlined within the remediation plan. JTL has since updated the Commission that implementation of its r… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-JT-Legal-LLC-5-April-2022.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: JT Legal LLC UEN: 201706016E Registered Address: 12 Marina Boulevard #17-01 Marina Bay Financial Centre, Tower 3, Singapore (018982) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts III, IV, V, VI, VIA and IX, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Underta… 948
14 e9041fe8eb095696f0435c0a3ea023f11d0ef556 14 Fujioh International Trading Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Fujioh-International-Trading-Pte-Ltd 2021-11-11 Background  The Personal Data Protection Commission (the “Commission”) received information on 24 August 2020 that Fujioh International Trading Pte Ltd’s (“Fujioh”) website had been affected by URL manipulation, resulting in its customers’ personal data being exposed on Fujioh’s online warranty system on its website. The attacker gained access to the Organisation’s website by iterating through the customers’ given identifiers that were reflected at the end of the URL, to download the uploaded receipt images. The personal data of 2,771 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email and telephone number.  It was established that Fujioh (a) had an application weakness in the receipt submission process of its online warranty system, (b) did not have proper data protection clauses in its contract with its vendor, and (c) had insufficient data protection management.  Remedial Actions After the incident, as part of a remediation plan, Fujioh had:  (a) introduced session tokens in the online warranty system that expire at the end of each receipt;  (b) replaced its online warranty system to fix undetected vulnerabilities;  (c) established a Data Protection Management Programme that consisted of the drafting of policies and notices, the establishment of procedures, templates and a data inventory map, and a data protection training curriculum for employees; and  (d) established checklists, procedures and templates for third-party vendors.  Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Fujioh to improve its personal data protection practices, the Commission accepted an undertaking from Fujioh to improve its compliance with the Personal Data Protection Act 2012. 
The undertaking was executed on 31 March 2021 (the “Undertaking”).  The Undertaking provided that Fujioh was to complete implementation of its remediation plan by replacing its online warranty system to fix undetected vulnerabilities.  Fujioh has since updated the Commission th… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Fujioh-International-Trading-Pte-Ltd.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Fujioh International Trading Pte Ltd UEN: 199305801D Registered Address: 130 Joo Seng Road, #05-05, Singapore 368357 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.… 948
13 4a798725b22da14eeb19302545d82f57b69ae88c 13 MindChamps Preschool Limited https://www.pdpc.gov.sg/Undertakings/Undertaking-by-MindChamps-Preschool-Limited 2021-09-21 Background  The Personal Data Protection Commission (the “Commission”) received information on 27 February 2020 that a dataset containing the personal data of the users of MindChamps Preschool Limited’s (“MindChamps”) mobile application was publicly accessible via an internet link. Personal data of approximately 6,521 individuals were affected, namely, email addresses, login passwords and mobile numbers. In addition, the birth certificate numbers of 607 minors were also at risk of unauthorised disclosure. Remedial Actions After the incident, as part of a remediation plan, MindChamps: (a) engaged an external IT consultant to determine the cause of the incident;  (b) performed a password reset for all the user accounts of its mobile application; and  (c) migrated all users to a newly designed mobile application.  Undertaking  Having considered the circumstances of the case, including the remedial steps taken by MindChamps to improve its data protection practices, the Commission accepted an undertaking from MindChamps to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 7 January 2021 (the “Undertaking”).  The Undertaking provided that MindChamps was to complete the implementation of its remediation plan by carrying out data protection and security reviews on all of its current frontend and backend IT systems. In addition, MindChamps would also conduct training for its employees, ensure their compliance with its policies on vendor security management, and perform data protection impact assessments for any new IT projects. MindChamps has since updated the Commission that implementation of its remediation plan has been completed. 
The Commission has reviewed the matter and determined that MindChamps has complied with the terms of the Undertaking. Please click here to view the Undertaking. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---MindChamps.pdf VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: MindChamps PreSchool Limited UEN: 200814577H Registered Address: 6 Raffles Boulevard, #04-100 Marina Square, Singapore 039594 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 23 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. 
