XDel's Data Protection Policy
This document is strictly for XDel Singapore Pte Ltd and XDel Hub Pte Ltd (collectively referred to as "XDel") internal use. Copies of this document shall not be made or published unless permission has been obtained from at least the relevant department head of XDel.
Chapter 1: Overview
The purpose of this policy is to set out XDel’s procedures on protection of personal data of individuals under the company’s custody. It contains important information about how and why XDel collects, uses and discloses personal data of individuals. This policy takes into consideration the Personal Data Protection Act 2012 (“PDPA”) and all applicable PDPA advisory guidelines.
Chapter 2: Personal Data Protection Act 2012
The PDPA establishes a data protection law in Singapore that comprises various rules governing the collection, use, disclosure, access to, correction and care of individuals’ personal data by organisations. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
The PDPA contains 2 main sets of provisions, covering data protection (effective 2 July 2014) and a Do Not Call (“DNC”) Registry (effective 2 January 2014).
The DNC provisions generally prohibit organisations from sending certain marketing messages (in the form of voice calls, text or fax messages) to individuals with Singapore telephone numbers registered with the DNC Registry. As XDel currently does not send marketing messages to individuals, the DNC provisions are not applicable to the company.
XDel intends to comply with all applicable provisions covering data protection by implementing certain procedures as set out below.
Chapter 3: Definitions
3.1 Personal Data
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
This includes unique identifiers (e.g. NRIC number, passport number, fingerprint); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc) which when taken together would be able to identify the individual.
3.2 Data Protection Officer
Data Protection Officer (“DPO”) means an individual designated by the organisation under Section 11(3) of the Personal Data Protection Act 2012 (“Act”) responsible for ensuring that the organisation complies with this Act or an individual to whom the responsibility of the data protection officer has been delegated under section 11(4) of the Act.
Chapter 4: XDel’s Personal Data Inventory
4.1 XDel has the following personal data in our custody:
XDel collects personal data of our employees including but not limited to name, address, telephone numbers, e-mail address, NRIC number, passport number, FIN (Foreign Identification Number), date and place of birth, nationality, gender, resume, education background, employment history etc in connection with the employees’ employment or job applications with XDel.
XDel’s Customers and Their Customers
XDel collects personal data of our customers and their customers including but not limited to name, address, telephone numbers, e-mail address, NRIC number, FIN (Foreign Identification Number), etc for delivery and verification purposes.
It is important to note that the PDPA does not apply to business contact information. Business contact information refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by him or her solely for his or her personal purposes.
For the avoidance of doubt, XDel is not required to obtain consent before collecting, using or disclosing any business contact information or comply with any other obligations in the Data Protection Provisions in relation to business contact information.
Chapter 5: Collection of Personal Data
5.1 Generally, XDel collects personal data from the following sources:
The personal data that we collect and process on our employees is sourced from:
- information provided by employees and/or relevant third parties in the course of a potential employee applying for a position with us; and
- information provided by employees, relevant third party information sources, or information otherwise generated upon a potential employee being hired and in the course of employment with us.
XDel’s Customers and Their Customers
XDel collects customers’ personal data from the following sources:
Personal data provided by the customers:
- through customers’ relationship with us, for example information provided in application forms, meeting proxy forms and/or agreements entered into with us, when using our products or services;
- through verbal and written communications with us;
- through XDel’s Hotline and Enquiries Mailbox.
Personal data from third party sources connected with customers:
- from any relevant third parties connected with the customers, such as organisations that are our clients and/ or from any other sources which the customer has consented to as provided for in our terms and conditions and/or application form or where lawfully permitted.
Unless permitted under the PDPA or any other laws, regulations and guidelines, XDel shall not collect personal data without the consent of the individual.
Chapter 6: Purposes for the Collection, Use and Disclosure of Personal Data
Generally, XDel collects, uses and discloses personal data for the purposes described below.
