DPO Policy - Divergent Insights

Personal Data Protection Policy

DIVERGENT INSIGHTS PTE. LTD.

Last Updated: July 01 2025 11:51:00

This Data Protection Policy (“Policy”) sets out the basis on which DIVERGENT INSIGHTS PTE. LTD. (“we”, “us”, or “our”) may collect, use, disclose or otherwise process personal data of our customers and other individuals in accordance with the Personal Data Protection Act (“PDPA”). This Policy applies to personal data in our possession or under our control, including without limitation, personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes.

Note: This policy applies to all companies, including dormant ones. While some provisions may not currently be relevant to dormant companies, we have included them for your reference in case your company becomes active in the future. Understanding the importance of data protection is vital for every organization, regardless of its operational status. Even if your company is currently inactive, it is essential to remain informed about data protection practices and regulations. This knowledge will not only prepare you for potential future activities but also ensure that you are compliant with legal obligations should you decide to resume operations.

Definitions

As used in this Policy:

“customer” means any individual person who has either (a) contacted us through any means regarding goods/services that we may provide, or (b) may enter into or has actually entered into a contractual relationship with us, for the provision of goods/services or otherwise; and

“personal data” means data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access.

Here are some types of personal data that we may collect:

  1. name
  2. address
  3. email address
  4. phone number
  5. age
  6. date of birth
  7. gender
  8. marital status
  9. photographs
  10. video recordings
  11. nationality
  12. passport/identity card copies
  13. employment information
  14. cookies/IP addresses
  15. other background information such as income data, financial records, tax records

Other terms used in this Policy shall have the meanings given to them in the PDPA.

1. Accountability

1.1. Appointment of Data Protection Officer (DPO)

We will appoint either a member of senior management or an outsourced data protection service provider as the data protection officer (“DPO”), responsible for overseeing compliance with the PDPA and acting as the main point of contact for all data protection matters.

All employees must report data protection-related requests to the DPO immediately. The DPO manages data breaches, conducts training sessions, and performs annual audits to ensure compliance with data protection obligations.

1.2. Internal Policies and Measures

1.2.1. Administrative Measures

All employees and contractors must sign confidentiality agreements. Annual training sessions are conducted to ensure that all staff members understand their responsibilities regarding data protection and stay updated on legal obligations and internal policies.

A personal data inventory map is maintained and regularly updated. It tracks what personal data is collected, the purposes for collection, methods, storage locations, and disclosure channels.

Disciplinary actions are taken against employees who breach data protection policies.

1.2.2. Physical Measures

Personal data stored in physical form is kept in locked cabinets accessible only to authorized personnel.

Access to the office premises is restricted, and only authorized personnel can enter secured areas. Visitors are limited to designated areas and must be accompanied by staff at all times.

CCTV surveillance is conducted for security purposes, with clear notices displayed on our premises to ensure awareness. These notices need not reveal the exact location of the CCTVs.

1.2.3. Electronic Measures

Information systems are protected with strong passwords, encryption, and secure network protocols to prevent unauthorized access.

Access to sensitive data is restricted based on user roles, and data segmentation is implemented to limit access to authorized personnel only.

Regular cybersecurity audits and software updates are conducted to ensure that systems remain secure and free from vulnerabilities.

1.3. Third-Party Management

1.3.1. Contractual Obligations

All contracts with third-party service providers will, where feasible, include confidentiality clauses ensuring they handle personal data according to our standards, particularly regarding data protection and retention, unless there are exceptions that we can rely upon under the law.

1.3.2. Data Intermediaries

Data intermediaries, such as IT service providers, agents, and professional advisers, are required to adhere to similar or higher data protection standards. We ensure this, for example, through contractual agreements or other suitable means of vetting. The DPO conducts regular audits of these third parties.

1.4. Annual Review and Remediation

1.4.1. Annual Review

At the end of each financial year, the DPO conducts a comprehensive review of all data protection practices, including verifying compliance with the PDPA, data classification, and security measures.

The review includes assessing the effectiveness of existing policies and identifying areas for improvement or updates based on changes in legal requirements or business operations.

1.4.2. Breach Response

If a data breach occurs, the DPO must notify management within one business day and initiate an investigation within three business days. A detailed breach report is prepared, and corrective actions are implemented to mitigate the breach. Disciplinary measures may be taken against responsible employees if necessary. Affected individuals and the relevant authorities are notified promptly if the breach meets the reporting threshold, unless there are exceptions that we can rely upon under the law.

