

Privacy Policy - The Great Ocean Line Private Limited | Company Registration No. 202221751E

Dec 22, 2022. Jan 5, 2024.

SECTION 1 – INTRODUCTION

1. Policy statement

1.1 This Data Protection Policy sets out the basis upon which the Company ("we", "us", or "our") may collect, use, disclose or otherwise process personal data of Data Subjects in accordance with the Personal Data Protection Act 2012 of Singapore ("PDPA") and should be read together with the Company’s Global Privacy Policy, which shall be deemed to be incorporated by reference hereto. This Data Protection Policy shall apply in addition to the Company’s Global Privacy Policy and in the event of any conflict or inconsistency between the terms of this Data Protection Policy and the provisions set out under the Company’s Global Privacy Policy, the relevant provisions under the Company’s Global Privacy Policy shall prevail, subject to compliance with all applicable laws. This Policy applies to Personal Data (as defined below) in our possession or under our control, including Personal Data in the possession of organisations which we have engaged to collect, use, disclose or process Personal Data for our purposes.

1.2 During the course of our business activities, we may collect, use, disclose and process personal information about our customers, prospective customers, employees, consultants and other staff, suppliers and other parties with whom we communicate. From time to time and where required, we may also entrust third parties to process personal information on our behalf.

1.3 This Data Protection Policy is designed to guide us in how to collect, use, disclose, process and protect personal information in compliance with applicable laws and regulations – in particular, the PDPA. Section 2 – Data Handling sets out your obligations in relation to personal information collected and processed by you on behalf of the Company.

1.4 Under the PDPA, the Company has certain responsibilities in relation to the personal information it holds in relation to its Employees. These include holding Personal Data securely and processing it fairly and lawfully. The Company is generally entitled to use the personal information of employees for purposes which are necessary for its business. Section 3 – Employee Data sets out the purposes for which the Company may collect and use the personal information of its Employees.

2. Definitions and terms

Anonymisation refers to the conversion of Personal Data into data that cannot be used to identify an Individual, whether from that data itself or from that data and in combination with other available information to which the Company has or is likely to have access. Information which undergoes Anonymisation is not considered Personal Data.

Business Contact Information refers to an Individual's name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the Individual, not provided by the Individual solely for his/her personal purposes.

Company or we refers to The Great Ocean Line Private Limited (Company Registration No.: 202221751E), a company incorporated under the laws of Singapore with its registered office at 2 Changi South Avenue 1 Singapore 486149, which collects, determines the use of, discloses and keeps information about Individuals.

Data Protection Policy means this data protection policy which governs the way the Company upholds its data protection obligations under Singapore law in accordance with the PDPA, as may be amended and updated from time to time.

Data Subjects for the purpose of this Data Protection Policy include all identified or identifiable Individuals about whom we hold Personal Data. A Data Subject does not need to be a Singapore national or resident. All Data Subjects about whom the Company processes Personal Data have legal rights in relation to such Personal Data.

Employees or you refer to all persons engaged in a contract of service with the Company (whether on a part-time, temporary or full-time basis), including but not limited to any employees, members, consultants and other staff (e.g. interns and trainees working at or attached to the Company), and all references to "employment" shall apply equally to internships and traineeships (as may be applicable). Employees have a duty to protect the information they handle by following our data protection standards and obligations as set out in this Data Protection Policy at all times.

Individual means a natural person, whether living or deceased.

Personal Data means data, whether true or not, about an Individual who can be identified (a) from that data; or (b) from that data and other information to which the Company has or is likely to have access, regardless of whether such data is true or accurate, or whether the data exists in electronic or other form.

Personal Data Protection Commission means the Singapore government statutory body established to administer and enforce the PDPA.

Processing is any activity that involves use of Personal Data. It includes and is not limited to obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes and is not limited to transferring personal data to third parties.

3. Exclusion

This Data Protection Policy governs the collection, holding, destruction and all uses of Personal Data. However, the data protection obligations under the PDPA do not apply to Business Contact Information.

4. How this policy affects you

4.1 This Policy applies to all Employees who collect, possess, use, disclose, transfer, store, or by any other means have access to Personal Data. All Employees are responsible for adhering to this Data Protection Policy. We all play an important role in maintaining confidence in the Company's ability and responsibility to manage Personal Data. This is not only to protect the expectations of the Individuals who provide their Personal Data to us, but also because any failure to comply with this Policy could result in reputational damage to the Company, the imposition of fines and in certain cases, criminal liability of the Company and its officers under the PDPA. Any breach of this Data Protection Policy will be taken seriously and may result in disciplinary action up to and including dismissal, which will be dealt with by the Company's Management at their discretion, considering the nature and severity of the violation. In the event that the Company has applicable disciplinary policies in effect at the relevant time, any breach of this Data Protection Policy would be dealt with by the Company's Management in accordance with those policies.

