Keppel division gets highest fine from Singapore personal-data regulator since PDPA amendment
By Jet Damazo-Santos ( August 5, 2024, 07:52 GMT | Insight) -- Keppel Telecommunications & Transportation has been fined S$120,000 ($90,600) in Singapore for breaching its personal data protection obligation, one of the highest fines the Personal Data Protection Commission has imposed to date. A spokesperson confirmed that the fine is the highest since October 2022, when amendments to the Personal Data Protection Act that raised the maximum penalty went into effect.Keppel Telecommunications & Transportation has been fined S$120,000 ($90,600) in Singapore for breaching its personal data-protection obligations, one of the highest fines the Personal Data Protection Commission, or PDPC, has imposed to date. According to the decision published by the PDPC (see here), the Keppel division failed to delete personal data that was stored on servers held by Geodis Logistics Singapore, formerly Keppel Logistics, which it divested in 2022, for about two years. This negligence led to a data breach that compromised the personal data of over 22,000 current and former employees and shareholders. A PDPC spokesperson confirmed that the fine is the highest the regulator has imposed since October 2022, when amendments to the Personal Data Protection Act, or PDPA, went into effect. Those amendments increased the financial penalty cap from the previously fixed S$1 million to 10 percent of an organization’s annual turnover in Singapore for those whose annual local turnover exceeds S$10 million, whichever is higher (see here). The highest fine ever imposed remains to be the total S$1 million penalty the PDPC imposed in 2019 on SingHealth and the company handling its IT system for security failures that exposed the personal data of 1.5 million patients (see here). In the Keppel decision, the PDPC said “a higher financial penalty is warranted to ensure that the financial penalty meted is proportionate in light of the organization’s long period of non-compliance… and the type and nature of the personal data affected.” As the personal data affected included specimen signatures, full images of identification cards and bank account numbers, the commission said “this exposed certain individuals to greater risks of identity theft or actual financial losses.” The PDPC added that the higher amount was warranted “to ensure that the financial penalty meted will be effective in ensuring future compliance with the PDPA and to achieve the requisite deterrent effect.” Though the amount is the highest fine since October 2022, it is still a fraction of the maximum the PDPC can impose. ...
Prepare for tomorrow’s regulatory change, today
MLex identifies risk to business wherever it emerges, with specialist reporters across the globe providing exclusive news and deep-dive analysis on the proposals, probes, enforcement actions and rulings that matter to your organization and clients, now and in the longer term.
Know what others in the room don’t, with features including:
Daily newsletters for Antitrust, M&A, Trade, Data Privacy & Security, Technology, AI and more
Custom alerts on specific filters including geographies, industries, topics and companies to suit your practice needs
Predictive analysis from expert journalists across North America, the UK and Europe, Latin America and Asia-Pacific
Curated case files bringing together news, analysis and source documents in a single timeline