Undertaking by Cold Press Index Pte Ltd
Background
On 3 April 2025, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual (the “Complainant”) against Cold Press Index Private Limited (the “Organisation”) concerning the disclosure of the Complainant’s personal data without consent. The Complainant had discovered that the Organisation had posted the Complainant’s personal data (name, residential address, contact number) in its replies to two of the Complainant’s reviews of the Organisation on its Google Review Pages (the “Incident”).
The Complainant had provided the said personal data to the Organisation for purposes of contact and fulfilling delivery of an order placed with the Organisation. After being informed on the day of the delivery that the order could not be fulfilled and being refunded, the Complainant shared the negative experience in a public review on three of the Organisation’s Google Review Pages.
In response to the Complainant’s reviews, the Organisation posted the said personal data as part of its replies on two of the three Google Review Pages, to “shame” the Complainant. The Organisation did not limit disclosure to the extent necessary for the original consent, and did not notify the Complainant of the new purpose of the disclosure or seek fresh consent before the disclosure on the Google Review Pages, as required under sections 13(a), 18 and 20(1) of the Personal Data Protection Act 2012 (“PDPA”). The Commission notes that the Organisation did not disclose personal data in its replies to other reviews on its Google Review Pages.
The Organisation did not have a data protection officer and did not provide this information to the public as required to comply with section 11 of the PDPA. The Organisation has since appointed a data protection officer and published this information, removed the Complainant’s personal data on the Google Review Pages, reviewed its data protection policies to highlight the importance of data protection, and ensured that its staff do not disclose personal data without consent when responding to any Google reviews to prevent a recurrence of the Incident.
Voluntary Undertaking
Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the PDPA. The Undertaking was executed on 15 September 2025.
As part of the Undertaking, the Organisation will:
(a) Refrain from disclosing personal data about individuals unless (i) the individual gives, or is deemed to have given, his or her consent under the PDPA, or (ii) the disclosure of personal data falls within the exceptions provided for under section 17 read with the First and Second Schedules to the PDPA; and
(b) Take appropriate measures to ensure that the Organisation complies with its obligations under the PDPA for a period of not less than six months from the date of entering into this Undertaking.
If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction to ensure the Organisation’s compliance with the Undertaking.