4.2 This Data Protection Policy may be supplemented by additional guidance with regard to particular departments of the Company or specific business practices. You should make yourself familiar with all other guidance that is applicable to your role and duties.

5. Data Protection Officer

5.1 The Company has appointed a Data Protection Officer who is responsible for ensuring its compliance with the PDPA.

5.2 Any questions, feedback or concerns about the operation of this Data Protection Policy and its procedures (including any breach or potential breach) should be referred to the Data Protection Officer. The current Data Protection Officer's contact details are set out below:

Name: Mr. Gursharan Sran.

Address: 2 Changi South Avenue 1, Singapore 486149.

E-mail: gursharan.sran@thegreatoceanline.com

Tel: +65-96410832.

6. Complaints and queries

6.1 You are encouraged to report any actual or suspected violation of this Data Protection Policy directly to the Data Protection Officer to ensure our compliance with the PDPA. Employees who make such a report in good faith should be confident that they will not suffer retaliation, which the Company prohibits. If there is any concern of retaliation, the Employee should contact the Data Protection Officer directly.

6.2 If you wish to make a complaint about our handling of Personal Data, or if you have any queries in relation to this Data Protection Policy, please contact the Data Protection Officer.

6.3 Upon receipt of any complaints or violation, the Company will carry out an investigation and may contact the relevant Employee and/or Data Subject for further information. Subject to timely cooperation from the relevant Individuals, the Company generally endeavours to provide a formal response setting out the results of our investigation within thirty (30) days of receiving the complaint or notice of the violation.

7. Roles and responsibilities

7.1 The responsibilities of Employees include but are not limited to the following:

7.1.1 understanding how this Data Protection Policy and the PDPA affect their daily work; and

7.1.2 adjusting their work routines in order to individually and collectively comply with this Data Protection Policy and the PDPA.

7.2 The responsibilities of the Data Protection Officer include but are not limited to the following:

7.2.1 ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data;

7.2.2 ensuring compliance with this Data Protection Policy;

7.2.3 being the primary contact point for the Company's data protection matters;

7.2.4 producing (or guiding the production of) a personal data inventory, conducting data protection impact assessments, monitoring and reporting data protection risks;

7.2.5 developing and promoting good policies for handling Personal Data that are in accordance with the Company's needs;

7.2.6 fostering a data protection culture among employees;

7.2.7 providing internal training on data protection compliance;

7.2.8 managing personal data protection-related queries and complaints and answering questions on behalf of the Company relating to the collection, use or disclosure of personal data;

7.2.9 ensuring that any queries from Employees regarding the application of this Data Protection Policy are addressed;

7.2.10 handling any requests, queries or complaints by Employees, Data Subjects and/or any third parties in accordance with this Data Protection Policy;

7.2.11 identifying and alerting management to any risks that might arise with regard to personal data;

7.2.12 handling access and correction requests to personal data;

7.2.13 communicating personal data protection policies to stakeholders and engaging stakeholders on data protection matters; and

7.2.14 liaising with the Personal Data Protection Commission on data protection matters, if necessary.

8. Effect of Policy and Changes to Policy

8.1 This Data Protection Policy applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.

8.2 We may review, amend or revise this Data Protection Policy and the way we handle Personal Data from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Data Protection Policy was last updated. Your continued use of our services / employment constitutes your acknowledgement and acceptance of such changes.

8.3 Please check this Data Protection Policy periodically to inform yourself of any changes. If you are in any doubt as to the application or effect of any such revision as it relates to your role or duties, you should contact the Data Protection Officer for guidance.

9. Governing Law

This Data Protection Policy shall be governed in all respects by the laws of Singapore.

SECTION 2 – GROUP PERSONAL DATA HANDLING POLICY

1. About this section

1.1 The Company's collection, use and disclosure of Personal Data is governed by the PDPA. Any use or misuse of Personal Data by you for purposes other than in accordance with properly fulfilling your duties as an Employee of the Company may be dealt with under the Company's disciplinary and performance procedure as set out in your employment contract and policies adopted by the Company. If you have any questions regarding your access and use of third parties' Personal Data, please discuss them with the Data Protection Officer.

1.2 In summary, the PDPA requires that the following ten (10) obligations are complied with:

1.2.1 Consent Obligation: The Company must obtain the consent of a Data Subject before collecting, using or disclosing Personal Data for a purpose;

1.2.2 Purpose Limitation Obligation: The Company may collect, use or disclose Personal Data about a Data Subject only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the Data Subject concerned;

1.2.3 Notification Obligation: The Company must notify the Data Subject of the purpose(s) for which it intends to collect, use or disclose the Data Subject's Personal Data on or before such collection, use or disclosure of the Personal Data;

1.2.4 Access and Correction Obligations: The Company must, upon request, (i) provide a Data Subject with his or her Personal Data in the possession or under the control of the Company and information about the ways in which the Personal Data may have been used or disclosed during the past year; and (ii) correct an error or omission in a Data Subject's Personal Data that is in the possession or under the control of the Company;

1.2.5 Accuracy Obligation: The Company must make a reasonable effort to ensure that Personal Data collected by or on behalf of the Company is accurate and complete if the Personal Data is likely to be used by the Company to make a decision that affects the Data Subject concerned or disclosed by the Company to another Company;

1.2.6 Protection Obligation: The Company must protect Personal Data in its possession or under its control by making reasonable security arrangements to prevent (i) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (ii) the loss of any storage medium or device on which Personal Data is stored;

1.2.7 Retention Limitation Obligation: The Company must cease to retain documents containing Personal Data, or remove the means by which the Personal Data can be associated with particular individuals as soon as it is reasonable to assume that (i) the purpose for which the Personal Data was collected is no longer being served by retention of the Personal Data; and (ii) retention is no longer necessary for legal or business purposes;

TGOL Singapore Data Protection Policy Version 1 January 2024

1.2.8 Transfer Limitation: The Company must not transfer Personal Data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA;

1.2.9 Data Breach Notification Obligation: The Company must assess whether a data breach is notifiable and notify the affected individuals and/or the Personal Data Protection Commission where it is assessed to be notifiable; and

1.2.10 Accountability Obligation: The Company must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.

1.3 Each Employee agrees that they will:

1.3.1 comply with the ten (10) data protection obligations as set out in clause 1.2 above at all times when collecting, using, disclosing, accessing or otherwise processing Personal Data in the course of their employment when performing their relevant roles; and

1.3.2 process the Personal Data only as part of their duties as an Employee and never for any other person or organisation or for their own private use.

2. Your responsibilities

2.1. Personal Data must not be used for a purpose to which that Data Subject has not consented (unless there is a basis in law for doing so).

2.1 Where required under the PDPA, the Company must inform the Individual of the purposes for which his or her Personal Data will be collected, used or disclosed on or before such collection, use or disclosure (as the case may be).

2.2 The Company should state its purposes at an appropriate level of detail for the Individual to determine the reasons and manner in which the Company will be collecting, using or disclosing his or her Personal Data.

2.3 Where the Company wishes to collect, use or disclose Personal Data for purposes which it has not yet informed the Individual or for which it has not yet obtained the Individual’s consent, the Company will first inform the relevant Individual of those purposes by way of a written notice and obtain the Individual's consent to the use of their Personal Data for such purpose.

2.4 For Personal Data to be processed lawfully under the PDPA, the Data Subject must have consented to the collection, use and disclosure of Personal Data for specific purposes, or there must be a legal basis for the collection, use or disclosure (i.e. where such collection, use or disclosure of Personal Data is required or authorised under the PDPA or any other written law).

2.5 Broadly speaking, we may collect, use, disclose or process Personal Data where:

2.5.1 we have obtained the Data Subject's explicit consent;

2.5.2 the Data Subject voluntarily provides Personal Data and it is reasonable that he or she would voluntarily provide such Personal Data;

2.5.3 it is permitted or authorised under the PDPA; or

2.5.4 there is a regulatory requirement, for example, in relation to the reporting of adverse events.

2.6 Personal Data can be collected, used, disclosed or processed without consent in certain specified circumstances set out in the First and Second Schedules of the PDPA, including but not limited to the following:

2.6.1 such collection, use or disclosure is necessary for any purpose which is clearly in the interests of the Data Subject; and consent for the collection, use or disclosure cannot be obtained in a timely way, or the Data Subject would not reasonably be expected to withhold consent;

2.6.2 such collection, use or disclosure is necessary to respond to an emergency that threatens the life, health or safety of the Data Subject or another Individual;

2.6.3 such collection, use or disclosure is for the purpose of contacting the next‑of‑kin or a friend of any injured, ill or deceased Individual;

2.6.4 the Personal Data is publicly available;

2.6.5 such collection, use or disclosure of Personal Data is in the national interest;

2.6.6 such collection, use or disclosure is solely for artistic or literary purposes;

2.6.7 such collection, use or disclosure is necessary for any investigation or proceedings;

2.6.8 such collection, use or disclosure is necessary for evaluative purposes; and

2.6.9 such collection, use or disclosure is for the Company to recover a debt owed to the Company by the Data Subject or to pay to the Data Subject a debt owed by the Company.

2.7 However, we must not:

2.7.1 sell or otherwise provide copies of our mailing lists/contact details to third parties (unless certain conditions are met);

2.7.2 promote unrelated products and/or services;

2.7.3 disregard the express wishes of Data Subjects; or

2.7.4 process Personal Data in a way to which we know the Data Subject will object.

2.8 If you are unsure whether you have consent to collect, use or disclose any Personal Data from a Data Subject or whether any of the exceptions to consent are applicable, you are responsible for checking with the Data Protection Officer about the particular case at hand before you process the Personal Data.

2.9 All channels through which Personal Data is gathered should contain suitable explanation to Individuals on all intended use and/or purpose of the collection, use or disclosure of their Personal Data, even if it appears obvious. Copies of the wording used should be retained until it is envisaged that there will be no further contact with the Individual concerned.

2.10 If a Data Subject asks to know more about our data protection practices, you should refer them to the Data Protection Officer.

3. Third party disclosures

3.1 Personal Data should never be disclosed to anybody who does not reasonably require the information for the purpose for which it was collected.

3.2 For example, the Personal Data of a customer, prospect or other Individual should never be disclosed to a party outside the Company unless the relevant Individual has specifically consented to such disclosure or such disclosure is permitted under the PDPA. Equally, no Personal Data should be disclosed to an Employee if the reasons for such an Employee requesting the information appear unclear or doubtful.

3.3 In general, no Personal Data which we collect about an Individual should be transferred outside the Company. However, in order to effectively carry out our business and/or to meet our legal obligations, we may need to make certain disclosures from time to time, such as where Personal Data is transferred to a third party to process that information on behalf of the Company:

3.4 The Company may make other disclosures including:

3.4.1 using third parties to undertake processing activities on its behalf, e.g. a payroll or IT services provider;

3.4.2 passing a Data Subject's Personal Data to a third party in order to fulfil a contract;

3.4.3 in the event that we have offered services or organised events (e.g. conferences) jointly with a third party, passing the Personal Data of Data Subjects who have bought the services or attended the event to the third party for marketing purposes connected with the services/event. However, we will ensure in such a case that we have obtained each Data Subject's consent to pass on their personal details;

3.4.4 disclosing a Data Subject's Personal Data when required by law. If the Company is contacted by a national or local government agency to provide Personal Data for auditing or any legal purpose, we are required to provide such Personal Data to the extent compelled by the applicable law and regulation. However, it is important that no Personal Data be disclosed in this way without prior consent from the relevant Data Subject; and

3.4.5 otherwise permitted by applicable law.

3.5 In the case of any transfer of Personal Data to a third party, there must be an appropriate written contract in place between the parties to ensure compliance with their respective obligations. This contract must contain strict provisions ensuring that such third parties have technical and organisational security measures in place to safeguard the Personal Data.

3.6 Please see clause 8 of this Schedule 2 regarding transfers of Personal Data.

4. Accuracy of Personal Data

4.1 Personal Data should be kept accurate and complete at all times.

4.2 Requests from Individuals to update personal records should be actioned as soon as reasonably practicable and cross‑referred to any other databases or files containing Personal Data about them. We should be actively encouraging Individuals to inform us of changes to their Personal Data through contact with our Data Protection Officer.

5. Retention of Personal Data

5.1 Personal Data should be kept for the minimum time necessary (i.e. for as long as it is necessary to fulfil the purposes for which they were collected), or as required or permitted by applicable laws, and destroyed appropriately thereafter.

5.1.1 The Personal Data held by the Company should be the minimum required for the purpose for which the Personal Data is collected. We should not collect or store Personal Data which we do not intend to use.

5.1.2 All Personal Data should be the subject of formally agreed and documented retention periods. Following a review to ensure compliance with applicable legal, operational and regulatory requirements, the Company should dispose of Personal Data at the end of the retention period in a manner appropriate to its sensitivity. The Company should also use reasonable efforts to dispose of all back-up copies of such Personal Data.

5.1.3 Where a Data Subject withdraws his or her consent for the Company to process Personal Data, that Data Subject's personal details should be removed immediately from, or flagged for removal or suppression in, any relevant systems, including third party systems.

5.1.4 However, the minimum details necessary to identify the Data Subject in question as well as their request not to be contacted may be kept in the relevant system in order to ensure that we do not in future accidentally contact them again.

5.2 You should cease to retain Personal Data, or remove the means by which the data can be associated with the Data Subject, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the Personal Data were collected, and is no longer necessary for legal or business purposes.

6. Direct marketing and unsolicited communications

6.1 We will obtain the Individual's consent for sending marketing materials to such Individual (whether by post, text, voice call, email or otherwise) or using the Individual's Personal Data for any other marketing activities by the Company. Please note that the Individual should generally be provided with the option whether or not to give consent for such marketing purposes.

6.2 If a Data Subject makes a particular request not to be included in our marketing campaigns, you must respond appropriately and promptly inform the relevant department so that the appropriate action can be taken.

6.3 All marketing initiatives which involve widespread communication with our customers and potential customers must be discussed and agreed with our Data Protection Officer first.

7. Data Subjects' rights

7.1 Personal Data must be processed in line with Data Subjects' rights. Data Subjects have a right to:

7.1.1 request access to any Personal Data held about them;

7.1.2 withdraw any consent which was previously given or deemed to have been given;

7.1.3 prevent the processing of their Personal Data for direct marketing purposes; and

7.1.4 ask to have inaccurate Personal Data amended.

7.2 Please remember that Data Subjects can request access to all Personal Data we hold on them, including documents and emails that relate to them.

7.3 Personal Data should at all times be kept secure from unauthorised access, loss or destruction.

7.4 Withdrawal of Consent:

7.4.1 A Data Subject may at any time, on giving reasonable notice in writing to the Company, withdraw any consent, whether it was previously given or deemed to have been given, in respect of the collection, use, disclosure, or processing of his or her Personal Data for any purpose by the Company and all such requests must be honoured.

7.4.2 Upon receipt of a Data Subject's written request in relation to a withdrawal of consent, the Company must inform the Data Subject of the likely consequences of withdrawing consent, including any legal consequences which may affect the Data Subject's rights and liabilities to the Company, and must not prohibit any Data Subject from withdrawing consent. In general, the Company shall seek to process and effect any requests to withdraw consent within ten (10) business days from the day such withdrawal notice is received.

7.4.3 Upon withdrawal of consent, the Company and all Employees shall cease (and cause its data intermediaries and agents, if any, to cease) collecting, using, disclosing or processing Personal Data (as the case may be), unless the collection, use, disclosure or processing of such personal data without consent is required or authorised under the PDPA or any other written law.

7.5 Adequate steps, including but not limited to the following, should be taken to protect any Personal Data. Some examples are:

7.5.1 If leaving your desk (even for very short periods of time), always remember to lock your computer using "Control", "Alt" & "Del" as well as clear any documents containing Personal Data away from your desk and lock them away from view and ready access.

7.5.2 Keep access to Personal Data strictly to those who clearly have a need to know/access that data.

7.5.3 Do not remove hard copies of Personal Data from the office unless absolutely required.

7.5.4 You must always keep Personal Data confidentially in your possession and under your strict personal control and return any hard copies promptly.

7.5.5 Always use the appropriate disposal methods provided within the Company (e.g. shredding physical documents), and do not dispose of hard copies containing Personal Data within your home.

7.5.6 When working from home, always use VPN access to the Company's internal intranet, and do not send documents to your personal email accounts.

8. Transfers of Personal Data

8.1 If the Company is required to share any Personal Data to any of our affiliates, group or associated companies, vendors, professional advisers and/or third parties within or outside of Singapore, the Company will obtain the relevant Data Subject's consent for the transfer to be made and will take all reasonable steps to ensure that the Personal Data to be transferred continues to receive a standard of protection that is at least comparable to that provided under the PDPA and that such transfers comply with the PDPA or the requirements of applicable data protection laws.

8.2 The Company will also take reasonable steps to ensure that third parties acknowledge the confidentiality of the Personal Data to be transferred and undertake to comply with the PDPA (or the requirements of the applicable data protection laws) and this Data Protection Policy.

9. Access to and Correction of Personal Data

9.1 We recognise the importance of allowing Data Subjects to request access to a copy of the Personal Data about them that is in the Company's possession.

9.2 Under the PDPA, a Data Subject may request a copy of the Personal Data about the individual that is in the possession or under the control of the Company, and information about the ways in which that Personal Data has been or may have been used or disclosed by the Company within a year before the date of the request.

9.3 The Company need not provide access to information it no longer has or which is no longer under its control when the request is received. It is also not required to provide information on the source of the personal data.

9.4 Any requests for access to information should be in writing, and should ideally be made by the requesting Data Subject. If the request is oral, such requesting Data Subject should immediately be asked to provide the request in writing. Requests should then be forwarded immediately to the Data Protection Officer. No information in response to requests should be provided to those individuals without written confirmation and advice from the Data Protection Officer.

9.5 Further, the Company may charge a reasonable fee to cover the administration costs when dealing with any requests for access, which we must inform any such relevant Data Subject of in advance.

9.6 In this regard, we will endeavour to disclose and/or correct such Personal Data in accordance with our legal obligations, and where we refuse, we will, where possible, provide the Data Subject and you (as the case may be) with reasons for doing so.

9.7 Employees should understand and be equipped to carry out their responsibilities when handling Personal Data of external Individuals.

9.8 Sufficient training and guidance shall be provided to enable all Employees to comply with this Data Protection Policy and applicable legislation.

10. Disposal of Personal Data

10.1 Care should be taken when disposing of any Personal Data which, if it were to come into the wrong hands, could potentially cause embarrassment, distress or damage to the Individual which it concerns.

10.2 As a general rule, the Company aims for the physical deletion (including shredding of hard copy data, deletion of electronic files, documents, spreadsheets, video, and film clips) of Personal Data as soon as it is no longer necessary for the purposes for which it was originally collected.

10.3 However, in the complex world of IT systems, it is not always possible to completely delete information from all equipment under the control of the Company or any of its third parties. In such complex situations, providing that demonstrable steps have been taken to delete data, the following situations may be deemed appropriate:

10.3.1 The Personal Data has been deleted but may still exist in the "electronic ether". Provided that the Company has no intention to use or access the data again, it is no longer considered to be live.

10.3.2 Personal Data on a live system cannot be deleted without also deleting other information held in the same batch. In this case, the Company may be prohibited by law from using the Personal Data in a way that it might use live information.

10.4 To support the act of deletion, a record of this should be maintained but without retaining any Personal Data.

11. Training

11.1 Training on this Data Protection Policy is mandatory for all personnel. Any person undertaking new Personal Data processing activities is required to inform the Data Protection Officer immediately.

11.2 It is important that the Data Protection Officer is aware of anyone who will be processing Personal Data so that the individual can be provided adequate ongoing training and awareness.

12. Data Breach Notification

12.1 Where a data breach has occurred, and such data breach is assessed to be notifiable, you are required to notify the affected Individuals and/or the Personal Data Protection Commission.

12.2 Once the Company has credible grounds to believe that a data breach has occurred (whether through self-discovery, alert from the public or notification by its data intermediary), the Company is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA. While there may be varying circumstances that would affect the time taken to establish the facts of a data breach and determine whether it is notifiable, organisations should generally do so within thirty (30) calendar days. If the Company is unable to complete its assessment within thirty (30) days, it would be prudent for the Company to be prepared to provide the Personal Data Protection Commission an explanation for the time taken to carry out the assessment. If necessary, the Data Protection Officer will report on any data breaches to the Privacy Manager and/or the Privacy National & International department in accordance with the Company's Global Privacy Policy.

12.3 Unless otherwise provided under the PDPA, a data breach is notifiable if it would result in significant harm to affected Individuals if compromised in a data breach.

12.4 Where a data breach involves any of the following prescribed personal data, the Company will be required to notify the affected Individuals and the Personal Data Protection Commission of the data breach: an Individual’s full name or alias or full national identification number in combination with any of the following:

12.4.1 financial information which is not publicly disclosed;

12.4.2 identification of vulnerable individuals;

12.4.3 life, accident and health insurance information which is not publicly disclosed;

12.4.4 specified medical information;

12.4.5 the provision of treatment to an individual for or in respect of the donation or receipt of a human egg or human sperm; or any contraceptive operation or procedure or abortion;

12.4.6 the suicide or attempted suicide of an Individual;

12.4.7 domestic abuse, child abuse or sexual abuse involving or alleged to involve an Individual;

12.4.8 information related to adoption matters;

12.4.9 any private key used to authenticate or sign an electronic record or transaction; and

12.4.10 an Individual’s account identifier and data for access into the account (without their name, alias or full identification number), amongst others.

12.5 The prescribed personal data or classes of personal data, or other prescribed circumstances, exclude any personal data that is publicly available and any personal data that is disclosed under any written law.

12.6 Even if the data breach does not involve any prescribed personal data in clause 11.4 above, a data breach is notifiable where it involves the Personal Data of five hundred (500) or more individuals and the Company is required to notify the Personal Data Protection Commission.

12.7 For the avoidance of doubt, a data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data within the Company is not a notifiable data breach.

12.8 Unless otherwise provided under the PDPA, upon determining that a data breach is notifiable, the Company must notify:

12.8.1 the Personal Data Protection Commission as soon as practicable, but in any case, no later than 72 hours or three (3) calendar days; and

12.8.2 where required, affected individuals as soon as practicable, at the same time or after notifying the Personal Data Protection Commission.

12.9 Any unreasonable delays in notifying the relevant parties will be a breach of the Data Breach Notification Obligation under the PDPA.

12.10 If you believe that an incident pertaining to breach of security of Personal Data has occurred, you must report it to the Data Protection Officer immediately. This helps to contain the incident and assists with managing its impact. Under certain circumstances, we may be required to notify clients, consumers, and others if sensitive Personal Data is compromised.

12.11 If you lose or suspect you have lost any confidential information (whether or not containing personal data), a laptop, BlackBerry, iPhone, iPad or any other device that contains or accesses any of the Company's confidential information (whether or not the device is owned by the Company), you must take the following steps:

12.11.1 notify the IT Department and the Data Protection Officer immediately;

12.11.2 provide as much detail as you can about the information, data and/or device that has potentially been lost or stolen;

12.11.3 provide any assistance requested internally; and

12.11.4 as instructed, delete or change any passwords that you are able to delete or change remotely.

SECTION 3 – EMPLOYEE DATA

1. Application

1.1 This Section 3 applies to all employees.

2. How we collect your Personal Data

2.1 We generally collect and process Personal Data that (a) you knowingly and voluntarily provide in the course of or in connection with your employment or job application with us, or via a third party who has been duly authorised by you to disclose your Personal Data to us (your "authorised representative", which may include your job placement agent), after (i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorised representative) have provided written consent to the collection and usage of your Personal Data for those purposes, or (b) collection and use of Personal Data without consent is permitted or required by the PDPA or other laws. We shall seek your consent before collecting any additional Personal Data and before using your Personal Data for a purpose which has not been notified to you (except where permitted or authorised by law).

