New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 10 March 2023
Legal Development, 13 March 2023
Asia Pacific
Data Protection & Privacy
The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings last Friday (10 March 2023).
In total, two enforcement decisions (the Eatigo case and the Sembcorp Marine case) and one voluntary undertaking (the Putien Restaurant case) were published.
In this client update, we summarise the decisions and the undertaking and present our key takeaways.
Key takeaways:
There are several key takeaways from these recent decisions and the undertaking:
- For an organisation to effectively safeguard the personal data in its possession or control, it must first know what its personal data assets are. The surest way to achieve that visibility is to maintain a comprehensive personal data asset inventory. The Eatigo case demonstrates the consequences of not maintaining a proper personal data asset inventory.
- When responding to the PDPC's queries in an investigation, organisations are advised to respond promptly and fully (including to the PDPC's notices to produce specified information and documents (NTPs)). In the Eatigo case, the PDPC appeared to be frustrated by Eatigo's inadequate responses to its queries, which led to the PDPC expending substantial time and resources in engaging with Eatigo. The PDPC cited this as an aggravating factor when determining the financial penalty imposed.
- In certain circumstances, the PDPC may accept a voluntary undertaking in lieu of a full investigation, as seen in the Putien Restaurant case. A benefit of a voluntary undertaking is that it does NOT amount to an admission of breach of the Personal Data Protection Act 2012 ("PDPA"). Although the PDPC has full and complete discretion to accept (or reject) a voluntary undertaking, organisations under investigation by the PDPC may consider it appropriate to enter into a voluntary undertaking to potentially obtain the benefit of a non-admission of breach of the PDPA and the non-imposition of a financial penalty (as compared to a full PDPC investigation).
- The Protection Obligation is still the most breached obligation of the PDPA. Nevertheless, if an organisation can demonstrate that it had appropriate (and reasonable) security arrangements in place prior to an incident, the PDPC will more likely than not consider that the organisation has complied with its Protection Obligation. This appears to be the case in the Sembcorp Marine decision: the organisation took robust steps to ensure that it had good cybersecurity policies and practices in place and that these were carried out on a regular basis, and the PDPC took this into account in deciding the outcome of its investigation.
| Name of Decision / Undertaking | Summary of Incident | Type of Potential Breach of the PDPA | Complaint / Self-reported | Number of affected individuals; Types of personal data affected | Outcome |
|---|---|---|---|---|---|
| Eatigo International Pte. Ltd. | Personal data breach. A cache of personal data suspected to have come from Eatigo's database was being offered for sale on an online forum. | Protection Obligation | Complaint by a third party | 2.74 million individuals. Personal data affected were: | |
| Sembcorp Marine Ltd | Personal data breach. Sembcorp Marine was the subject of a data breach involving exploitation of the Log4j (Log4Shell) zero-day vulnerability, which affected millions of computers worldwide in late 2021/early 2022. | Protection Obligation | Self-reported | 25,925 individuals. Personal data affected included: | The PDPC held that Sembcorp Marine had made reasonable security arrangements to protect the personal data it possessed and/or controlled because: |
| Putien Restaurant Pte. Ltd. | Personal data breach | Protection Obligation | Self-reported | 350 individuals. Personal data affected: | |
To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below: