Privacy Ninja




PDPA Compliance for Management Corporations (MCST): FAQs & Best Practices


Management Corporations Strata Titles (MCSTs) frequently encounter inquiries regarding the handling of personal data. The Personal Data Protection Act (PDPA) serves as the cornerstone legislation ensuring the safeguarding of personal data in Singapore. 

However, the interplay between the PDPA and other laws, such as the Building Maintenance and Strata Management Act (BMSMA), its subsidiary legislation including the Building Maintenance (Strata Management) Regulations 2005 (BMSMR), and the Land Titles (Strata) Act, shapes how MCSTs manage personal data within their purview.

In this guide, we provide an exhaustive discussion addressing common queries surrounding personal data management by MCSTs.

Access to Personal Data within the Estate

One common concern pertains to whether MCSTs can disclose personal data, such as contact information, of subsidiary proprietors to others within the same estate. 

Section 47 of the Building Maintenance and Strata Management Act (BMSMA) empowers Subsidiary Proprietors (SP) to access information in the records of a management corporation, such as the contact information of other subsidiary proprietors. Notably, under the PDPA, consent for disclosing such information is unnecessary.

To facilitate this process, a subsidiary proprietor may authorise a licensed occupier of their strata title unit, like a tenant, to make inquiries on their behalf under section 47 of the BMSMA. This provision ensures streamlined access to necessary information within the framework of the BMSMA.

Addressing Concerns on Data Handling

MCSTs fulfil their obligations outlined in the BMSMA, such as maintaining the common property. This includes collecting personal data for various purposes, like preparing and maintaining a strata roll. Given these responsibilities, individuals who have any concerns about the handling of their personal data by MCSTs are advised to take proactive steps.

a. Initially, individuals may opt to approach the MCST or the designated Data Protection Officer (DPO) for their estate to address any concerns regarding personal data handling.

b. If concerns persist, raising the issue at a general meeting of the management corporation provides a platform for collective discussion and resolution.

c. Should the concern remain unresolved, individuals have the option to escalate the matter to the Strata Titles Board for further assistance and resolution.

These steps are crucial because the PDPA operates alongside other laws, including the BMSMA. By adhering to these procedures, individuals can navigate concerns regarding personal data protection effectively within the legal framework provided by the PDPA and other relevant laws.

Displaying Voting Eligibility

MCSTs are entrusted with the responsibility of displaying a list of individuals eligible to vote in general meetings, along with their corresponding strata lot addresses, on the estate’s notice board. 

This statutory requirement, integral to ensuring transparency and accountability within MCSTs, does not require individual consent under the PDPA. 

The BMSMA mandates this provision, thereby superseding the requirement for explicit consent under the PDPA. By adhering to this regulation, MCSTs uphold democratic principles within the estate while remaining compliant with data protection laws.

Consent for Data Collection and Usage

The duties of MCSTs often necessitate the collection of personal data for various purposes outlined in the BMSMA. 

Where the law explicitly permits such data collection without consent, MCSTs are exempt from seeking individual consent. However, for activities not covered by such legal provisions, adherence to the Data Protection Provisions of the PDPA is imperative to ensure compliance with data protection standards. 

Thus, while certain data collection activities may not require consent under specific legal frameworks, MCSTs must remain vigilant to obtain consent when necessary to protect individuals’ data protection rights.

Access to CCTV Footage

In granting access to CCTV footage, MCSTs must exercise diligence to ensure that individuals only access their respective personal data captured in the footage. 

Exceptions to this principle include cases where other individuals in the footage have provided explicit consent for the disclosure of their personal data or where an exception under the PDPA applies, ensuring the protection of data protection rights. 

By implementing measures such as appropriate masking of personal data in footage or obtaining consent from relevant parties, MCSTs uphold the Consent Obligation and Notification Obligation under the PDPA while fulfilling their security obligations within the estate.

Disclosure in Meeting Minutes

Meeting minutes, as mandated by the BMSMA, may contain personal data of estate residents or invitees. Such disclosure is permissible under the law without individual consent, provided it aligns with the purposes outlined in the BMSMA. 

Additionally, MCSTs are required to display meeting minutes on the estate’s notice board for a stipulated period of no less than 14 days, ensuring transparency and accountability in governance. 

By adhering to statutory requirements and best practices in meeting documentation, MCSTs uphold principles of accountability and transparency while respecting individuals’ privacy rights.

Visitor Data for Security Purposes

To heighten estate security, MCSTs may collect personal data from visitors and invitees. This may involve recording names, contact details, and vehicle information for security clearance purposes.

However, MCSTs must exercise prudence to collect only necessary data, avoiding excessive intrusion into individuals’ data protection rights while maintaining a safe and secure environment within the estate. 

By implementing measures such as visitor logbooks and CCTV surveillance in accordance with data protection principles, MCSTs strike a balance between security needs and data protection considerations, fostering a safe and welcoming environment for residents and visitors alike.


The management of personal data within MCSTs necessitates a detailed understanding of legal frameworks, particularly the interplay between the BMSMA and the PDPA. 

By adhering to statutory requirements and best practices in data protection, MCSTs can effectively navigate the complexities of personal data management while upholding data protection rights and fostering trust within their communities.