2. Notification

2.1. Notification to Individuals

2.1.1. General Notification

Before collecting personal data, individuals are informed of the purpose of collection or how the data will be used, and any potential disclosures, unless there are exceptions that we can rely upon under the law. Individuals are provided with clear and concise information about the company’s data protection policies at the point of collection, ensuring transparency and informed consent.

Some examples of the purposes for collection or use of personal data are as follows:

  1. performing obligations in connection with our provision of the goods and/or services requested by you;
  2. administering your relationship with us;
  3. verifying your identity;
  4. responding to queries, feedback and/or complaints;
  5. processing payment;
  6. complying with any applicable laws;
  7. assisting with investigations conducted by any regulatory or law enforcement agency;
  8. any purpose for which you have provided us personal data;
  9. any other incidental business purposes related to or in connection with the above; and
  10. transmitting data to third parties (e.g., third-party service providers, contractors, agents) whether in Singapore or elsewhere, for any of the above-mentioned purposes.

The purposes listed above may continue to apply, for a reasonable period, even in situations where an individual's relationship with us has been terminated (e.g., for a period to enable us to enforce our rights under a contract with the individual).

2.1.2. Disclosure

We generally do not disclose personal data without first obtaining an individual’s consent. Disclosure will then be only for the specific purpose that the individual has been informed about (subject to any exemptions under the law).

Notwithstanding the above, we may nevertheless disclose an individual’s personal data:

  1. where such disclosure is required for performing obligations in the course of or in connection with our provision of the goods and services requested by the individual; or
  2. to third-party service providers, contractors, agents and other parties we have engaged to perform any of the functions in connection with the above-mentioned purposes.

Furthermore, we may disclose an individual’s personal data:

  1. our group/related/affiliated companies;
  2. companies providing services pertaining to insurance and/or reinsurance to us, and associations of insurance companies;
  3. our agents, contractors or third-party service providers (e.g., telecommunications, business process outsourcing, mail processing, email support, call centres, IT support, data processing, payment assistance, payroll processing, training, market research, storage);
  4. professional advisers (e.g., our legal advisers, auditors, bankers); and
  5. the authorities (e.g., regulators, law enforcement agencies).

2.1.3. Updates on Data Protection Policies

Changes to data protection policies are communicated through legal documentation, the company website, and direct communication with affected individuals. Updates are also provided via letters and email notifications.

2.1.4. Granular Consent Management

Before collecting certain types of personal data, we will provide individuals with detailed options to specify their consent for different types of data processing activities. For example, customers can separately consent to:

  1. Receiving marketing communications via email or SMS.
  2. Sharing data with third-party vendors for personalized advertising.

Consent for each such specific activity will be tracked and managed through our data consent system. Consent can be withdrawn for any individual activity at any time.

2.1.5. Express Consent for Sensitive Data

  1. In circumstances where personal data collected includes sensitive information, such as health data, financial records, racial or ethnic origin, or religious beliefs, we will obtain express written consent from the individual before processing such data.
  2. We will also provide a clear explanation regarding the use of this sensitive data, and the security measures implemented to protect it. Any use of such data beyond its original purpose will require renewed consent from the individual.

2.2. Access to DPO

2.2.1. Contact Information

The DPO’s business contact information (email address and phone number) is made publicly available on the company website, in company documentation or on the Singapore company registrar’s filing system, enabling individuals to reach out with data protection queries or complaints.

2.3. Automated Monitoring and Surveillance

2.3.1. Notification of Monitoring

Individuals are informed if any form of automated monitoring is in place, such as call recordings for training or security purposes, monitoring of internet use, or closed circuit television camera (CCTV) surveillance on premises.

2.3.2. Awareness Measures

Prominent notifications are displayed to notify persons of CCTV surveillance to ensure awareness of monitoring activities. Automated or manual phone messages inform callers that their calls may be recorded and the purpose of such recording.

2.3.3. Cookies and Tracking Technology

The company uses cookies and other tracking technologies on its website to enhance user experience and perform analytics. Users are notified through a banner and provided with the option to manage their cookie preferences. Consent is required for the use of non-essential cookies, such as those used for targeted advertising.

