New Commission's Decisions and Undertakings on 14 July 2022

14 Jul 2022

For breaching the Protection Obligation, a financial penalty of $67,000 was imposed on Quoine for failing to put in place reasonable security arrangements to protect the personal data in its possession.

Similarly, a financial penalty of $12,000 was imposed on Terra Systems for failing to put in place reasonable security arrangements to protect the personal data of individuals in its customer relationship management portal in Re Terra Systems Pte Ltd [2021] SGPDPC 7. An application for reconsideration was filed against the decision in Re Terra Systems Pte Ltd [2021] SGPCPC 7. Upon review and careful consideration of the application, the Commissioner had decided to affirm the finding of the breach of section 24 of the PDPA as set out in the decision and the financial penalty in the Reconsideration Decision.

A financial penalty of $10,000 was also imposed on Audio House for failing to put in place reasonable security arrangements to protect the personal data in its possession from a ransomware attack.

Directions were issued to Crawfort to conduct a security audit of its technical and administrative arrangements for its AWS S3 environment and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where Crawfort's customer database were offered for sale in the dark web.

The PDPC also accepted undertaking from 2 organisations, HSL Constructor Pte Ltd and Asia Petworld Pte Ltd, which implemented remediation plans that rectified the immediate breach and addressed systemic shortcomings to ensure continual compliance with the PDPA.

Access the Decisions here and Undertakings here.

Follow us on Telegram for the latest updates on personal data protection: https://t.me/pdpcsg