Singapore: PDPC fines Yoshi Mobile SGD 21,000 for breach of consent and purpose limitation provisions
The Personal Data Protection Commission ('PDPC') published, on 10 March 2022, its decision in Case No. DP-2013-B8088, as issued on 29 October 2021, in which it imposed a fine of SGD 21,000 (approx. €14,060) on Mr Neo Yong Xiang, the sole proprietor of Yoshi Mobile, for violations of Sections 13 and 18 of the Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA'), following complaints from individuals who had registered with the Do Not Call ('DNC') register.
Background to the decision
In particular, the PDPC noted that between January and November 2020, there were 3,636 DNC complaints from individuals who had received messages despite being registered under the DNC register, 1,379 of which related to messages sent from 98 SIM cards registered at Yoshi Mobile.
In this regard, the PDPC initiated investigations against the proprietor of Yoshi Mobile for suspected breaches of the PDPA. Notably, the PDPC found that as part of its SIM card registration process, the proprietor had been collecting the identity documents of its customers. Furthermore, the PDPC observed that the proprietor had exploited this registration process in order to use customers' personal data without their consent to register for additional prepaid SIM cards to earn extra profit, estimated at SGD 15,000 (approx. €10,030). As a result, the PDPC indicated that the personal data of 78 individuals had been exploited.
Findings of the PDPC
In its decision, the PDPC concluded that the proprietor had breached the 'consent obligation' under Section 13 of the PDPA, highlighting that these customers had not consented to the use of their personal data for any other purpose except for the initial registration. In addition, the PDPC determined that the proprietor had fraudulently used such personal data for a purpose beyond what is reasonable, thereby breaching the 'purpose limitation obligation' under Section 18 of the PDPA.
In reaching its conclusion, the PDPC referred to a number of aggravating factors, including that:
- the proprietor's breaches were difficult to detect due to a high level of premeditation;
- the proprietor was entrusted with customers' personal data;
- the proprietor caused inconvenience to innocent parties; and
- the proprietor had made financial gain as a result of the misuse of personal data.
Outcomes
In light of the above, the PDPC imposed a fine of SGD 21,000 (approx. €14,060) to be paid in 18 monthly instalments. Finally, the PDPC confirmed that it will not issue any further directions.