New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 10 March 2023

  • Legal Development 13 March 2023 13 March 2023
  • Asia Pacific

  • Data Protection & Privacy

The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings last Friday (10 March 2023).

In total, there were 2 enforcement decisions (Eatigo case and Sembcorp Marine case) and 1 voluntary undertaking (Putien Restaurant case) published.

In this client update, we summarise the decisions and undertakings and present our key takeaways.

Key takeaways:

There are several key takeaways from these recent decisions and undertaking:

  1. For an organisation to effectively safeguard the personal data in its possession or control, it must first know what its personal data assets are. The surest way to ensure such visibility is to maintain a comprehensive personal data asset inventory. The Eatigo case demonstrates the consequences of not maintaining a proper personal data asset inventory.
  2. In responding to the PDPC’s queries in an investigation, organisations are advised to respond timely and adequately to the PDPC’s queries (including those in the PDPC’s notices to produce specified information and documents (NTPs)). In the Eatigo case, the PDPC appeared to be frustrated by Eatigo’s inadequate responses to the PDPC’s queries which led to the PDPC expanding substantial time and resources when engaging with Eatigo. This led to the PDPC mentioning this as an aggravating factor when determining the financial penalty imposed.   
  3. In certain circumstances, the PDPC may accept a voluntary undertaking in lieu of a full investigation as seen in the Putien Restaurant case. A benefit of a voluntary undertaking is that it does NOT amount to an admission of breach of the Personal Data Protection Act 2012 (“PDPA”). Although the PDPC has the full and complete discretion to accept (or reject) a voluntary undertaking, organisations under investigation by the PDPC may consider it appropriate to enter into a voluntary undertaking to potentially ‘enjoy’ the benefit of a non-admission of breach of the PDPA and the non-imposition of a financial penalty (as compared to a full blown PDPC investigation).
  4. The Protection Obligation is still the most breached obligation of the PDPA. Nevertheless, if an organisation can demonstrate that it had appropriate (and reasonable) security arrangements in place prior to an incident, the PDPC will more likely than not consider that the organisation has complied with its Protection Obligation. This appears to be the case in the Sembcorp Marine decision; the organisation took robust steps to ensure that it had good cybersecurity policies and practices in place and that these were carried out on a regular basis; these were considered by the PDPC in deciding the outcome of its investigation. 

Name of Decision / Undertaking

Summary of Incident

Type of Potential Breach of the PDPA


Complaint / Self-reported

Number of affected individuals; Types of personal data affected


Eatigo International Pte. Ltd.


Personal data breach


A cache of personal data that was suspected to be from Eatigo’s database was being offered for sale on an online forum.

Protection Obligation


  • Eatigo was held to have failed to maintain the affected database in its personal data asset inventory.


  • This led to the omission of extant security arrangements to the affected database.


Complaint by a third party 

2.74 million individuals


Personal data affected were:

  • name
  • email address
  • telephone number
  • gender
  • password in MD5 hash; and
  • Facebook ID number and token which provide access to users’ Facebook accounts and their Eatigo’s accounts




  • Breach of the Protection Obligation


  • Fine of SGD62,400

Sembcorp Marine Ltd

Personal Data breach


Sembcorp was the subject of a data breach involving an exploitation of the Log4J zero-day vulnerability which affected millions of computers worldwide in late 2021/early 2022.   


Protection Obligation


The PDPC held that Sembcorp Marine had made reasonable security arrangements to protect personal data it possessed and/or controlled because:


  • Good practices in relation to its ICT systems were adopted including
    • a cybersecurity testing programme,
    • regular vulnerability assessment and penetration testing,
    • and cyber security monitoring




25,925 individuals


Personal data affected included:

  • name
  • address
  • email address
  • NRIC number
  • telephone number
  • passport number
  • photograph
  • date of birth
  • bank account details
  • salary
  • medical screening results



  • No breach of the PDPA  


Putien Restaurant Pte. Ltd.

Personal Data Breach


  • Putien suffered a ransomware attack that encrypted personal data of 350 employees.


  • A threat actor used stolen administrator account credentials to access Putien's network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware.



Protection Obligation


  • The PDPC noted that there was no evidence of exfiltration of personal data.


  • Putien took immediate remedial action to address the cause of the personal data breach including:


  • development of IT security policies and procedures
  • implementation of IT security measures
  • conduct of IT audit reviews
  • conduct of cyber/data protection awareness training for key employees who handle personal data


  • A voluntary undertaking was submitted by Putien to the PDPC.



350 individuals


Personal data affected:

  • full names
  • contact numbers
  • NRIC
  • work permit
  • passport numbers
  • birth certificate and education certificate images
  • bank account numbers
  • Voluntary Undertaking; no admission of breach of the PDPA

To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below:


Stay up to date with Clyde & Co

Sign up to receive email updates straight to your inbox!