Singapore Addendum to Privacy Policy

Last Updated: 5th December 2019

Introduction
1. This is an addendum (“Addendum”) to the Knowcross Privacy Policy (“Main Policy”), and it addresses specifically our group companies’ approach to matters of personal data in relation to the Singapore Personal Data Protection Act 2012 (the “PDPA”).
2. This Addendum reaffirms our commitment to ensuring compliance with the PDPA where personal data is collected, used and disclosed in Singapore, and explains important information in addition to the Main Policy.
3. The Main Policy sets out the minimum levels of protection necessary to protect individuals’ personal information. Where this Addendum is in conflict with the Main Policy, and no express resolution is addressed herein, then the higher standard of protection (i.e. the standard that is more protective of a data subject’s rights in personal data) shall apply.
4. As with the Main Policy, this Addendum may be updated from time to time to align with changes to law or practice relevant to Singapore.
5. The terms in this Addendum have the same meaning as the terms in the Main Policy, in addition to the terms specifically defined herein.

Scope of Personal Data
6. Personal data is defined in the PDPA as “data, whether true or not, about an individual who can be identified-
(a) from that data; or
(b) from that data and other information to which the organisation has or is likely to have access.”
This definition supplements the definition given in our Main Policy. The itemised types of data we describe in our Main Policy will also fall within this definition.
7. For Singapore law, the PDPA does not apply to Business Contact Information (“BCI”). BCI is defined under the PDPA to be “an individual’s name; position name or title; business telephone number; business address; business electronic mail address or business fax number; and/or any other similar information about the individual, not provided by the individual solely for his personal purposes.” We will apply and abide by this in our handling of personal data in Singapore.
8. If you are a guest or staff member of any of our customers, it is important to note that we process information on behalf of our customers and in particular, guest data and customer data (“Processed Data”). As with the Main Policy, we do not retain Processed Data for any longer than is required to provide the services to our customers. Additionally:
(a) If you are a guest or staff member of our customers, your personal data will likely be Processed Data, and this would have been collected, used, disclosed or processed according to our customer’s data protection policy / data privacy policy (“Customer DPP”);
(b) Under the PDPA, all of your rights under the PDPA in respect of your Processed Data would be managed and accounted for by our customers, and we will be accountable only in respect of specific obligations, particularly in respect of the obligation not to retain your Processed Data for longer than is necessary to execute our services or meet legal obligations, and to take reasonable steps to protect your Processed Data; and
(c) In all other respects, you should refer to the Customer DPP as issued by our customers;
(d) Whilst we pride ourselves in executing our roles to the best of our ability, we are only “data intermediaries”[1] under the PDPA, and as such, other than in discharging our limited and specific obligations under the PDPA and contract obligations to our customers, we do not administer nor do we manage our customers’ respective data protection / privacy compliance programs, and we would refer you to the relevant customer organisation with whom you have dealt in respect of your services or dealings;
(e) In our limited role as data intermediaries, there may be queries or issues which relate to the handling of your personal data which only our customers are able to assist you on and for which we are not able, or liable under the PDPA, to address – where we can help you, we will be happy to assist; and
(f) Importantly, if we receive a query that concerns Processed Data, we may not be in a position to respond to it since we may not have full visibility to how your personal data is handled by our customers internally.
9. If you have objections as to the processing of Processed Data by us, please do let us know, and let our customer know. We remain under obligations to our customer, and the objections should be managed by them, but we will afford such assistance as we are lawfully able to do to help facilitate an appropriate response whether by our customer or ourselves.

Right to Withdraw Consent & Retention
10. Under the PDPA, individuals have the right to withdraw their consent for the collection, use or disclosure of their personal data by us, provided that they first give reasonable advance notice of this withdrawal. In compliance with the PDPA, we will not restrict or prevent individuals from withdrawing their consent. However, in accordance with the PDPA’s guidelines, we are entitled to apply the legal consequences that would follow from the withdrawal of consent, including but not limited to, applying any legal terms that would follow from an inability to provide services as caused by the withdrawal. We will apply and abide by this in our handling of personal data in Singapore.
11. In distinction to any “right to be forgotten” or analogous concepts in other laws, the withdrawal of your consent under the PDPA does not entail any obligation on our part to delete or anonymise personal data – we are required to retain such data to meet our legal obligations and the PDPA permits such retention for such legal and business purposes, although we will not apply purposes for which consent has been withdrawn. We will apply and abide by this in our handling of personal data in Singapore.
12. It should be noted that the right to “request erasure” as stated in our Main Policy is subject to our legal duties to retain personal data for meeting legal or business purposes as provided for under the PDPA.

