Data Protection Policy
This Data Protection Policy (“Policy”) sets out the basis which VCLOUDX SINGAPORE PTE. LTD. (“we”, “us”, or “our”) may collect, use, disclose or otherwise process personal data of our customers and other individuals in accordance with the Personal Data Protection Act (“PDPA”). This Policy applies to personal data in our possession or under our control, including without limitation, personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes.
Note: This policy applies to all companies, including dormant ones. While some provisions may not currently be relevant to dormant companies, we have included them for your reference in case your company becomes active in the future. Understanding the importance of data protection is vital for every organization, regardless of its operational status. Even if your company is currently inactive, it is essential to remain informed about data protection practices and regulations. This knowledge will not only prepare you for potential future activities but also ensure that you are compliant with legal obligations should you decide to resume operations.
Definitions
- As used in this Policy:
“customer” means any individual person who has either (a) contacted us through any means regarding goods/services that we may provide, or (b) may or has actually entered into a contractual relationship with us, for the provision of goods/services or otherwise; and
“personal data” means data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access.
Here are some types of personal data that we may collect:
- name
- address
- email address
- phone number
- age
- date of birth
- gender
- marital status
- photographs
- video recordings
- nationality
- passport/identity card copies
- employment information
- cookies/IP addresses
- other background information such as income data, financial records, tax records
- Other terms used in this Policy shall have the meanings given to them in the PDPA.
1. Accountability
- 1.1 Appointment of Data Protection Officer (DPO)
- We will appoint either a member of senior management or an outsourced data protection service provider as the data protection officer (“DPO”), responsible for overseeing compliance with the PDPA and acting as the main point of contact for all data protection matters.
- All employees must report data protection-related requests to the DPO immediately. The DPO manages data breaches, conducts training sessions, and performs annual audits to ensure compliance with data protection obligations.
- 1.2 Internal Policies and Measures
1.2.1. Administrative Measures
- All employees and contractors must sign confidentiality agreements. Annual training sessions are conducted to ensure that all staff members understand their responsibilities regarding data protection and stay updated on legal obligations and internal policies.
- A personal data inventory map is maintained and regularly updated. It tracks what personal data is collected, the purposes for collection, methods, storage locations, and disclosure channels.
- Disciplinary actions are taken against employees who breach data protection policies.
1.2.2. Physical Measures
- Personal data stored in physical form is kept in locked cabinets accessible only to authorized personnel.
- Access to the office premises is restricted, and only authorized personnel can enter secured areas. Visitors are limited to designated areas and must be accompanied by staff at all times.
- CCTV surveillance is conducted for security purposes, with clear notices displayed on our premises to ensure awareness. These notices need not reveal the exact location of the CCTVs.
-
1.2.3. Electronic Measures
- Information systems are protected with strong passwords, encryption, and secure network protocols to prevent unauthorized access.
- Access to sensitive data is restricted based on user roles, and data segmentation is implemented to limit access to authorized personnel only.
- Regular cybersecurity audits and software updates are conducted to ensure that systems remain secure and free from vulnerabilities.
- 1.3 Third-Party Management
1.3.1. Contractual Obligations
- All contracts with third-party service providers will, where feasible, include confidentiality clauses ensuring that they handle personal data according to our standards, particularly regarding data protection and retention, unless there are exceptions that we can rely upon under the law.
1.3.2. Data Intermediaries
- Data intermediaries, such as IT service providers, agents, and professional advisers, are required to adhere to similar or higher data protection standards. We ensure this, for example, through contractual agreements or other suitable means of vetting. The DPO conducts regular audits of these third parties.
1.3.1. Contractual Obligations
- 1.4. Annual Review and Remediation
1.4.1. Annual Review
- At the end of each financial year, the DPO conducts a comprehensive review of all data protection practices, including verifying compliance with the PDPA, data classification, and security measures.
- The review includes assessing the effectiveness of existing policies and identifying areas for improvement or updates based on changes in legal requirements or business operations.
1.4.2. Breach Response
- If a data breach occurs, the DPO must notify management within one business day and initiate an investigation within three business days. A detailed breach report is prepared, and corrective actions are implemented to mitigate the breach. Disciplinary measures may be taken against responsible employees if necessary. Affected individuals and the relevant authorities are notified promptly if the breach meets the reporting threshold, unless there are exceptions that we can rely upon under the law.
