WHAT IS THE KEY LEARNING FROM THIS CASE STUDY?

On 19 November 2020 and 20 November 2020, Company A SG and company B notified the Personal Data Protection Commission of a data breach incident whereby an unauthorised third party had gained access to business servers of the Company A Group and managed to exfiltrate information, including personal data of the employees of the Organisations.

As the main Human Resources functions of Company A SG are conducted by Company A US. Company A transfers the personal data of its employees to Company A US which is then stored in company A Us’s servers.

On 12 November 2020, the Company A Group information technology team noticed anomalies in its systems. Subsequent investigations revealed that, from September to November 2020, a threat actor had accessed the Company A Group server in the USA.

As a preliminary point, Company A US is responsible for maintaining the security and integrity of the Company A Group system including its servers and implementing the appropriate safeguards. However, the data protection obligations in the Personal Data Protection Act 2012 (“PDPA”) do not apply to Company A US as it does not process personal data in Singapore.

Whether Company A SG complied with the Transfer Limitation Obligation

It is determined that Company A SG had not complied with the Transfer Limitation Obligation
At the material time, Company A US and certain other Company A group entities had put in place a binding intra-group contract called the Global Data Transfer Agreement dated 1 September 2020 (“GDTA”), which governs the terms on which the various Company A group entities transfer personal data to each other.
The GDTA contained provisions that required Company A SG to provide any personal data transferred from Singapore a comparable standard of protection to that under the PDPA at the time of the Incident.

In light of Company A SG breach of the Transfer Limitation Obligation, the Commission is empowered under section 48I of the PDPA to issue Company A SG such directions as it deems fit to ensure compliance with the PDPA. This may include directing Company A SG to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit.

Company A SG’s breach of the Transfer Limitation obligation was technical and a failure of legal formalities that were not substantive in nature.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

If you think we can help you, why not drop us an email.