pdpc_undertakings: 36
Data source: pdpc.gov.sg/Undertakings
_id: 36
_item_id: 8d93620fcfdc25bde4a76fc8a9bbf87e0fb80b3e
id: 3
organisation: HSBC Bank (Singapore) Limited
url: https://www.pdpc.gov.sg/undertakings/undertaking-by-hsbc-bank-(singapore)-limited
timestamp: 2020-09-10

description:

Background

On 21 May 2018 and 30 May 2018 respectively, the Personal Data Protection Commission (the “Commission”) received complaints from two individuals that HSBC Bank (Singapore) Limited (“HSBC”) had sent them a marketing email (the “Email”) without their consent (the “Incident”). HSBC reported the Incident to the Commission voluntarily on 25 May 2018. As reported by HSBC, the Email was a “test email”, and it had intended to send the Email only to HSBC’s employees to test their eDM (electronic direct mail) platform. However, due to incorrect configurations set on the eDM platform, the Email was sent to a significant number of email addresses (more than 100,000). This number included email addresses of individuals who had withdrawn their consent to receive marketing emails from HSBC. The individuals had received the Email twice, as it was sent once on two consecutive days. No personal data was disclosed in the Incident.

Remedial Actions

HSBC rectified the configuration settings immediately upon finding out about the error. In addition, to prevent recurrence of similar incidents, HSBC introduced a checklist to ensure all procedures were adhered to prior to the sending of eDMs. It also cleaned up its existing database.

Undertaking

The Commission considered the circumstances of the case and accepted an undertaking from HSBC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2020 (the “Undertaking”).

The Undertaking provides that HSBC was to:

(a) review and update its procedure for the sending of eDMs using its emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of eDMs to all email addresses stored in its database;
(b) review the training provided for its employees involved in the eDM process, particularly in the steps necessary to select and verify the correct email addresses;
(c) review the process of retaining and storing email addresses of both current and former customers who have withdrawn consent for the use of their personal data for the sending of marketing or any other EDMs to them, or whose banking accounts have become inactive under HSBC’s applicable terms;
(d) propose an implementation plan for fulfilling the above;
(e) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan;
(f) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and
(g) provide a status report to the Commission at a time requested by the Commission confirming whether HSBC has fulfilled each of the specific measures set out in the implementation plan.

HSBC has since provided the Commission with the status report referred to at para 5(g) above on 3 April 2020. The Commission has reviewed the matter and determined that HSBC has complied with the terms of the Undertaking.

pdf-url: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---hsbc.pdf

pdf-content:

APPENDIX A

LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION

This Undertaking is given to the Personal Data Protection Commission by:
HSBC Bank (Singapore) Limited
UEN: 201420624K
Registered Address: 21 Collyer Quay #13-02 HSBC Building, Singapore 049320

By signing this Undertaking, HSBC Bank (Singapore) Limited acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking.

1. DEFINITIONS

1.1. In this Undertaking:
(a) “PDPC” means the Personal Data Protection Commission.
(b) “Commissioner” means the Commissioner for Personal Data Protection.
(c) “Commission’s Letter” means the letter dated 12 December 2019 from the Commission to HSBC Bank (Singapore) Limited concerning its investigation under the PDPA, including the appendices thereto.
(d) “Data Protection Provisions” means Parts III to VI of the PDPA.
(e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012).
(f) “Time Frame” has the meaning given to it in paragraph 3.2.
(g) “HSBC” means HSBC Bank (Singapore) Limited, a company incorporated in Singapore (UEN: 201420624K).

2. ACKNOWLEDGEMENTS

2.1. HSBC hereby acknowledges the following matters:
(a) PDPC has carried out an investigation into certain acts and practices of HSBC involving the erroneous sending of electronic direct mails (the “Incident”).
(b) The facts and circumstances relating to the Commission’s investigations are set out in the Commission’s Letter, a copy of which has been furnished to HSBC.
(c) HSBC agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts and allegations, and that it has done so in the form of the following documents:
i. Response to “NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION ACT 2012” dated 20 June 2018;
ii. Response to “SECOND NOTICE TO REQUIRE PRODUCTION OF DOCUMENTS AND INFORMATION UNDER THE NINTH SCHEDULE TO THE PERSONAL DATA PROTECTION ACT 2012” dated 16 July 2018 (“Response to the 2nd NTP”);
iii. Response to follow-up clarifications from the PDPA sent via electronic mail with the subject title “RE: 2nd Notice to Require Production of Documents and Information for HSBC Bank (Singapore) Limited [Our Ref: DP-1805-B2152]” dated 10 October 2018; and
iv. Response to follow-up clarifications from the PDPA sent via electronic mail with the subject title “Clarifications following NTP Responses by HSBC Bank (Singapore) Limited [Our Ref: DP-1805-B2152]” dated 1 November 2018 (“1 November Email Clarification”).
(d) HSBC also agrees that it has been given the opportunity to submit representations to the Commission in relation to the form of this binding undertaking.
(e) Although the Commissioner has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA, the Commissioner recognises that HSBC has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, HSBC was cooperative in the course of the investigation and was responsive to requests for information.
(f) The Commissioner, having carefully considered all the relevant facts and circumstances, is of the view that this is an appropriate case in which to accept a binding undertaking.