2. Notification
- 2.1. Notification to Individuals
2.1.1. General Notification
- Before collecting personal data, individuals are informed of the purpose of collection or how the data will be used, and any potential disclosures, unless there are exceptions that we can rely upon under the law. Individuals are provided with clear and concise information about the company's data protection policies at the point of collection, ensuring transparency and informed consent.
- Some examples of the purposes for collection or use of personal data are as follows:
- performing obligations in connection with our provision of the goods and/or services requested by you;
- administering your relationship with us;
- verifying your identity;
- responding to queries, feedback and/or complaints;
- processing payment;
- complying with any applicable laws;
- assisting with investigations conducted by any regulatory or law enforcement agency;
- any purpose for which you have provided us personal data;
- any other incidental business purposes related to or in connection with the above; and
- transmitting data to third parties (e.g. third party service providers, contractors, agents) whether in Singapore or elsewhere, for any of the abovementioned purposes.
- The purposes listed above may continue to apply for a reasonable period after an individual's relationship with us has been terminated (e.g. for a period that enables us to enforce our rights under a contract with the individual).
2.1.2. Disclosure
- We generally do not disclose personal data without first obtaining an individual's consent. Disclosure will then be only for the specific purpose that the individual has been informed about (subject to any exemptions under the law).
- Notwithstanding the abovementioned, we may however disclose an individual's personal data:
- where such disclosure is required for performing obligations in the course of or in connection with our provision of the goods and services requested by the individual; or
- to third party service providers, contractors, agents and other parties we have engaged to perform any of the functions in connection with the above mentioned purposes.
Furthermore, we may disclose an individual's personal data:
- to our group/related/affiliated companies;
- companies providing services pertaining to insurance and/or reinsurance to us, and associations of insurance companies;
- our agents, contractors or third party service providers (e.g. telecommunications, business process outsourcing, mail processing, email support, call centres, IT support, data processing, payment assistance, payroll processing, training, market research, storage);
- professional advisers (e.g. our legal advisers, auditors, bankers); and
- the authorities (e.g. regulators, law enforcement agencies).
2.1.3. Updates on Data Protection Policies
- Changes to data protection policies are communicated through legal documentation, the company website, and direct communication with affected individuals. Updates are also provided via letters and email notifications.
2.1.4. Granular Consent Management
- Before collecting certain types of personal data, we will provide individuals with detailed options to specify their consent for different types of data processing activities. For example, customers can separately consent to:
- Receiving marketing communications via email or SMS.
- Sharing data with third-party vendors for personalized advertising.
- Consent for each such specific activity will be tracked and managed through our data consent system. Consent can be withdrawn for any individual activity at any time.
2.1.5. Express Consent for Sensitive Data
- In circumstances where personal data collected includes sensitive information, such as health data, financial records, racial or ethnic origin, or religious beliefs, we will obtain express written consent from the individual before processing such data.
- We will also provide a clear explanation regarding the use of this sensitive data, and the security measures implemented to protect it. Any use of such data beyond its original purpose will require renewed consent from the individual.
- 2.2. Access to DPO
2.2.1. Contact Information
- The DPO's business contact information (email address and phone number) is made publicly available on the company website, in company documentation or on the Singapore company registrar's filing system, enabling individuals to reach out with data protection queries or complaints.
- 2.3. Automated Monitoring and Surveillance
2.3.1. Notification of Monitoring
- Individuals are informed if any form of automated monitoring is in place, such as call recordings for training or security purposes, monitoring of internet use, or closed circuit television camera (CCTV) surveillance on premises.
2.3.2. Awareness Measures
- Prominent notifications are displayed to notify persons of CCTV surveillance to ensure awareness of monitoring activities. Automated or manual phone messages inform callers that their calls may be recorded and the purpose of such recording.
2.3.3. Cookies and Tracking Technology
- The company uses cookies and other tracking technologies on its website to enhance user experience and perform analytics. Users are notified through a banner and provided with the option to manage their cookie preferences. Consent is required for the use of non-essential cookies, such as those used for targeted advertising.