Right to Request Transfer
13. The PDPA and its guidelines do not currently, as at the date of this Addendum, require organisations to transfer personal data to you or a third party. Should this right become implemented, we will be happy to assist subject to such legal requirements or framework as the PDPA may provide.
14. In respect of Processed Data, any request for transfer of Processed Data in respect of personal data covered by the PDPA should be directed to our customer as we have no legal authority to transfer the personal data of our own volition, and we are required to abide by legal restrictions under the PDPA and in our agreements with our customers in respect of the same.

The Consent Obligation
15. We have stated in our Main Policy that generally we do not rely on consent as a legal basis for processing your personal data. This remains true for Singapore and under the PDPA and in relation to our customer’s data (e.g. hotel guests, etc), in and to the extent that we are “data intermediaries” under the PDPA. In such situations, we only act strictly within the scope of our customer’s instructions to us and engagement terms with us, and we process such personal data in relation to customer’s purposes. To the extent that we do not do so, we will seek appropriate consents where necessary for the purposes of fulfilling our legal obligations under the PDPA.
16. The lawful grounds by which we may process your personal data under EU law, General Data Protection Regulation (“GDPR”), as stipulated in the Main Policy are not generally applicable under the PDPA, but where there is an applicable exception from the consent obligation under the PDPA, including but not limited to the exceptions provided to “data intermediaries” under the PDPA, we will apply and abide by this in our handling of personal data in Singapore.

Marketing
17. In addition to our statements concerning marketing in our Main Policy, options to be included in marketing emails will be provided to all data subjects based in Singapore on an “opt-in” basis.

Do Not Call Provisions

Knowcross does not send “specified messages” (in the form of voice calls, text or fax messages) to Singapore telephone numbers registered with the Do Not Call Registry (“DNC Registry”) without the explicit written consent from you, the consumers who agree to be contacted for this.

Knowcross’s policy is to check the DNC Registry before sending these specified messages, unless clear and unambiguous consent is obtained, or another exception under the PDPA can be relied on.

For the purposes of this provision, we note that a “specified message” is a message where at least one of the purposes of the message is to sell, advertise or promote goods and services; such a message is a specified message under the DNC Provisions. Specified messages also include voice calls.

Some exceptions to specified messages include:

(a)  Informational messages e.g. to confirm or complete a transaction with an individual

(b)  Notification messages e.g. notifications regarding a change of terms of a membership or subscription with an individual

(c)   Business to business messages

Use of personal data in calling: All personal data used to send specified messages e.g. phone numbers of individuals are also governed by the Data Protection Obligations.

The Exemption:  We will apply and comply with the Personal Data Protection (Exemption From Section 43) Order 2013 which provides an exemption from checking the DNC Registry or obtaining clear and unambiguous consent to send a specified message, under certain conditions.

When sending specified messages, Knowcross is also required to identify the sender of the message, by not withholding the calling number when it is a voice call, and for other types of messages, to identify the sender and provide contact details.

NOTE: This does not apply to B2B specified messages which we are entitled to issue.

The Access Obligation
18. Where applicable, we will comply with our obligations under the PDPA to provide you with information concerning your personal data, in respect of collection, use, disclosure or other processing of it within the preceding 12 months.
19. It should be noted that this does not apply to Processed Data, since the obligation to respond to access requests for Processed Data rests with our customers.
20. Executing a response to the access requests under the PDPA can take time and we will comply with our obligations to respond to your requests, within the time frame permitted, specifically within thirty (30) days from the date the request is received, with either the substantive response within that time or at least an indication of what further reasonable time will be required for that purpose.