XDel may collect, process and use, and retain employees’ (including potential employees) personal data for our legitimate activities, including but not limited to:
- assessing employee’s suitability for the job;
- verifying employee’s information and conducting reference checks;
- conducting background checks if the employee is offered a job;
- general administrative and record keeping purposes;
- headcount and payroll planning;
- workforce development, training and certification;
- performance management;
- approving and monitoring employee benefits and entitlements;
- posting employee’s photograph on the intranet and email directory;
- maintaining emergency contact details;
- audit, risk management and security and/or compliance purposes;
- internal investigations and legal proceedings;
- purposes as required by regulators; and/ or
- other purposes as may be required by any laws, regulations and guidelines.
XDel may collect, use and disclose customers’ personal data for one or more of the following purposes:
- to confirm and verify the customer’s identity;
- to assess application(s)/inquiry(s) for our products and services;
- to pick up and deliver shipments entrusted to us;
- to manage our business and the customer’s relationship with us;
- to respond to customers’ enquiries and complaints and generally to resolve disputes;
- to update, consolidate and improve the accuracy of our records;
- to produce data, reports and statistics which have been anonymised or aggregated in a manner that does not identify the customer as an individual;
- to conduct research for analytical and/or statistical assessments;
- to facilitate audit, risk management and/or compliance;
- to provide to relevant regulatory authorities and for any other purpose that is required or permitted by any laws, regulations and guidelines.
XDel may continue to use personal data about an individual collected before 2 July 2014, the effective date of the data protection provisions of the PDPA, for the purposes for which the personal data was collected unless the employee or the customer has withdrawn consent.
XDel may disclose personal data for the purposes indicated above to our employees, third parties, service providers, related entities, which includes, without limitation, the following persons or entities:
To the extent necessary, XDel may disclose employees’ personal data to a limited number of XDel’s employees whose job necessitates that they maintain, compile or otherwise have access to employees’ personal data. XDel may also disclose employees’ personal data to third parties that XDel deals with for the purpose of providing our products and services to our customers and generally operating our business.
XDel’s Customers and Their Customers
XDel may disclose customers’ personal data (to the extent necessary) to the following third parties:
- companies and/or organisations that act as our agents and/or contractors;
- companies and/or organisations that assist us in processing and/or otherwise fulfilling transactions that the customer has requested;
- any person notified by the customer as authorised to give instructions on his/ her behalf; and/ or
- any competent authority(s) and/or regulator(s), subject at all times to any laws (including regulations, guidelines and/or obligations) applicable to XDel.
Unless permitted under the PDPA or any other laws, regulations and guidelines, XDel shall not use or disclose the personal data for any other purpose, without first identifying and documenting the other purpose and obtaining the consent of the affected employee or customer.
Chapter 7: Withdrawal of Consent
Employees or customers are able to withdraw their consent to XDel’s continued use and disclosure of personal data as described in this Policy at any time. Such withdrawal should be made formally in writing to any of the Data Protection Officers (“DPOs”) of XDel.
If consent is withdrawn by an employee, XDel may need to discontinue his/her employment with the company. If consent is withdrawn by a customer, XDel may no longer be able to provide the requested products or services and our relationship with the customer may have to be terminated.
Chapter 8: Protection of Personal Data
XDel places great importance on ensuring the security of our personal data against risks of unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction. XDel has implemented security measures which include computer safeguards and password-protected files to enhance the security of our stored personal data. In addition, all employees’ hardcopy personal files are maintained by the HR Department under lock and key. XDel will regularly review and implement appropriate security measures when processing and retaining personal data.
Employees of XDel are required to handle the personal data securely and with strict confidentiality, failing which they may be subject to disciplinary action.
Further, XDel will impose compliance with data confidentiality requirements on our contractors and third party service providers in our working relationships and/ or agreements with these parties.
Chapter 9: Access to Personal Data
To the extent required by PDPA, upon request by a customer, XDel shall provide information relating to how the customer’s personal data has been or may have been used or disclosed within a year before the date of such request. XDel may also provide a standard list of possible third parties as part of its response to all access requests for information relating to the disclosure of personal data during such period.
Employees who wish to access their personal data should contact the HR Department.
