This Policy sets out the basis upon which CNP collects, uses and/or discloses Personal Data and applies to all Organisations (as defined below) who provide CNP with Personal Data or where Personal Data is otherwise collected, used and/or disclosed by CNP in connection with and/or for the purposes of its operations or is otherwise required by law.

This Policy supplements but does not supersede or replace any consent which an Individual may have previously provided to CNP or third party Organisation for the use of the Individual’s Personal Data, nor does it affect any rights that CNP may have at law in connection with the collection, use and/or disclosure of any Individual’s Personal Data. Subject to that, CNP will not collect any Personal Data from an Individual unless: the Individual has voluntarily chosen to provide us with the Personal Data; or is deemed to have consented to the collection, use and/or disclosure of the Personal Data by CNP; or the collection, use and/or disclosure of such Personal Data is required for the purposes of providing services to the Individual or by law.

CNP may from time to time update this Policy to ensure that it is consistent with its future developments or business purposes or to accommodate future changes to applicable legal or regulatory requirements. All updates to this Policy will be published at www.cnplaw.com (“CNP Website”) and appropriate notifications of any material revisions will be published on the CNP Website and may be issued separately to such relevant Individuals as may be determined by CNP. Subject to an Individual’s rights at law, the prevailing terms of this Policy from time to time shall apply. By continuing their relationship with CNP after any amendments have been introduced and published on the CNP Website, Individuals shall be deemed to have accepted this Policy as amended and be bound by the prevailing terms as updated from time to time.

For the avoidance of doubt, this Policy forms part of the terms and conditions, if any, governing an Individual’s specific relationship with CNP (“Terms and Conditions”) and should be read in conjunction with such Terms and Conditions. In the event of any conflict or inconsistency between the provisions of this Policy and the Terms and Conditions, the provisions of the Terms and Conditions shall prevail to the fullest extent permissible by law.

Definitions
For the purposes of this Policy:
CCTV” means Closed-circuit Television;
Collects, uses and/or discloses” will also include processing as defined under the PDPA;
Individual” means a natural person, whether living or deceased, and “Individuals” shall be construed accordingly;
Organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not: (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore;
PDPA” means the Personal Data Protection Act 2012, as amended from time to time;
Personal Data” means data, whether true or not, about an Individual who can be identified: (a) from that data; or (b) from that data and other information to which CNP has or is likely to have access;
Personnel” means any Individual engaged under a contract of service with CNP, a contract for service with CNP, permanent or temporary employees, trainees, and interns engaged by CNP from time to time; and
Potential Personnel” means any Individual who has submitted an application to be engaged by CNP as Personnel.

Personal Data collected by CNP
CNP will only collect, use and/or disclose Personal Data about an Individual which it reasonably considers necessary for the relevant purposes underlying such collection, use and/or disclosure. Depending on the specific nature of an Individual’s interaction with CNP, Personal Data which CNP collects, uses and/or discloses concerning an Individual may include (but is not limited to) the following:
a. the Individual’s name, gender and contact particulars, including telephone number(s), residential/mailing address(es) and email address(es);
b. details of the Individual’s identification documents (such as, NRIC, passport numbers or driving licence numbers), and applicable visa or permits (such as employment pass, dependant pass, work permit, student pass, permanent residency status, long or short term visit pass);
c. details of the Individual’s employment or training history, academic and professional qualifications, certifications, financial information (salary and bonuses) and bank account details;
d. the name and contact particulars of the Individual’s next-of-kin;
e. the Individual’s network usage data and other information gathered automatically by CNP’s computer systems, including the Individual’s computer IP address, links visited and other activities conducted online or using CNP’s computer systems;
f. photographs and video or CCTV recordings of the Individual; and
g. other information which the Individual may provide to CNP, from time to time, in the course of such Individual’s interaction with CNP.

How CNP collects Personal Data
Generally, CNP may collect Personal Data from an Individual in one or more of the following ways or circumstances:
a. when the Individual interacts with CNP’s Personnel via telephone or video calls, emails, other correspondence, and/or face-to-face meetings;
b. when the Individual visits CNP’s premises;
c. when the Individual specifically requests that CNP contact him or her or requests to be included in an email or any mailing list maintained by CNP;
d. when the Individual responds to any request by CNP for the provision of Personal Data;
e. when CNP receives references or referrals from its business partners or other third parties;
f. when the Individual attends or participates in any event organised by CNP;
g. when the Individual submits his or her Personal Data to CNP pursuant to a job application;
h. when the Individual subscribes to CNP’s publication(s); and/or
i. when the Individual submits his or her Personal Data to CNP for any other reason related to CNP’s ordinary course of business operations.