The Correction Obligation
21. The Correction Obligation is two-fold – unless Knowcross is satisfied on reasonable grounds that the correction requested by the individual should not be made, it must:
(a) correct the personal data as soon as practicable; and
(b) send the corrected personal data to every other organisation to which the personal data was disclosed by Knowcross within a year before the date of the correction request, unless that other organisation does not need the corrected personal data for any legal or business purpose.
22. As with the Access Obligation, it should be noted that this does not apply to Processed Data, since the obligation to respond to requests to correct or update Processed Data communicated by our customers to third parties rests with our customers.
23. To the extent that the Access Obligation applies, Knowcross is responsible for determining whether another organisation to which personal data was disclosed by Knowcross must be corrected, and if so, Knowcross will send the corrected personal data to that other organisation. It is then up to the other organisation to determine whether or not it in fact has any legal or business purpose for the corrected data, and therefore whether it should correct the personal data in its own records.

Exceptions to Access and Correction Obligations
24. The PDPA does apply certain restrictions around when the access and correction obligations can be insisted on and we will abide by such exceptions and restrictions as may be applicable. Hence, if your request falls under a particular exception, we will take appropriate measures to ensure that the exceptions are abided by.

Transfer Limitation Obligation
25. Knowcross may transfer personal data out of Singapore, and where so, we will comply with our PDPA obligations to ensure that:
(a) We have taken appropriate steps to ensure that we will comply with the provisions of the Personal Data Protection Regulations 2014 in respect of the transferred personal data while such personal data remains in our possession or under our control;
(b) If the personal data is transferred to a recipient in a country or territory outside Singapore, then the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to that under the PDPA; and
(c) In respect of Processed Data, we will only transfer personal data to the extent such transfer is covered under appropriate agreements, including data transfer agreements, data processing agreements, service agreements or other relevant documentation and legally binding arrangements in accordance with the guidelines issued by the Personal Data Protection Commission of Singapore (“PDPC”).
26. In this regard, where referenced in this Addendum, “legally enforceable obligations” include obligations imposed on the recipient of personal data under:
(a) any law;
(b) any contract that:
(i) requires the recipient to provide to the personal data transferred to the recipient a standard of protection that is at least comparable to the protection under the PDPA; and
(ii) specifies the countries and territories to which the personal data may be transferred under the contract;
(c) any binding corporate rules that:
(i) require every recipient of the transferred personal data to provide to the personal data transferred to the recipient a standard of protection that is at least comparable to the protection under the PDPA; and
(ii) specify the recipients of the transferred personal data to which the binding corporate rules apply; the countries and territories to which the personal data may be transferred under the binding corporate rules; and the rights and obligations provided by the binding corporate rules; or
(d) any other legally binding instrument.
27. In this regard, please note also that the Addendum, where it is applicable, may vary from the Main Policy since the scope of “legally enforceable obligations” is a different standard from what may apply under other data protection laws, though we will continue to apply the most stringent standards which are applicable.

Compliance with Guides issued by the PDPC
28. Knowcross embraces and supports the implementation and application of guidance issued by the PDPC from time to time, and in this regard, Knowcross is always mindful of, and will continue to apply where feasible and applicable, such guidance as the PDPC may issue, including in respect of privacy-by-design, data breach enforcement standards and dispute resolution standards.

In-region contact particulars for the Data Protection Officer (“DPO”)
29. Knowcross has regional offices including in Singapore, but in addition, our data protection offices have regional presence as well and the DPO’s team will be available to assist on issues arising in Singapore.
30. Contact particulars are as follows:
Email: SGDPO@knowcross.com

Singapore contact person: Anthony Poppe

Knowcross Pte Ltd

60 Anson Road

Singapore 079914

In-Region contact person: Rahul Agrawal

Knowcross Solutions Pvt Ltd

7, Kapashera Estate

New Delhi, 110037 India


[1] Defined in the PDPA as “an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation”; with “processing” as used meaning “in relation to personal data, … the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following: (a) recording, (b) holding, (c) organisation, adaptation or alteration, (d) retrieval, (e) combination, (f) transmission, (g) erasure or destruction”.