Privacy Ninja




Organisations vs Data Intermediaries: What their difference is and why it matters   


Singapore’s Personal Data Protection Act (PDPA), like all other data protection and privacy laws, makes a distinction between two different types of companies: organisations (commonly referred to as “controllers” under other laws) and data intermediaries (commonly referred to as “processors” under other laws).

Organisations and data intermediaries have extremely diverse data protection responsibilities because of the very different roles they play in handling an individual’s personal data. 

Under the PDPA, a data intermediary is an organisation that manages personal data “on behalf of another organisation”. As a result, data intermediaries process data on behalf of other organisations, frequently their business customers, rather than on their own behalf. It is crucial that consumer-facing rules are not directly applied to data intermediaries in that capacity because they frequently do not interact with individuals directly.

However, contractual data protection duties often impose restrictions on how and when data intermediaries can access personal data for processing purposes.  


Why is the Organisation/Intermediary difference important? 

Distinguishing organisations from data intermediaries ensures that data protection rules apply requirements that match a company’s role in managing personal data. The difference protects individuals’ personal data without posing new privacy or security issues. Here are two concrete examples: 

  • Responding to Requests for Access and Correction: The PDPA requires organisations to respond to access and rectification requests, but does not force data intermediaries to do so. This is not without reason. Responding to requests to access or correct personal data necessitates knowledge of the data’s contents. 

Organisations typically engage with individuals and decide when and why to gather data, so they are in a good position to make that decision. Data intermediaries, on the other hand, frequently lack visibility into the data they process on behalf of a company and may even be contractually forbidden from viewing it. Furthermore, a data intermediary may not know if there is a cause to decline a request, such as when a request for access to personal data is excessive or may reveal the personal data of another individual. 

Forcing data intermediaries to respond directly to requests for access to and correction of personal data may thus pose both security problems (by requiring them to send data to individuals they do not know) and privacy problems (by requiring them to look at data they otherwise would not).

  • Data Security: In contrast to individual-facing requirements, like the responsibility to honor access and correction requests, all enterprises should have obligations to secure the personal data they process. The Protection and Retention Limitation responsibilities are applied to both organisations and data intermediaries under the PDPA. Both sorts of businesses should take reasonable and acceptable security precautions.

How should organisations and Data Intermediaries fulfill their obligations? 

The first step is to determine whether your company works as an organisation or a data intermediary.

In some circumstances, a corporation may serve in both capacities for various sorts of processing activities. A firm that operates as a data intermediary and processes data on behalf of its business customers, for example, may also act as an organisation for its own internal processing activities, such as processing personnel data.

To establish and execute appropriate privacy compliance standards, it is critical to first understand whether your company performs its processing activities as an organisation or as a data intermediary. 

What Organisations and Data Intermediaries should know 

Contractual commitments can be used to execute compliance measures for both organisations and data intermediaries in various circumstances.

Before engaging in a contractual partnership, both parties should ensure that the organisation’s and data intermediary’s duties and obligations are well-established and commensurate with the respective responsibilities of the organisation and data intermediary under the PDPA. 

How a DPO enters into the picture 

Companies of all sizes must understand the distinction between organisations and their data intermediaries in order to guarantee that their compliance processes are appropriate, but this alone is not enough.

What these two types of companies have in common is that both handle the personal data of individuals, and the PDPC has never been lenient when it comes to noncompliance with the PDPA, especially if there has been a breach of personal data. This is shown in the case of Flying Cape. If it weren’t for the low number of affected individuals, it could have suffered a hefty financial penalty.

In any other case, once a breach has occurred, the PDPC will not hesitate to impose hefty financial penalties, which range up to S$1,000,000, to ensure that such an incident does not happen again. This is where a DPO comes in.

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organisations comply with the Personal Data Protection Act (PDPA). Furthermore, every organisation’s DPO should be able to curb any instances of PDPA noncompliance, as the DPO is the officer responsible for maintaining the positive posture of an organisation’s cybersecurity.

DPOs complement organisations’ efforts to ensure that their methods of collecting personal data comply with the PDPA. They also ensure that policies are set in place to make sure that there will be no instances of data breaches in the future.