Purposes of collection, use and/or disclosure of Personal Data
Generally, CNP collects, uses and/or discloses Personal Data from Individuals for one or more of the following purposes (“Purposes”):

Provision of services
a. administering and managing the Individual’s relationship with CNP;
b. providing the Individual with information about CNP’s services and/or the services of any external vendor that is providing services and/or products in partnership or collaboration with CNP;
c. responding to the Individual’s complaints, queries and/or requests;
d. facilitating and/or organising events;
e. informing the Individual of changes and/or updates to the law, regulations, codes of practice or guidelines, including government policies, CNP’s policies, terms and conditions and/or other administrative information;

Security measures
a. verifying the Individual’s identity or monitoring the Individual’s activities, including without limitation, via CCTV observation and/or recording;
b. preventing, detecting and investigating fraud, misconduct, any unlawful action, omission or dispute, and whether or not there is any suspicion of the aforementioned;
c. managing the security of CNP’s premises, facilities and computer or IT systems, including installing anti-virus software and updates;

General business operations of CNP
a. Personnel training, quality assurance and performance evaluation;
b. improving and/or customising the Individual’s experience with CNP by remembering the Individual’s preferences;
c. record-keeping;
d. legal purposes (including but not limited to the Individual obtaining legal advice, dispute resolution, the issuance of invoices by and the recovery of any debts owed to CNP);
e. meeting or complying with any applicable rules, laws, regulations, codes of practice or guidelines which are binding on CNP (including but not limited to responding to regulatory complaints, disclosure to regulatory bodies and conducting audit checks, due diligence, investigations and/or legal proceedings);

Managing Personnel
a. administering, managing and/or terminating CNP’s relationship with Personnel;
b. evaluating the performance of Personnel;
c. undertaking Personnel training and quality assurance activities;
d. providing Personnel with services, facilities and/or other benefits being offered or made available by CNP to such Personnel as well as information about such services, facilities and benefits;

Managing Potential Personnel
a. administering and managing CNP’s relationship with Potential Personnel;
b. evaluating the suitability and eligibility of Potential Personnel to be engaged by CNP, including performing background checks, verifying credentials, qualifications, and obtaining employment references;

Marketing
a. where CNP circulates CNP’s publications or marketing information to an Individual or to any Individual who may disseminate it to another Individual relating to services offered by CNP (whether by CNP or CNP’s business partners) which CNP thinks is or may be of benefit or interest to him/her via postal mail, electronic transmission to his or her email address(es), and/or voice call or phone call and/or fax to his or her telephone number(s);
b. for promotional and publicity purposes, including recording or taking photographs of participants at events or functions organised, hosted, or participated by CNP;

Others
a. for transfer to third party data intermediaries to facilitate any of the aforesaid purposes;
b. for any purposes reasonably related to any of the above purposes; and
c. for any other purposes in relation to which CNP has specifically obtained the Individual’s consent.

Consent
Unless otherwise permitted or authorised under the PDPA or any other applicable law, CNP will not collect, use and/or disclose an Individual’s Personal Data without his or her consent. CNP may, collect, use and/or disclose an Individual’s Personal Data without consent in the following circumstances or for the following purposes, subject to any condition in the First or Second Schedule of the PDPA. Without limiting the foregoing, this will include, inter alia:
a. where the Personal Data is publicly available or its collection, use and/or disclosure is necessary in the national interest;
b. where the collection, use and/or disclosure is necessary for any investigation or proceedings, including disclosure to a public agency or any public officer or law enforcement agency;
c. where the collection, use and/or disclosure is for evaluative purposes including archival, historical, or research purposes as permitted under the PDPA;
d. where the collection, use and/or disclosure is necessary to recover a debt owed to CNP, for the provision of legal services by CNP or for CNP to obtain legal services;
e. where Personal Data was provided to CNP by another Organisation to enable CNP to provide a service to that other Organisation;
f. where the collection, use and/or disclosure is in the legitimate interests of CNP as permitted under the PDPA; and
g. the Personal Data is used for any of the business improvement purposes permitted under the PDPA.

CNP will take reasonable steps to notify the purposes relevant to an Individual, by appropriate means, at the point or time of collection of the Personal Data from such Individual, including:
a. via express provisions in contracts, application forms and/or registration forms to be signed with or submitted to CNP;
b. via notifications on CNP’s website(s); and
c. in the course of verbal communications.

Where feasible, CNP will inform the Individual of purposes that are intrinsic to the relationship between CNP and the Individual or to the provision of services to such Individual, as well as purposes that are optional.

Insofar as any purpose(s) are intrinsic to the relationship or provision of services, CNP reserves the right to decline to engage in the relevant relationship or to provide the relevant services to the Individual if he or she does not consent to CNP’s collection, use and/or disclosure of his or her Personal Data for such purpose.
Individuals who:
a. voluntarily provide their Personal Data to CNP for the Purposes;
b. use or access CNP’s website(s) or computer network;
c. enter CNP’s premises or use any of the facilities thereon; and/or
d. attend or participate in events or programmes organised by CNP,
will be deemed to have agreed and consented to CNP collecting, using and/or disclosing their Personal Data in the manner and for the Purposes set forth in this Policy.

