COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA RELATING TO INDIVIDUALS
If an individual, at any time, has any questions or feedback relating to the Company’s Policy or the Company’s collection, use, processing and protection of their Personal Data, please do not hesitate to contact the Company’s Data Protection Officer at DPO@kddi.com.sg.
1 Introduction to the PDPA
- 1.1 Under the PDPA, “Personal Data” refers to data whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the Company has or is likely to have access.
- 1.2 Personal Data covers electronic and non-electronic data.
- 1.3 The Company will collect individuals’ Personal Data in accordance with the PDPA. In general, before the Company collects any Personal Data from individuals, it will notify them of the purposes for which their Personal Data may be collected, used and/or disclosed, as well as obtain their consent for the collection, use and/or disclosure of their Personal Data for the intended purposes.
2 Types of Personal Data Collected
- 2.1 Personal Data which the Company collects include, but is not limited to:
- (a) individual’s name, NRIC, passport or other identification number when it is required under law or when it is necessary to accurately establish or verify the identities of the individuals to high degree of fidelity;
- (b) individual’s telephone number, mailing address, email address and any other information relating to an individual which was provided in any forms submitted to the Company in any mode of communication;
- (c) information about users of the Company websites and services, including URLs and IP addresses, but only to the extent that the Company may identify individuals from such information;
- (d) information relating to job applicants and employees, including their employment history, education background, and income levels; and
- (e) individual’s financial information, such as bank account or credit card information for payment transactions and credit history.
- 2.2 The Company also collects business contact information, which refers to an individual’s name, position name or title, business telephone number, business address, business email address and any other similar information about the individual, not provided by the individual solely for his or her personal purposes. For the avoidance of doubt, the PDPA does not apply to business contact information. Hence, the Company’s disclosure of a person’s business contact information in furtherance of a particular purpose without the person’s consent is not in violation of the PDPA.
3 Collection of Personal Data
- 3.1 The Company collects Personal Data in several ways, including but not limited to the following manners:
- (a) When an individual contacts the Company for enquiries, via any mode of communication;
- (b) When an individual requests the Company to respond in writing or to return a telephone call; and
- (c) When an individual submits Personal Data to the Company for employment purposes.
- 3.2 Further, when the Company collects or attempts to collect Personal Data from its customers, suppliers, vendors, contractors or business associates (the “Business Partners”), the Company shall notify its Business Partners of the intended purpose for which the Personal Data will be used, administered, processed and managed.
4 Purposes for Collection, Use and Disclosure of Personal Data
- 4.1 The Personal Data which the Company collects from individuals may be collected, used and/or disclosed for the following purposes:
- (a) carrying out due diligence or other screening in accordance with any legal or regulatory obligations or the Company’s risk management procedures that may be required by law or that may have been put in place by the Company;
- (b) conducting research, analysis and development activities (including but not limited to data analytics, surveys and/or profiling) to improve the company’s products, services and facilities in order to enhance the business for the Company’s Business Partners’ benefits;
- (c) storing, hosting, backing up (whether for disaster recovery or otherwise) of individual’s Personal Data, whether within or outside Singapore; and
- (d) if it becomes necessary by a Court Order to cooperate with PDPC, complying with or as required by any applicable law, request or direction of any government agency and/or regulatory authority, or public agencies, ministries, statutory boards or other similar authorities. For the avoidance of doubt, this means that the Company may/will disclose Personal Data to the aforementioned parties upon their request or direction.
- (collectively, the “Purposes”)
5 Specific Issues for the Disclosure of Personal Data to Third Parties
- 5.1 The Company respects the confidentiality of the Personal Data that individuals have provided.
- 5.2 In that regard, the Company will not disclose any of individuals’ Personal Data to any third parties without first obtaining their express consent permitting it to do so. However, please note that the Company may disclose individuals’ Personal Data to third parties without first obtaining their consent in certain situations, including, without limitation, the following:
- (a) cases in which the disclosure is required based on the applicable laws and/or regulations;
- (b) cases in which the purpose of such disclosure is clearly in the individuals’ interests, and if consent cannot be obtained in a timely way;
- (c) cases in which the Personal Data is critically required for the protection of a person's life, body, or property, and the consent from the Business Partners cannot be obtained in time;
- (d) cases in which there are reasonable grounds to believe that the health or safety of an individual will be seriously affected and consent for the disclosure of the data cannot be obtained in a timely way, provided that the Company shall, as soon as may be practicable, notify the individual of the disclosure and the purposes of the disclosure;
- (e) cases in which the disclosure is necessary for any investigation or proceedings;
- (f) cases in which the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer; and/or
- (g) cases in which the disclosure is to a public agency and such disclosure is necessary in the public interest.