In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts a… 948
12 bf8314bbb67139fb3195e857b03fd2e125c3c50d 12 Equity Solution Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Equity-Solution-Pte-Ltd 2021-08-12 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 February 2021 from Equity Solution Pte Ltd (“ESPL”), informing that ESPL had been subject to a phishing attack after a staff member opened an email containing an Excel file with macro-enabled malware. The personal data of approximately 1,359 individuals was affected. The affected datasets comprised the affected individuals’ names, addresses, dates of birth, NRIC numbers, passport numbers and financial information. It was established that (a) ESPL had insufficient training for its staff on basic cybersecurity and data protection measures, and (b) there was no IT security policy for, and no security risk management of, its information and communications technology (“ICT”) operations.  Remedial Actions After the incident, as part of a remediation plan, ESPL promptly implemented the following measures: (a) Secured files and documents using password protection;  (b) Hardened its operating system; (c) Implemented a strong password protection policy; (d) Reviewed and updated its email usage policy;  (e) Implemented training and awareness programmes for its employees; and (f) Reviewed and updated its personal data protection policy. Undertaking  The Commission recognises that ESPL has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from ESPL to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 8 June 2021 (the “Undertaking”).  
The Undertaking provided that ESPL was to complete implementation of its remediation plan by subscribing to an email service provider with greater privacy and security features, and enhancing its data security processes. ESPL has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined … https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Equity-Solution-Pte-Ltd.pdf WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by: Equity Solution Pte Ltd UEN: 201601961Z Registered Address: 16 Kallang Pl #07-03 Singapore (339156) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and (b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA. 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA. 
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B. (d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted. 2.2 The Organis… 948
10 ab34617b61ded83277fee4392b60509b7a1f6eaf 10 Assisi Hospice https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Assisi-Hospice 2021-07-12 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 22 September 2020 from Assisi Hospice (“Assisi”). Assisi had disclosed personal data of its patients (“Patients”) via 43 separate emails (“Emails”) sent erroneously to a single unintended external party from January to September 2020. The aforesaid personal data was contained in a list set out in an Excel spreadsheet (“List”) attached to the Emails and updated periodically. The List was meant to serve as an easy reference for after-hours on-call employees, especially when there are difficulties in accessing Patients’ data, such as when the system containing the electronic patient records is undergoing maintenance. The List included the names, addresses, contact numbers, NRIC numbers and disease classifications of 1593 Patients (cumulative number over the 43 occasions). The disease classifications are referenced from the International Classification of Diseases.  It was established that the disclosure occurred due to an Assisi employee sending the Emails to an erroneous email address belonging to an external party. Notably, the erroneous email address was not an official work email account. The said employee had also not followed Assisi’s existing personal data protection policy to password-protect the List.  Remedial Actions After the incident, as part of the remediation plan, Assisi:  (a) ceased the practice of distributing a soft-copy List containing personal data of the Patients to its after-hours on-call employees (including via emails) and required such employees to refer to the electronic patient records instead;  (b) reminded all employees to password-protect email attachments containing personal data and to send the password in a separate channel or email thereafter. 
Where an email has no attachment, employees were required to mask personal data in the email body itself; (c) reminded all employees to use only work email accounts for communication of work-related items, and not to send any email co… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Assisi-Hospice.pdf VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Assisi Hospice UEN: 201208993Z Registered Address: 80 Raffles Place, #32-01, UOB Plaza, Singapore 048624 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 15 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. 
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circumstances, the Commission t… 948
11 e55f71c048b6c6681cdad2a75fd0e29cf2a8721b 11 Thye Hua Kwan Moral Charities Limited https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Thye-Hua-Kwan-Moral-Charities-Limited 2021-07-12 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 April 2020 from Thye Hua Kwan Moral Charities Limited (“THKMC”), after THKMC discovered that its website was hacked. Investigations revealed that malicious actors had gained access to the web content management system, by altering a web configuration file which had been left in a public directory without protection for the usage of the file. The employee tasked with the administration of the website lacked the requisite technical knowledge and awareness of basic website security features and cyber security hygiene. As a result, the personal data of 550 volunteers was at risk of unauthorised access. However, investigation by THKMC found no evidence of data loss or access by third party visitors. The types of personal data which were at risk included the volunteers’ names, residential telephone numbers, mobile numbers, email addresses, residential addresses, dates of birth, volunteering experiences, and interests. Remedial Actions After the incident, as part of the remediation plan, THKMC: (a) engaged a professional web development vendor to re-build its website to conform with established web security standards and the Open Web Application Security Project (OWASP) guidelines; (b) took preventive measures to harden the website by subscribing to cyber security threat monitoring software and updating the Firewall IP tables with the blacklisted IPs of past attackers; (c) discontinued the storage of personal data on its new website. 