2.2 We may also retain Personal Data relating to you that is in the public domain.

3. Personal Data we collect

3.1 During your employment or engagement with the Company, the Company may collect, store and use your Personal Data, including (but not limited to) the following types of Personal Data:

3.1.1 name or alias, gender, NRIC/FIN or passport number, date of birth, nationality, country and city of birth, marital status;

3.1.2 details of your next-of-kin, spouse and other family members or dependents;

3.1.3 mailing address, telephone numbers, email address and other contact details;

3.1.4 employment and training history, educational qualifications, professional qualifications, certifications, and recruitment records including your application form, resume, and any employment references received;

3.1.5 salary and pay records and financial information such as bank account, credit card, debit card, and any other payment instrument details;

3.1.6 work-related health issues and disabilities;

3.1.7 records on leave of absence from work;

3.1.8 performance records (including appraisal forms and performance assessments) and disciplinary records;

3.1.9 any additional information provided to us by you as a job applicant;

3.1.10 photographs and other audio-visual information, including images of you that are captured on CCTV systems that are in operation inside of and outside of the Company’s premises (whether operated by the Company, on our behalf or to which we have access);

3.1.11 biometric information (which includes information obtained from analysing human body characteristics, such as fingerprints, eye retinas, voice patterns, facial patterns, hand measurements, DNA, etc.);

3.1.12 records of telephone calls or text message conversations made via any company communication device or platforms (e.g. communications via your office email and through your work telephone including voice calls, text messages, WhatsApp messages and WeChat messages, other communications on internal chat messaging programs, and telephone calls made via company landlines);

3.1.13 records of emails sent and received via your work email address;

3.1.14 information about complaints made against you;

3.1.15 details of any complaints or concerns raised by you;

3.1.16 any detail relating to the above information as provided to the Company for providing services or managing the relevant relationship between the Company and you; and

3.1.17 any of the information received under the above clauses by the Company for processing, stored or processed under a lawful contract or otherwise.

4. Consent and Withdrawal of Consent

4.1 Under Singapore law, the Company is entitled to use your Personal Data for purposes which are necessary for its business. For other purposes, the Company may need your consent to use or process your Personal Data. If your consent is required, we will provide you with a consent form.

4.2 The consent that you provide for the collection, use and disclosure of your Personal Data will remain valid until such time as it is withdrawn by you in writing. You may withdraw consent and request us to stop using and/or disclosing your Personal Data for any or all of the purposes listed above by giving reasonable notice in writing via email to our Data Protection Officer.

4.3 Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process and effect your request within ten (10) business days from the day such withdrawal notice is received.

4.4 Upon withdrawal of consent, the Company and all Employees shall cease (and cause its data intermediaries and agents, if any, to cease) collecting, using, disclosing or processing Personal Data (as the case may be), unless the collection, use, disclosure or processing of such personal data without consent is required or authorised under the PDPA or any other written law.

5. How we use your Personal Data

5.1 The Personal Data we collect and process will be used primarily to administer your employment at the Company and to deal with any problems or concerns you may have, or to deal with and assist the Company in upholding or enforcing our professional obligations, working practices, standards and policies.

5.2 In particular, in relation to your employment, we may collect, use and disclose your Personal Data for the following purposes:

5.2.1 performing obligations under or in connection with your contract of employment with us, including payment of remuneration and tax;

5.2.2 all administrative and human resources related matters within our organisation, including administering payroll, granting access to our premises and computer systems, processing leave applications, administering your insurance and other benefits, processing your claims and expenses, investigating any acts or defaults (or suspected acts or defaults) and developing human resource policies;

5.2.3 managing and terminating our employment relationship with you, including monitoring your internet access and your use of our intranet email to investigate potential contraventions of our internal or external compliance regulations, and resolving any employment related grievances;

5.2.4 assessing and evaluating your suitability for employment or continued employment in any position within our organisation;

5.2.5 ensuring the safety and security of the Company's premises; and

5.2.6 ensuring business continuity for our organisation in the event that your employment with us is or will be terminated.

5.3 In addition, your personal data may be collected and used by us for the following purposes relating to our business operations, and we may disclose your personal data to our affiliates and to other third parties where necessary for these purposes:

5.3.1 performing obligations under or in connection with the provision of our goods or services to our clients;

5.3.2 facilitation of business transactions, including any purchase, sale, lease, or any other disposal, acquisition or financing of or relating to or in connection with us and/or our affiliates;

5.3.3 facilitating any proposed or confirmed merger, acquisition or business asset transaction involving any part of our organisation, or corporate restructuring process;

5.3.4 meeting our legitimate business interests; and

5.3.5 facilitating our compliance with any laws, customs and regulations which may be applicable to us.

