Personal Data Protection Policy
(Updated: June 2017)
The Personal Data Protection Act 2012 (“PDPA”) was introduced as Singapore’s first general data protection law and came into force in 2014. It governs the collection, use, disclosure and care of an individual’s Personal Data (as defined hereinafter) by organisations. It recognises both the rights of individuals to have their personal data protected, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes. The PDPA further established the Personal Data Protection Commission (“Commission”) which, among other objectives, promotes awareness of data protection in Singapore and administers and enforces the PDPA.
FPS Management & Consulting Pte. Ltd. (“FPS”) is committed to protecting the personal data of individuals and to fully complying with the PDPA. Accordingly, all employees of FPS must, as part of their job duties, comply with this Personal Data Protection Policy (“Policy”) and the procedures set out herein in respect of activities such as the collection, use, disclosure or (cross-border) transfer of Personal Data.
This Policy shall be made available to all employees of FPS.
- What is Personal Data?
In this Policy, “Personal Data” means data, whether true or not, about an individual who can be identified from that data or from that data and other information to which FPS has access. Personal data may include the following:
- Full name;
- NRIC Number or FIN (Foreign Identification Number);
- Passport number;
- Photograph or video image of an individual;
- Mobile telephone number;
- Personal email address;
- Residential address;
- Physical characteristics;
- Information about an individual’s use of FPS’s website including cookies and IP address.
Personal Data should not be confused with Business Contact Information, which is not covered by the PDPA and this Policy. “Business Contact Information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes.
- How is the PDPA relevant for FPS?
Personal Data may be collected from business contacts, employees, directors and other individuals, and such Personal Data may be used and/or disclosed by FPS from time to time in the course of its business.
- Collection, Use and Disclosure of Personal Data
FPS will only collect, use and/or disclose Personal Data in accordance with this Policy and in compliance with the PDPA. Generally, FPS may collect Personal Data through the following means:
- When an individual submits forms relating to any of FPS’s products or services;
- Consent for Collection, Use and/or Disclosure of Personal Data
FPS will only collect, use or disclose Personal Data with the respective individual’s knowledge and consent (save where the exceptions set out in the PDPA apply).
- Circumstances under which no consent is required
No consent needs to be obtained if consent is deemed to be given by virtue of law.
This is the case where
- an individual, without actually giving consent, voluntarily provides the Personal Data to FPS for the purpose FPS intends to collect, use or disclose such information; and
- it is reasonable that the individual would voluntarily provide the Personal Data.
Further, if an individual gives, or is deemed to have given, consent to the disclosure of his/her Personal Data by FPS to another organisation for a particular purpose, the individual is deemed to consent to the collection, use or disclosure of the Personal Data for that particular purpose by that other organisation.
Consent from the individual is also not required for the collection, use and/or disclosure of Personal Data under the circumstances pursuant to the Second, Third and/or Fourth Schedule of the PDPA respectively (as set out in Annex III). In particular, consent of an employee is not required where FPS collects, uses or discloses Personal Data of an employee for the purposes of managing or terminating his/her employment.
Personal Data obtained by FPS before 2 July 2014 may continue to be used and/or disclosed by FPS, as long as such use and/or disclosure is for the purpose it was collected, unless the individual no longer consents to such use and/or disclosure. If FPS wishes to use and/or disclose such Personal Data for any other purposes, it shall obtain the consent of the individual and inform him/her of the purposes of such use and/or disclosure.
- How is consent to be obtained
Where consent is required, such consent should in general be obtained in writing. Please refer to the notice to be given in accordance with Section II a. below.
- Withdrawal of consent
An individual may at any time withdraw his consent (or deemed consent) for the use or disclosure by FPS of his Personal Data for any purposes. He may do so by giving FPS reasonable notice of the withdrawal. Upon receiving such notice, FPS will inform the individual of the consequences of withdrawing consent, and thereupon cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the Personal Data, as the case may be, unless the collection, use or disclosure of the Personal Data is required or authorised under the PDPA or other written law.