The volunteer sign-up page and database were outsourced to a third-party cloud-based volunteer management portal which has a set of security controls to protect the personal data that it collects; (d) migrated internal report submission services from the THKMC internet website to THKMC intranet staff portal, which is a more secure environment; (e) assigned control of website administration (previously administered by its Corporate Communications Department) and operations hos… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Thye-Hua-Kwan-Moral-Charities-5-April-2022.pdf VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Thye Hua Kwan Moral Charities Limited UEN: 201130733N Registered Address: 1 North Bridge Road, #03-33, High Street Centre, Singapore 179094 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 27 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. 
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the rel… 948
8 b55ba72d2a364811c6297c1e03ad7960b709634c 8 Seafront Support Company Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Seafront-Support-Company-Pte-Ltd 2021-06-10 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 17 July 2020 from Seafront Support Company Pte. Ltd. (“Seafront Support”) informing that a ransomware attack had rendered data on its server inaccessible. The personal data of approximately 400 to 500 individuals was lost in the incident. The affected datasets comprised the affected individuals’ full name, last 3 digits and checksum of their NRIC number, passport number, last 3 digits and checksum of their FIN number, first 5 digits of their work permit number, address, date of birth, salaries and/or CPF payment details.  It was established that Seafront Support had not implemented adequate security measures to protect the personal data in the server at the time of the incident. Seafront Support did not have a dedicated IT department to monitor and manage its IT system, including the server, which had not been patched regularly. Seafront Support’s staff were also not well-informed of safe IT practices. Remedial Actions After the incident, as part of a remediation plan, Seafront Support: (a) engaged an external IT consultant to manage its IT system;  (b) conducted an audit of Seafront Support’s entire IT system and made improvements to harden its IT system; (c) developed and implemented an IT security policy; (d) conducted meetings and sent periodic email reminders on safe IT practices to increase staff awareness on cybersecurity issues; and (e) instructed staff to back up their files daily on separate cloud-based storage. 
Undertaking  Having considered the circumstances of the case, including the remedial steps taken by Seafront Support to improve its personal data protection practices, the Commission accepted an undertaking from Seafront Support to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 December 2020 (the “Undertaking”).  The Undertaking provided that Seafront Support was to complete the implementation of its remediation plan by upgrading it… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Seafront.pdf VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Seafront Support Company Pte. Ltd. UEN: 201106511C Registered Address: 102E, Pasir Panjang Road, #02-08, Citilink Warehouse Complex, Singapore 118529 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 25 November 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. 
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered … 948
9 f4d8851e5210f2a6535f23d99232477d195be170 9 Platinum Yoga Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Platinum-Yoga-Pte-Ltd 2021-06-10 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 29 October 2020 from Platinum Yoga Pte. Ltd. (“Platinum Yoga”), informing of a suspected alleged act of mischief by a terminated employee of Platinum Yoga, who gained unauthorised access to its Customer Relationship Management (“CRM”) system and Facebook account. The CRM system held the email addresses and photographs of Platinum Yoga’s members. Consequently, photographs of 25 individuals were disclosed in an unauthorised Facebook post, and the email addresses of 58 individuals were disclosed in an email impersonating Platinum Yoga. It was established that Platinum Yoga had 1) lacked access restriction to the accounts it had, which included the CRM system and its Facebook account; 2) lacked dedicated personnel to ensure and enforce password changes to the CRM system and Facebook account periodically or whenever necessary, among its employees; and 3) not developed a data protection policy internally. Remedial Actions After the incident, as part of a remediation plan, Platinum Yoga: (a) Implemented access restrictions to the CRM system and other accounts, including access to the CRM system on a need-to-know basis, and 2 Factor Authentication to accounts where possible; (b) Ensured that personal data can be viewed or accessed only from its property; (c) Appointed a dedicated team to monitor and ensure password changes to the CRM system and other accounts periodically, and whenever necessary, among its employees; (d) Implemented periodic reminders to members on changing of passwords; (e) Implemented quarterly review of its internal data protection policy. 
