Undertaking by JWEN Marketing Pte Ltd

Background 

On 25 March 2025, the Personal Data Protection Commission (the “Commission”) received a complaint that JWEN Marketing Pte. Ltd. (the “Organisation”) was handling jobseekers’ personal data in ways that did not comply with the Personal Data Protection Act (“PDPA”). The Organisation places job listings on behalf of hiring companies and refers jobseekers to the hiring companies.

There was no evidence of collection, use or disclosure of personal data without consent or without notifying jobseekers of the purpose as:

(a) The Organisation had obtained unambiguous consent from individuals who submitted applications directly for job listings posted online by the Organisation, for purposes limited to being contacted by the Organisation (on behalf of the hiring company) regarding that specific job listing;

(b) While the Organisation had proactively contacted jobseekers, this was after obtaining their resumes from publicly available sources, to inform them about open job position(s). In addition, the Organisation had a process in place when contacting the jobseekers, to inform them of the purpose of using their resumes to arrange interviews, and to obtain confirmation from the jobseeker before proceeding.

However, the Organisation was lacklustre in its cybersecurity and data protection practices. At the time of the complaint, it had not implemented any policies or measures to comply with its obligations under sections 11, 12 and 24 of the PDPA. This included not having designated a data protection officer, not having documented internal and external data protection policies, and not having a process to receive PDPA-related complaints.

Voluntary Undertakings

Having considered the circumstances of the case and the Organisation’s lack of knowledge of cybersecurity and data protection practices, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation, executed on 15 September 2025, to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.

As part of the Undertaking, the external service provider will assist the Organisation to first complete an initial set-up within 2 months. The initial set-up will include the appointment and registration of a Data Protection Officer (“DPO”) with the Commission or the Accounting and Corporate Regulatory Authority (“ACRA”), establishing an asset inventory for personal/business data, an IT asset inventory for hardware and software, developing an incident response and data breach management plan and implementing the necessary cybersecurity measures to protect personal data. A review will then be conducted 6 months after the initial set-up to ensure, amongst others, that the latest software updates have been installed on the Organisation’s devices and systems.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.