2.3.4. Automated Decision-Making and Profiling
- In certain instances, we may process personal data for the purpose of automated decision-making, including profiling (e.g. decisions related to loan assessments, credit scoring, or targeted marketing). Where such decisions have significant effects on individuals, the company will ensure that individuals are informed of the use of automated decision-making and profiling. Furthermore, individuals will be given the right to:
- Request additional information on how the decision was made
- Seek human intervention in the decision-making process
- Object to the profiling or automated decisions where these impact their rights or interests
3. Consent
- 3.1. General Requirement for Informed Consent
3.1.1. Obtaining Consent
- We obtain consent from individuals before collecting, using, or disclosing their personal data. Consent is obtained through clear and specific means, such as written forms, electronic agreements, or explicit verbal confirmation.
3.1.2. Consent for Third-Party Data
- When clients provide third-party personal data (e.g., data about family members or business associates), they must ensure that consent has been obtained from the individuals involved, unless there are exceptions that we can rely upon under the law.
3.1.3. Marketing Communications
- Opt-Out Mechanism: We provide clear options for individuals to opt out of marketing communications at any time.
- Third-Party Data Sharing: We disclose if personal data will be shared with third-party vendors for marketing purposes, and obtain the customer's consent for this purpose.
3.1.4. Consent for Call Recording
- We inform customers that their calls may be recorded for quality assurance or training purposes, obtaining consent in advance.
- 3.2. Deemed Consent
3.2.1. Voluntary Provision of Data
- Individuals are deemed to have consented when they voluntarily provide their data for specific purposes, such as submitting a job application or engaging in preliminary discussions for services.
3.2.2. Consent via Third Parties
- Deemed consent also applies when data is shared by a third party under lawful circumstances, such as client referrals or introductions by other business entities.
3.2.3. Usage of Personal Data in situations of deemed consent
- In situations of deemed consent, we may collect or use personal data, or disclose existing personal data, for any reasonable purposes, even if they differ from the primary purpose for which it was originally collected pursuant to our earlier notifications. In situations of deemed consent, we may, where feasible, provide the client a reasonable period to opt out.
3.2.4. Sharing of information between group/related/affiliated entities
- We will inform clients about the structure of our group companies and the manner in which we may share information between group/related/affiliated companies.
- 3.3. Exemptions to Consent Requirement
3.3.1. Publicly Available Data
- Consent is not required for the use of publicly available data, such as information from public directories, unless the data was obtained unlawfully or the individual has expressly stated that they do not wish their data to be used.
3.3.2. Situations of Interest
- Personal data can be collected, used, or disclosed without consent in situations clearly in the individual's interest, such as emergencies or compliance with legal obligations, unless there are exceptions that we can rely upon under the law. Generally, these situations arise where consent cannot be obtained in a timely manner or the individual would not reasonably be expected to withhold consent.
3.3.3. Evaluative purposes
- Evaluative purposes means:
  - for the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates:
    - for employment or appointment to office;
    - for promotion in employment or office or for continuance in employment or office;
    - for removal from employment or office; or
    - for the awarding of contracts, awards or other similar benefits; or
  - for the purpose of determining whether any contract, award or other similar benefit should be continued, modified or cancelled.
3.3.4. Investigations or legal proceedings
- These circumstances arise when such data collection, use and/or disclosure is necessary for any investigation or proceedings, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data.
3.3.5. Public agencies
- When the disclosure is to a public agency and such disclosure is necessary in the public interest.
3.3.6. AML/CFT
- In relation to clients, prospective clients and any other relevant persons (such as their representatives or connected persons), for the purposes of complying with our anti-money-laundering and countering-the-financing-of-terrorism ("AML/CFT") obligations, such as in the course of performing client due diligence, we may, directly or indirectly, collect, use and disclose personal data without the respective individual's consent.
3.3.7. Employees (current or prospective)
- In relation to current or prospective employees, we are exempted from the obligation to obtain consent where: (a) the personal data is included in a document produced in the course, and for the purposes, of the individual's employment, business or profession, and is collected for purposes consistent with the purposes for which the document was produced; or (b) the personal data is collected by us and the collection is reasonable for the purpose of managing or terminating our employment relationship with the individual.
