December 2021 PDPC Incidents and Undertaking
The December 2021 PDPC Incidents and Undertaking decision of the Personal Data Protection Commission (PDPC) has been published on PDPC’s official website. For this month, only one (1) case has been issued, a warning for Belden Singapore Pte Ltd.
It should be noted that the Personal Data Protection Act (PDPA), which the PDPC is tasked with administering and enforcing, aims to balance organizations’ need to use data for legitimate purposes with the protection of individuals’ personal information.
In doing so, the PDPC publishes its decisions on its website, which is open to anyone who wants to read the latest data protection standards set by the PDPC. Since organizations are expected to observe these standards, it is their duty to keep up to date with the latest PDPC incidents and undertakings.
Let’s have a look at the only December 2021 case with the latest cybersecurity updates.
December 09: Belden Singapore Pte Ltd, Breach of the Transfer Limitation Obligation
Our only case for this month’s PDPC incidents and undertaking involves Belden Singapore Pte Ltd and Grass Valley Singapore Pte Ltd. These Organizations notified the PDPC on November 19 and 20, 2020, respectively, of a data breach incident in which an unauthorized third party gained access to Belden Group’s business servers and exfiltrated information, including personal data of the Organizations’ employees.
The incident exposed the personal information of 126 people associated with Belden Singapore and 63 people associated with Grass Valley Singapore Pte Ltd.
The main Human Resources functions of Belden Singapore Pte Ltd are conducted by Belden Inc., which is headquartered in St Louis, Missouri, United States. Accordingly, Belden Singapore transfers the personal data of its employees to Belden Inc.
Similarly, the Grass Valley entities, which include Grass Valley Singapore Pte Ltd, were formerly part of the global Belden Group and were later acquired by another company. Under the terms of that acquisition, the personal data of Grass Valley Singapore’s employees was transferred to Belden Inc. and stored on Belden Inc.’s servers.
Although the PDPA did not generally apply to Belden Singapore Pte Ltd on the basis of processing personal data in Singapore, it applied on the basis of its failure to comply with the Transfer Limitation Obligation. Under this obligation, organizations must ensure that personal data transferred overseas is protected to a standard comparable with the Data Protection Provisions.
The Belden Group sought to meet this obligation by putting in place a binding intra-group contract called the Global Data Transfer Agreement (GDTA), which governs the terms on which the various Belden entities transfer personal data to each other. However, the GDTA was not legally binding on Belden Singapore, as it had not acceded to the GDTA. For Belden Singapore to be bound by the GDTA, it would have had to execute a Deed of Accession, and this omission was the cause of the breach of the Transfer Limitation Obligation.
Although Belden Singapore Pte Ltd breached the Transfer Limitation Obligation by not signing a Deed of Accession prior to the incident, the Deputy Commissioner decided to issue only a warning, considering that the breach was technical and the failure to comply with the legal formalities was not substantive in nature.
What we can take from this case is how seriously the PDPC treats the legal formalities that are put in place to protect the personal data of individuals. Without the signing of the Deed of Accession prior to the incident, there was no legally enforceable obligation to ensure that the personal data transferred from Singapore was afforded a level of protection comparable to that provided under the PDPA.
This serves as a landmark case for future reference: prior to any transfer of personal data from Singapore, all formalities must be met to avoid any fines that may be imposed.
Digging deep: PDPC’s Transfer Limitation Guidelines
In a nutshell, the Transfer Limitation Obligation refers to a requirement in the Personal Data Protection Act 2012 (“PDPA”) that any organization transferring personal data outside of Singapore ensures that the personal data is treated to the same standard as it would be treated in Singapore under the PDPA. This requirement is intended to avoid situations in which organizations transmit personal data outside of Singapore in order to exploit it without violating Singapore’s personal data protection regulations.
Until now, the position has been that an organization may transfer personal data overseas if the recipient is bound by legally enforceable obligations to ensure that the personal data transferred is protected to a standard comparable to that provided under the PDPA.
The Guidelines reaffirm this point by stating that “legally enforceable obligations” include those imposed on the recipient under:
- any law;
- a contract;
- binding corporate rules; and
- any other legally binding instrument.
In effect, this means that if you are sending personal data to a third party in another country, you will need to enter into an agreement with them to guarantee that they comply with the PDPA. If you are transferring personal data to an overseas branch or office of the same company, you would establish binding corporate rules requiring all of the company’s departments and offices to comply with the PDPA.