XDel may not be able to provide access to all of the personal data that it holds about an individual. For example, XDel may not provide access to personal data if such provision could reveal personal data about another individual, if such information is subject to legal privilege or if provision will be contrary to national interest or where such refusal is permitted under the PDPA. If access to personal data cannot be provided, the reasons for denying access will be provided to the customer within 30 days subject to any legal or regulatory constraints.
Chapter 10: Accuracy and Correction of Personal Data
A customer may make a request to correct or update his/her residential address which is in XDel’s possession or control. XDel will correct or update his/her residential address found to be inaccurate or incomplete as soon as practicable. Any unresolved differences as to accuracy or completeness of his/her residential address shall be noted in the customer’s records.
Employees who wish to correct or update their personal data should contact the HR Department.
XDel may refuse to correct or update personal data as requested in certain instances, for example where XDel is unable to confirm the customer’s identity or where such refusal is permitted under the PDPA. If XDel denies a customer’s correction request, XDel will inform the customer of the reason for the refusal within 30 days of receipt subject to any legal or regulatory constraints.
Chapter 11: Offences and Penalties
11.1 An organisation or person commits an offence if the organisation or person —
(a) with an intent to evade a request under section 21 or 22, disposes of, alters, falsifies, conceals or destroys, or directs another person to dispose of, alter, falsify, conceal or destroy, a record containing:-
(i) personal data; or
(ii) information about the collection, use or disclosure of personal data;
(b) obstructs or impedes the Commission* or an authorised officer in the exercise of their powers or performance of their duties under this Act; or
(c) knowingly or recklessly makes a false statement to the Commission*, or knowingly misleads or attempts to mislead the Commission*, in the course of the performance of the duties or powers of the Commission* under this Act.
* Personal Data Protection Commission
An organisation or person that commits an offence under Chapter 11.1 (a) above is liable:-
- in the case of an individual, to a fine not exceeding $5,000; and
- in any other case, to a fine not exceeding $50,000.
An organisation or person that commits an offence under Chapter 11.1 (b) or (c) is liable:-
- in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
- in any other case, to a fine not exceeding $100,000.
Where an offence under this Act committed by a body corporate^ is proved:-
- to have been committed with the consent or connivance of an officer#; or
- to be attributable to any neglect on his part,
the officer as well as the body corporate^ shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
Where the affairs of a body corporate^ are managed by its members, Chapter 11.3 (a) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate^.
^ includes a limited liability partnership
# in relation to a body corporate, means any director, partner, member of the committee of management, chief executive, manager, secretary or other similar officer of the body corporate and includes any person purporting to act in any such capacity;
the officer or member shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
Any act done or conduct engaged in by a person in the course of his employment (“the employee”) shall be treated for the purposes of this Act as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval.
In any proceedings for an offence under this Act brought against any person in respect of an act or conduct alleged to have been done or engaged in, as the case may be, by an employee of that person, it is a defence for that person to prove that he took such steps as were practicable to prevent the employee from doing the act or engaging in the conduct, or from doing or engaging in, in the course of his employment, acts or conduct, as the case may be, of that description.
Chapter 12: Retention of Personal Data
XDel will retain employees’ and/or customers’ personal data in compliance with the terms and conditions of our services, customers’ agreement(s) with XDel and as set out below:
- for the duration of the employees’ and/or customers’ relationship with us;
- for such period as may be necessary to protect XDel’s interests and/or our customers or employees;
- where otherwise required by laws, regulations and guidelines; and/or
- where required by XDel in order for us to perform our duties in the discharge of our fiduciary obligations.
Chapter 13: Data Protection Officer
13.1 Personal Data
Under the PDPA, the Data Protection Officers are responsible for facilitating XDel’s compliance with the PDPA. For the avoidance of doubt, compliance with the PDPA remains the responsibility of XDel. The contact details are as follows.
Andrew Tan Lee Meng
207 Henderson Road #01-03 Singapore 159550
9.00am to 6.00pm, Mondays to Fridays, excluding Public Holidays.
Chapter 14: Complaints Procedures
14.1 Personal Data
If a customer or an employee of XDel has reason to believe that his/her personal data has been misused by XDel, the customer or the employee is advised to lodge a complaint with any of the Data Protection Officers of XDel who will handle the complaints.