29 September 2022

Breach Of Accountability Obligation By ACL Construction (S) Pte Ltd

Global Advertising Lawyers Alliance (GALA)


With firms representing more than 90 countries, each GALA member has the local expertise and experience in advertising, marketing and promotion law that will help your campaign achieve its objectives, and navigate the legal minefield successfully. GALA is a uniquely sensitive global resource whose members maintain frequent contact with each other to maximize the effectiveness of their collaborative efforts for their shared clients. GALA provides the premier worldwide resource to advertisers and agencies seeking solutions to problems involving the complex legal issues affecting today's marketplace.
A recent decision by the Personal Data Protection Commission ("PDPC") emphasised the importance for organisations to, at a minimum, engage a data protection officer...
Singapore Privacy
To print this article, all you need is to be registered or login on

A recent decision by the Personal Data Protection Commission ("PDPC") emphasised the importance for organisations to, at a minimum, engage a data protection officer and put protocols in place to ensure compliance with the Personal Data Protection Act ("PDPA").

On 2 June 2021, the PDPC was notified that ACL Construction (S) Pte Ltd (the "Organisation") was falsely being advertised for sale on the darkweb after its staff learnt that they were unable to log in to retrieve the Organisation's files. The files included: (i) a quotation folder containing orders, bills and receipts; (ii) a common folder containing information and pictures relating to projects; and (iii) a drawing folder comprising technical illustrations.

The files had the names of the Organisation's clients, the responsible contact person, and related business contact details. Such data was beyond the purview of the PDPA as these are considered business contact information and not personal data. However, the PDPC found that the Organisation did not engage or nominate any person as a Data Protection Officer to monitor its adherence to the PDPA. In addition, the Organisation failed to put in place any protocols for data protection. Accordingly, despite no personal data being compromised in the incident, the Organisation was still found to be in breach of its obligations of the PDPA.

The PDPC noted that following the incident, the Organisation had swiftly addressed the issue by nominating one of its employees to ensure that the Organisation discharges its responsibilities under the PDPA. However, given the Organisation's relatively weak knowledge of its obligations under the PDPA, the PDPC instructed the Organisation to adhere to the following in place of a financial penalty: (i) to implement protocols to ensure compliance with the PDPA; and (ii) to implement mandatory education and training for its staff on how to adhere to the PDPA when managing personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More