Advisory Council

Data Protection Officer (DPO) Services


 Practical, trusted data protection support for organizations of all sizes 


About Data Protection Officer

What is DPO as a Service?

Every organization that collects, uses, or processes personal data is required to appoint a Data Protection Officer (DPO), regardless of whether it is commercial or non-profit in nature. This obligation is set out by the Personal Data Protection Commission (PDPC). Organizations may appoint an internal DPO or engage an external service provider.


Advisory Council provides DPO as a Service, offering organizations clear, practical, and reliable support to meet PDPA requirements without the complexity of managing this role internally.

Why DPO Matters Now?

Data protection expectations in Singapore have evolved significantly following regulatory guidance and enforcement actions by the Personal Data Protection Commission (PDPC). Since the mandatory appointment of a Data Protection Officer (DPO) took effect, organizations are expected to clearly define data protection ownership, decision-making authority, and operational accountability.


Organizations without proper data protection governance may face:

1. Regulatory scrutiny and follow-up actions

2. Complaints and formal investigations

3. Operational disruption and reputational risk


For Management Corporations (MCSTs), data protection obligations are further reinforced through sector-specific guidance issued jointly by the Building and Construction Authority (BCA) and PDPC. These advisories highlight the importance of practical governance measures, including defined policies, reporting structures, access controls, and DPO oversight in estate management operations.


Having a DPO is not just about meeting regulatory requirements. It is about ensuring the organization is prepared, protected, and accountable when data-related issues arise.

Who Needs A DPO?

 

Any organization that handles personal data, including:

1. Corporations and SMEs

2. Management Corporations (MCSTs)

3. Service providers handling third-party data


Regardless of whether an organization is commercial or non-commercial, the responsibility to protect personal data remains the same.

What Advisory Council Does For You?

Our DPO services are aligned with the responsibilities outlined by the Personal Data Protection Commission (PDPC), with a strong focus on practical implementation, not theory. We support organizations by:


1. Acting as your appointed Data Protection Officer (DPO) and serving as the main point of contact for PDPC-related matters

2. Advising management on PDPA obligations and establishing appropriate data protection policies and procedures

3. Implementing practical processes and SOPs to ensure day-to-day compliance across operations

4. Supporting incident management and complaint handling, including guidance on assessment, response, and remediation

5. Monitoring compliance readiness and advising on improvements to data protection practices over time

Our approach is structured, practical, and tailored to how your organisation actually operates.

Business Case

Recent enforcement cases have shown that organizations can face serious consequences when data protection obligations are overlooked. Complaints may arise at any time. When they do, authorities will assess whether reasonable steps, policies, and governance were already in place. Our DPO as a Service helps ensure that you are well covered before issues arise.

MCST Case Examples

CCTV Footage Retention and Access


This case involved a dispute arising from CCTV footage that had been overwritten, coupled with the denial of access to the footage due to the absence of a clearly defined retention and access policy. The lack of documented procedures led to uncertainty in how requests should be handled, resulting in a PDPA breach.


Advisory Council view:

Clear CCTV retention schedules, defined access rights, and documented complaint-handling procedures are essential to prevent disputes and reduce enforcement risk.

Storage of Personal Data on NAS


In this case, personal data stored on a Network Attached Storage (NAS) device was found to be inadequately protected. Weak security controls exposed the data to potential unauthorized access, leading to a PDPA breach.


Advisory Council view:

Proper engagement of IT vendors, implementation of appropriate technical safeguards, and staff awareness on data handling significantly reduce data exposure risks.

Unauthorized Release of CCTV Footage


This case concerned the unauthorized disclosure of CCTV footage without proper approval or controls. The absence of clear internal guidelines on who may access or release such footage resulted in a PDPA breach.


Advisory Council view:

Regular staff awareness training and clear disclosure policies help prevent unauthorized release of personal data.

Improper Controls over CCTV Footage


Similar to other CCTV-related cases, this matter involved the release of CCTV footage without appropriate internal controls. The lack of consistent procedures contributed to a PDPA breach.


Advisory Council view:

Consistent internal policies, access controls, and staff accountability are critical in preventing improper disclosure of personal data.

Visitor Logbook Exposure


In this case, a visitor logbook containing personal data was left unattended in a common area, making the information accessible to unauthorized individuals. This lapse resulted in a PDPA breach.


