Privacy Ninja




March 2022 PDPC Incidents and Undertaking

The March 2022 PDPC Incidents and Undertaking are already published for Organizations to follow

The March 2022 PDPC Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on the PDPC’s official website. This month, only one (1) case has been issued, covering Neo Yong Xiang’s financial penalty.

The Personal Data Protection Act (PDPA) aims to balance organizations’ need to use data for legitimate purposes with the protection of individuals’ personal information; the PDPC is tasked with its administration and enforcement.

In doing so, the PDPC publishes its decisions on its website, which is open to anyone who wants to read the latest data security standards set by the PDPC. To better observe these standards, organizations have a duty to keep up to date with the latest PDPC incidents and undertakings.

Let’s have a look at the March 2022 case with the latest cybersecurity updates to date.


Here are the March 2022 PDPC Incidents and Undertaking that Organizations must take note of

March 2022 PDPC Incidents and Undertaking: Breach of the Consent and Purpose Limitation Obligations by Neo Yong Xiang

Our only case of PDPC incidents and undertakings for the month of March involves Neo Yong Xiang (NYX). Between January 2020 and November 2020, there were 3,636 Do Not Call (DNC) complaints from persons who received specified messages even though their telephone numbers were registered with the DNC register. Further analysis revealed that 1,379 of the messages were sent from 98 SIM cards registered at Yoshi Mobile (YM).

Since 2013, NYX has run YM. NYX was issued a terminal device at YM’s premises as an exclusive reseller of M1 SIM cards for the purpose of SIM card registration, which should be carried out in accordance with the terms of M1’s telecommunications license granted under Section 5 of the Telecommunications Act.

When consumers purchased pre-paid SIM cards from a Geylang Road mobile phone shop, they had no idea their personal information would be utilized to register more SIM cards for illicit sale. Regrettably, this was the case for at least 78 persons who acquired pre-paid M1 SIM cards from Mr. Neo Yong Xiang (“NYX”), the sole proprietor of Yoshi Mobile (“YM”). The typical SIM card registration process in YM would be as follows:

(a) The M1 Terminal Device would be used to scan the customer’s identification document (such as an identity card, passport, or work pass), followed by a transaction. The system would record the customer’s personal information and indicate whether or not the customer had reached the maximum number of three prepaid SIM cards allowed by law.

(b) Following that, the barcodes of the SIM card(s) would be scanned in order for them to be associated with the registered client.

(c) The final step would be the use of a mobile application to load credit value onto the prepaid SIM card(s) in order to activate them for use in the future. Customers’ money was loaded onto their prepaid M1 SIM cards by shops, who were required to load a portion or all of the money they had paid to M1.

The PDPC Incidents and Undertaking for March 2022 serve as a guide to avoid financial penalties in the future

The Commission’s investigations established that NYX abused the SIM card registration procedure by using customers’ personal information without their consent to register multiple pre-paid M1 SIM cards that the consumers had not intended to purchase.

NYX acknowledged throughout the investigation that he registered the illicit SIM cards with the intent of selling them to gain additional money. NYX believed that he earned around $15,000 in three years of selling such unlawful SIM cards to unknown walk-in customers.

The personal data obtained and used by NYX to register illicit SIM cards covered 78 people (whose data was used to register 94 SIM cards) and includes, but is not limited to, the following:

  • (a) the customers’ names; 
  • (b) the customers’ addresses; and 
  • (c) the customers’ NRIC numbers and/or work permit numbers. 

Section 2(1) of the PDPA broadly defines “organization” as “any individual, firm, association, or group of persons, corporate or unincorporated.” YM is a sole proprietorship with no legal personality distinct from NYX. As a result, NYX is considered an organization under the PDPA. Additionally, NYX is bound by the PDPA’s requirements because he was working in a commercial role, not a household capacity, when he sold the SIM cards for profit.

The March 2022 PDPC Incidents and Undertaking must always be reviewed by organizations to avoid financial penalties

Section 13 of the PDPA prohibits organizations from collecting, using, or disclosing any individual’s personal data unless the individual gives, or is deemed to have given, consent, an exception to the consent requirement applies, or the collection, use, or disclosure is otherwise authorized by the PDPA or any other written law (the “Consent Obligation”). Additionally, Section 14(1) of the PDPA specifies that an individual has not consented unless they have been informed of the objectives for which his or her personal data will be collected, used, or disclosed. If an organization does not comply with this requirement, any consent acquired from an individual is null and void.

Additionally, pursuant to Section 18 of the PDPA, an organization may collect, use, or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and only after the individual has been informed of the stated purposes pursuant to Section 20 of the PDPA.

On the facts of this case, NYX breached both the Consent Obligation and the Purpose Limitation obligation by using his customers’ personal data to register the illicit SIM cards for sale to anonymous buyers. 

With this, the organization was originally made to pay a whopping S$35,000. However, given that NYX is facing several outstanding liabilities, it was reduced to S$21,000. When imposing financial penalties, the Commission may consider the personal and financial circumstances of the organization/individual, bearing in mind that financial penalties should avoid imposing a crushing burden or causing undue hardship on organizations.

What we can learn from this case is the importance of obtaining the consent of an individual when collecting, using, and disclosing that person’s personal data. The organization should also bear in mind the obligation to inform individuals of the legal purpose for which their data will be used. Given the fact that none of this was acquired, users can lodge a complaint when they receive unsolicited text messages considering that they registered their phone numbers under the DNC registry.