2.3.4. Automated Decision-Making and Profiling

In certain instances, we may process personal data for the purpose of automated decision-making, including profiling (e.g., decisions related to loan assessments, credit scoring, or targeted marketing). Where such decisions have significant effects on individuals, the company will ensure that individuals are informed of the use of automated decision-making and profiling. Furthermore, individuals will be given the right to:

  1. Request additional information on how the decision was made
  2. Seek human intervention in the decision-making process
  3. Object to the profiling or automated decisions where these impact their rights or interests

3. Consent

3.1. General Requirement for Informed Consent

3.1.1. Obtaining Consent

Clear and informed consent is obtained before collecting, using, or disclosing personal data, preferably in writing. If verbal consent is obtained, it is documented internally for record-keeping.

3.1.2. Consent for Third-Party Data

When clients provide third-party personal data (e.g., data about family members or business associates), they must ensure that consent has been obtained from the individuals involved, unless there are exceptions that we can rely upon under the law.

3.1.3. Marketing Communications

Opt-Out Mechanism: We provide clear options for individuals to opt out of marketing communications at any time.

Third-Party Data Sharing: We disclose if personal data will be shared with third-party vendors for marketing purposes, and obtain the customer’s consent for this purpose.

3.1.4. Consent for Call Recording

We inform customers that their calls may be recorded for quality assurance or training purposes, obtaining consent in advance.

3.2. Deemed Consent

3.2.1. Voluntary Provision of Data

Individuals are deemed to have consented when they voluntarily provide their data for specific purposes, such as submitting a job application or engaging in preliminary discussions for services.

3.2.2. Consent via Third Parties

Deemed consent also applies when data is shared by a third party under lawful circumstances, such as client referrals or introductions by other business entities.

3.2.3. Usage of Personal Data in situations of deemed consent

In situations of deemed consent, we may collect or use personal data, or disclose existing personal data, for any reasonable purposes, even if they differ from the primary purpose for which it was originally collected pursuant to our earlier notifications. In situations of deemed consent, we may, where feasible, provide the client a reasonable period to opt out.

3.2.4. Sharing of information between group/related/affiliated entities

We will inform clients about the structure of our group companies and the manner in which we may share information between group/related/affiliated companies.

3.3. Exemptions to Consent Requirement

The following and all other exemptions under applicable laws permit us to collect, use or disclose personal data without obtaining prior consent from individuals. This list is non-exhaustive.

3.3.1. Publicly Available Data

Consent is not required for the use of publicly available data, such as information from public directories, unless the data was obtained unlawfully or the individual has expressly stated that they do not wish their data to be used.

3.3.2. Situations of Interest

Personal data can be collected, used, or disclosed without consent in situations clearly in the individual’s interest, such as emergencies or compliance with legal obligations, unless there are exceptions that we can rely upon under the law. Generally, these situations arise where consent cannot be obtained in a timely manner or the individual would not reasonably be expected to withhold consent.

3.3.3. Evaluative purposes

Evaluative purposes means:

  1. for the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates:
    1. for employment or appointment to office;
    2. for promotion in employment or office or for continuance in employment or office;
    3. for removal from employment or office; or
    4. for the awarding of contracts, awards or other similar benefits; or
  2. for the purpose of determining whether any contract, award or other similar benefit should be continued, modified or cancelled.

3.3.4. Investigations or legal proceedings

These circumstances arise when such data collection, use and/or disclosure is necessary for any investigation or proceedings, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data.

3.3.5. Public agencies

Consent is not required when the disclosure is to a public agency and such disclosure is necessary in the public interest.

3.3.6. AML/CFT

In relation to clients, prospective clients and any other relevant persons (such as their representatives or connected persons), for the purposes of complying with our anti-money-laundering and countering-the-financing-of-terrorism (“AML/CFT”) obligations, such as in the course of our performing client due diligence, we may, directly or indirectly, collect, use, and disclose personal data without the respective individual’s consent.

3.3.7. Employees (current or prospective)

In relation to current or prospective employees, we are exempted from the obligation to obtain consent when:

  1. the personal data is included in a document produced in the course, and for the purposes, of the individual’s employment, business or profession, and is collected for purposes consistent with the purposes for which the document was produced; or
  2. the personal data is collected by us and the collection is reasonable for the purpose of managing or terminating our employment relationship with the individual.

4. Purpose Limitation

4.1. Specific and Legitimate Purposes

4.1.1. Purpose of Collection

Personal data is collected only for specific, legitimate purposes that are communicated to the individuals. If the data needs to be used for a different purpose, additional consent is obtained unless there are exceptions that we can rely upon under the law.

4.1.2. Employee Data Handling

The company collects and processes employee personal data for purposes such as payroll, performance management, and benefits administration. Employees are informed about the data collected and its use. Upon termination, any personal data no longer required is securely deleted or anonymized, unless retention is required for legal reasons.

