Data Protection Policy

 

Comm360 Pte Ltd — Data Protection Policy
Effective Date: May 2, 2025

 

1. Purpose

This policy outlines Comm360 Pte Ltd’s commitment to safeguarding personal data and ensuring compliance with the Personal Data Protection Act (PDPA) of Singapore, specifically Sections 13 to 26.

 

2. Scope

This policy applies to:

  • All Comm360 employees, contractors, and third-party service providers.
  • All systems and processes involving the collection, use, or disclosure of personal data.
  • All data subjects including clients, users, suppliers, and employees.

 

3. Definitions

  • Personal Data: Information that identifies an individual.
  • Processing: Any operation on personal data (collection, use, disclosure, deletion).
  • Data Subject: The individual whose data is processed.
  • DPO: Data Protection Officer appointed by Comm360.

 

4. Data Protection Principles

Comm360 adheres to the following principles:

  1. Consent
  2. Purpose Limitation
  3. Notification
  4. Access and Correction
  5. Accuracy
  6. Protection
  7. Retention Limitation
  8. Transfer Limitation
  9. Accountability

 

5. Legal Bases for Processing

We process personal data based on:

  • Individual consent
  • Contractual necessity
  • Compliance with legal obligations
  • Legitimate interests (balanced against individual rights)

 

6. Data Collection and Use

Data is collected for:

  • Customer support and account management
  • HR and employee administration
  • Website operations and analytics
  • Legal and compliance purposes

 

7. Disclosure and Third-Party Sharing

Data may be shared with:

  • Affiliates, service providers, and hosting partners
  • Government agencies where required

All third parties must sign a Data Processing Agreement (DPA).

 

8. International Transfers

We ensure all transfers outside Singapore are protected through:

  • Transfer to countries with comparable data protection standards
  • Standard Contractual Clauses (SCCs)

 

9. Data Security

Security measures include:

  • Access controls and authentication
  • Encryption at rest and in transit
  • Regular vulnerability testing
  • Staff training and awareness

 

10. Data Breach Response

In the event of a data breach:

  • Containment and assessment take place immediately
  • PDPC and affected individuals are notified within 72 hours (if applicable)
  • Remedial actions are implemented

 

11. Data Retention and Disposal

  • Data is retained per internal retention schedules
  • Secure deletion and physical destruction are enforced for obsolete data

 

12. Rights of Individuals

Individuals may:

  • Access or correct their personal data
  • Withdraw consent
  • Request deletion under qualifying conditions
  • File a complaint with the PDPC

 

13. Roles and Responsibilities

  • Board of Directors: Oversight and accountability
  • DPO: Policy implementation and compliance
  • Employees: Daily adherence to policy and reporting breaches

 

14. Monitoring and Review

This policy is reviewed annually or upon changes in business or legal obligations.

 

This policy is prepared in accordance with the Personal Data Protection Act (PDPA) 2012, Sections 13 to 26.