4. Purpose Limitation
- 4.1. Specific and Legitimate Purposes
4.1.1. Purpose of Collection
- Personal data is collected only for specific, legitimate purposes that are communicated to the individuals. If the data needs to be used for a different purpose, additional consent is obtained unless there are exceptions that we can rely upon under the law.
4.1.2. Employee Data Handling
- The company collects and processes employee personal data for purposes such as payroll, performance management, and benefits administration. Employees are informed about the data collected and its use.
4.1.3. Parental Consent for Minors
- We will obtain explicit parental consent before collecting personal data from minors under the age of 18.
4.1.4. Purpose of collection of Information Unique to Our Industry
- We specialize in communication solutions that empower our customers to integrate video, voice, SMS, RCS, WhatsApp, and other communication capabilities into their products. As part of our operations, we may collect personal data to streamline services, enhance user experiences, and ensure operational efficiency.
- The purposes for collecting, using, or disclosing personal data include:
- Facilitating platform access and ensuring seamless account management.
- Supporting subscription and billing processes.
- Communicating service updates and technical support to users.
- Enabling compliance with regulatory standards.
- Types of Personal Data Collected:
- Identity Data: Name, job title, organization (for customer accounts).
- Contact Data: Email address, phone number, and company address (for invoicing).
- Usage Data: Interaction patterns, session logs, and login activities for system usage.
- Technical Data: Device information, browser type, cookies, and IP addresses (used for troubleshooting and optimization).
- Usage and Sharing of Collected Data:
- Communicate with customers, including sending service updates or OTPs for account validation.
- Manage and fulfill customer requests such as subscriptions or technical support inquiries.
- Administer contracts, invoicing, and billing.
- Support platform enhancements through user behavior analytics and interaction feedback.
- Third-Party Sharing of Personal Data:
- Customer Support Platforms: To manage inquiries, troubleshoot technical issues, and support user accounts.
- Cloud and IT Service Providers: For secure storage, data encryption, and platform functionality support.
- Payment Processors: To process subscriptions and billing transactions securely.
- Compliance and Regulatory Bodies: To ensure adherence to legal and regulatory requirements.
- 4.2. Prohibited Activities
4.2.1. Unsolicited Marketing
- We generally do not engage in unsolicited marketing activities, such as cold calling, email spamming, or mass text messaging, unless the individual has consented or there are exceptions that we can rely upon under the law. We will at all times ensure we specifically comply with all laws pertaining to do-not-call (DNC) registers.
- 4.3. Business Contact Information
4.3.1. Usage of Business Information
- Business contact information, such as names, job titles, and business email addresses, is not subject to data protection rules and can be used freely for business purposes, such as client communications.
- 4.4. Legitimate Interests Exception
4.4.1. Legitimate interests exception explained
- In line with the legitimate interests exception, we will collect, use or disclose personal data for the following purposes:
- Fraud detection and prevention;
- Detection and prevention of misuse of services;
- Network analysis to prevent fraud and financial crime, and perform credit analysis; and
- Collection and use of personal data on company-issued devices to prevent data loss.
5. Protection Obligation
- 5.1. Security Measures
5.1.1. Administrative Measures
- Employees are required to sign confidentiality agreements and adhere to strict policies regarding data access and usage. Annual training sessions are conducted to reinforce data protection awareness and understanding of the company's policies and legal obligations.
- We minimise collection of personal data as much as possible.
5.1.2. Physical Measures
- Personal data stored physically is secured in locked cabinets accessible only to authorized personnel. Access to sensitive areas is restricted to authorized employees, and all visitors are logged and accompanied at all times.
5.1.3. Technical Measures
- Information systems are protected by strong passwords, encryption, and secure network protocols. Sensitive data is segmented and access is limited to authorized users based on roles. Regular antivirus and anti-phishing software updates are performed to prevent unauthorized access and ensure system integrity. Where necessary, we will employ data anonymisation techniques.
5.1.4. General disclaimer to data subjects
- Individuals are made aware, however, that no method of transmission over the internet or otherwise, or method of electronic storage is completely secure.
- Whilst data security cannot be guaranteed, we strive to protect the security of data and are constantly reviewing and enhancing our information security measures.