4.1.3. Parental Consent for Minors

We will obtain explicit parental consent before collecting personal data from minors under the age of 18.

4.1.4. Purpose of collection of Information Unique to Our Industry

Divergent Insights Pte. Ltd. is a market research and insights firm conducting qualitative and quantitative studies to analyse consumer behaviour, preferences, and trends. In delivering these services, the organisation collects, uses, discloses, and processes personal data from stakeholders including employees, research respondents, clients, vendors, and freelancers.

Types of Personal Data Collected
Personal data is collected, used, and disclosed solely for defined business purposes, including:
– Employee Data: Names, NRIC/passport numbers, bank details, CPF numbers, contact details, payroll, onboarding documents, and tax information.
– Research Respondents: Full name and contact details; demographic information (e.g., age, gender, location); employment status and personal preferences; behavioral responses and survey inputs; data from minors (collected solely for specific projects and with parental or guardian consent); and audio/video recordings (with consent).
– Client Data: Contact names and emails, billing details, signed contracts or service agreements.
– Vendor/Freelancer Data: Full name and contact information, signed contracts and NDAs, bank account details for payment, identification numbers where applicable.
– System Data: IP address, browser information, interaction logs and usage analytics, preference selections during surveys or panel participation.

Purpose of Collection, Use, and Disclosure
We collect, use, and disclose personal data for reasonable business purposes, including:
– Administering HR processes, payroll, CPF/tax submissions.
– Conducting market research, digital panels, and participant profiling.
– Processing incentives for survey respondents.
– Managing contracts, invoicing, and payments for vendors and freelancers.
– Fulfilling client contracts, communications, and billing.
– Generating anonymised research insights and business reports.
– Meeting regulatory and compliance obligations (e.g., to banks, CPF Board).

Collection Medium
Personal data is collected through various methods depending on context and stakeholder type, including:
– Email: Used for employee onboarding documents, client communications, vendor/freelancer engagements, and financial correspondence.
– Hard Copies: Used in HR processes and compliance documentation.
– Signed PDFs: Used for vendor/freelancer contracts and NDAs.
– Online Forms: Used for collecting research participant data and survey inputs.
– System Logs: Automatically captured via digital platforms and survey systems.

Internal Data Collectors
The collection and initial handling of personal data are conducted by the following internal roles and teams:
– Human Resource Manager: Responsible for collecting and managing employee-related personal data.
– Research Team: Handles respondent data from surveys, panels, and digital research tools.
– Account Managers: Collect and manage client data for contracting, invoicing, and service delivery.
– Vendor Management Team: Manages vendor and freelancer information, including contracts and payment details.

Storage of Personal Data
Personal data is stored using both physical and electronic means, depending on the nature of the data and operational requirements.

– Physical Storage
  – Temporary KYC Bin: Used for short-term storage of physical documents, primarily for compliance or identity verification during onboarding.
  – HR File: Used to maintain physical copies of employee records for payroll, statutory compliance, and onboarding.

– Electronic Storage
  – Google Drive: Used for storing encrypted documents, including payroll-related data.
  – OneDrive: Used across departments (HR, Accounts, Research, Projects) for general business operations and document management.
  – Zoho: Used for HR and accounting processes.
  – Hrone: Used for managing HR records, including tax, CPF, and payroll data.
  – MongoDB: Used by the Data Analytics and Research Team for storing research data, including demographic and preference information.
  – ERP System: Used for client account coordination, project tracking, and billing information.

Data Accuracy
Accuracy and completeness of personal data are maintained through the following measures:
– Validating data during collection
– Allowing data subjects to update their information
– Verifying third-party data through documents or direct contact

Consent and Notification:
– Explicit and informed consent is obtained prior to any collection of personal data.
– Fresh consent is obtained when new purposes arise.
– Withdrawal of consent may be requested via the support channel, with data deleted or anonymised within 7 working days. No fees are charged for such requests.
– Participation in research is voluntary, and individuals may withdraw at any time.
– For minors or legally represented individuals, consent is obtained from authorised guardians.
– The Company currently operates based on explicit consent and has not adopted reliance on deemed consent or statutory exceptions under the PDPA.

