On 19 November 2020 and 20 November 2020, Company A SG and Company B notified the Personal Data Protection Commission of a data breach incident whereby an unauthorised third party had gained access to business servers of the Company A Group and managed to exfiltrate information, including personal data of the employees of the Organisations.
As the main Human Resources functions of Company A SG are conducted by Company A US, Company A SG transfers the personal data of its employees to Company A US, where it is then stored on Company A US's servers.
On 12 November 2020, the Company A Group information technology team noticed anomalies in its systems. Subsequent investigations revealed that, from September to November 2020, a threat actor had accessed the Company A Group server in the USA.
As a preliminary point, Company A US is responsible for maintaining the security and integrity of the Company A Group system, including its servers, and for implementing the appropriate safeguards. However, the data protection obligations in the Personal Data Protection Act 2012 ("PDPA") do not apply to Company A US, as it does not process personal data in Singapore.
Whether Company A SG complied with the Transfer Limitation Obligation

- It is determined that Company A SG had not complied with the Transfer Limitation Obligation.
- At the material time, Company A US and certain other Company A group entities had put in place a binding intra-group contract called the Global Data Transfer Agreement dated 1 September 2020 ("GDTA"), which governs the terms on which the various Company A group entities transfer personal data to each other.
- The GDTA contained provisions that required Company A SG to provide any personal data transferred from Singapore with a standard of protection comparable to that under the PDPA at the time of the Incident.
In light of Company A SG's breach of the Transfer Limitation Obligation, the Commission is empowered under section 48I of the PDPA to issue Company A SG such directions as it deems fit to ensure compliance with the PDPA. This may include directing Company A SG to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit.
Company A SG's breach of the Transfer Limitation Obligation was technical and a failure of legal formalities that were not substantive in nature.