Voluntary Undertaking by Asia Properties & Assets Consultancy Pte Ltd

Background

Asia Properties & Assets Consultancy Pte. Ltd. (the “Organisation”) was at the material times appointed by The Management Corporation - Strata Title Plan No. 4869 (“MCST 4869”) as the managing agent of Riverfront Residences (the “condominium”). The complainant is a subsidiary proprietor of the condominium.

On 31 March 2025, the Personal Data Protection Commission (the “Commission”) received a complaint that the Organisation had failed to make information available in response to the complainant’s request about the Organisation’s data protection policies (the “information request”).

On 22 April 2025, the Commission received another complaint from the complainant that the Organisation’s employee had erroneously sent an email containing the personal data of two other subsidiary proprietors to the complainant (the “erroneous email”).

In relation to the information request, the complainant had on 7 March 2025 and 18 March 2025 requested the data protection policies of MCST 4869 and the Organisation. On 17 April 2025, the Organisation responded on behalf of MCST 4869 and provided a copy of MCST 4869’s data protection policies to the complainant. However, the Organisation did not provide a copy of its own data protection policies to the complainant.

Under section 12(d) of the Personal Data Protection Act (the “PDPA”), an organisation is required to make information available on request about its policies and practices developed and implemented to meet its obligations under the PDPA, and about its complaint process. This is a general obligation and there is no prescribed way in which this information is to be made available. A requester could, for example, be referred to a published website containing the information. The Organisation did not comply, as it mistakenly believed that its data protection policies did not apply to subsidiary proprietors of the condominium and that it therefore did not need to provide the complainant with the information.

In relation to the erroneous email, on 7 April 2025, the Organisation’s employee had sent the email to the complainant in error, due to similarities between the complainant’s email address and the intended email address. The erroneous email disclosed the name and email address of a subsidiary proprietor. An attachment in the email disclosed the last 4 digits of a bank account number, while another attachment disclosed the name of the subsidiary proprietor and another subsidiary proprietor, their property address, MCST account number, and transactions relating to payments towards the maintenance fund.

The Organisation had provided data protection training for all its employees. The employee who had sent the email had last attended such training on 20 February 2025. Upon discovery of the incident, the Organisation took prompt remedial actions, including an unsuccessful attempt to recall the email and regular reminders from the Condominium Manager for employees to check all emails before sending. However, prior to the incident there was no process in place to password protect email attachments containing potentially sensitive personal data, nor any process for checking email addresses before emails were sent. Organisations cannot merely rely on the diligence of individual employees to safeguard personal data, especially where potentially sensitive financial transactions are involved, which warrant a higher degree of protection.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the PDPA. The Undertaking was executed on 9 February 2026.

As part of the Undertaking, the Organisation will be implementing the following:

(a) Implement a procedure within the Organisation to password protect documents sent by email containing potentially sensitive personal data;

(b) Implement a reminder or checklist for the Organisation’s staff at their terminals to double check email addresses before sending emails;

(c) Review the Organisation’s procedures for handling requests for its personal data protection policies made under section 12(d) of the PDPA.
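The check described in item (b) does not have to rest on a reminder at the terminal; the specific failure in this case, an address that differs from the intended one by only a character or two, is exactly what a pre-send comparison against the sender's contact directory can catch. The following is an added example written for this page, not the Organisation's procedure or anything issued by the Commission. The contact directory and recipient addresses are constructed sample data, and the edit-distance threshold of 2 is an assumption chosen for illustration.

```python
"""
Pre-send recipient check against a contact directory.

Added example (not the Organisation's own procedure). Two findings are raised:
  - "lookalike": the recipient is within MAX_DISTANCE edits of a *different*
    directory entry, so the sender may have picked the wrong near-identical address;
  - "unknown":   the recipient is not in the directory at all.
Sending is released only when every flagged recipient has been explicitly confirmed.
"""

from dataclasses import dataclass
from typing import Iterable, List, Optional

MAX_DISTANCE = 2  # assumption: addresses this close are treated as confusable


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert / delete / substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(addr: str) -> str:
    """Email addresses are compared case-insensitively and without surrounding space."""
    return addr.strip().lower()


@dataclass(frozen=True)
class Finding:
    recipient: str
    kind: str                      # "lookalike" or "unknown"
    lookalike: Optional[str] = None
    distance: Optional[int] = None


def check_recipients(recipients: Iterable[str], directory: Iterable[str],
                     max_distance: int = MAX_DISTANCE) -> List[Finding]:
    """Return every finding for the given recipient list; an empty list means no concern."""
    known = sorted({normalise(d) for d in directory})
    findings: List[Finding] = []
    for r in recipients:
        n = normalise(r)
        if n not in known:
            findings.append(Finding(r, "unknown"))
        for k in known:
            if k == n:
                continue  # the recipient itself; only *other* entries are lookalikes
            d = levenshtein(n, k)
            if d <= max_distance:
                findings.append(Finding(r, "lookalike", k, d))
    return findings


def gate_send(recipients: Iterable[str], directory: Iterable[str],
              confirmed: Iterable[str] = ()) -> bool:
    """True only if no recipient is flagged, or every flagged recipient was explicitly confirmed."""
    ok = {normalise(c) for c in confirmed}
    return all(normalise(f.recipient) in ok for f in check_recipients(recipients, directory))


# Constructed sample directory: two near-identical addresses of the kind that
# caused the misdirected email in this case.
DIRECTORY = [
    "tan.weiming@example.com",
    "tan.weimeng@example.com",
    "lim.siewling@example.com",
    "finance@example.com",
]

if __name__ == "__main__":
    for f in check_recipients(["tan.weimeng@example.com"], DIRECTORY):
        print(f)
    print("release:", gate_send(["tan.weimeng@example.com"], DIRECTORY))
    print("release after confirmation:",
          gate_send(["tan.weimeng@example.com"], DIRECTORY,
                    confirmed=["tan.weimeng@example.com"]))
```

The check deliberately does not decide which of the two addresses is correct; it blocks release and makes the sender confirm the flagged recipient, which is the human step item (b) asks for, applied only where the risk actually exists rather than on every email.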

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction to ensure the Organisation’s compliance with the Undertaking.