Case Details
- Citation: [2025] SGPDPC 5
- Court: Intellectual Property Office of Singapore
- Date: 2025-10-31
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Air Sino-Euro Associates Travel Pte. Ltd.
- Legal Areas: Data Protection – Protection Obligation, Data Protection – Accountability Obligation
- Statutes Referenced: Advisory Guidelines on Key Concepts in the Personal Data Protection Act, Guide on managing and notifying data breaches under the Personal Protection Act, Personal Data Protection Act, Personal Data Protection Act 2012, Personal Protection Act
- Cases Cited: [2002] SGPDPC 8, [2017] SGPDPC 15, [2017] SGPDPC 4, [2020] SGPDPC 2, [2021] SGPDPC 12, [2021] SGPDPC 11, [2021] SGPDPC 8, [2021] SGPDPCR 1, [2022] SGPDPC 3, [2022] SGPDPC 9
- Judgment Length: 20 pages, 4,815 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated Air Sino-Euro Associates Travel Pte. Ltd. (the "Organisation") for breaching its obligations under the Personal Data Protection Act 2012 (PDPA) following a data breach incident. The PDPC found that the Organisation had failed to meet its Accountability Obligation, because it had no adequate internal data protection policies and practices, and its Protection Obligation, because it had not made reasonable security arrangements to prevent unauthorised access to the personal data in its possession. As a result, the Organisation's customer data was accessed and exfiltrated by a threat actor. The PDPC determined that the Organisation had negligently breached both its Accountability and Protection Obligations under the PDPA.
What Were the Facts of This Case?
Air Sino-Euro Associates Travel Pte Ltd (the "Organisation") is a Singapore travel agency that offers outbound travel services. On 21 December 2023, the PDPC was notified of an online news article reporting that a threat actor ("TA") had targeted the Organisation in a cyberattack (the "Incident") and allegedly extracted data from it, which the TA then published online. No ransom was sought from the Organisation.
The Organisation collects personal data of customers for tour group and air ticket bookings, which are stored in its legacy booking system (the "OB System"). The Organisation engages third-party vendors ("Vendors") to maintain its IT infrastructure and the OB System. During the material time, the Organisation had an external-facing privacy and data protection policy, but no internal data protection practices or policies.
On 20 December 2023, three employees of the Organisation were locked out of their company-issued laptops, which the Vendors then reset. The Vendors also scanned the servers, including the OB System, and reset the administrative passwords as a precaution, but did not detect any malware or abnormalities.
On 21 December 2023, the Organisation received a media inquiry about an online news article alleging that the TA had successfully exfiltrated the Organisation's data, including customer information and company financials. The Organisation's internal investigation, including engaging a forensic expert, confirmed that the TA had accessed the OB System without authorization and exfiltrated the personal data of 336,759 individuals stored in the system.
What Were the Key Legal Issues?
The key legal issues in this case were whether the Organisation had breached its obligations under the PDPA, specifically:
(a) The Accountability Obligation under Sections 11 and 12 of the PDPA, which requires organisations to develop and implement internal data protection policies and practices, appoint a data protection officer, and communicate these to their employees.
(b) The Protection Obligation under Section 24 of the PDPA, which requires organisations to make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal of personal data in their possession or control.
How Did the Court Analyse the Issues?
In analysing the Accountability Obligation, the PDPC found that the Organisation had only an external-facing privacy and data protection policy, but no internal data protection policies, practices, or communication to its employees. The PDPC drew parallels to its previous decision in Stylez Pte Ltd [2021] SGPDPC 8, where it had found that an organisation cannot rely solely on an external policy without corresponding internal policies and practices to give effect to its data protection obligations.
The PDPC also found that the Organisation had failed to appoint a Data Protection Officer (DPO) until after the Incident, which is a basic requirement under the Accountability Obligation. The PDPC emphasized the important role of a DPO in guiding an organisation to develop data protection policies and identify personal data protection risks.
In analysing the Protection Obligation, the PDPC noted that the Organisation was in possession of the personal data stored in the OB System, even though the IT management was outsourced to a vendor. The PDPC found that the Organisation's security arrangements, such as firewall protection and administrative access controls, were insufficient to prevent the unauthorized access and exfiltration of the personal data by the TA.
What Was the Outcome?
The PDPC determined that the Organisation had negligently breached both its Accountability Obligation and Protection Obligation under the PDPA. The PDPC did not specify any financial penalties or other orders in the judgment, as the matter was handled under the Expedited Decision Procedure.
Why Does This Case Matter?
This case is significant as it reinforces the PDPC's stance on the Accountability Obligation under the PDPA. Organisations cannot rely solely on external-facing data protection policies without corresponding internal policies, practices, and communication to their employees. The appointment of a DPO is also a crucial requirement to ensure an organisation's compliance with the PDPA.
Furthermore, the case highlights the importance of implementing reasonable security arrangements to protect personal data in an organisation's possession or control. Merely having some security measures in place, such as firewalls and access controls, may not be sufficient if they do not effectively prevent unauthorized access and data exfiltration.
This judgment serves as a valuable precedent for organisations in Singapore to review and strengthen their data protection practices, policies, and security measures to ensure compliance with the PDPA and avoid potential regulatory enforcement actions.
Legislation Referenced
- Advisory Guidelines on Key Concepts in the Personal Data Protection Act
- Guide on managing and notifying data breaches under the Personal Protection Act
- Personal Data Protection Act
- Personal Data Protection Act 2012
- Personal Protection Act
Cases Cited
- [2002] SGPDPC 8
- [2017] SGPDPC 15
- [2017] SGPDPC 4
- [2020] SGPDPC 2
- [2021] SGPDPC 12
- [2021] SGPDPC 11
- [2021] SGPDPC 8
- [2021] SGPDPCR 1
- [2022] SGPDPC 3
- [2022] SGPDPC 9
Source Documents
This article analyses [2025] SGPDPC 5 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.