This month, the Commission has issued two Decisions and one Undertaking.

The first Decision resulted in a warning to a financial advisor for using dictionary attack methods to generate telephone numbers, failing to obtain clear and unambiguous consent, and failing to check the DNC Register before making marketing calls to DNC-registered individuals.

The second Decision imposed a financial penalty of $58,000 was imposed on Carousell for failing to put in place reasonable security arrangements to protect the personal data of its platform users in its possession or under its control. Carousell was also directed to review its software testing procedures, processes and procedures for documenting functional and technical specifications of software and rectify any gaps identified from the reviews.

In the Undertaking, one organisation implemented remediation plans to rectify a breach and address systemic shortcomings, ensuring continual compliance with the PDPA. The PDPC has accepted this undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident.

Access the Decisions here and Undertaking here.