No reporting to PDPC required

Where a data breach is discovered by a data intermediary, the data intermediary is:

  1. required to notify the relevant organisation or public agency (i.e. Data Controller) without undue delay from the time it has credible grounds to believe that the data breach has occurred. The organisation that engaged the data intermediary remains responsible for notifying the affected individuals and/or the PDPC.
  2. not required to assess whether the data breach is notifiable, or to notify affected individuals and/or the PDPC.

You can refer to our Guide to Managing and Notifying Data Breaches under the PDPA for more information.

If you wish to continue with the assessment, please click the following link: