PDPC published 3 enforcement actions in Jul and Aug 2025. Summaries can be found below.
1. Ezynetic Pte. Ltd. [3 Jul 2025] SGPDPCS 2
- A ransomware attack exposed the personal and financial data of 190,589 individuals held in its moneylending system.
- A weak system administrator password and a lack of vulnerability testing were the key lapses.
- Outcome: $17,500 financial penalty + directive to obtain CSA Cyber Trustmark certification within 9 months.
- For PDPC’s decision, please refer to: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_ezynetic-pte-ltd_03032025.pdf
2. Institute of Mental Health [31 Jul 2025] SGPDPC 1
- Complaint over a patient’s data being used for research recruitment without consent.
- PDPC found no breach, as IMH had long-standing clinic notifications and the patient’s continued attendance amounted to implied consent.
- However, PDPC noted that best practice would have been to obtain express consent, especially where sensitive medical information is involved.
- For PDPC’s decision, please refer to: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_institute-of-mental-health_21052025.pdf
3. MCST 4599 (The Scotts Tower) [7 Aug 2025] SGPDPC 3
- A resident’s access request for CCTV footage was denied, and the footage was later overwritten.
- Failures: no DPO appointed, no internal data protection policy, and no SOPs for handling CCTV access requests.
- Outcome: found in breach of the Accountability Obligation; ordered to implement policies and procedures and to appoint a DPO.
- For PDPC’s decision, please refer to: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/gd_mcst-4599_19052025.pdf
⚖️ Key Takeaways for Organisations
- Cyber hygiene matters: enforce strong passwords, periodic security testing, and independent certifications.
- Consent practices must be clear: implied or deemed consent may suffice in limited cases, but express consent is always safer when handling sensitive data.
- Governance is critical: every organisation—including MCSTs—must appoint a DPO, implement contextualised policies, and prepare for access requests.
Data protection is not just about compliance—it’s about safeguarding trust. Organisations should review their data protection programmes regularly to ensure they meet PDPA requirements and evolving regulatory expectations.
At P2D Solutions Pte Ltd, we empower organisations to build trustworthy and resilient data protection frameworks that go beyond legal compliance to deliver operational excellence.
Let’s work together to strengthen your data governance and achieve seamless PDPA compliance.
TALK TO US TODAY
For more information on how we can help your company comply with the PDPA easily and cost-effectively, contact us for a FREE consultation.