Undertaking  Having considered the circumstances of the case, including the remediation actions taken by Platinum Yoga to improve its personal data protection practices, the Commission accepted an undertaking from Platinum Yoga to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2021 (the “Undertaking… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Platinum-Yoga-Pte-Ltd.pdf VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Platinum Yoga Pte. Ltd. UEN: 201109593N Registered Address: 1 Marine Parade Central, #13-09 Parkway Centre, Singapore 449408 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated <14 January 2021> from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. 
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts an… 948
7 dadb6a547ccf8a5d54e7e5795704abcf40d731cd 7 DLI Asia Pacific Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-DLI-Asia-Pacific-Pte-Ltd 2021-05-12 Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 18 June 2020 from DLI Asia Pacific Pte Ltd (“DLIAP”), informing that a ransomware attack had infected one of its file servers (“the File Server”), affecting the personal data of approximately 848 individuals. The affected datasets comprised the affected individuals’ names, addresses, contact numbers, dates of birth, marital status, insurance policy details, insurance premiums, passport copies, education background, employment details and/or salary information. It was established that DLIAP had not implemented adequate security measures to protect the personal data in the File Server at the time of the incident. In particular, there were insufficient controls to regulate access to the File Server via a virtual private network (“VPN”). The server hosting the VPN had not been patched, and the same credentials were used to access both the File Server and the VPN.
Remedial Actions After the incident, as part of a remediation plan, DLIAP: (a) Implemented multi-factor authentication to strengthen VPN login;  (b) Implemented different user accounts for VPN and File Server access; (c) Implemented a virtual desktop for its IT vendor with activity monitoring; (d) Engaged a security consultant to review its current IT infrastructure and propose enhancements;  (e) Implemented additional security monitoring by a different IT vendor; (f) Improved patch update & management processes; (g) Established thorough file management rules for cloud storage of data; (h) Implemented email rules including password rules for attachments; and (i) Implemented compliance training for DLIAP’s employees. Undertaking The Commission recognises that DLIAP has made efforts to address the concerns raised in this case and to improve its personal data protection practices. Having considered the circumstances of the case, the Commission accepted an undertaking from DLIAP to improve its compliance with the Personal Data Protection Act 2012. The… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---DLI-Asia-Pacific-Pte-Ltd.pdf VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: DLI Asia Pacific Pte Ltd UEN: 201431235K Registered Address: 12 Marina view #24-03/04 Asia Square Tower 2 S(018961) (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. 
DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 1 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. (b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and circum… 948
6 30d986a796cbef1bc88e629159ce75844c423851 6 Manulife (Singapore) Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Manulife-Singapore-Pte-Ltd 2021-04-15 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 23 March 2020 from Manulife (Singapore) Pte Ltd (“MLS”), informing that a representative who was licensed to provide financial advisory services representing MLS had misplaced an unencrypted thumb drive which contained the personal data of 104 individuals on 19 March 2020. The personal data consisted of NRIC images, passport images, MLS forms used to conduct financial needs analysis for clients, MLS insurance application forms, medical reports, claims documents (current and past claims), and insurance summaries for client portfolios. It was found that MLS’ financial representatives had not been continuously informed of, and trained on, up-to-date requirements on the permissibility of using personal devices for business purposes and the proper use of removable storage media via onboarding and refresher training sessions, circulars and quarterly bulletins.  Remedial Actions After the incident, MLS notified all affected individuals of the incident and monitored their insurance policies for unusual requests and/or transactions for a period of six months. A refresher training on privacy and data security was also conducted for MLS representatives.   Undertaking  The Commission considered the circumstances of the case and accepted an undertaking from MLS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 January 2021 (the “Undertaking”).  
The Undertaking provides that MLS was to:  (a) take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A of the Undertaking; and  (b) provide a status report to the Commission at a time requested by the Commission confirming whether MLS has fulfilled each of the specific measures set out in the implementation plan. MLS has since provided the Commission with the status report referred to at paragraph 5(b) above. The Commission has reviewed the matter and determined that MLS h… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Manulife-Singapore.pdf VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Manulife (Singapore) Pte Ltd UEN: 198002116D Registered Address: 8 Cross Street, #15-01, Manulife Tower, Singapore 048424 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 4 January 2021 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. 
