What type of information is not covered under the PDPA regulations?

1) Overview

1.1) Purpose

The purpose of this policy is to set out New POS Network(S) Pte Ltd’s (“the Company”) procedures on protection of personal data of individuals in the Company’s custody. It contains important information about how and why the Company collects, uses and discloses personal data of individuals. This policy takes into consideration the Personal Data Protection Act 2012 (“PDPA”) and all applicable PDPA advisory guidelines.

2) Personal Data Protection Act 2012

2.1) The PDPA establishes a data protection law in Singapore that comprises various rules governing the collection, use, disclosure, access to, correction and care of individuals’ personal data by organisations. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable

2.2) The PDPA contains 2 main sets of provisions, covering data protection (effective 2 July 2014) and a Do Not Call (“DNC”) Registry (effective 2 January 2014).

2.3) The DNC provisions generally prohibit organisations from sending certain marketing messages (in the form of voice calls, text or fax messages) to individuals with Singapore telephone numbers registered with the DNC

2.4) The Company intends to comply with all applicable provisions covering data protection by implementing certain procedures as set out

3) Definitions

3.1) Personal Data

Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access to.

This includes unique identifiers (e.g. NRIC number, passport number, fingerprint); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc) which when taken together would be able to identify the individual.

3.2) Data Protection Officer

Data Protection Officer (“DPO”) means an individual designated by the organisation under Section 11(3) of the Personal Data Protection Act 2012 (“Act”) who is responsible for ensuring that the organisation complies with this Act or an individual to whom the responsibility of the data protection officer has been delegated under section 11(4) of the Act.

4) The Company’s Personal Data Inventory

4.1) The Company has the following personal data in its custody:

Employees

The Company collects personal data of its employees including but not limited to name, address, telephone numbers, e-mail address, NRIC number, passport number, FIN (Foreign Identification Number), date and place of birth, nationality, gender, resume, education background, employment history, etc. in connection with the employees’ employment or job applications with the Company.

Customer

a. Individuals

The Company has in custody personal data of individuals who:

(i) have made online purchases via any of the platforms operated by the Company; and/or

(ii) have consented to companies (“Transferring Companies”) to send them marketing messages. Such Transferring Companies then contract with the Company as an outsourced service provider to send marketing messages to such individuals.

Such personal data includes but is not limited to name, address, mobile and telephone numbers, e-mail address, NRIC number, passport number, FIN (Foreign Identification Number), date and place of birth, nationality, gender, education background, etc.

For the avoidance of doubt, PDPA requirements do not apply to corporate entities and hence they are not in scope of this policy.

b. Copies of identity papers of directors and/or authorised signatories of our corporate clients

The Company is required to comply with all applicable anti-money laundering and countering financing of terrorism (“AML/CFT”) laws, rules and regulations. Under the Company’s AML/CFT Policy, we are required to collect KYC documents relating to our corporate customers. Such KYC documents may include copies of identity papers such as NRICs or passports of directors and/or authorised signatories of our corporate customers. For the purpose of meeting the AML/CFT requirements, the Company will collect, use and disclose such information without the corporate customers’ consent as allowed by the regulations.

4.2) It is important to note that the PDPA does not apply to business contact information. Business contact information refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by him or her solely for his or her personal purposes.

For the avoidance of doubt, the Company is not required to obtain consent before collecting, using or disclosing any business contact information or comply with any other obligations in the Data Protection Provisions in relation to business contact information.

5) Collection of Personal Data 

5.1) Generally, the Company collects personal data from the following sources:

Employees

The personal data that we collect and process on our employees is sourced from:

(a) information provided by employees and/or relevant third parties in the course of a potential employee applying for a position with us; and

(b) information provided by employees, relevant third party information sources, or information otherwise generated upon a potential employee being hired and in the course of employment with – 

Customers

The Company collects customers’ personal data from the following sources:

  • Personal data provided by the customers:

(a) through customers’ relationship with us, for example information provided in application forms, survey and feedback forms and/or agreements entered into with us, when using our products or services;

(b) through verbal and written communications with us;

(c) from an analysis of the customers’ transactions and from the payments which are made; and/or

(d) through the Company’s mailbox.

  • Personal data from third party sources connected with customers:

(a) from any relevant third parties connected with the customers; and/or

(b) from any other sources which the customer has consented to as provided for in our terms and conditions and/or application form or where lawfully permitted

5.2) Unless permitted under the PDPA or any other laws, regulations and guidelines, the Company shall not collect personal data without the consent of the individual

6) Purposes for the Collection, Use and Disclosure of Personal Data

6.1) Generally, the Company collects, uses and discloses personal data for the purposes described below.

