December 2021 PDPC Incidents and Undertaking: Lessons from the Cases

The Personal Data Protection Commission (PDPC) has published its December 2021 incidents and undertakings decisions on its official website. This month, only one (1) case has been issued, covering a warning for Belden Singapore Pte Ltd.

The Personal Data Protection Act (PDPA) aims to balance organizations’ need to use data for legitimate purposes with the protection of individuals’ personal information; the PDPC is tasked with its administration and enforcement.

The PDPC publishes its decisions on its website, where anyone can read the latest data security standards it has set. To better observe these standards, organizations have a duty to keep up to date with the latest PDPC incidents and undertakings.

Let’s have a look at the only December 2021 case with the latest cybersecurity updates.

December 09: Belden Singapore Pte Ltd, Breach of the Transfer Limitation Obligation 

Our only case for this month’s PDPC incidents and undertaking involves Belden Singapore Pte Ltd and Grass Valley Singapore Pte Ltd. These Organizations notified the PDPC on November 19 and 20, 2020, respectively, of a data breach incident in which an unauthorized third party gained access to Belden Group’s business servers and exfiltrated information, including personal data of the Organizations’ employees.

The incident exposed the personal information of 126 people associated with Belden Singapore and 63 people associated with Grass Valley Singapore Pte Ltd.

The main Human Resources functions of Belden Singapore Pte Ltd are conducted by Belden Inc., which is headquartered in St Louis, Missouri, United States. With this, Belden Singapore transfers the personal data of its employees to Belden Inc.

Thus, when the Grass Valley entities, formerly part of the global Belden Group and including Grass Valley Singapore Pte Ltd, were acquired by another company, the personal data of Grass Valley Singapore’s employees were transferred to Belden Inc. and stored in Belden Inc.’s servers, as per the terms of the acquisition.

While the PDPA does not generally apply to Belden Singapore Pte Ltd on the basis of processing personal data in Singapore, it applies because of the company’s failure to comply with the Transfer Limitation Obligation. Under this obligation, organizations must ensure that personal data transferred overseas is protected to a standard comparable with the Data Protection Provisions.

This was meant to be achieved by putting in place a binding intra-group contract called the Global Data Transfer Agreement (GDTA), which governs the terms on which the various Belden entities transfer personal data to each other. However, the GDTA was not legally binding on Belden Singapore, as it had not acceded to the GDTA. To be bound by the GDTA, Belden Singapore would have had to execute a Deed of Accession, and its failure to do so was the cause of the breach of the Transfer Limitation Obligation.

Although Belden Singapore Pte Ltd breached the Transfer Limitation Obligation by not signing a Deed of Accession prior to the incident, the Deputy Commissioner decided to issue only a warning, considering that the breach was technical and that the failure to comply with the legal formalities was not substantive in nature.

What we can take from this case is how seriously the PDPC treats any legal formalities put in place to protect individuals’ personal data. Because the Deed of Accession was not signed prior to the incident, there was no legally enforceable obligation to ensure that the personal data transferred from Singapore is afforded a level of protection comparable to that provided under the PDPA.

This serves as a landmark case for future reference: prior to any transfer of personal data from Singapore, all formalities must be met to avoid any fines that may be imposed.

Digging deep: PDPC’s Transfer Limitation Guidelines

In a nutshell, the Transfer Limitation obligation refers to a requirement in the Personal Data Protection Act 2012 (“PDPA”) that any organization transferring personal data outside of Singapore ensures that the personal data is treated to the same standard as it would be treated in Singapore under the PDPA. This requirement is intended to avoid situations in which organizations transmit personal data outside of Singapore in order to exploit it without violating Singapore’s personal data protection regulations.

Until now, the position has been that an organization may transmit personal data if the receiver is constrained by legally enforceable requirements to ensure that the personal data transferred is protected to a standard similar to that provided under the PDPA.

The Guidelines reaffirm this point by stating that “legally enforceable responsibilities” include those imposed on the recipient under:

  • any law;
  • a contract;
  • binding corporate rules; and
  • any other legally binding instrument.

In effect, this implies that if you’re sending personal data to a third party in another country, you’ll need to enter into an agreement with them to guarantee that they follow the PDPA. If you are transferring personal data to an overseas branch or office of the same company, you would establish binding corporate policies requiring all of the company’s departments and offices to comply with the PDPA.