- Purposes of Collection, Use and/or Disclosure of Personal Data
FPS will collect, use or disclose Personal Data only for purposes that a reasonable person would consider appropriate in the circumstances, and where the individual has been notified.
Generally, FPS may collect, use and/or disclose Personal Data for the following purposes:
- To provide customer services including responding to an individual’s queries and requests and responding to complaints;
FPS shall not, as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of his Personal Data beyond what is reasonable to provide the product or service to that individual. FPS shall also not obtain or attempt to obtain consent for collecting, using or disclosing Personal Data by providing false or misleading information with respect to the collection, use or disclosure of the Personal Data, or by using deceptive or misleading practices.
- How an individual is to be notified of FPS’s purposes
An individual must be informed of the purposes for the collection, use or disclosure of his Personal Data, on or before such Personal Data is collected. Such notification shall generally be in writing, and may be in the form as set out in Annex II.
Where the individual concerned is an employee of FPS, and if FPS is collecting, using or disclosing his Personal Data for the purpose of managing or terminating the employment, consent for such collection, use and disclosure is not required and mere notification would suffice. Such notification may be given by including a clause in his/her employment contract (in the form as set out in Annex I). All employees should be duly notified of the purposes for which their Personal Data may be collected, used or disclosed by FPS.
Notification is not required where (i) the individual is deemed to have consented to the collection, use or disclosure of his Personal Data under section 15 of the PDPA; or (ii) where the exceptions to the requirement for consent (as set out in the Second, Third and Fourth Schedules to the PDPA) apply. In particular, where an individual submits a form containing his/her Personal Data to FPS for the purposes of registering for seminars, programmes, courses or other events, he/she is deemed to have consented to the collection, use or disclosure of his/her Personal Data, and therefore FPS will not be required to notify him/her of the purposes for which such Personal Data will be used and/or disclosed.
- Change in purpose
FPS shall inform the individual and obtain his/her consent (unless consent is not required) where it wishes to use his/her Personal Data for a purpose of which it has not yet informed the individual or for which it has not yet obtained the individual’s consent. This may be done in the form as set out in Annex II.
Whenever collecting Personal Data, FPS’s employees shall ensure that the data collected is accurate and complete if it is likely to be used by FPS to make a decision that affects the individual to whom the Personal Data relates (for example, Personal Data of job applicants), or is likely to be disclosed to another organisation (for instance, other companies in the FPS group). To ensure the accuracy of Personal Data collected, the PDPO (as defined below) should, where appropriate and/or necessary:
(a) review collected data for obvious discrepancies from time to time,
(b) request an individual to update his/her Personal Data where such information is obviously outdated,
(c) request from an individual supporting documents,
(d) seek a declaration from the individual providing the Personal Data that the information provided is accurate and complete.
- Retention of Personal Data; Destruction of Personal Data no longer required
FPS shall destroy (such as by shredding physical documents and deleting electronic files of documents containing Personal Data) and cease to retain all documents containing Personal Data, and remove the means by which the Personal Data can be associated with an individual, as soon as it is reasonable to assume that such Personal Data is no longer required for the purpose for which it was collected and that its retention is no longer necessary for legal or business purposes. The same applies to Personal Data in respect of which consent for the intended collection, use and/or disclosure has been withdrawn. Generally, no Personal Data shall be retained for a period longer than seven years after the original purposes for which the Personal Data was collected have ceased to be applicable, unless otherwise required by law or by other mandatory directions of a court or government authority, or for purposes of legal proceedings or other similar proceedings or investigations.
- Personal Data Protection Officer
The following persons are appointed by FPS as its Personal Data Protection Officers (each a “PDPO”): […………]
- FPS’s PDPO
The contact details of FPS’s PDPO are as follows:
Email Address: Estelle.Malone@luther-lawfirm.com
Postal Address: FPS Management & Consulting Pte. Ltd.