3. UNDERTAKINGS

3.1. In consideration of the Commissioner not exercising the powers under section 29 of the PDPA to give a direction in relation to the Incident and the Commission’s investigation, HSBC hereby undertakes as follows.

3.2. HSBC undertakes to take all necessary steps to implement and give effect to the conditions set out below, and to procure and ensure that it takes all necessary steps to implement and give effect to the following within the time frame approved by the Commissioner under paragraph (d):
(a) review and update its procedure for the sending of EDMs using [name of emailing platform redacted for confidentiality] or other current emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of EDMs to all email addresses stored in its database;
(b) review the training provided for its employees involved in the EDM process, particularly in the steps necessary to select and verify the correct email addresses;
(c) review the process of retaining and storing email addresses of both current and former customers who have withdrawn consent for the use of their personal data for the sending of marketing or any other EDMs to them, or whose banking accounts have become inactive under HSBC’s applicable terms;
(d) provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) to (c) above, for the Commissioner’s approval. The proposed plan of implementation shall state specific measures that HSBC has taken and/or proposes to take to fulfil (a) to (c) above, as well as the time frame within which HSBC expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which HSBC proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would achieve the objectives of (a) to (c) above. HSBC shall make such amendments to the proposed plan of implementation as may be required by the Commissioner, in order to address any further concerns that the Commissioner may have. In deciding whether to approve the plan of implementation, the Commissioner will consider whether the specific measures would adequately address and achieve the objectives of (a) to (c) above;
(e) comply and procure that HSBC complies with each and every obligation set out in the approved plan of implementation, which is hereby incorporated into and forms part of this Undertaking, within the specified time frames;
(f) appoint an individual of sufficient authority to oversee HSBC’s compliance with the terms of the Undertaking and to report to the Commissioner, and to appoint a replacement in the event of the appointee’s departure from the organisation; and
(g) provide a status report to the Commissioner within fourteen (14) days from the end of the Time Frame approved by the Commissioner under paragraph (d) confirming whether HSBC has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed.

3.3. In addition, HSBC undertakes to provide, and will ensure that its provides all necessary assistance that the Commissioner may require to verify the completion of the specific measures under the plan of implementation, including (without limitation) granting the Commissioner and its representatives physical access to HSBC’s premises, providing information and documentation to the Commissioner, and arranging for meetings and/or interviews with HSBC staff, contractors and/or consultants.

4. COMMENCEMENT, TERM AND TERMINATION

4.1. This Undertaking shall take effect upon the acceptance by the Commissioner of HSBC’s fully executed Undertaking.

5. GOVERNING LAW

5.1. This Undertaking shall be governed by Singapore law. Each party irrevocably submits to the exclusive jurisdiction of the Singapore courts any dispute or claim arising in any way out of or in connection with this Undertaking (including a dispute regarding the existence, validity or termination of this Undertaking), and waives any right to oppose any such Singapore action or proceedings on any jurisdictional basis, and agrees not to oppose the enforcement against it in any other jurisdiction of any judgment or order duly obtained from a Singapore court.

6. VARIATION

6.1. This Undertaking may be varied only with the express written agreement of the Commissioner.

7. OTHER MATTERS

7.1. HSBC acknowledges that the Commissioner may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commissioner may issue public statements referring to this Undertaking and/or its contents in whole or in part.

7.2. For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the Commissioner’s rights in any manner, and the Commissioner shall be fully entitled to exercise all its statutory powers including, but not limited to, the powers under section 29 and section 50 of the PDPA to carry out enforcement action against HSBC in respect of its findings herein, should there be a failure by HSBC to comply with any term of this Undertaking or if the Commissioner has reasonable grounds for suspecting that any of the information provided by HSBC in connection with the investigation in this case was incomplete, false or misleading in a material particular. Furthermore, nothing in this Undertaking shall fetter or constrain the Commissioner’s rights in any manner, nor be construed as creating any expectation that the Commissioner will take or not take any particular course of action in the future, should HSBC be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking.

7.3. It is further acknowledged that the Commissioner’s acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the information provided by HSBC. The Commissioner’s acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on the part of any parties (whether or not a party to this Undertaking), and shall not bind the Commissioner in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commissioner’s rights in the foregoing respects are expressly reserved.

7.4. For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in this Undertaking.

SIGNED By
Name: ______________________________
Designation: _________________________
for and on behalf of HSBC Bank (Singapore) Limited
Date: ______________________________

ACCEPTED By
Name: ______________________________
Designation: _________________________
for and on behalf of the Commissioner, Personal Data Protection Commission
Date: _______________________________

_commit: 1007