On 19 November 2020 and 20 November 2020, Company A SG and company B notified the Personal Data Protection Commission of a data breach incident whereby an unauthorised third party had gained access to business servers of the Company A Group and managed to exfiltrate information, including personal data of the employees of the Organisations.
As the main Human Resources functions of Company A SG are conducted by Company A US. Company A transfers the personal data of its employees to Company A US which is then stored in company A Us’s servers.
On 12 November 2020, the Company A Group information technology team noticed anomalies in its systems. Subsequent investigations revealed that, from September to November 2020, a threat actor had accessed the Company A Group server in the USA.
As a preliminary point, Company A US is responsible for maintaining the security and integrity of the Company A Group system including its servers and implementing the appropriate safeguards. However, the data protection obligations in the Personal Data Protection Act 2012 (“PDPA”) do not apply to Company A US as it does not process personal data in Singapore.
Whether Company A SG complied with the Transfer Limitation Obligation
- It is determined that Company A SG had not complied with the Transfer Limitation Obligation
- At the material time, Company A US and certain other Company A group entities had put in place a binding intra-group contract called the Global Data Transfer Agreement dated 1 September 2020 (“GDTA”), which governs the terms on which the various Company A group entities transfer personal data to each other.
- The GDTA contained provisions that required Company A SG to provide any personal data transferred from Singapore a comparable standard of protection to that under the PDPA at the time of the Incident.
In light of Company A SG breach of the Transfer Limitation Obligation, the Commission is empowered under section 48I of the PDPA to issue Company A SG such directions as it deems fit to ensure compliance with the PDPA. This may include directing Company A SG to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit.
Company A SG’s breach of the Transfer Limitation obligation was technical and a failure of legal formalities that were not substantive in nature.