Access, Correction, and Withdrawal:
– Requests for access or correction of personal data may be submitted to the appointed Data Protection Officer (DPO).
– Identity is verified through the registered email or contact before any data is released.
– Requests are acknowledged within 3 business days and fulfilled within 7 business days.
– If a request is rejected, data is retained for at least 30 days for dispute resolution.
– Individuals may also request withdrawal of consent, upon which data is deleted or anonymised within 7 working days.
– No fees are imposed for these services.

Data Retention and Disposal:
– Personal data is retained in accordance with applicable legal, regulatory, and business requirements. Where appropriate, data is deleted or anonymised after the purpose for which it was collected has been fulfilled.
– Disposal methods include secure deletion from physical folders and cloud platforms (e.g., Google Drive). Intermediaries are contractually required to delete personal data after the business purpose ends, though specific retention practices may vary based on project terms.
– The company aims to align its data retention and disposal practices with legal and business requirements, and is reviewing its processes to ensure consistency across all categories of personal data.

Data Security and Safeguards
A combination of technical, physical, and administrative safeguards protects the integrity, confidentiality, and availability of personal data.
– Electronic Security: Personal data is protected through encryption both at rest and in transit. Data is stored in secure cloud platforms including OneDrive, Zoho, MongoDB, and Google Drive. Access is controlled through role-based permissions, supported by audit logging, firewalls, and multi-factor authentication.
– Physical Security: Physical records are safeguarded through restricted access measures, including biometric entry to office premises, secure storage of HR files, and designated KYC bins for sensitive hardcopy documents.
– Administrative Controls: The company maintains active oversight through its appointed Data Protection Officer (DPO). A formal Data Protection Policy has been developed and adopted as part of the company’s PDPA compliance efforts. Formal PDPA training has been undertaken by the designated compliance lead to strengthen internal awareness and compliance.

Data Intermediaries and Third Parties
We engage third-party platforms and vendors for HR, research, IT, and analytics services. Third-party service providers will be required, through contract, to implement security and data protection measures consistent with the PDPA. Where relevant, contractual clauses will specify obligations relating to access control, retention, and breach notification.

Data Transfers:
– Personal data may be transferred internationally (e.g., to APAC, EU, UK, US) depending on project scope.
– Transfers are executed via encrypted emails or secure file protocols.
– We implement Standard Contractual Clauses (SCCs) where required to safeguard data privacy across borders.

Data Breach Management:
– A documented Data Breach Management Plan is in place, outlining defined roles, escalation procedures, timelines, and response actions.
– Breach monitoring is conducted via both automated and manual checks.

Data Governance and Accountability:
– A Data Protection Officer (DPO) has been formally appointed to oversee all data protection and compliance matters. The DPO’s business contact information is made publicly available through appropriate channels.
– A comprehensive Data Protection Policy has been developed and adopted to guide the company’s handling of personal data in alignment with PDPA obligations.
– An operational Data Protection Management Programme (DPMP) is currently under development to further embed data protection into day-to-day operations. The DPMP will document the company’s internal data protection policies, assigned responsibilities, risk mitigation measures, and operational procedures in a structured, auditable format.
– As part of the company’s implementation phase, the designated compliance lead has received formal PDPA training to support the company’s compliance efforts.

Policy Review
The company recognises the importance of keeping its Data Protection Policy relevant and responsive to changing operational and regulatory landscapes.
The company will review the Data Protection Policy periodically, or if there are significant changes to legal requirements, business processes, or data handling practices, to ensure it remains up to date and aligned with legal and operational requirements. This review will be overseen by the Data Protection Officer (DPO) in consultation with relevant stakeholders.

4.2. Prohibited Activities

4.2.1. Unsolicited Marketing

We generally do not engage in unsolicited marketing activities, such as cold calling, email spamming, or mass text messaging, unless the individual has consented or there are exceptions that we can rely upon under the law. We will at all times ensure we specifically comply with all laws pertaining to do-not-call (DNC) registers.

4.3. Business Contact Information

4.3.1. Usage of Business Information

Business contact information, such as names, job titles, and business email addresses, is not subject to data protection rules and can be used freely for business purposes, such as client communications.

4.4. Legitimate Interests Exception

4.4.1. Legitimate interests exception explained

In line with the legitimate interests exception, we will collect, use or disclose personal data for the following purposes:

  1. Fraud detection and prevention;
  2. Detection and prevention of misuse of services;
  3. Network analysis to prevent fraud and financial crime, and perform credit analysis; and
  4. Collection and use of personal data on company-issued devices to prevent data loss.

