Pdpa Agreement Singapore

Organizations typically rely on robust data transfer agreements and binding corporate rules, as well as the active enforcement of the terms of these documents, to ensure compliance with applicable transfer restrictions. On May 22, 2019, the CPDP published a Guide to Active Enforcement, explaining the new approach of the CPDP in the exercise of its enforcement powers. In particular, the Guide introduces two other enforcement options – commitments and expedited decisions – that can be pursued instead of an in-depth investigation. The organizational process includes a written agreement between the organization concerned and the CPDP, in which the organization voluntarily commits to remedying violations and taking steps to prevent their recurrence. A company may be available if it achieves a similar or better enforcement outcome for the CPDP, or if the organization can demonstrate that it has responsible privacy practices, such as DPTM certification, and that it has an effective recovery plan that it is ready to implement. With respect to the latter, the DPDP may consider an expedited decision if the organization concerned admits in advance its responsibility for its role in the cause of the breach.

Due to the inherent uncertainty about the scope of this exception, it is common for employers to include appropriate clauses in their privacy policies, employment manual, or employment contracts in order to obtain explicit consent from their employees before they begin monitoring employees or using video surveillance. It is also not uncommon for organizations to display visible signs at the entrance to their premises to warn visitors that the premises are monitored by video surveillance. These signs should state the purpose of the video surveillance. There is no strict requirement for an agreement between the organization and the data intermediary under the PDPA.

However, it should be noted that the designation of a data intermediary for the processing of personal data does not release the organisation from its obligations and responsibilities under the PDPA, since it is assumed that the organisation "has the same obligation under [the PDPA] with regard to personal data processed on its behalf and for its purposes by a data intermediary, as if the personal data were processed by the organisation itself". Improvement of the company. If the purpose of such use is to improve or develop goods or services provided, or operational methods or processes, to know the behaviour of the person and his preferences with regard to the goods or services provided, to identify goods and services that may be suitable for the person or another person, or to personalize such goods and services. Those purposes must also be those which a reasonable person considers appropriate in the circumstances and which cannot be achieved without the use of personal data. In addition, for intra-group sharing of personal data, affiliates must also be required by contracts or other binding corporate agreements or rules to implement and maintain adequate safeguards for personal data. Improving "business" or "services" has been recognised as lawful processing of "legitimate interest" in certain circumstances, including under the GDPR.

8.2 If it is necessary to conclude an agreement, what are the formalities of this agreement (e.g. in writing, signed, etc.) and what issues should it deal with (e.g. only the processing of personal data in accordance with the relevant instructions, the security of personal data, etc.)? If it is intended that personal data will be transferred abroad, the agreement may contain assurances to ensure that personal data is protected according to a standard comparable to the PDPA, as well as other policies and practices (for example, assurances of compliance with relevant industry standards/certifications). See Transfer Restriction Obligation in section 11 below. Nevertheless, the DPDP is empowered to enter into a cooperation agreement with a foreign data protection authority on data protection issues such as cross-border cooperation. In particular, according to Article 10 of the PDPA, cooperation agreements may be concluded for the following purposes:

8.1 If a company hires a processor to process personal data on its behalf, does the company have to enter into any form of agreement with that processor? Since relations between employers and unions are largely subject to the provisions of the collective agreement, the need to notify or consult the union about video surveillance and employee surveillance depends on the terms of the collective agreement.

There are generally no legal requirements under Singapore law that require informing or consulting works councils/unions/employee representatives. The DPDP may also provide information to a foreign data protection authority in accordance with a cooperation agreement, provided that certain prescribed conditions are met. Since the organization remains responsible for compliance with the PDPA, regardless of whether a data intermediary processes personal data on its behalf, it may be desirable for the organization to impose specific obligations on its data intermediary through a written agreement, including restrictions on what the data intermediary can do with the disclosed personal data, sufficient security measures to protect the disclosed personal data, and the introduction of audits, inspections or other types of random checks to verify that the data intermediary complies with the PDPA.

By performing your obligations under this Agreement, you may have access to personal information about school staff, students, parents and/or other contacts. You must (and must ensure that your employees, agents and contractors) keep all such information secure and protected from improper disclosure or use as described in this Agreement. Definitions:

Last year (2019), the CPDP issued more than 50 enforcement decisions, the vast majority of which concerned breaches of the obligation to protect. With respect to these cases, the CPDP issued a warning or direction requiring the offending organization to take corrective action and pay fines.

15.4 What are the maximum penalties for data breaches? As regards the timing, data subjects whose data have been compromised should be informed as soon as possible.

The PDPAA expands the investigative powers of the CPDP to compel the attendance of the persons concerned and the production of documents in the custody or control of the person. Individuals can be fined up to S$10,000 or up to 12 months in prison, or both, while organizations can be fined up to S$100,000 for providing false or misleading statements or information to the CPDP.