- 5.3 The instances listed above are not intended to be exhaustive. For an exhaustive list of exceptions, individuals are encouraged to peruse the Second, Third and Fourth Schedules of the PDPA.
- 5.4 In all other instances of disclosure of Personal Data to third parties with individuals’ express consent, the Company will endeavour to provide adequate supervision over the handling and administration of their Personal Data by such third parties, as well as to provide for adequate forms of protection over such Personal Data.
6 Disclosure of Personal Data
- 6.1 Subject to the provisions of any applicable law, Personal Data of an individual may be disclosed by the Company to third parties, but not limited to the following, whether they are located overseas or in Singapore for one or more of the above stated Purposes:
- (a) KDDI group companies;
- (b) agents, contractors, or third-party service providers;
- (c) business partners;
- (d) banks, financial institutions;
- (e) professional advisers such as consultants, auditors, and lawyers; or
- (f) government or public agencies.
- 6.2 Where the Company transfers Personal Data to an overseas recipient, the Company shall take such steps to ensure that the receiving third party is bound by legally enforceable obligations such as:
- (a) where the receng party is an associated or affiliated organisation or related organisation, a set of binding corporate rules; and
- (b) where the receiving party is an unrelated third party, a contract or written agreement;
7 Request for Access and/or Correction of Personal Data
- 7.1 An individual may apply to access a copy of his/her Personal Data retained by the Company, or request for such Personal Data to be updated or corrected, by sending a written request to the Company’s Data Protection Officer (at DPO@kddi.com.sg). Please be informed that the Company may charge an administrative and service fee to access and recover the Personal Data for the requested purpose and will inform such fee amount to the requester, accordingly.
- 7.2 The Company would usually respond to an access or correction request within a reasonable time. However, if the Company is unable to respond within thirty (30) days after receiving an access or correction request, the Company will inform the requester in writing providing the estimated number of days it will take to revert back. If the Company is unable to provide the requester with access to the requested Personal Data or to make a correction as requested, the Company shall generally inform the requester of the reasons why the Company is unable to do so (except where the Company is not legally required under the PDPA).
8 Request to Withdraw Consent
- 8.1 An individual may withdraw his/her consent for the Company to collect, use, administer, process or disclose his/her Personal Data for any purpose by submitting his/her request to the Company’s Data Protection Officer at DPO@kddi.com.sg. In some cases, withdrawing consent may hinder the Company’s ability to facilitate, process, administer, provide or maintain services to the requester.
- 8.2 The Company will process the individual’s request within a reasonable time from such a request for withdrawal of consent being made, and will thereafter refrain from collecting, using and/or disclosing their Personal Data in the manner stated in their request.
- 8.3 However, the Company may, if necessary, retain Personal Data and records in accordance with the PDPA provisions and regulations although an individual may withdrawn his/her consent.
9 Data Intermediaries
- 9.1 The Company may engage a data intermediary to process individuals’ Personal Data on behalf of the Company.
- 9.2 The Company undertakes an appropriate level of due diligence to assure that the data intermediary engaged by the Company to process Personal Data is compliant with the PDPA.
10 Management and Security of Personal Data
- 10.1 The Company will take reasonable measures to protect Personal Data from any unauthorised access or modification, improper collection, use or disclosure, unlawful destruction or accidental loss.
- 10.2 However, be aware that no method of transmission over the internet or electronic storage is completely secure. While security cannot be guaranteed, the Company will strive to protect the security of the Personal Data and will constantly review and enhance its information security measures.
11 Updates on Policy
- 11.1 As part of the Company’s efforts to ensure that it properly manages, protects and processes individuals’ Personal Data, the Company will be reviewing its policies, procedures and processes from time to time.
- 11.2 The Company reserves the right to amend the terms of this Policy at its absolute discretion.
Last Updated on [October 7th, 2020 Version 1.0]