5. Protection Obligation

5.1. Security Measures

5.1.1. Administrative Measures

Employees are required to sign confidentiality agreements and adhere to strict policies regarding data access and usage. Annual training sessions are conducted to reinforce data protection awareness and understanding of the company’s policies and legal obligations.

We minimise collection of personal data as much as possible.

5.1.2. Physical Measures

Personal data stored physically is secured in locked cabinets accessible only to authorized personnel. Access to sensitive areas is restricted to authorized employees, and all visitors are logged and accompanied at all times.

5.1.3. Technical Measures

Information systems are protected by strong passwords, encryption, and secure network protocols. Sensitive data is segmented and access is limited to authorized users based on roles. Regular antivirus and anti-phishing software updates are performed to prevent unauthorized access and ensure system integrity. Where necessary, we will employ data anonymisation techniques.

5.1.4. General disclaimer to data subjects

Individuals are made aware, however, that no method of transmission over the internet or otherwise, or method of electronic storage is completely secure.

Whilst data security cannot be guaranteed, we strive to protect the security of data and are constantly reviewing and enhancing our information security measures.

5.2. Data Intermediaries

5.2.1. Handling by Third Parties

Third-party service providers who handle personal data on our behalf are required to adhere to data protection standards equivalent to ours. This may be ensured by way of contracts of engagement, or we may assess the suitability of third parties based on other generally accepted industry practices.

5.2.2. Encryption Standards for Data Transfers

We ensure that when personal data is transferred to third parties, especially across borders, it is encrypted in accordance with AES-256 encryption standards. This encryption applies both to data at rest and during transmission. Third-party vendors involved in such transfers are required to implement encryption and security protocols equivalent to acceptable industry standards.

Where personal data is transferred to jurisdictions with lower data protection standards, we will take additional measures, such as encryption, anonymization, or contractual clauses, to ensure data security.

5.2.3. Cross-Border Data Transfer Documentation

The company ensures that when personal data is transferred outside of Singapore, the recipient country has equivalent data protection standards. Where necessary, additional safeguards such as encryption or contractual clauses are implemented. All cross-border transfers are documented and reviewed to ensure compliance with data protection laws.

5.3. Data Access and System Security

5.3.1. Access Control

Role-based access control is implemented to limit access to personal data based on employee roles and responsibilities. Data access is monitored and audited regularly to ensure compliance with internal policies and legal requirements.

6. Accuracy Obligation

6.1. Ensuring Data Accuracy

6.1.1. Data Verification

Reasonable efforts are made to ensure that personal data is accurate and up-to-date, especially when used for decisions that significantly impact individuals. Individuals are encouraged to provide updated information as needed, by informing our DPO by email.

6.1.2. Presumption of Accuracy

Personal data provided directly by individuals is presumed to be accurate unless there is reason to believe otherwise. In such cases, additional verification is conducted to confirm the accuracy of the data.

6.2. Data Protection Impact Assessment

6.2.1. Data Protection Impact Assessment (DPIA)

Prior to launching any new project, product, or service that involves the processing of personal data, we will conduct a Data Protection Impact Assessment (DPIA). This assessment will evaluate potential privacy risks associated with the processing, including the scope of data collection, the intended use, and the security measures in place. The DPIA will be reviewed and approved by the Data Protection Officer (DPO), and any identified risks will be mitigated before the project proceeds.

6.3. Correction Requests

6.3.1. Request Handling

Individuals can request corrections to their data if they believe it is inaccurate or incomplete. The request is verified, and the data is updated if necessary. If a correction request is denied, the data is annotated with the requested changes and the reason for refusal.


7. Retention Limitation

7.1. Data Retention Policy

7.1.1. Retention Guidelines

Personal data is retained only for as long as reasonably necessary to fulfill the purposes for which it was collected or to comply with legal requirements. Once no longer needed, data is securely deleted or anonymized, unless there are exceptions that we can rely upon under the law.

7.1.2. Legal Obligations

Certain regulations, such as AML/CFT laws, the Companies Act, and tax laws, require us to retain personal data for at least five years (following termination of our business relationship or completion of the relevant client transaction) or more. This includes client records, accounting documents, and business transaction records. This Policy is also subject to our archiving and records retention policies.

7.2. Annual Data Review and Disposal

7.2.1. Disposal Process

At the end of each financial year, the DPO reviews all personal data to identify records that should no longer be retained. Data that no longer serves the original purpose and is not subject to any legal retention requirements is securely destroyed or anonymized.

7.2.2. Documentation of Disposal

All disposal actions are documented to ensure transparency and accountability. The disposal records include details of the data destroyed, the method of destruction, and the date of disposal.