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has several enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below. (d) Having carefully considered all the relevant facts and circums… 948
5 7fff9707a7ac5ea1ba96fd1c505bffca8bf48690 5 StarMed Specialist Centre Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-StarMed-Specialist-Centre-Pte-Ltd 2021-02-18 Background  The Personal Data Protection Commission (the “Commission”) received a data breach notification on 7 February 2020 from StarMed Specialist Centre Pte Ltd (“StarMed”), informing that ransomware had infected one of its servers and encrypted a database containing 373 patients’ personal data. The personal data consisted of the name, NRIC number, date of birth, gender, electrocardiogram data and treadmill stress test data. It was established that StarMed had not implemented the necessary security measures at the time of the incident. A Remote Desktop Protocol (“RDP”) Port had been left open, which likely enabled the unauthorised access to the database. In addition, both the server and database had weak login credentials and passwords. Remedial Actions After the incident, StarMed disabled the RDP Port and all public facing connections on the firewall. It also formalised its internal password SOPs into a written password policy. Additionally, StarMed rolled out several group-led IT security enhancement initiatives, including the implementation of a secured wide-area network and cybersecurity protection suite. StarMed will also continue to bolster staff awareness on cybersecurity issues through further training at its Cyber Security Awareness workshops, conducted by an external cybersecurity consultant. Undertaking  The Commission considered the circumstances of the case and accepted an undertaking from StarMed to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2020 (the “Undertaking”). 
The Undertaking provides that StarMed was to: (a) review password policies relating to StarMed’s servers and IT equipment storing personal data; (b) review process of login authentication on StarMed’s servers and IT equipment storing personal data; (c) review the need for an alert system in the event of multiple failed account login attempts to StarMed’s server and IT equipment storing personal data, including logging such attempts; (d) once the Commission approves… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---StarMed.pdf VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: StarMed Specialist Centre Pte Ltd UEN: 201629251M Registered Address: 7 Temasek Boulevard #12-10 Suntec Tower One Singapore 038987 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated [Date] from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions. 
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith. (d) Having carefully considered all the relevant facts and … 948
4 fd15ac0c88507638e0f0e483f93c110aab57a8de 4 NEC Asia Pacific Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-NEC-Asia-Pacific-Pte-Ltd 2021-01-14 Background  On 28 August 2017, the Personal Data Protection Commission (the “Commission”) received a data breach notification from JK TruData Solutions Pte Ltd (“JK TruData”) regarding a print job request via email (the “Email”) that it had received from NEC Asia Pacific Pte Ltd (“NEC”). The Email enclosed personal data that had been received by NEC from the common end customer (“Customer”) of both NEC and JK TruData (the “Incident”). JK TruData informed the Commission that it was not the intended recipient of the Email.  The Commission’s investigations showed that NEC employed a two-step process when sending relevant data to appointed printing vendors: (a) first, NEC would send the relevant data to the printing agent via an automated email function; (b) thereafter, NEC would follow up manually with an email to confirm the receipt of the automated email; NEC’s SOP required the staff doing this to check that the recipient was correct before sending the email, and for all confidential data to be encrypted. In this Incident, a mistake was made at the second step – an NEC employee sent the follow-up email (with the same content and attachment contained in the automated email without any encryption) to JK TruData instead of the correct printing agent.  Although the Commission’s investigation findings suggested that NEC had not fully complied with its obligations under the PDPA, the Commission recognised that there was limited impact from the disclosure. The Commission found that disclosure of personal data had been limited to two authorised printing vendors of the Customer, one of which was JK TruData themselves, who were already bound in contract to the Customer to keep such information confidential. 
JK TruData also was already familiar with the types of personal data contained within the attachment and there was no further disclosure by NEC beyond JK TruData. The Deputy Commissioner also recognised that the incident did not arise as a result of the lack of controls but that the controls put in place by NEC were no… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---NEC.pdf APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: NEC Asia Pacific Pte Ltd UEN: 197700754G Registered Address: 80 Bendemeer Road #05-01/02, Hyflux Innovation Centre Singapore 339949 By signing this Undertaking, NEC Asia Pacific Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commission’s Letter” means the letter dated 4 April 2018 from the Commission to NEC Asia Pacific Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (c) “Data Protection Provisions” means Parts III to VI of the PDPA. (d) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (e) “Time Frame” has the meaning given to it in paragraph 3.2. (f) “NEC” means NEC Asia Pacific Pte Ltd. 2. ACKNOWLEDGEMENTS 2.1. NEC hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of NEC, which allegedly infringe one or more provisions of the Data Protection Provisions. (b) The detailed facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to NEC. 