4 Battery Road #25-01
Bank of China Building
Telephone Number: +65 6408 8000
- Duties of PDPO
The PDPO shall oversee the data protection responsibilities within FPS and ensure that FPS complies with the PDPA.
- Maintenance of Personal Data File
The PDPO shall be responsible for the digitalisation and/or filing of any collected Personal Data, notices and consents from individuals relating to the collection, use and disclosure of their Personal Data in a designated Personal Data File, together with (i.) the date of collection; (ii.) the period of maximum retention; and (iii.) information about how the Personal Data has been used. The PDPO should ensure that the Personal Data File is always up to date and should always be in a position to reply to inquiries of individuals about the use of their Personal Data during the last twelve months. The PDPO shall check once a year whether all digitalised and/or filed Personal Data has been filed as described.
- Security and Protection of Personal Data
The PDPO shall further ensure that the Personal Data in FPS’s possession or under its control is protected. FPS has in place security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. These include physical measures and technical measures such as the following:
- Restricting employee access to confidential documents on a need-to-know basis;
- Marking confidential documents clearly and prominently;
- Ensuring computer networks are secure;
- Installing appropriate computer security software and using suitable computer security settings;
- Updating computer security and IT equipment regularly.
Employees are also strongly encouraged to set passwords for their respective computer systems and to activate a self-locking mechanism for their computer screens if their computers are left unattended for a certain period of time.
In case of any complaint by any individual, or if the PDPO has been informed by anybody of a possible data breach, the PDPO must immediately look into the matter. Where a PDPO can confirm at least the suspicion of a data or PDPA breach, he/she must inform the Managing Director to discuss the necessary measures.
- Access to Personal Data
The PDPO shall, on written request of an individual, as soon as reasonably possible and in any case no later than 30 days from the date of the request, inform such individual about any of his/her Personal Data which FPS has collected, used and/or disclosed and that is in FPS’s possession or under its control. If the Personal Data has been transferred to a data intermediary processing the Personal Data under FPS’s control, FPS must also take into account the Personal Data which is in the possession of the data intermediary. Individuals are also entitled to be informed about the ways in which the Personal Data has been or may have been used or disclosed by FPS within twelve months before the date of the request. If access to the Personal Data cannot be provided by FPS within 30 days of the request, then the PDPO should inform the requesting individual within those 30 days of the time by which FPS will respond to the request.
Before informing an individual, the PDPO should verify the identity of the requesting individual. The identity of the individual may be verified through the following means:
(a) by him/her providing the PDPO with a photocopy of his/her IC or passport, or his/her IC or passport number; or
If the requesting individual is making a request on behalf of another individual, the PDPO should ensure that the requestor is legally authorised to act on behalf of that individual, such as by requesting for a written letter of authorisation signed by the individual whose Personal Data is concerned.
If any of the situations mentioned in the Fifth Schedule or in Section 21 (3) of the PDPA (an excerpt of which is reproduced in “Annex IV” attached hereto) applies, the PDPO shall inform the individual requesting the information that in accordance with the law, no information about any Personal Data will be provided. Where it is possible to provide the Personal Data without providing any of the aforementioned excluded information, the PDPO shall provide the requesting individual with such access to his/her Personal Data without the excluded personal data or information.
An individual should be informed by FPS in writing of the reasons for any rejection of access to the requested personal data or other requested information.
FPS shall not inform any individual that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual pursuant to paragraph 1(f) or (n) of the Fourth Schedule of the PDPA or under any other written law.
No fee shall be charged for an individual requesting access to his/her Personal Data.
A record in the Personal Data File shall be kept of all access requests received and processed, documenting clearly whether the requested access was provided or rejected.
