TRS Forensics Technology Risk Security Forensics
Personal Data Protection Updates

On 18 November 2022, the Personal Data Protection Commission (“PDPC”) released two decisions relating to the Personal Data Protection Act (“PDPA”). At TRS, we have summarised the cases for your convenience as follows:

Organisation(s) / Cause of Data Breach | Outcome | Category of Key Lapse (Technical / Process / People)
Supernova Pte Ltd and Shopify Commerce Singapore Pte Ltd (Decision): failure to ensure protection of their personal data to a standard comparable to the PDPA | Directions imposed | - / X / -
Farrer Park Hospital Pte Ltd (Decision): failure to implement sufficient security arrangements to protect the personal data in its possession or control | S$58,000 penalty | X / X / -
Total (November 2022) | | 1 / 2 / 0

Learning Points:

When transacting online, cross-border transfers of personal data are inevitable. While merchants often focus on the security of the e-commerce platform itself, they tend to overlook a specific requirement of the PDPA: ensuring that personal data transferred overseas will continue to be protected at a standard comparable to the PDPA.

In the case of Supernova Pte Ltd (“Supernova”) and Shopify Commerce Singapore Pte Ltd (“Shopify SG”), Supernova, an online retailer, engaged Shopify Inc (“Shopify”), an e-commerce platform based in Canada, to sell its products to customers. Shopify SG acts as the Asia-Pacific data sub-processor of Shopify; its role is to collect customer personal data via the platform and transfer that data out of Singapore to Shopify for both Purchase Processing and Platform Processing. The incident occurred when two Philippines-based service contractors of Shopify illegally accessed and exfiltrated the personal data of 23,928 customers, including Supernova’s, stored in Shopify’s system.

PDPC’s investigations revealed that both Shopify SG and Supernova had failed to comply with the Transfer Limitation Obligation. For Shopify SG, there were no legally binding obligations, in the form of contracts or binding corporate rules within the Shopify group, requiring Shopify to provide PDPA-comparable protection for personal data transferred from Shopify SG to Shopify for processing. Likewise, Supernova had failed to put in place the contractual clauses needed to ensure that Shopify SG protected its personal data to a standard comparable to the PDPA.

To ensure that the Transfer Limitation Obligation is adhered to, organisations can consider implementing the following:

  1. Appoint one or more Data Protection Officers (DPOs), who will ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
  2. When transferring personal data to a third party or engaging a data processor, ensure that the receiving organisation is bound by legally enforceable obligations to provide protection comparable to the standard under PDPA;
  3. When sharing data among related entities, establish binding corporate rules to enforce data protection requirements comparable to the standard under PDPA;
  4. Sign contractual clauses with data intermediaries or external IT vendors that include adequate provisions on personal data protection prior to any transfer or disclosure of personal data; and
  5. Consider retaining your external IT vendors for annual maintenance, vulnerability checks on your network and servers and penetration testing on publicly accessible databases.

You may also contact us at infotrs@trsforensics.com for a non-obligatory discussion on how we can assist you to strengthen your organisation's data protection processes and controls.

Singapore | Malaysia | China

The content of this newsletter is for general information only and does not constitute advice to you. Readers are encouraged to contact us, TRS, at infotrs@trsforensics.com to obtain advice tailored to their particular circumstances. All discussions will be confidential and non-obligatory.


Copyright © TRS Group of Companies. All rights reserved.
90, Lorong 23 Geylang
Agrow Building, #05-01
Singapore 388393