Hello Friends,
A Data Principal has the right to request for correction, completion, updating, and erasure of his or her personal data. This right holds even if the data principal had previously consented to such processing. On receiving such a request, a data fiduciary shall correct the inaccurate data, complete the incomplete data, and update such personal data.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance.”
Enjoy reading!
Privacy Enforcement
Singapore PDPC fines PPLingo for violation of accountability and protection obligations.
The Personal Data Protection Commission (PDPC) issued a fine of SGD 74,000 to PPLingo Pte. Ltd. for violation of the Personal Data Protection Act following a data breach. The personal data of the PPLingo students, parents, teachers, and other staff was stored in the operation support system where a data breach occurred and accessed the personal data of 557,144 individual. This included identification data, financial data, and the data of minors.
Greece HDPA imposes a fine on MEP and on the Ministry of Interior for GDPR violations.
The Greece Hellenic Data Protection Authority (HDPA) said that it received complaints regarding unsolicited political communication via email from the MEP. HDPA imposed a fine of €40,000 on the MEP and ordered it to delete all data of foreign voters. Furthermore, the HDPA fined the Ministry of Interior €400,000 since the file containing personal data of registered foreign voters was leaked.
Singapore PDPC issues SGD 28,000 fine on Horizon Fast Ferry for data breach.
PDPC was notified of unauthorized access and exfiltration of personal data of 108,488 individuals who had booked tickets using Horizon Fast Ferry’s website. It found Horizon Fast Ferry to have violated PDPA for failure to ensure reasonable security arrangements to protect the personal data in its possession. PDPC also found an absence of written policies and procedures for vendor management, absence of ICT policy covering IT security and ensuring security solutions were implemented for its web server.
Data Breach
Japan’s Sekisui House announced unauthorized access affecting 800,000 individuals
Sekisui House announced that its membership website had been subjected to unauthorized access and a total of 830,000 pieces of information has been leaked or is at risk of being leaked. This information pieces related to customers, employees and others registered in the website’s database including email addresses, login IDs and passwords. The incident is reported to the Personal Information Protection Commission (PIPC)
Regulations
Colorado Privacy Act to add protections for biometric data.
The Colorado Privacy Act is set to be amended to include protections for biometric data by requiring data controllers to adopt a written policy establishing a retention schedule for biometric identifiers. The bill also prohibits data controllers from collecting a biometric identifier unless the controller first satisfies certain disclosure and consent requirements.
Minnesota Consumer Data Privacy Act receives approval of the Governor.
The Minnesota Consumer Data Privacy Act applies to legal entities that conduct business in Minnesota or produce products or services targeting Minnesota residents. The Act outlines consumer personal data rights, including the right to access, rectification, erasure, portability, and opt-out from targeted advertising, sale of personal data, or profiling. The Act will become effective on July 31, 2025, and will be enforced by the Minnesota Attorney General.
NIST finalizes guidelines for protecting ‘controlled unclassified information’.
The National Institute of Standards (NIST) finalized guidelines for protecting controlled unclassified information (CUI) for consistency and ease of use. To do business with federal government, contractors and other organizations are required to follow NIST guidelines for protecting sensitive information they handle. It also stated its intentions to revise other supporting publications associated with CUI of high-value assets and critical programs in the coming months.