Signup for LITT - Agentic AI for legal, regulatory & Compliance Knowledge work.
Submit Article
Legal Analysis. Regulatory Intelligence. Jurisprudence.
Search articles, case studies, legal topics...
Singapore
By Sushant Shukla 4 min read

Aventis School of Management Pte. Ltd. [2018] SGPDPC 7

Analysis of [2018] SGPDPC 7, a decision of the Personal Data Protection Commission on 2018-04-30.

Case Details

  • Citation: [2018] SGPDPC 7
  • Court: Personal Data Protection Commission
  • Date: 2018-04-30
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Aventis School of Management Pte. Ltd.
  • Legal Areas: Data Protection – Consent obligation, Data Protection – Purpose limitation obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012, Second Schedule of the Spam Control Act, Spam Control Act
  • Cases Cited: [2018] SGPDPC 7
  • Judgment Length: 17 pages, 4,621 words

Summary

This case concerns a complaint filed by an individual (the "Complainant") against the Aventis School of Management Pte. Ltd. (the "Organisation") for sending him marketing emails unrelated to the program he had signed up for, without his consent. The Personal Data Protection Commission (PDPC) found that the Organisation had breached its obligations under the Personal Data Protection Act 2012 (PDPA) by using the Complainant's personal data to send him marketing emails without his consent, and by failing to effect the Complainant's withdrawal of consent in a timely manner.

What Were the Facts of This Case?

The Complainant was interested in a program offered by the Organisation and submitted his name, email address, and contact number through a web form on the Organisation's website titled "Take Action Today – Download Free Brochure". After signing up for the free brochure, the Complainant started receiving numerous marketing emails from the Organisation promoting various courses and programs unrelated to the one he had expressed interest in.

The Complainant made multiple attempts to unsubscribe from these marketing emails by clicking on the "unsubscribe" hyperlink and sending messages to two email addresses found within the emails. However, the Complainant continued to receive the marketing emails until June 2017. The Organisation explained that this was due to a technical and administrative glitch in the process of transitioning from its existing customer relationship management (CRM) system to a new one.

Based on the Commissioner's investigations, the Organisation had used the same web form to collect the personal data of 6,109 individuals and had sent marketing emails to 719 other individuals.

The key legal issues in this case were whether the Organisation had obtained valid consent from the Complainant to use his personal data to send him the marketing emails, and whether the Organisation had failed to give effect to the Complainant's withdrawal of consent in a timely manner.

Under the PDPA, organisations are required to obtain consent from individuals before collecting, using, or disclosing their personal data, and the consent must be for the specific purposes that have been notified to the individual. Additionally, organisations must give effect to an individual's withdrawal of consent.

How Did the Court Analyse the Issues?

The Commissioner examined the content and presentation of the web form used by the Complainant to submit his personal data, as well as the Organisation's Privacy Policy, to determine whether the Complainant had been adequately notified of the purposes for which his personal data would be used and had consented to those purposes.

The Commissioner found that the web form did not indicate that the Organisation would use the Complainant's personal data to send him marketing emails unrelated to the program he had expressed interest in. The web form suggested that the personal data would be used only to provide the Complainant with the free brochure and for a representative of the Organisation to contact him about the program.

The Commissioner also reviewed the Organisation's Privacy Policy and found that it only allowed the Organisation to use the Complainant's personal data for the purposes of providing him with the brochure of the specific program he requested and to contact him about that program. The Privacy Policy did not notify the Complainant that his personal data would be used for sending him marketing emails on unrelated subjects.

Therefore, the Commissioner concluded that the Organisation did not have valid consent from the Complainant to use his personal data for the purpose of sending him the marketing emails.

The Commissioner also considered the issue of the Organisation's delay in removing the Complainant's email address from its mailing list, despite the Complainant's multiple requests to unsubscribe. The Commissioner found that this delay led to the Complainant continuing to receive the marketing emails, which constituted a breach of the Organisation's obligation under the PDPA to give effect to the withdrawal of consent.

What Was the Outcome?

The Commissioner found that the Organisation had breached its obligations under the PDPA by:

  1. Using the Complainant's personal data to send him marketing emails without his consent, in breach of the consent obligation under section 13 of the PDPA and the purpose limitation obligation under section 18 of the PDPA.
  2. Failing to give effect to the Complainant's withdrawal of consent in a timely manner, in breach of section 16(4) of the PDPA.

The Commissioner directed the Organisation to:

  • Cease the use of the Complainant's personal data for the purpose of sending him marketing emails.
  • Implement appropriate policies and practices to ensure compliance with the PDPA's consent and purpose limitation obligations.
  • Conduct a review of its personal data protection practices and make any necessary improvements.

Why Does This Case Matter?

This case is significant for several reasons:

First, it reinforces the importance of obtaining valid consent from individuals before using their personal data for purposes that are different from what they were initially notified of and agreed to. Organisations cannot simply rely on broad or vague privacy policies to justify the use of personal data for purposes that were not clearly communicated to the individual.

Second, the case highlights the need for organisations to have robust processes in place to give effect to individuals' requests to withdraw their consent in a timely manner. Failing to do so can result in a breach of the PDPA, even if the initial collection and use of the personal data was done with valid consent.

Finally, this case serves as a reminder to organisations that they must carefully design their data collection forms and privacy policies to ensure that individuals are fully informed of the purposes for which their personal data will be used. Vague or ambiguous language will not be sufficient to establish valid consent under the PDPA.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012
  • Second Schedule of the Spam Control Act
  • Spam Control Act

Cases Cited

  • [2018] SGPDPC 7

Source Documents

This article analyses [2018] SGPDPC 7 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
Topics
Singapore SLW Case Law Data Protection – Consent obligation
Share this article
𝕏 in f

More in

Legal Wires

Legal Wires

Stay ahead of the legal curve. Get expert analysis and regulatory updates natively delivered to your inbox.

Success! Please check your inbox and click the link to confirm your subscription.
Already a member? Sign in