- Correction of Personal Data
Upon written request of an individual, the PDPO should correct any error or omission concerning any Personal Data FPS holds about the individual as soon as practicable, unless there are reasonable grounds for the correction not to be made. The Sixth Schedule of the PDPA (an excerpt of which is provided in “Annex V”) provides for certain circumstances under which FPS need not correct Personal Data. The corrected data should also be sent to any third party to which the Personal Data was disclosed by FPS within the year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.
The written request needs to identify the individual making the correction request and state which Personal Data shall be corrected and how.
Before correcting an individual’s Personal Data, the PDPO should verify the identity of the requesting individual. The identity of the individual may be verified through the following means:
No fee shall be charged for an individual requesting correction to his/her Personal Data.
- Transfer of Personal Data
Personal Data may be transferred by FPS outside Singapore from time to time. However, it will not transfer Personal Data outside Singapore unless it is ensured that:
(i) the recipient complies with the obligations under the PDPA in respect of the transferred Personal Data while it remains in the possession or under the control of FPS; and
(ii) that the Personal Data will be accorded a level of protection which is comparable to the protection under the PDPA.
Therefore, no FPS employee may transfer Personal Data to a country or territory outside Singapore unless the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to that under the PDPA. In this regard, legally enforceable obligations include obligations imposed on the recipient under:
- A law to which the recipient is bound;
- Any contract which requires the recipient to provide to the Personal Data transferred to the recipient a standard of protection that is at least comparable to the protection under the PDPA, and specifies the countries and territories to which the Personal Data may be transferred under the contract;
- If the recipient is related to FPS: Any binding corporate rules according to which a comparable level of protection for any Personal Data transferred is ensured. The binding corporate rules must specify the following:
- the recipients of the transferred Personal Data to which the binding corporate rules apply;
- the countries and territories to which the Personal Data may be transferred under the binding corporate rules; and
- the rights and obligations provided by the binding corporate rules.
For example, legally enforceable obligations are ensured if Personal Data is transferred to a recipient in Germany, whose data protection laws afford a level of protection to personal data that is at least comparable to the standard of protection under the PDPA. If Personal Data is to be transferred by FPS to territories other than Germany, then FPS should take steps to ensure that the recipient is bound by legally enforceable obligations to provide the transferred personal data with at least a similar level of protection as under the PDPA.
Personal Data may also be transferred outside of Singapore, if
- FPS has obtained written consent from the affected individual, provided that:
- The individual has been provided with a reasonable summary in writing of the extent to which the Personal Data to be transferred to that country or territory will be protected to a standard comparable to the protection under the PDPA;
- The individual was not required to consent to the transfer as a condition of providing a product or service, except where the transfer is reasonably necessary to provide the product or service to the individual; and
- FPS did not obtain the individual’s consent through false or deceptive means;
- The transfer is part of the performance of a contract between FPS and the individual;
- The transfer is necessary for the conclusion or performance of a contract between FPS and a third party which is entered into at the individual’s request, or which a reasonable person would consider to be in the individual’s interest;
- The transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA (as set out in Annex III) and FPS has taken reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose; or
- The Personal Data is in transit or publicly available.
- Do-Not-Call List
In the event that FPS uses Personal Data for marketing purposes, it should first obtain the clear and unambiguous consent of the individual concerned before sending any marketing messages (which include calls as well as text messages) to a Singapore telephone number. In the absence of such consent, FPS should check and ensure that the telephone number is not on a Do-Not-Call register maintained by the Personal Data Protection Commission (“DNC Register”).
- Data Protection Breaches
Any discovered or suspected breach of Personal Data must immediately be brought to the attention of the PDPO and the Managing Director.
- Consequence of Non-Compliance
All employees of FPS must ensure compliance with this Policy. Any breach thereof may lead to disciplinary actions, including summary dismissal.
“Data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation.
We have provided a few examples of the security measures that may be taken to protect personal data. Please consider whether these are appropriate, and insert further measures that may be adopted.