(c) NEC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) The Commission’s investigation findings suggest that NEC has not fully complied with its obligations under the PDPA. (e) As a result of the alleged non-compliance with the PDPA, the Commission has a number of enforcement options under the PDPA, including the option to give a … 948
1 216bf0da47497fa41ce7a7fa5c79070fa910939a 1 Grabcar Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Grabcar-Pte-Ltd 2020-09-10 Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 14 June 2018 from Grabcar Pte Ltd (“Grabcar”). Grabcar had inadvertently sent an email report on 6 June 2018 (the “Report”) to 9 fleet group partners. The Report contained the name, NRIC number, telephone number, and vehicle rental details of 110,931 Grabcar drivers. Each fleet partner was supposed to receive a filtered copy of the report, containing only the information of the drivers under its fleet. However, the Report contained information of drivers that were not in the respective fleet partner’s fleet. It was established that the inadvertent disclosure occurred due to an error in the script written by a software provider engaged by Grabcar. On 4 June 2018, Grabcar had requested the software provider to replicate the schedule for sending out the email report to accommodate a new version of the report. However, the software provider made a mistake in the script, which led to the email filter being set to “all”. Remedial Actions Each fleet partner was bound by confidentiality clauses in their partnership agreement with Grabcar, which required the fleet partner to protect personal data received from Grabcar. Upon discovering the inadvertent disclosure, Grabcar contacted the fleet partners and requested that they delete the email containing the Report. The fleet partners confirmed to Grabcar that they had done so, within 40 mins of the email being sent. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from Grabcar to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 23 March 2020 (the “Undertaking”).
The Undertaking provides that Grabcar was to: (a) review its change management process and to ensure that reasonable security checks are made before deploying such changes; (b) propose an implementation plan for fulfilling the above; (c) once the Commission approves the proposed implementation plan, comply w… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---Grabcar.pdf LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by: Grabcar Pte. Ltd. UEN: 201427085E Registered Address: 6 Shenton Way, #38-01, OUE Downtown, Singapore 068809 (hereinafter referred to as the “Organisation”). By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1 In this Undertaking: (a) “Commission’s Letter” means the letter dated 21 February 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto; (b) “Data Protection Provisions” means Parts III to VI of the PDPA; and (c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). 2. ACKNOWLEDGEMENTS 2.1 The Organisation hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of the Organisation, which infringes one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to the Organisation. 
(c) The Organisation agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) As a result of any non-compliance with the PDPA by an organisation, there are a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (e) The Commission recognises that the Organisation has ma… 948
2 37bd4cdd0b27d929983b1ff4a241ffeae39691a5 2 Employment & Employability Institute Pte Ltd https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Employment-Employability-Institute-Pte-Ltd 2020-09-10 Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 24 July 2019 from Employment & Employability Institute Pte Ltd (“e2i”). e2i had disclosed personal data of its jobseekers via an email (“Email”) sent erroneously to one external party. The aforesaid personal data was contained in an Excel Spreadsheet (“Spreadsheet”) attached to the Email. The Spreadsheet contained the name, NRIC number, email address, date of birth, citizenship, race, gender, qualifications and employer name of 101 jobseekers. Additionally, 24 sets of actual salary information and 77 sets of desired salary information belonging to the same 101 jobseekers were also disclosed. It was established that the inadvertent disclosure occurred due to an e2i employee selecting the wrong recipient from the dropdown list. The Email was meant for an internal colleague. However, as the external party bore the same first name as the internal colleague, the wrong recipient was picked. Remedial Actions e2i communicated with the external party to delete the Email and the Spreadsheet. Additionally, e2i reminded all employees to password protect all files containing personal data for both internal and external correspondence. Guidelines on protecting personal data were also emailed to all employees. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 November 2019 (the “Undertaking”).