- 5.2. Data Intermediaries
5.2.1. Handling by Third Parties
- Third-party service providers who handle personal data on our behalf are required to adhere to data protection standards equivalent to ours. This may be ensured by way of contracts of engagement, or we may assess the suitability of third parties based on other generally accepted industry practices.
5.2.2. Encryption Standards for Data Transfers
- We ensure that when personal data is transferred to third parties, especially across borders, it is encrypted in accordance with AES-256 encryption standards. This encryption applies both to data at rest and during transmission. Third-party vendors involved in such transfers are required to implement encryption and security protocols equivalent to acceptable industry standards.
- Where personal data is transferred to jurisdictions with lower data protection standards, we will take additional measures, such as encryption, anonymization, or contractual clauses, to ensure data security.
5.2.3. Cross-Border Data Transfer Documentation
- The company ensures that when personal data is transferred outside of Singapore, the recipient country has equivalent data protection standards. Where necessary, additional safeguards such as encryption or contractual clauses are implemented. All cross-border transfers are documented and reviewed to ensure compliance with data protection laws.
- 5.3. Data Access and System Security
5.3.1. Access Control
- Role-based access control is implemented to limit access to personal data based on employee roles and responsibilities. Data access is monitored and audited regularly to ensure compliance with internal policies and legal requirements.
6. Accuracy Obligation
- 6.1. Ensuring Data Accuracy
6.1.1. Data Verification
- Reasonable efforts are made to ensure that personal data is accurate and up-to-date, especially when used for decisions that significantly impact individuals. Individuals are encouraged to provide updated information as needed, by informing our DPO by email.
6.1.2. Presumption of Accuracy
- Personal data provided directly by individuals is presumed to be accurate unless there is reason to believe otherwise. In such cases, additional verification is conducted to confirm the accuracy of the data.
- 6.2. Data Protection Impact Assessment
6.2.1. Data Protection Impact Assessment (DPIA)
- Prior to launching any new project, product, or service that involves the processing of personal data, we will conduct a Data Protection Impact Assessment (DPIA). This assessment will evaluate potential privacy risks associated with the processing, including the scope of data collection, the intended use, and the security measures in place. The DPIA will be reviewed and approved by the Data Protection Officer (DPO), and any identified risks will be mitigated before the project proceeds.
- 6.3. Correction Requests
6.3.1. Request Handling
- Individuals can request corrections to their data if they believe it is inaccurate or incomplete. The request is verified, and the data is updated if necessary. If a correction request is denied, the data is annotated with the requested changes and the reason for refusal.
7. Retention Limitation
- 7.1. Data Retention Policy
7.1.1. Retention Guidelines
- Personal data is retained only for as long as reasonably necessary to fulfill the purposes for which it was collected or to comply with legal requirements. Once no longer needed, data is securely deleted or anonymized, unless there are exceptions that we can rely upon under the law.
7.1.2. Legal Obligations
- Certain regulations, such as AML/CFT laws, the Companies Act, and tax laws, require us to retain personal data for at least five years (following termination of our business relationship or completion of the relevant client transaction) or more. This includes client records, accounting documents, and business transaction records. This Policy is also subject to our archiving and records retention policies.
- 7.2. Annual Data Review and Disposal
7.2.1. Disposal Process
- At the end of each financial year, the DPO reviews all personal data to identify records that should no longer be retained. Data that no longer serves the original purpose and is not subject to any legal retention requirements is securely destroyed or anonymized.
7.2.2. Documentation of Disposal
- All disposal actions are documented to ensure transparency and accountability. The disposal records include details of the data destroyed, the method of destruction, and the date of disposal.
- 7.3. Special Retention Circumstances
7.3.1. Extended Retention
- In special cases, such as ongoing investigations, legal disputes, or AML/CFT compliance, data may be retained beyond the usual retention period. The DPO maintains a list of data that must be preserved due to these circumstances and notifies management of any extended retention requirements.
7.3.2. Post-Retention Procedures
- Once the reason for extended retention is no longer applicable, the data is reviewed again and securely disposed of if it is no longer required for legal or business purposes.
