In more detail

Key facts and findings

MCST 3615 is responsible for managing and maintaining common areas in a condominium in Singapore, and had engaged a managing agent for the condominium.

In May 2024, the Personal Data Protection Commission (PDPC) became aware of a complaint from a member of the public that: (i) they were denied access to CCTV footage managed by MCST 3615 allegedly containing their personal data, and they had raised an access request for this personal data; and (ii) their access request had not been handled in accordance with the PDPA. The CCTV footage in question concerned footage of an accident that the complainant was involved in.

The PDPC’s investigations revealed that MCST 3615 did not possess the complainant’s personal data. As the complainant could not be identified from the CCTV footage, neither by the footage itself nor with other information that MCST 3615 has or is likely to have access to (i.e., there were no identifying features of the individual in the footage or from the license plate of the vehicle), the CCTV footage did not fall within the definition of “personal data” under the PDPA. Thus, MCST 3615 was not obliged under the access obligation of the PDPA to provide access to the complainant.

However, the PDPC’s investigations also revealed the following:

• MCST 3615 lacked a data protection officer.
• MCST 3615 did not have any data protection policies or internal guidelines.
• MCST 3615 did not communicate clear instructions to its data intermediary (i.e., the managing agent) on how it should handle access requests for personal data.

This was in breach of the accountability obligation under the PDPA, which requires organizations to take measures to ensure that they meet their obligations under the PDPA.

Voluntary undertaking

The PDPC accepted a voluntary undertaking from MCST 3615 to improve its compliance with the PDPA, which includes implementing the following measures:

1. Conducting training for the managing agent (i.e., its data intermediary) and security vendors
2. Providing and documenting instructions to the managing agent regarding access requests for personal data, and reviewing its contract with the managing agent
3. Improving communication protocols with the managing agent and putting them into writing
4. Reviewing the requirements of the access and correction obligations under the PDPA to document suitable practices
5. Reviewing and documenting procedures for recording, retrieving and backing up CCTV footage
6. Reviewing and implementing information security and technical measures to protect personal data
7. Reviewing its newly implemented Privacy Policy and Data Protection Guidance Manual and documenting specific actions that have been taken to comply with the PDPA

The PDPC will verify whether MCST 3615 complies with these undertakings and, if necessary, issue a direction to ensure its compliance.

Key takeaways

This case highlights the importance of robust oversight over data intermediaries, and having policies and procedures in place to meet obligations under the PDPA.

It also serves as a reminder that the PDPC can also conduct investigations into an organization’s compliance with other obligations under the PDPA; it is not limited to making findings related to specific issues or obligations raised in consumer complaints.

* * * * *

© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.