pdpc_decisions: 243
Data source: pdpc.gov.sg/All-Commissions-Decisions
This data as json
| _id | _item_id | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _commit | financial_penalties |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 243 | 9066f37814011e1990672ee58da7723bab0431b0 | Directions were issued to Tipros for failing to use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate. | [
"Consent",
"Notification",
"Purpose Limitation",
"Directions",
"Others"
] |
14 Dec 2023 | https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_tipros_080623.pdf | Consent, Notification, Purpose Limitation | Breach of the Purpose Limitation Obligation by Tipros | https://www.pdpc.gov.sg/all-commissions-decisions/2023/12/breach-of-the-purpose-limitation-obligation-by-tipros | 2023-12-14 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 7 Case No. DP-2207-C0019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tipros … Organisation DECISION Page 1 of 8 Tipros Yeong Zee Kin, Deputy Commissioner — Case No. DP-2207-C0019 8 June 2023 Introduction 1. On 21 July 2022, the Personal Data Protection Commission (the “Commission”) received a complaint that Tipros (the “Organisation”), a sole proprietorship in the wholesale of and repair of electrical appliances, had unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organisation’s Google reviews page (the “Incident”). 2. The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3. The complainant had engaged the Organisation to repair a refrigerator. Following the repairs made, the complainant gave a “1-star” review on a Google reviews page “24hr fridge refrigerator #1 Quick repair service Trusted in Singapore”, which has since been renamed “Tipros.sg”. 4. The Organisation promptly responded to the complainant’s review. What is problematic was that the Organisation included the complainant’s personal data, including the complainant’s residential address and mobile number in their Page 2 of 8 response. The complainant filed a complaint with the Commission as the complainant was of the view that there was no reason for the Organisation to disclose her personal data in the course of responding to the review she left on the Organisation’s Google reviews page. 5. Apart from the Organisation’s response to the complainant’s review, the Commission found 13 other responses on the Organisation’s Google reviews page which disclosed, in a similar fashion, the personal data of other customers who had given reviews. Our Investigations 6. The Commission commenced investigations. In the course of investigations, it was ascertained that the Organisation’s place of business was vacant and its registered office was occupied by another business which was not related to the Organisation. Thus, a Notice to Produce Documents and Information for Investigation (“NTP”) was delivered by hand on 25 October 2022 to the residential address belonging to the Organisation’s sole proprietress, one Er Lee Cheng @ Angela Er Wei Leng (“Angela”). The Organisation failed to respond by the stated deadline. 7. Thereafter, the Commission issued three further notices to Angela to attend interviews, which were delivered by hand to Angela’s residential address on 8 November 2022, 15 December 2022, and 10 January 2023. Page 3 of 8 8. Following these notices, an individual claiming to be Angela contacted the Commission through an unlisted number on various occasions, namely 11 November 2022, 17 November 2022, and 27 December 2022, and declined our request to attend an interview, or to schedule any other alternative dates for an interview. 9. The Commission is satisfied that the Organisation had received due notice of our investigative proceedings. Given the Organisation’s refusal to respond to our NTP and our notices to attend an interview, the Commission proceeded with its investigations based on the evidence available to it. 10. The Commission is satisfied on a balance of probabilities that the Organisation’s responses which disclosed the complainant’s personal data had been posted by the Organisation for the following reasons: First, The Google reviews page reflects the name of the Organisation; and second, the Organisation has a direct and material interest in the reviews given by the complainant and other individuals on the Organisation’s Google reviews page. Findings and Basis for Determination 11. Based on the circumstances disclosed above, the Commission’s investigations centered on whether the Organisation had breached the Purpose Limitation Obligation under section 18 of the PDPA. Page 4 of 8 The Purpose Limitation Obligation under section 18 of the PDPA 12. Under section 18(a) of the PDPA, organisations may collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances and — under section 18(b) — that the individual had been informed prior to the intended collection, use or disclosure (the “Purpose Limitation Obligation”). 