4 PDPC Decisions Signal a Hard Line on Protection Obligation

Singapore’s data protection enforcement landscape entered 2026 with unusual clarity. In January, the Personal Data Protection Commission released four separate enforcement decisions, all involving breaches of the protection obligation under the Personal Data Protection Act. Taken together, these decisions offer a sharp and consistent message to organisations across sectors. Relying on baseline security controls alone, relying informally on vendors, and testing for vulnerabilities infrequently are no longer defensible.

Each decision concerns a different industry, from HR technology to retail, travel, and enterprise software. Yet the underlying issues are strikingly similar. Inadequate vulnerability assessment and penetration testing, poor vendor oversight, outdated systems, and weak accountability structures featured prominently across all cases. The penalties imposed, ranging from five figures to more than sixty thousand dollars, reflect a regulatory posture focused not only on remediation but deterrence.

A clear regulatory signal from the PDPC in 2026

The timing of these decisions matters. The PDPC’s release of four protection obligation cases at the very start of the year sets expectations for how enforcement will unfold in 2026. While earlier years saw a heavier emphasis on education and gradual compliance, these cases suggest that the regulator now expects organisations to have operationalised core security practices.

Importantly, the Commission made it clear that financial hardship arguments would not outweigh systemic security failures. Multiple organisations sought penalty reductions, citing declining revenue, loan obligations, or pandemic impacts. In each instance, the PDPC rejected these representations. The Commission explicitly noted that penalties must send an effective deterrent message to errant organisations.

People Central and the cost of infrequent VAPT

The first decision involved People Central, a provider of human resource management systems. The Commission found that the organisation had not conducted any network vulnerability assessments at the time of the incident. Vulnerability scanning had been performed only once every two years, with no regular penetration testing in place. This gap allowed vulnerabilities to persist undetected.

The PDPC emphasised that internal and external penetration testing should be conducted at least annually, with vulnerability assessments carried out quarterly. This guidance was not framed as aspirational best practice but as a reasonable security baseline. The organisation’s attempt to seek a waiver of the $17,500 financial penalty on grounds of financial difficulty was rejected.

Singapore Data Hub and the limits of functional testing

Singapore Data Hub, a provider of point-of-sale and CRM software, faced a similar penalty of $17,500. The Commission found that while the organisation conducted internal acceptance testing before launch, these tests were focused solely on functionality. No security testing of web application code was performed, either before launch or as part of periodic reviews.

The PDPC noted that acceptance testing does not substitute for vulnerability scanning or penetration testing. Functional correctness does not equate to security resilience. The organisation had also failed to conduct basic network vulnerability scans. The decision reinforces that security testing must be intentional, continuous, and separate from business testing processes.

Goldheart Jewellery and vendor reliance under scrutiny

The most heavily contested case involved Goldheart Jewellery, which was fined $64,000, later reduced to $58,000. Goldheart argued extensively that its breach was comparable to or less serious than other PDPC cases and cited multiple precedents in its defence. The Commission was unpersuaded.

The organisation relied on a vendor to maintain its Magento-based e-commerce platform. However, contractual arrangements did not absolve Goldheart of responsibility for security oversight. The PDPC found that there was no regular, extensive security testing of the website’s server and that prior scans were not paired with effective patching or vulnerability management. Reliance on a vendor without supervision was deemed unreasonable.

Air Sino-Euro and accountability failures

The fourth decision involved Air Sino-Euro Associates Travel, which breached both the accountability and protection obligations. The organisation had a public-facing privacy policy but no internal data protection practices. It had not appointed a Data Protection Officer and had no contractual clauses defining vendor responsibilities for patch management or server maintenance.

The incident involved the use of Windows Server 2012, an unsupported operating system. The PDPC highlighted that continued use of outdated software materially increases security risk. Air Sino-Euro was ordered to engage a CSA-licensed cybersecurity service provider to conduct vulnerability assessment and penetration testing, remediate vulnerabilities, and implement multi-factor authentication. The organisation’s request for a reduced penalty was rejected.

Themes that cut across all four decisions

Across all four cases, the PDPC repeatedly returned to the same themes. Infrequent or absent VAPT was treated as a serious control failure. Informal reliance on vendors without oversight was rejected. Outdated systems were deemed indefensible. Most notably, financial constraints were not accepted as a justification for weak security practices.

These decisions collectively illustrate that the protection obligation is no longer interpreted as a best effort requirement. It is increasingly framed as an expectation of demonstrable, ongoing security governance. Organisations are expected to identify risks proactively, test their environments regularly, and maintain accountability structures that extend across internal teams and third parties.

What this means for organisations in 2026

The PDPC’s enforcement posture in 2026 signals a transition from tolerance to enforcement maturity. Organisations that still treat vulnerability testing as a periodic compliance exercise are exposed. Security practices must now withstand regulatory scrutiny, not just technical audits.

This shift also aligns with broader regulatory expectations globally. As breach detection times increase and attack surfaces expand through cloud and vendor ecosystems, regulators are focusing on whether organisations took reasonable, structured steps to prevent harm. Documentation, testing cadence, and vendor governance now carry legal weight.

How Privacy Ninja supports protection obligation readiness

In this environment, organisations require more than static policies or one-off assessments. Privacy Ninja works with organisations to operationalise the protection obligation through structured Vulnerability Assessment and Penetration Testing programmes aligned with PDPC expectations. Testing is conducted regularly, with clear prioritisation of real-world risk and remediation guidance.

Beyond VAPT, Privacy Ninja supports organisations through DPO as a Service, Smart Contract Audit, and Data Breach Management. This integrated approach ensures accountability structures, technical controls, and staff responsibilities function together. As the PDPC’s 2026 decisions demonstrate, security maturity is measured by execution, not intent.

The PDPC’s release of four protection obligation decisions at the start of 2026 is not coincidental. It reflects a regulator signalling that baseline security lapses will now attract meaningful consequences. Across all cases, the message is consistent. Organisations must test, oversee, and update continuously.

For organisations operating in Singapore, these decisions serve as both warning and guidance. The protection obligation has evolved into an operational standard. Those that adapt early will not only reduce regulatory risk but strengthen trust, resilience, and long-term business continuity.