The Undertaking provides that e2i was to: (a) review its procedures for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees; (b) review the training of employees involved in correspondences that may comprise or touch on the personal data of jobseekers on how to handle and protect the data adequately; (c) propose an implementation plan for fulfilling the above; (d) once the Comm… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---e2i-2020.pdf APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: Employment and Employability Institute Pte Ltd UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 By signing this Undertaking, Employment and Employability Institute Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commissioner” means the Commissioner for Personal Data Protection. (c) “Commission’s Letter” means the letter dated 17 October 2019 from the Commission to Employment and Employability Institute Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “E2i” means Employment and Employability Institute Pte Ltd, a company incorporated in Singapore (UEN: 200704772C). 2. ACKNOWLEDGEMENTS 2.1.
E2i hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of E2i, which infringes one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to E2i. (c) E2i agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) As a result of any non-compliance with the PDPA by an organisation, there… 948
3 4d507e6992e221664d138fc0a91101fd2035fc72 3 HSBC Bank (Singapore) Limited https://www.pdpc.gov.sg/Undertakings/Undertaking-by-HSBC-Bank-(Singapore)-Limited 2020-09-10 Background On 21 May 2018 and 30 May 2018 respectively, the Personal Data Protection Commission (the “Commission”) received complaints from two individuals that HSBC Bank (Singapore) Limited (“HSBC”) had sent them a marketing email (the “Email”) without their consent (the “Incident”). HSBC reported the Incident to the Commission voluntarily on 25 May 2018. As reported by HSBC, the Email was a “test email”, and it had intended to send the Email only to HSBC’s employees to test their eDM (electronic direct mail) platform. However, due to incorrect configurations set on the eDM platform, the Email was sent to a significant number of email addresses (more than 100,000). This number included email addresses of individuals who had withdrawn their consent to receive marketing emails from HSBC. The individuals had received the Email twice, as it was sent once on two consecutive days. No personal data was disclosed in the Incident. Remedial Actions HSBC rectified the configuration settings immediately upon finding out about the error. In addition, to prevent recurrence of similar incidents, HSBC introduced a checklist to ensure all procedures were adhered to prior to the sending of eDMs. It also cleaned up its existing database. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from HSBC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2020 (the “Undertaking”).
The Undertaking provides that HSBC was to: (a) review and update its procedure for the sending of eDMs using its emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of eDMs to all email addresses stored in its database; (b) review the training provided for its employees involved in the eDM process, particularly in the steps necessary to select and verify the correct email addresses; (c) review the process of retaining and storing email addresses of both current and former customer… https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---HSBC.pdf APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: HSBC Bank (Singapore) Limited UEN: 201420624K Registered Address: 21 Collyer Quay #13-02 HSBC Building, Singapore 049320 By signing this Undertaking, HSBC Bank (Singapore) Limited acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “PDPC” means the Personal Data Protection Commission. (b) “Commissioner” means the Commissioner for Personal Data Protection. (c) “Commission’s Letter” means the letter dated 12 December 2019 from the Commission to HSBC Bank (Singapore) Limited concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “HSBC” means HSBC Bank (Singapore) Limited, a company incorporated in Singapore (UEN: 201420624K). 2. ACKNOWLEDGEMENTS 2.1. HSBC hereby acknowledges the following matters: (a) PDPC has carried out an investigation into certain acts and practices of HSBC involving the erroneous sending of electronic direct mails (the “Incident”).
(b) The facts and circumstances relating to the Commission’s investigations are set out in the Commission’s Letter, a copy of which has been furnished to HSBC. (c) HSBC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts and allegations, and that it has done so in the form of the following documents: i. Response to “NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION ACT 2012” dated 20 June 2018; ii. Response to “SECOND NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION… 948

CREATE TABLE [pdpc_undertakings] (
   [_id] INTEGER PRIMARY KEY,
   [_item_id] TEXT,
   [id] TEXT,
   [organisation] TEXT,
   [url] TEXT,
   [timestamp] TEXT,
   [description] TEXT,
   [pdf-url] TEXT,
   [pdf-content] TEXT,
   [_commit] INTEGER
);
CREATE UNIQUE INDEX [idx_pdpc_undertakings__item_id]
    ON [pdpc_undertakings] ([_item_id]);