Employees

The Company may collect, process and use, and retain employees’ (including potential employees) personal data for our legitimate activities, including but not limited to:

  • assessing employee’s suitability for the job;
  • verifying employee’s information and conducting reference checks;
  • conducting background checks if the employee is offered a job;
  • general administrative and record keeping purposes;
  • headcount and payroll planning;
  • workforce development, training and certification;
  • performance management;
  • approving and monitoring employee benefits and entitlements;
  • posting employee’s photograph on the intranet and email directory;
  • maintaining emergency contact details;
  • audit, risk management and security and/or compliance purposes;
  • internal investigations and legal proceedings;
  • purposes as required by regulators; and/ or
  • other purposes as may be required by any laws, regulations and

Customers

The Company may collect, use and disclose customers’ personal data for one or more of the following purposes:

  • to confirm and verify the customer’s identity;
  • to assess application(s) /inquiry(ies) for our products and services;
  • to process the customer’s transaction in relation to his/her investment(s) in any of our products and services;
  • to manage our business and the customer’s relationship with us;
  • to notify customers about benefits and changes to the features of products and services;
  • to respond to customers’ enquiries and complaints and generally to resolve disputes;
  • to update, consolidate and improve the accuracy of our records;
  • to produce data, reports and statistics which have been anonymised or aggregated in a manner that does not identify the customer as an individual;
  • to conduct research for analytical and/or statistical assessments;
  • to facilitate audit, risk management and/or compliance;
  • to assess financial and insurance risks;
  • to conduct AML/ CFT checks for risk detection and prevention; and/or
  • to provide to relevant regulatory authorities and for any other purpose that is required or permitted by any laws, regulations and

6.2) Further, the Company may rely on the Legitimate Interests exception to collect, use and disclose personal data without consent for purposes of prevention of misuse of services, for evaluative purposes, for any investigation or proceedings, for recovery or payment of debt owed, detecting or preventing illegal activities (e.g. fraud, money laundering) or threats to physical safety and security, IT and network security and carrying out other necessary corporate due diligence. “Legitimate interests” generally refer to any lawful interests of an organisation or other person (including other organisations).

6.3) The Company may continue to use personal data about an individual collected before 2 July 2014, the effective date of the data protection provisions of the PDPA, for the purposes for which the personal data was collected unless the employee or the customer has withdrawn

6.4) The Company may disclose personal data for the purposes indicated above to our employees, third parties, service providers, advisors, related entities, which includes, without limitation, the following persons or entities:

Employees

To the extent necessary, the Company may disclose employees’ personal data to a limited number of the Company’s employees whose job necessitates that they maintain, compile or otherwise have access to employees’ personal data. The Company may also disclose employees’ personal data to third parties that the Company deals with for the purpose of providing our products and services to our customers and generally operating our business.

Customers

The Company may disclose customers’ personal data (to the extent necessary) to the following third parties:

  • companies and/or organisations that act as our agents and/or professional advisers;
  • companies and/or organisations that assist us in processing and/or otherwise fulfilling transactions that the customer has requested;
  • any person notified by the customer as authorised to give instructions on his/ her behalf;
  • any competent authority(ies) and/or regulator(s),

subject at all times to any laws (including regulations, guidelines and/or obligations) applicable to the Company.

6.5) Unless permitted under the PDPA or any other laws, regulations and guidelines, the Company shall not use or disclose the personal data for any other purpose, without first identifying and documenting the other purpose and obtaining the consent of the affected employee or customer.

7.1) Employees or customers are able to withdraw their consent to the Company’s continued use and disclosure of personal data as described in this Policy at any time. Such withdrawal should be made formally in writing to the Data Protection Officer (“DPO”) of the Company.

7.2) If consent is withdrawn by an employee, the Company may need to discontinue his/her employment with the company. If consent is withdrawn by a customer, the Company may no longer be able to provide the requested products or services and our relationship with the customer may have to be

8) Protection of Personal Data

8.1) The Company places great importance on ensuring the security of the personal data in our custody against risks of unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction. The Company has implemented security measures which include computer safeguards and password-protected files to enhance the security of such personal data. In addition, all employees’ hardcopy personal files are maintained by the HR Department under lock and key. The Company will regularly review and implement appropriate security measures when processing and retaining personal data.

8.2) Employees of the Company are required to handle personal data securely and with strict confidentiality, failing which they may be subject to disciplinary action.

8.3) Further, the Company will impose compliance with data confidentiality requirements on our agents, third party service providers, consultants and professional advisors in our working relationships and/ or agreements with these

9) Access to Personal Data

9.1) A customer may make a request to access his/her personal data which is in the Company’s possession or control. The customer must complete a data access and correction request (“DAR”) form (refer to Appendix A), provide all necessary documents and make the requisite service fee payment, where relevant, as prescribed in the DAR form. The Company aims to revert within 30 days from the receipt of the DAR form. If the Company is unable to comply with the DAR requirements within the said timeframe, the Company will inform the customer of the extended timeframe by which the response will be provided in relation to the request.

9.2) To the extent required by PDPA, upon request by a customer, the Company shall provide information relating to how the customer’s personal data has been or may have been used or disclosed within a year before the date of such request. The Company may also provide a standard list of possible third parties as part of its response to all access requests for information relating to the disclosure of personal data during such

9.3) Employees who wish to access their personal data should contact the HR Department. Potential employees who were subsequently not employed by the Company or former employees of the Company should complete the DAR form as mentioned

9.4) The Company may not be able to provide access to all of the personal data that it holds about an individual. For example, the Company may not provide access to personal data if such provision could reveal personal data about another individual, if such information is subject to legal privilege or if provision will be contrary to national interest or where such refusal is permitted under the PDPA. If access to personal data cannot be provided, the reasons for denying access will be provided to the customer within 30 days of receipt of the DAR form, subject to any legal or regulatory constraints.

