In which situation would a data intermediary based in Singapore be liable for breaches against the PDPA?
In which situation would a data intermediary based in Singapore be liable for breaches against the PDPA?
A data intermediary in Singapore would be liable for breaches against the PDPA when it processes data contrary to the provisions established in the contract. This is because the intermediary is required to comply with specific contractual obligations regarding the protection, retention, and notification of personal data breaches. Processing data contrary to these agreed-upon provisions would directly violate the PDPA and make the intermediary liable for breaches.
Obligations of data intermediaries The PDPA provides that a data intermediary that processes personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing will only be subject to the Data Protection Provisions relating to (a) protection of personal data (later referred to as the “Protection Obligation”); (b) retention of personal data (later referred to as the “Retention Limitation Obligation”); and (c) notifying the organisation of data breaches as part of notification of data breaches (later referred to as the “Data Breach Notification Obligation”), and not any of the other Data Protection Provisions. Where a data breach is discovered by a data intermediary , the data intermediary is required to notify the organisation without undue delay from the time it has credible grounds to believe that the data breach has occurred.
correction - D. When it processes data contrary to the provisions established in the contract.