An Organisation who provides CNP with Personal Data relating to a third party (e.g. information of the Individual’s spouse or children) for any particular purpose, represents to CNP that the Organisation has obtained the consent of the relevant third party to CNP collecting, using and/or disclosing such Personal Data for that particular purpose.

Insofar as CNP collects Personal Data of an Individual from any third party(ies), CNP will deem that the Individual has provided the third party(ies) the consent for such disclosure for the intended purpose.

Disclosure of Personal Data
In carrying out one or more of the Purposes, CNP may need to disclose Individuals’ Personal Data to the following third parties for one or more of the Purposes:
a. CNP’s third party service providers or agents;
b. any external vendor that is providing services or products in partnership or collaboration with CNP;
c. CNP’s auditors and professional advisors;
d. any Individual to whom disclosure is permitted or required by any statutory provision or law;
e. any permitted assigns; and/or
f. any local or foreign regulatory body, government agency, statutory board, ministry, department or other government body and/or its officials.

Withdrawal of Consent
Any Individual who wishes to withdraw his or her consent to any use or disclosure of his or her Personal Data by CNP as set out in this Policy may do so in writing by contacting CNP’s Data Protection Officer at dpo@cnplaw.com.

Depending on the extent to which an Individual withdraws consent to the use and/or disclosure of his or her Personal Data by CNP, such withdrawal of consent may result in CNP’s inability to provide services to the Individual and may be considered as a termination by the Individual of any agreement between CNP and the Individual. CNP’s legal rights and remedies are expressly reserved in such event. Please note that the withdrawal of consent by an Individual does not affect CNP’s right to continue to process Personal Data where such processing is permitted or required under applicable laws.

Insofar as an Individual’s data is being collected by cookies, the Individual may disable the use of cookies on his or her internet browser when accessing CNP’s website. However, this may result in the loss of functionality, restrict the Individual’s use of the website and/or delay or affect the way in which CNP’s website operates.

Verification of Personal Data & Notification of Changes
Where feasible, CNP will take reasonable steps to verify the accuracy of Personal Data received at the point of collection but Individuals remain primarily responsible and liable to ensure that all Personal Data submitted by them to CNP is complete and accurate. Information voluntarily provided by an Individual to CNP shall prima facie be deemed complete and accurate.

CNP will also take reasonable steps to periodically verify Personal Data in its possession, taking into account the exigencies of its operations, but Individuals are nonetheless responsible for notifying CNP of any applicable changes to Personal Data submitted by such Individuals as soon as reasonably practicable.

CNP shall not be held liable for any inability on its part to provide services to an Individual who fails to ensure that his or her Personal Data submitted to CNP is complete and accurate or who fails to notify CNP of any relevant changes to such Personal Data.

Activities undertaken prior to 2 July 2014
CNP may continue to use Personal Data of an Individual that was collected before 2 July 2014 for purposes for which the Personal Data was collected unless consent is withdrawn by that Individual.

Individuals who wish to withdraw their consent to CNP’s use of their Personal Data may contact CNP’s Data Protection Officer at dpo@cnplaw.com.

Protection of Personal Data
CNP shall make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks to Personal Data in its possession.
If CNP transfers Personal Data outside Singapore, CNP will take reasonable steps to ensure that such Personal Data transferred receives a standard of protection comparable to the protection received under the PDPA and that such transfer shall be subject to this Policy.
CNP will ensure that third parties who receive Personal Data from CNP protect such Personal Data in a manner consistent with this Policy and not use such Personal Data for any purposes other than those specified by CNP, by incorporating appropriate contractual terms in its written agreements with these third parties.
CNP is not responsible in any way for the security and/or management of Personal Data shared by Individuals with third party websites accessible via links on CNP’s website.

Retention of Personal Data
CNP may retain the Individual’s Personal Data for as long as it is necessary to fulfil the Purpose(s) for which it was collected, or as required or permitted by applicable laws.

Contacting CNP – Access and Correction of Personal Data
Any Individual who:
a. has questions or feedback relating to this Policy;
b. would like to obtain access to his or her Personal Data held by CNP;
c. would like to obtain information about the ways in which his or her Personal Data held by CNP has been or may have been used or disclosed by CNP in the year preceding the request; and/or
d. would like to update or make corrections to his or her Personal Data held by CNP,
should contact CNP’s Data Protection Officer in writing at dpo@cnplaw.com.
Individuals should note that CNP is not required, under the PDPA, to provide access and correction to Personal Data in certain exempted situations as set out in the PDPA.
The PDPA allows and CNP reserves the right to charge a reasonable fee for the handling and/or processing of access requests by an Individual pursuant to paragraphs (b) or (c) above.

Updated 15 March 2024