10) Accuracy and Correction of Personal Data

10.1) A customer may make a request to correct or update his/her personal data which is in the Company’s possession or control. The customer must complete a data access and correction request form (refer to Appendix A) and provide all necessary documents or information as prescribed in the said form. The Company will correct or update his/her personal data found to be inaccurate or incomplete as soon as practicable. Any unresolved differences as to accuracy or completeness of his/her personal data shall be noted in the customer’s records.

10.2) Employees who wish to correct or update their personal data should contact the HR Department. Potential employees who were subsequently not employed by the Company or former employees of the Company should complete the said form as mentioned

10.3) The Company may refuse to correct or update personal data as requested in the said form in certain instances, for example where the Company is unable to confirm the customer’s identity or where such refusal is permitted under the PDPA. If the Company denies a customer’s correction request, the Company will inform the customer of the reason for the refusal within 30 days of receipt of the said form, subject to any legal or regulatory

11) Offences and Penalties

11.1) An organisation or person commits an offence if the organisation or person —

(a) with an intent to evade a request under section 21 or 22, disposes of, alters, falsifies, conceals or destroys, or directs another person to dispose of, alter, falsify, conceal or destroy, a record containing:-

(i) personal data; or

(ii) information about the collection, use or disclosure of personal data;

(b) obstructs or impedes the Commission* or an authorised officer in the exercise of their powers or performance of their duties under this Act; or

(c) knowingly or recklessly makes a false statement to the Commission*, or knowingly misleads or attempts to mislead the Commission*, in the course of the performance of the duties or powers of the Commission* under this

* Personal Data Protection Commission

11.2) An organisation or person that commits an offence under section 1 (a) above is liable:-

(a) in the case of an individual, to a fine not exceeding $5,000; and

(b) in any other case, to a fine not exceeding $50,000.

An organisation or person that commits an offence under Chapter 11.1 (b) or (c) is liable:-

(a) in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and

(b) in any other case, to a fine not exceeding $100,000.

11.3) Where an offence under this Act committed by a body corporate^ is proved:-

(a) to have been committed with the consent or connivance of an officer#; or

(b) to be attributable to any neglect on his part, the officer as well as the body corporate^ shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

Where the affairs of a body corporate^ are managed by its members, section 11.3 (a) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate^.

^ includes a limited liability partnership

# in relation to a body corporate, means any director, partner, member of the committee of management, chief executive, manager, secretary or other similar officer of the body corporate and includes any person purporting to act in any such capacity;

the officer or member shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

11.4) Any act done or conduct engaged in by a person in the course of his employment (“the Employee”) shall be treated for the purposes of this Act as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or

In any proceedings for an offence under this Act brought against any person in respect of an act or conduct alleged to have been done or engaged in, as the case may be, by an Employee of that person, it is a defence for that person to prove that he took such steps as were practicable to prevent the Employee from doing the act or engaging in the conduct, or from doing or engaging in, in the course of his employment, acts or conduct, as the case may be, of that description.

12) Retention of Personal Data

12.1) The Company will retain employees and/or customers’ personal data as set out below:

  • for the duration of the employee and/or customers’ relationship with us;
  • for such period as may be necessary to protect the Company’s interests and/or our customers or employees;
  • where otherwise required by laws, regulations and guidelines; and/or
  • where required by the Company in order for us to perform our duties in the discharge of our duties and obligations.

13) Data Protection Officer

13.1) Please refer to Appendix B for the appointed Data Protection Officer of the Company. Business contact information of the Data Protection Officers will be available on the Company’s website. Under the PDPA, the Data Protection Officer is responsible for facilitating the Company’s compliance with the PDPA. For the avoidance of doubt, primary responsibility for compliance with the PDPA remains with the Company.

14) Complaints Procedures

14.1) If a customer or an employee of the Company has reason to believe that his/her personal data has been misused by the Company, the customer or the employee is advised to lodge a complaint with the Data Protection Officer of the Company who will handle the complaints.

Appendices

Appendix A – Data access and correction request form

What is covered under PDPA?

The PDPA covers all electronic and non-electronic personal data, regardless of whether the personal data is true or false. You, too, have a responsibility to protect your own personal data. By being careful in managing your personal data, you can reduce the risks of misuse of your personal data.

What are the exceptions of the PDPA?

There are three categories of consent exceptions under the PDPA which include: (1) exemptions for collections of normal personal data; (2) exemptions for the collection of personal data from sources other than the Data Subjects; and (3) exemptions for collections of sensitive personal data.

What are the 9 PDPA obligations?

The 9 Obligations of the PDPA are: Access and Correction Obligation. Accuracy Obligation. Protection Obligation. Retention Limitation Obligation.

Does PDPA cover photos?

Photos in public places: The PDPA provides an exception for collection, use and disclosure of personal data that is publicly available. So when an individual appears at an event or location open to the public, taking the individual's photograph is collection of personal data that is publicly available.