Advisory Council view:

Clear visitor and contractor management policies, together with staff awareness, help minimize inadvertent exposure of personal data.

CCTV Footage Viewing Rights


This case involved a dispute over who was entitled to view CCTV footage. While no PDPA breach was found, as the Building Maintenance and Strata Management Act (BSMA) permits subsidiary proprietors to access such footage, the matter highlighted gaps in communication and expectation management.


Advisory Council view:

Well-defined policies and clear communication help manage expectations and reduce unnecessary complaints.

AGM Minutes Display on Notice Board


In this instance, AGM minutes were displayed on a notice board for a longer period than expected. No PDPA breach was found, as the BSMA requires such disclosure. However, concerns arose due to the lack of clarity around consent and duration.


Advisory Council view:

Clear communication and data-handling policies help strike an appropriate balance between statutory transparency and data protection considerations.

Why Advisory Council

Advisory Council is a specialized advisory arm spun off from SWiZ Technologies Pte Ltd, with over 20 years of experience supporting organizations in governance, technology, and risk management.


We combine regulatory understanding with operational practicality, delivering trusted DPO services focused on long-term compliance and risk assurance.


Get in Touch

Protect your organization. Stay compliant. Be prepared.

Speak to us about DPO Services today.


Advisory Council

65 Airport Boulevard, #03-34, Changi Airport Terminal 3, Singapore 819663

Email: idea@advisorycouncil.social

Operating Hours


09:00 – 17:00


Privacy Notice

1. Introduction

Advisory Council (“we”, “us”, or “our”) respects your privacy and is committed to safeguarding personal data entrusted to us. This Data Protection Notice outlines how we collect, use, disclose, and protect personal data in accordance with the Singapore Personal Data Protection Act 2012 (“PDPA”).

This Notice applies to individuals whose personal data is provided to us in the course of business, including clients, partners, vendors, service providers, job applicants, and other external parties who engage with us through our website, communications, or service channels. It applies to personal data in our possession or under our control, including personal data held by organisations that process such data on our behalf.


2. Personal Data We Collect

Personal data refers to data, whether true or not, that can identify an individual from that data, or from that data and other information to which we have or are likely to have access.

The personal data we collect may vary depending on the nature of your interaction with us. For example, it may include:

  • Name, identification number, nationality, contact details, job title, or business contact information;
  • Billing, bank account, or transaction details provided in the context of service engagements;
  • Job application materials such as resumes, education history, employment background, references, and other supporting information;
  • Photographs or audio-visual material captured in business or recruitment settings;
  • Technical or usage data from your interactions with our website or platforms.

This data may be provided directly by you, your authorized representative, or collected from third parties where appropriate.


3. Purpose For Collection, Use, and Disclosure

We collect and use personal data only for purposes that are reasonable, appropriate, and related to our business functions or activities. These purposes include, but are not limited to:

  • Managing and administering contracts, services, or transactions you have with us;
  • Responding to enquiries, service requests, or other communications;
  • Verifying your identity and managing user accounts or system access;
  • Processing payments, invoices, or claims;
  • Evaluating job applications and administering recruitment processes;
  • Complying with legal obligations, industry standards, or regulatory requirements;
  • Protecting our rights, property, and safety, including investigating potential misconduct;
  • Facilitating internal operations such as audits, business continuity, and IT maintenance.

Where appropriate, we may disclose personal data to third-party service providers, professional advisers, or government authorities in Singapore or overseas. Such disclosures are made strictly for the purposes stated above and only where necessary.

From time to time, we may also send you updates, newsletters, or marketing communications relating to our services, promotions, or initiatives. Where required under the PDPA or the Do Not Call provisions, we will obtain your consent before sending such messages. You may opt out at any time by following the unsubscribe instructions or by contacting our Data Protection Officer.


4. Consent and Withdrawal

By engaging with us, whether through our website, submission of a job application, business enquiry, or use of our services, you are deemed to have consented to the collection, use, and disclosure of your personal data for the purposes stated in this Notice.

Where required under the PDPA, additional or explicit consent may be obtained through written agreements, electronic submissions, or other clear affirmative actions.

