Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

On managing Data Intermediaries and being compliant with the PDPA

managing Data Intermediaries
Managing Data Intermediaries should not be taken lightly. This is because they are also subject under the Data Protection Obligation of the PDPA.

Managing Data Intermediaries: Data Protection Obligations under the PDPA

The PDPA defines a Data Intermediary (DI) as an entity that handles personal information on behalf of a Data Controller (DC) under contract. The DI may perform any action or series of operations on personal data, including, but not limited to, the following:

a) recording;
b) storage;
c) organization, adaptation, or alteration;
d) retrieval;
e) combination;
f) transmission; and
g) erasure or destruction.

When processing personal data on behalf of the DC and for the DC’s objectives, a DI is subject to the Data Protection Provisions relating to the protection of personal data (Protection Obligation) and retention of personal data (Retention Limitation Obligation).

Suppose a DI uses or discloses personal data in its custody or control beyond the authority granted by the DC. In that case, the DI shall be accountable for adhering to all Data Protection Provisions under the PDPA.

Also Read: The Singapore financial services and markets bill: Everything you need to know

When processing personal data on behalf of the DC and for the DC’s objectives, a DI is subject to the Data Protection Provisions relating to the protection of personal data and its retention.

Understanding Data Intermediaries under Data Protection

An organization that uses a data intermediary to process personal data on its behalf must ensure compliance under the PDPA. Additionally, the data intermediary must also guarantee compliance with the said data protection law. The PDPA does not directly impose the majority of data protection requirements on a data intermediary that processes personal data on behalf of another organization under a written contract, with the exception of the protection and retention obligations.

Organizations should select the right data protection procedures to implement based on the associated data protection risk. In general, while determining the right measures to apply, organizations should evaluate the scope of the outsourcing and the sensitivity of the personal data that their DI is processing, as well as the duration of the DI contract.

Complying with the Protection Obligation with reasonable security measures

Even if it is processing personal data on behalf of another organization, a data intermediary must have “reasonable security arrangements” to protect personal data against unauthorized access, collection, use, or disclosure.

PurpleForest, for instance, ensures that all staff laptop accounts are password-protected so that only the IT administrator may install software and programs.

In addition, the cloud service provider and the employee’s computer system are configured to run scheduled security scans to detect malware automatically. Every two days, these security scans are undertaken. Every three months, the cloud service provider enforces a mandatory password change, lowering the likelihood of external hacking. The passwords must contain alphanumeric and special characters and must be eight characters long.

An organization that uses a data intermediary to process personal data on its behalf must ensure compliance under the PDPA.

Ensuring that every employee is on board

A major challenge for organizations is the need to ensure that all employees understand the relevance of personal data protection and the policies and procedures they must follow.

Employees are considered the weakest link when it comes to the cybersecurity of every organization. It is because employees have access to the organization’s system, and a slight mistake on their end, such as clicking the attachment on a suspicious email, could potentially penetrate the organization by bad actors.

This is why it is necessary that each employee must be onboard the security arrangements made by the organization to ensure that there will be no loophole in its cybersecurity hygiene.

Considerations to make while choosing a DI

Under the PDPA, depending on the scope of the work and the structure of the arrangement, such third parties may be considered data intermediaries of the employing organization. An organization should be aware that if a data intermediary processes personal data on its behalf, the organization is subject to the same personal data duties under the PDPA as if it had processed the personal data directly.

The PDPC recommends that these organizations:
(i) conduct an adequate level of due diligence to ensure that a potential data intermediary is capable of complying with the PDPA; and
(ii) emphasize in written contracts the scope of work that the data intermediary will perform on their behalf and for their purposes.

A DPO can help you ensure you have enough security policies set in place, including one for data intermediaries.

How a DPO can help organizations and its DIs comply with PDPA

Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). In this case, the DPO makes sure that the organization and its DIs comply with the PDPA and that instances of breaches will be limited. 

For instance, at Privacy Ninja, we help our clients understand their responsibility in managing their DIs. We always remind them that upon outsourcing a DI, the organization has the full responsibility of ensuring that such DIs comply with the Data Protection law. 

DPOs complement the efforts of Organizations in making sure that the personal data collected and used is accurate. This is because when there is an instance that the obligation has been breached, DPOs ensure that a protocol for dealing with it has been established and can be employed.

As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is correct and concise as it affects me whenever a decision is made.

Also Read: Guarding against common types of data breaches in Singapore



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us