5.4 The purposes listed in the above clauses may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with you).

5.5 If, at any time, you have any queries about, or wish to object to, the way the Company uses your Personal Data, please contact the Data Protection Officer in the first instance.

6. Third party disclosures

6.1 The Company takes all reasonable steps to keep your Personal Data secure and confidential, and will not usually disclose Personal Data about you to any person outside the Company, other than Business Contact Information.

6.2 Generally, your Personal Data may be disclosed to the following third parties:

6.2.1 our affiliates (regardless of the country of residence of the entity to whom the data is to be transferred) if required or permitted by applicable law;

6.2.2 agents, contractors or third party service providers who provide operational services to us, such as telecommunications, information technology, payment, payroll, processing, training, storage, archival or other services;

6.2.3 in the event of default or disputes, any debt collection agencies or dispute resolution centres;

6.2.4 any business partner, investor, assignee or transferee (actual or prospective) to facilitate business asset transactions (which may extend to any merger, acquisition or asset sale), where the Personal Data is necessary for the prospective party to determine whether to proceed with the business asset transaction, and the Company and prospective party have entered into an agreement that requires the prospective party to use or disclose the Personal Data solely for purposes related to the business asset transaction;

6.2.5 anyone to whom we transfer or may transfer our rights and duties;

6.2.6 our professional advisors such as our auditors and lawyers;

6.2.7 relevant government regulators or authority or law enforcement agency to comply with any laws or rules and regulations imposed by any governmental authority; and

6.2.8 any other party to whom you authorise us to disclose your personal data.

6.3 If you have any questions about the circumstances in which we may disclose your Personal Data to third parties, please contact the Data Protection Officer.

7. Accuracy of Personal Data

7.1 We aim to ensure that the details we hold about you are accurate at all times.

7.2 We generally rely on Personal Data provided by you (or your authorised representative). In order to ensure that your Personal Data is current, complete and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer in writing or via email.

8. Retention of Personal Data

8.1 We may retain your Personal Data for as long as it is necessary to fulfil the purposes for which they were collected, or as required or permitted by applicable laws.

8.2 We will cease to retain your Personal Data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the Personal Data were collected, and are no longer necessary for legal or business purposes.

9. How we protect your Personal Data

9.1 The Company takes all reasonable steps to keep your Personal Data secure and confidential.

9.2 The Company will not usually disclose Personal Data about you to any person outside the Company, other than Business Contact Information.

9.3 The Company also processes your Personal Data for the administration of your employment and associated benefits. For example, we may need to disclose information about you to the providers of the Company's benefit schemes. We may also need to disclose personal information for regulatory purposes. Your Personal Data may also be passed to third parties to comply with the law or assist in a criminal or regulatory investigation.

9.4 To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures such as up-to-date antivirus protection, encryption and the use of privacy filters to secure all storage and transmission of personal data by us, and disclosing personal data both internally and to our authorised third party service providers and agents only on a need-to-know basis.

9.5 You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.

9.6 If you have any questions about the circumstances in which we may disclose your Personal Data to third parties, please contact the Data Protection Officer.

10. Transfers of Personal Data

10.1 If the Company is required to share your Personal Data to any of our affiliates, group or associated companies, vendors, professional advisers and/or third parties within or outside of Singapore, the Company will obtain your consent for the transfer to be made and will take all reasonable steps to ensure that the Personal Data to be transferred continues to receive a standard of protection that is at least comparable to that provided under the PDPA and that such transfers comply with the PDPA or the requirements of applicable data protection laws.

10.2 The Company will also take reasonable steps to ensure that third parties acknowledge the confidentiality of the Personal Data to be transferred and undertake to comply with the PDPA (or the requirements of the applicable data protection laws) and this Data Protection Policy.

11. Access to and Correction of Personal Data

11.1 You are entitled to request access to a copy of the Personal Data about you that is in the possession or under the control of the Company, and information about the ways in which that Personal Data has been or may have been used or disclosed by the Company within a year before the date of the request.

11.2 If you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.

11.3 Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.

11.4 We will respond to your access request as soon as reasonably possible. Should we not be able to respond to your access request within thirty (30) days after receiving your access request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).

11.5 The Company need not provide access to information it no longer has or which is no longer under its control when the request is received. It is also not required to provide information on the source of the personal data.

11.6 Depending on the request that is being made, we will only need to provide you with access to the personal data contained in the documents requested, and not to the entire documents themselves. For example, we may not be obliged to provide you with access to documents such as disciplinary records, investigation reports, or decisions to terminate (where relevant) that the Company has created for evaluative purposes of its Employees. In those cases, it may be appropriate for us to simply provide you with confirmation of the personal data that our organisation has on record, if the record of your personal data forms a negligible part of the document.