7.3. Special Retention Circumstances

7.3.1. Extended Retention

In special cases, such as ongoing investigations, legal disputes, or AML/CFT compliance, data may be retained beyond the usual retention period. The DPO maintains a list of data that must be preserved due to these circumstances and notifies management of any extended retention requirements.

7.3.2. Post-Retention Procedures

Once the reason for extended retention is no longer applicable, the data is reviewed again and securely disposed of if it is no longer required for legal or business purposes.

7.4. Data Retention During Business Asset Transactions

7.4.1. Transfer and Disposal

During business transactions involving the sale or transfer of assets, personal data of employees, clients, or shareholders collected for the transaction is either securely transferred to the new owner or destroyed if the transaction does not proceed.


7.5. Data Retention Policy for Communications

7.5.1. Call logs and message records

Call logs and message records will be retained for 5 years in order to meet our compliance obligations.

7.6. Deceased Individuals

7.6.1. General treatment of data of deceased individuals

In the case of individuals who have passed away, for a period of ten (10) years, we will continue to ensure that rights pertaining to non-disclosure and protection of the deceased individual’s personal data still apply. These rights may be exercised by his/her personal representative or nearest relative.

8. Transfer Limitation

8.1. Data Transfers to Third Parties

8.1.1. Safeguarding Data Transfers

Personal data is only transferred to third parties when necessary for business operations and under strict safeguards, such as confidentiality agreements, unless there are exceptions that we can rely upon under the law. All third-party recipients are required to adhere to data protection standards equivalent to ours.

8.1.2. Verification of Third-Party Standards

Before transferring data to any third party, especially those outside Singapore, we verify that they have adequate data protection measures in place. This includes reviewing their data protection policies, contractual obligations, and security practices.

8.2. Cross-Border Transfers

8.2.1. Overseas Data Transfers

Data is transferred outside Singapore only when necessary and with the individual’s consent, unless exceptions apply. We ensure the recipient country has comparable data protection standards or take necessary steps to provide additional protection.

8.2.2. Notification and Consent

Affected individuals are informed of the extent to which their personal data will be protected in the foreign jurisdiction. Their consent is sought before transferring data, except where exemptions under the law apply.

8.3. Documentation of Transfers

8.3.1. Record-Keeping

All data transfers, particularly those involving cross-border data flow, are documented. This includes the nature of data transferred, recipient details, and the legal basis for transfer. These records are maintained to ensure compliance with data protection regulations and transparency.

9. Breach Notification Obligation

9.1. Data Breach Management

9.1.1. Breach Response

In the event of a data breach, the DPO shall initiate an investigation within three business days of becoming aware of the breach, to assess the scope, cause, and impact of the breach. Immediate steps are taken to contain the breach and mitigate any harm to affected individuals. The assessment shall be conducted swiftly, within a reasonable period, generally within 30 days from our becoming aware of the breach.

9.1.2. Notification to Authorities

If the breach poses a significant risk to individuals or affects a large number of people, the PDPC is notified within the prescribed time frame (as soon as practicable, but no later than 3 calendar days), unless there are exceptions that we can rely upon under the law. If the breach is likely to result in significant harm to individuals, we will notify the affected individuals as soon as practicable after completing the assessment.

9.2. Reporting and Remediation

9.2.1. Reporting to Affected Individuals

If the breach is likely to result in significant harm to individuals, the affected individuals are notified as soon as possible, with information on the nature of the breach, potential consequences, and steps they can take to protect themselves.

9.2.2. Documentation and Follow-Up

A comprehensive report detailing the breach, the actions taken, and the measures implemented to prevent future breaches is prepared. The DPO follows up to ensure all corrective measures are effectively implemented and documented.

9.3. Preventive Measures

9.3.1. Data Breach Simulations

Regular data breach simulation exercises are conducted to test and improve our breach response plan and the readiness of employees to respond to potential data breaches. These simulations help identify gaps in the response plan and enhance our overall data security posture.

9.3.2. Annual Penetration Testing

The company conducts annual penetration tests performed by independent security professionals to identify potential vulnerabilities in its data protection systems. Any issues identified during the tests are promptly addressed to ensure the ongoing security of personal data.