Should you wish to withdraw your consent for the collection, use, or disclosure of your personal data, you may do so at any time by submitting a written request to our Data Protection Officer. Upon receiving such a request, we will inform you of any potential consequences, which may include our inability to continue providing you with services or processing your application. We aim to process such requests within thirty (30) to forty-five (45) business days, depending on the nature and complexity of the request.

Please note that withdrawing consent does not affect our right to continue to retain and use personal data where such retention or use is permitted or required under applicable laws.


4.1 Legitimate Interest

In specific instances allowed under the PDPA, we may collect, use, or disclose personal data without obtaining consent, if the action is necessary for our legitimate business interests or those of another person.

These legitimate interests may include:

  • Detecting or preventing fraud and misuse of systems;
  • Performing network monitoring, data loss prevention, and IT security reviews;
  • Ensuring operational continuity and service quality through audit, backup, and troubleshooting activities.

Before relying on this basis, we will assess that such use is reasonable and not expected to cause any undue impact or harm to the individuals involved.


5. Access and Correction of Personal Data

You may request access to the personal data that we hold about you, and you may also request correction or updates to ensure that the information is accurate, complete, and current.

All such requests should be submitted in writing to our Data Protection Officer. We may charge a reasonable administrative fee for access requests, and if so, you will be informed of the fee before we proceed.

Our aim is to respond to your request within thirty (30) business days. If we are unable to do so within this time frame, we will inform you of the estimated time required and the reason for the delay. In cases where we are unable to provide access or make a correction as requested, we will generally explain the reason, unless we are not required to do so under applicable law.


6. Accuracy of Personal Data

We rely on the personal data provided by individuals to be accurate and complete in order to deliver services effectively and maintain compliance with regulatory obligations.

You are encouraged to notify us promptly if there are any changes to your personal data. This helps ensure that our records remain accurate, complete, and up-to-date.


7. Protection of Personal Data

We implement robust administrative, technical, and physical safeguards to protect personal data under our care against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

These measures include but are not limited to:

  • Role-based access and internal authorization controls;
  • Secure transmission protocols and encryption;
  • Antivirus software, intrusion prevention tools, and system patching;
  • Anonymisation or secure deletion where applicable;
  • Regular security reviews and audits.

Personal data is only disclosed to authorised personnel or third parties on a need-to-know basis. While no method of electronic storage or transmission over the internet is fully secure, we are committed to maintaining up-to-date security practices in accordance with industry standards.

In addition, we ensure that our employees, offshore members, and authorised personnel are bound by internal policies and trained to uphold personal data protection responsibilities in compliance with the PDPA.


8. Retention of Personal Data

Personal data is retained only for as long as it is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable laws and regulations.

When data is no longer needed for business or legal purposes, we will securely dispose of it, anonymise it, or remove the means by which the data can be associated with any individual.


9. Transfers of Personal Data Outside of Singapore

We operate in a global environment and engage with offshore employees, partners, and service providers. As part of our business operations, personal data may be transferred to or accessed from locations outside Singapore, including jurisdictions where our offshore personnel are based or where technical support is provided.

In such cases, we take all reasonable steps to ensure that any transfer or remote access complies with the requirements of the Personal Data Protection Act 2012. This includes:

  • Ensuring that the overseas recipient is contractually bound to provide a standard of protection that is comparable to that under Singapore’s PDPA;
  • Limiting access to authorised personnel for business-related purposes only;
  • Implementing encryption, secure access protocols, and audit trails for cross-border data access;
  • Reviewing data handling practices of offshore teams as part of our compliance and security controls.

By engaging with us, you acknowledge and consent to such cross-border transfers where necessary for service provision, internal administration, or personnel support.


10. Data Protection Officer

If you have any questions, feedback, or requests relating to your personal data or this Notice, please contact our appointed Data Protection Officer:


Attention To: Data Protection Officer

Email Address: dpo@advisorycouncil.social

Subject: Data Protection Concern


11. Updates to This Notice

We may update this Data Protection Notice from time to time to reflect changes in legal or regulatory requirements, or in our internal policies. Any revisions will be published on our official website at www.advisorycouncil.social, and the updated Notice will supersede previous versions.

Your continued engagement with us constitutes your acknowledgement and acceptance of any such updates.


Effective Date: 18 August 2024

Last Updated: 8 September 2025


Copyright © 2026 Advisory Council - All Rights Reserved.
