Privacy Ninja

January 2022 PDPC Incidents and Undertaking

The January 2022 PDPC Incidents and Undertaking are already published for Organizations to follow


The January 2022 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. For this month, only two (2) cases have been issued, covering a financial penalty for Nature Society (Singapore) and an undertaking to be executed by JT Legal LLC.

It should be noted that the Personal Data Protection Act (PDPA) aims to balance organizations’ need to use data for legitimate purposes with the protection of individuals’ personal information. The PDPC is tasked with its administration and enforcement.

In doing so, the PDPC publishes its decisions on its website, which is open to anyone who wants to read the latest data security standards set by the PDPC. To better observe those standards, organizations have a duty to keep up to date with the latest PDPC incidents and undertakings.

Let’s have a look at the January 2022 cases with the latest cybersecurity updates to date.

Here are the January 2022 PDPC Incidents and Undertaking that Organizations must take note of


January 14: Nature Society (Singapore)’s breach of the Protection and Accountability Obligations

Our first case of PDPC incidents and undertaking involves Nature Society (Singapore). The PDPC was notified on November 06, 2020, of an online article reporting that hacked databases were being made available for download on several hacking forums and Telegram channels. Nature Society (Singapore) was one of the affected organizations.

The personal data of 5,131 members and non-members who had created membership and user accounts on Nature Society (Singapore)’s website were affected in the Incident. Upon investigation, it was revealed that the possible attack vector was an SQL injection attack, which led to personal data in the Organisation’s website database being accessed and exfiltrated by unknown parties.

With this Incident, Nature Society (Singapore) was made to pay a financial penalty of S$14,000 as it admitted that it did not designate a DPO, it failed to develop and implement any personal data protection policy prior to the Incident, and it did not make reasonable security arrangements to protect the personal data on its website database.

What we can take from this case is the importance of appointing a DPO, who is responsible for ensuring that an Organization complies with the PDPA. In this case, the PDPC laid down the DPO’s responsibilities, as the DPO plays a vital role in building and implementing a robust data protection framework.

The PDPC Incidents and Undertaking for January 2022 serve as a guide to avoid financial penalties in the future

January 2022 PDPC Incidents and Undertaking: JT Legal LLC

Completing this month’s published decisions is the case of JT Legal LLC, where the PDPC accepted the undertaking of the Organization regarding the email phishing attack, which allowed the threat actor to access and view files on JTL’s SharePoint.

Due to the Incident, the personal data of approximately 1,006 individuals was at risk, comprising the names of individuals, addresses, email, NRIC numbers, and passport numbers. It was established that (a) JTL had insufficient training for its staff on basic cybersecurity and data protection measures, and (b) there was no personal data policy or written internal guidelines, a lack of an IT security policy for, and no security risk management of, its information and communications technology (“ICT”) operations.

We can infer from this case that although an Organization suffered a data breach due to a failure to put reasonable security arrangements in place, it does not necessarily mean that the Organization will face a hefty fine for the breach. In this case, due to JT Legal LLC’s prompt remedial actions, the PDPC only gave an undertaking for it to follow and nothing else.