- 7.4. Data Retention During Business Asset Transactions
7.4.1. Transfer and Disposal
- During business transactions involving the sale or transfer of assets, personal data of employees, clients, or shareholders collected for the transaction is either securely transferred to the new owner or destroyed if the transaction does not proceed.
- 7.5. Data Retention Policy for Communications
7.5.1. Call logs and message records
- Call logs and message records will be retained for 5 years in order to meet our compliance obligations.
- 7.6. Deceased Individuals
7.6.1. General treatment of data of deceased individuals
- In the case of individuals who have passed away, we will continue to ensure, for a period of ten (10) years, that the rights pertaining to non-disclosure and protection of their personal data still apply. The deceased individual's rights may be exercised by his/her personal representative or nearest relative.
8. Transfer Limitation
- 8.1. Data Transfers to Third Parties
8.1.1. Safeguarding Data Transfers
- Personal data is only transferred to third parties when necessary for business operations and under strict safeguards, such as confidentiality agreements, unless there are exceptions that we can rely upon under the law. All third-party recipients are required to adhere to data protection standards equivalent to ours.
8.1.2. Verification of Third-Party Standards
- Before transferring data to any third party, especially those outside Singapore, we verify that they have adequate data protection measures in place. This includes reviewing their data protection policies, contractual obligations, and security practices.
- 8.2. Cross-Border Transfers
8.2.1. Overseas Data Transfers
- Data is transferred outside Singapore only when necessary and with the individual's consent, unless exceptions apply. We ensure the recipient country has comparable data protection standards or take necessary steps to provide additional protection.
8.2.2. Notification and Consent
- Affected individuals are informed of the extent to which their personal data will be protected in the foreign jurisdiction. Their consent is sought before transferring data, except where exemptions under the law apply.
- 8.3. Documentation of Transfers
8.3.1. Record-Keeping
- All data transfers, particularly those involving cross-border data flow, are documented. This includes the nature of data transferred, recipient details, and the legal basis for transfer. These records are maintained to ensure compliance with data protection regulations and transparency.
9. Breach Notification Obligation
- 9.1. Data Breach Management
9.1.1. Breach Response
- In the event of a data breach, the DPO shall initiate an investigation within three business days of becoming aware of the breach, to assess the scope, cause, and impact of the breach. Immediate steps are taken to contain the breach and mitigate any harm to affected individuals. The assessment shall be conducted swiftly, within a reasonable period, generally within 30 days from our becoming aware of the breach.
9.1.2. Notification to Authorities
- If the breach poses a significant risk to individuals or affects a large number of people, the PDPC is notified within the prescribed time frame (as soon as practicable, but no later than 3 calendar days), unless there are exceptions that we can rely upon under the law. If the breach is likely to result in significant harm to individuals, we will notify the affected individuals as soon as practicable after completing the assessment.
- 9.2. Reporting and Remediation
9.2.1. Reporting to Affected Individuals
- If the breach is likely to result in significant harm to individuals, the affected individuals are notified as soon as possible, with information on the nature of the breach, potential consequences, and steps they can take to protect themselves.
9.2.2. Documentation and Follow-Up
- A comprehensive report detailing the breach, the actions taken, and the measures implemented to prevent future breaches is prepared. The DPO follows up to ensure all corrective measures are effectively implemented and documented.
- 9.3. Preventive Measures
9.3.1. Data Breach Simulations
- Regular data breach simulation exercises are conducted to test and improve our breach response plan and the readiness of employees to respond to potential data breaches. These simulations help identify gaps in the response plan and enhance our overall data security posture.
9.3.2. Annual Penetration Testing
- The company conducts annual penetration tests performed by independent security professionals to identify potential vulnerabilities in its data protection systems. Any issues identified during the tests are promptly addressed to ensure the ongoing security of personal data.
10. Access and Correction
- 10.1. Right to Access
10.1.1. Access Requests
- Individuals can submit written requests to access their personal data held by us. The DPO will verify the identity of the requester and provide the data as soon as reasonably practicable. We endeavour to do so within thirty (30) days, unless exceptions that we can rely upon under the law apply. If additional time is needed, the requester is informed of the reason and the expected completion date. A reasonable fee can be charged for such requests. We will inform the individual of such fees before processing the request.