13. I had previously discussed the ambit of when it would be acceptable for an organisation to disclose personal data when responding to public comments in M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 and in Big Bubble Centre [2018] SGPDPC 25. In Re M Stars Movers, I stated at [18] and [19] as follows: “The Deputy Commissioner advises caution in disclosing personal data when responding to public comments. An organisation should not be prevented or hampered from responding to comments about it using the same mode of communications that its interlocutor has selected. In some situations, it may be reasonable or even necessary to disclose personal data in order to advance an explanation. … An individual who makes false or exaggerated allegations against an organisation in a public forum may not be able to rely on the PDPA to prevent the organisation from using material and relevant personal data of the individual to explain the organisation’s position on the allegations through the same public forum. The following observations may be made in this context about the approach that the Commission adopts. First, the Commission will not engage in weighing Page 5 of 8 allegations and responses on golden scales in order to establish proportionality. The better approach is to act against disclosures that are clearly disproportionate on an objective standard before the Commission intervenes in what is essentially a private dispute…” 14. When an individual chooses a public platform to pass comments about an organisation, the organisation is fully entitled to respond on the same platform in a proportionate and reasonable manner. In such circumstances, the individual had initiated the communication and selected the public platform. The nature of the individual’s comments will determine whether a response from the organisation is necessary. Where the nature of the individual’s comments invites a response for the purpose of advancing an explanation, such a purpose is considered reasonable in the circumstances under section 18(a). In advancing an explanation, it may be necessary to use or disclose relevant facts in order for the explanation to be effective. Such disclosure is reasonable in the circumstances provided that the extent of disclosure is proportionate. 15. Further, the requirement under section 18(b) read with section 20(1)(b) that the individual be informed of the purpose prior to use or disclosure is also met in these circumstances. The raison d’être for this requirement is to keep the individual informed of the purposes for which his or her personal data is to be used or disclosed, unless such use or disclosure is for purposes that are authorised by law. In cases such as the present, the individual initiated the communication and the nature of his or her comments shapes the organisation’s response. As long as the organisation’s response is for a reasonable purpose that is a natural consequence Page 6 of 8 of the individual’s comments, the individual is deemed to have been informed of such purpose. Thus, where an individual makes a complaint on a public platform in relation to an interaction with the organisation, it is natural that the organisation responds on the same platform for the purpose of providing an explanation. And if use or disclosure of personal data is necessary for such a purpose, the individual is deemed to have been informed prior to such user or disclosure since it is the individual’s earlier actions that had elicited the response. 16. In the present case, I am of the view that the Organisation’s disclosure of the complainant’s personal data was unreasonable and disproportionate. The complaint related to the poor standard of service that the Organisation delivered. 17. The complainant alleged that two weeks after the Organisation repaired his or her refrigerator, the refrigerator stopped working. The complainant was aggrieved that the Organisation sought a payment of $80 ($20 transport fees and $60 checking fees) to check on the refrigerator two weeks after the Organisation fixed the refrigerator, and that the Organisation’s technician was supposedly not available over the weekend when the complainant had only engaged the Organisation because the Organisation had supposedly advertised itself as providing round-theclock service. Given the grievances flagged in the complainant’s review, there was no issue about the location for delivery of the service. Thus, it was unnecessary for the Organisation to disclose the complainant’s residential address. In the same vein, I do not see how disclosure of the complainant’s mobile number was necessary to advance an explanation in response to the complaint. Page 7 of 8 The Commission’s Decision 18. Based on the facts established, the Commission finds the Organisation in breach of its obligation under section 18(a) of the PDPA. The Organisation’s failure to respond to NTP and refusal to attend for an interview are duly considered as aggravating factors. As the Organisation had not taken any action to remove or amend its response to the complaint, there is no mitigating factors to speak of. 19. In the circumstances, I hereby direct the Organisation to: (a) Remove the disclosure of the complainant’s residential address and mobile number in its response to the complainant’s comments on the Organisation’s Google reviews page; and (b) Review the 13 other responses on the Organisation’s Google reviews page where it had also disclosed personal data of other customers in response to their reviews, and to remove disclosure of personal data if such disclosure is not reasonable or proportionate in order for the Organisation to respond to the Google reviews. The Organisation is given 30 days to comply with these directions. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION Page 8 of 8 | Directions | 1026 | {
"sum": 0,
"max": 0
} |
Links from other tables
- 2 rows from _item in pdpc_decisions_version