Errant businesses rapped for breaches of Personal Data requirements

May 7, 2016

The Personal Data Protection Commission (“PDPC”) recently released a record documenting various enforcement actions it has taken against businesses which have breached the requirements of the Personal Data Protection Act (“PDPA”).

It has been close to 2 years since the PDPA has come into force in Singapore and the “honeymoon” period for businesses to get to know and implement its requirements is clearly over. It is evident from the report that the PDPC has been active on the enforcement front and has followed up on and/or taken action in 92% of the 667 complaints received by it.

The following are salient points gleaned from the report:

1. Businesses which hold personal data must ensure that its IT system is secure and there is no leakage of personal data. K Box Entertainment Group Pte Ltd was fined $50,000 for flouting this requirement.

2. IT outsourcing service providers or System Implementors can also be liable if they fail to address vulnerabilities in the client’s IT system which cause personal data to be leaked. Finantech Holding Pte Ltd failed to do that when developing and managing a CMS platform for a client (which resulted in a data leak) and for this, it was fined S$10,000.

3. The PDPC also highlighted concerns relating to Xiaomi Singapore Pte Ltd’s cloud messaging services which the company had since addressed by providing commitments to bolster the PDPA compliance processes and policies.

4. When a complaint is received and a breach of the PDPA is identified, the PDPC will examine several factors in determining the severity of the infringement and accordingly, the severity of the “punishment” to be meted out. These are:

a. Whether the organisation had implemented any data protection policies and processes

b. Whether reasonable measures had been taken to prevent infringement of the PDPA including providing training for the employees to educate them on the requirements of the PDPA and the do’s and don’ts

c. Whether the organisation has systems in place to check the vulnerabilities of its IT system.


What is not clear to (or ignored by) many businesses is that the PDPA makes it compulsory for all companies which collect, use and/or disclose personal data to implement an inhouse personal data privacy policy and to train its staff on the terms of the policy as well as the requirements of the PDPA.

This inhouse policy is meant to be used for your own employees and service providers and is to be distinguished from the privacy policy which you place on your website.

Businesses who engage employees and third parties to market and sell its products/services or give them access to their customers’ personal data (e.g. sales team members, IT service providers, accountants, advertising agencies, marketing agents, email “blasters”…etc) must know that what these employees/third parties do with the customers’ personal data will also have implications on them.

So if the employee or third party service breaches the PDPA by using a company’s personal data wrongfully, the company itself (together with the employee/third party) will be liable to be charged under the PDPA. It is suggested therefore that appropriate provisions should be inserted in employment contracts and service contracts to ensure the company is protected in such circumstances.

These are some of the measures that companies should take to ensure that in the event someone in their organisation breaches the PDPA, the PDPC will take into account the above measures which will be seen favourably as mitigatory steps taken the company.

Should you have any queries or comments on the above note, kindly contact

If you like to continue receiving our regular updates, please “like” our Facebook page at or drop us an email to indicate your wish to subscribe at

 Important Notice: The contents of this note are owned by its author and subject to copyright protection in Singapore and, through international treaties, other countries. No part of this note may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means) without the prior written permission of Gluu.

While the information in this note is correct to the best of the author’s knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action. Should you intend to rely on the contents of this note, please seek legal advice applicable to your specific situation.

Share This

Hey, like this post? Why not share it with a buddy?

More Posts

Leave A Reply