- We will provide the applicant with the following:
- information on the personal data in our possession or controlled by us; and
- information on how we have or may have used or disclosed such data within 1 year of the date of such request.
10.1.2. Mandatory Denial of Access
- Access requests will be denied if providing the data could:
- Threaten the safety or health of another individual
- Reveal personal data about another individual without their consent
- Be contrary to national security or public interest
- Relate to ongoing prosecution / investigations
- Be subject to other legitimate reasons for denial
- If access is denied, individuals are informed of the reasons unless exceptions under the law apply.
10.1.3. Discretionary Denial of Access
- We may at our discretion deny access to the data in the following circumstances:
- Opinion data pertaining to prospective, current or past customers which we retain for evaluation purposes
- Data that reveals commercial information that harms our commercial competitive position
- Opinion data pertaining to prospective, current or past employees (e.g. suitability for positions or promotions)
- Any other opinion data that we retain for evaluation purposes
- 10.2. Correction Requests
10.2.1. Data Amendment
- Individuals can request corrections to their personal data if they believe it is inaccurate or incomplete. We verify the request and update the data if necessary. If a correction request is refused, we annotate the data to reflect the requested changes and the reason for refusal.
10.2.2. Notification of Corrections
- After correcting the data, we inform every organization to which the data has been disclosed within the past year, unless it is impracticable or involves disproportionate effort.
- 10.3. Withdrawal of Consent
10.3.1. Withdrawal Process
- Individuals can withdraw consent for the collection, use, or disclosure of their personal data at any time by submitting a written notice by email to our DPO. Upon receiving the notice, we will, within a reasonable period, inform the individual of the potential consequences of the withdrawal, such as the impact on service provision or employment (i.e. cessation of provision of products and/or services, or termination of employment). We will then cease using or disclosing the data as soon as reasonably practicable, unless retention is required for legal obligations or legitimate business purposes. The period depends on the complexity of the case; in general we try to process the request within thirty (30) days.
10.3.2. Notification to Third Parties
- Third parties who have been provided with the individual's personal data are notified to cease using or disclosing the data, unless exceptions that we can rely upon under the law apply.
- 10.4. Consequences of Withdrawal
10.4.1. Service Impact
- Withdrawal of consent may limit or prevent the provision of certain services. The individual is informed of these limitations before the withdrawal is processed.
10.4.2. Employment Impact
- For employees, withdrawing consent may result in changes to job responsibilities, limitations in processing payroll, or even termination of employment if the data is essential for the employment relationship.
- 10.5. Dispute Resolution
10.5.1. Complaints Handling
- Individuals can submit complaints about our handling of personal data. The DPO acknowledges the complaint within three (3) business days and conducts an investigation. A response is provided within thirty (30) business days. If the resolution is unsatisfactory, the complaint is escalated to senior management for review.
10.5.2. External Resolution
- If internal resolution is not satisfactory, individuals are informed of their right to refer the complaint to the Personal Data Protection Commission or seek alternative dispute resolution through mediation or arbitration.
11. Execution
- 11.1. Disclosure of Policy and Procedures
11.1.1. Policy Availability
- Information on our personal data protection policies and practices is made available to individuals through legal documentation, our website, and direct communications. The DPO's contact information is published to enable individuals to request information or submit complaints.
- 11.2. Training and Awareness
11.2.1. Employee Training
- Employees are trained annually on data protection best practices, the company's policies, and the PDPA's requirements. Training sessions include scenarios on data handling, breach response, and identifying potential threats to data security.
- 11.3. Personal Data Inventory Map
11.3.1. Data Mapping
- A personal data inventory map is maintained, tracking the types of personal data collected, the purposes of collection, collection channels, storage locations, and data recipients. The inventory is reviewed and updated annually to reflect any changes in data handling practices.
- 11.4. Remedial Plan
11.4.1. Breach Mitigation
- In the event of a policy breach, the DPO immediately notifies management and takes appropriate actions to remedy and mitigate the consequences. An investigation is conducted, and corrective measures are implemented. Disciplinary actions are taken if necessary.
- 11.5. Annual Review and Transition
11.5.1. Policy Review
- Annually, we review our personal data policies and practices to ensure ongoing compliance and effectiveness. Adjustments are made as needed to address changes in regulations or business processes.