10. Access and Correction

10.1. Right to Access

10.1.1. Access Requests

Individuals can submit written requests to access their personal data held by us. The DPO will verify the identity of the requester and provide the data as soon as reasonably practicable. We endeavour to do so within thirty (30) days, unless exceptions that we can rely upon under the law apply. If additional time is needed, the requester is informed of the reason and the expected completion date. A reasonable fee can be charged for such requests. We will inform the individual of such fees before processing the request.

We will provide the applicant with the following:

  1. information on the personal data in our possession or controlled by us; and
  2. information on how we have or may have used or disclosed such data within 1 year of the date of such request.

10.1.2. Mandatory Denial of Access

Access requests will be denied if providing the data could:

  1. Threaten the safety or health of another individual
  2. Reveal personal data about another individual without their consent
  3. Be contrary to national security or public interest
  4. Relate to ongoing prosecution or investigations
  5. Be refused on other legitimate grounds

If access is denied, individuals are informed of the reasons unless exceptions under the law apply.

10.1.3. Discretionary Denial of Access

We may at our discretion deny access to the data in the following circumstances:

  1. Opinion data pertaining to prospective, current or past customers which we retain for evaluation purposes
  2. Data that reveals commercial information that harms our commercial competitive position
  3. Opinion data pertaining to prospective, current or past employees (e.g. suitability for positions or promotions)
  4. Any other opinion data that we retain for evaluation purposes


10.2. Correction Requests

10.2.1. Data Amendment

Individuals can request corrections to their personal data if they believe it is inaccurate or incomplete. We verify the request and update the data if necessary. If a correction request is refused, we annotate the data to reflect the requested changes and the reason for refusal.

10.2.2. Notification of Corrections

After correcting the data, we inform every organization to which the data has been disclosed within the past year, unless it is impracticable or involves disproportionate effort.

10.3. Withdrawal of Consent

10.3.1. Withdrawal Process

Individuals can withdraw consent for the collection, use, or disclosure of their personal data at any time by submitting a written notice by email to our DPO. Upon receiving the notice, we will, within a reasonable period, inform the individual of the potential consequences of the withdrawal, such as the impact on service provision or employment (i.e. cessation of provision of products and/or services, or termination of employment). We will cease using or disclosing the data as soon as reasonably practicable, unless retention is required for legal obligations or legitimate business purposes. The period depends on the complexity of the case. In general we try to process the request within thirty (30) days.

10.3.2. Notification to Third Parties

Third parties who have been provided with the individual’s personal data are notified to cease using or disclosing the data, unless exceptions that we can rely upon under the law apply.


10.4. Consequences of Withdrawal

10.4.1. Service Impact

Withdrawal of consent may limit or prevent the provision of certain services. The individual is informed of these limitations before the withdrawal is processed.

10.4.2. Employment Impact

For employees, withdrawing consent may result in changes to job responsibilities, limitations in processing payroll, or even termination of employment if the data is essential for the employment relationship.


10.5. Dispute Resolution

10.5.1. Complaints Handling

Individuals can submit complaints about our handling of personal data. The DPO acknowledges the complaint within three (3) business days and conducts an investigation. A response is provided within thirty (30) business days. If the resolution is unsatisfactory, the complaint is escalated to senior management for review.

10.5.2. External Resolution

If internal resolution is not satisfactory, individuals are informed of their right to refer the complaint to the Personal Data Protection Commission or seek alternative dispute resolution through mediation or arbitration.


11. Execution

11.1. Disclosure of Policy and Procedures

11.1.1. Policy Availability

Information on our personal data protection policies and practices is made available to individuals through legal documentation, our website, and direct communications. The DPO’s contact information is published to enable individuals to request information or submit complaints.


11.2. Training and Awareness

11.2.1. Employee Training

Employees are trained annually on data protection best practices, the company’s policies, and the PDPA’s requirements. Training sessions include scenarios on data handling, breach response, and identifying potential threats to data security.

11.3. Personal Data Inventory Map

11.3.1. Data Mapping

A personal data inventory map is maintained, tracking the types of personal data collected, the purposes of collection, collection channels, storage locations, and data recipients. The inventory is reviewed and updated annually to reflect any changes in data handling practices.

11.4. Remedial Plan

11.4.1. Breach Mitigation

In the event of a policy breach, the DPO immediately notifies management and takes appropriate actions to remedy and mitigate the consequences. An investigation is conducted, and corrective measures are implemented. Disciplinary actions are taken if necessary.

11.5. Annual Review and Transition

11.5.1. Policy Review

Annually, we review our personal data policies and practices to ensure ongoing compliance and effectiveness. Adjustments are made as needed to address changes in regulations or business processes.
