In brief
On 1 April 2026, the Personal Data Protection Commission (PDPC) announced that Management Corporation – Strata Title Plan No. 4869 (MCST 4869) had breached its obligations under the Personal Data Protection Act 2012 (PDPA) and issued directions to MCST 4869 for remediation.
The PDPC also accepted a voluntary undertaking from Asia Properties & Assets Consultancy Pte. Ltd., the Managing Agent for the Condominium (MA), to implement procedures and policies for handling emails and requests for personal data.
The case highlights the importance of management corporations taking responsibility for compliance of their obligations under the PDPA as such responsibility cannot be automatically delegated away to an agent or another organisation.
In more detail
Pursuant to an investigation on the facts, the PDPC found that MCST 4869 did not have a Data Protection Officer (DPO), did not develop any operational data protection policies or procedures on how the personal data in its possession or under its control should be handled, and did not give any specific instruction to the MA on how to handle requisitions to convene extraordinary general meetings and the personal data contained in such requisitions.
The PDPC also found that MCST 4869 did not make any security arrangements for the protection of personal data when handling emails and left such matters entirely to the MA, with no oversight.
These amounted to the following breaches of the PDPA:
- Section 11(3) of the PDPA to designate one or more individuals to be responsible for ensuring compliance with the PDPA;
- Section 12 of the PDPA to develop and implement policies and practices for ensuring compliance with the PDPA; and
- Section 24 of the PDPA to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised disclosure (“Protection Obligation”).
The PDPC held that a management corporation’s appointment of an MA does not automatically delegate the Accountability Obligation to the MA, and as separate organisations, the MA’s Data Protection Officer is not automatically MCST 4869’s Data Protection Officer.
In relation to the Protection Obligation, the PDPC affirmed that where an organisation engages a data intermediary to process personal data on its behalf, it must still comply with the Protection Obligation as if it is processing that personal data itself.
Key takeaways
The decision underscores that engaging professional managing agents does not displace an organisation’s responsibilities under the PDPA. Organisations should implement data protection policies that set out clear, practical procedures governing email communications, handling of sensitive attachments and verification of recipients and also implement, monitor and audit such practices to ensure compliance with the PDPA.
Sanil Khatri, Daryl Seetoh, and Natalie Joy Huang, Local Principals, have contributed to this legal update.
* * * * *
© 2026 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.