Data Protection Policy
George Hwang LL.C
George Hwang LL.C (‘we’, ‘us’, ‘our’, etc.) respects the right of individuals to protect their personal data. This data protection policy gives you information about how we collect, use and disclose your personal data. It recognises both your right to protect your personal data and our need to collect, use or disclose it for purposes that we believe are reasonable and appropriate in providing legal services in Singapore.
This data protection policy applies to the personal data of all individuals which we collect, use, disclose and/or retain. However, because the Personal Data Protection Act (“PDPA”):
- does not apply to “business contact information”; and
- creates exceptions to the obligation of consent when we collect, use and disclose personal data necessary for the provision of our legal services,
generally, only the following individuals (‘you’, ‘your’, etc.) would fall within the protection of the PDPA in our handling of personal data:
- our clients or our potential clients who are individuals and not directors or shareholders of companies whose personal data accessible by the public from the Register of Companies
- our employees, including interns, trainees, volunteers, and job applicants whether solicited or unsolicited
- online users of our website
If you would like further information about the way we collect, use or disclose your personal data, please do not hesitate to contact our Data Protection Officer (see 11 for contact information).
1. Definitions & Interpretations
‘business contact information’ means an individual’s name, position or title, business telephone number, business address, business email address or business fax number and any other similar information about the individual not provided by the individual solely for personal purposes.
‘client’ means any individual to whom we provide our services and ‘potential client’ means any individual with whom we discuss, verbally or in writing, the possibility of providing our services.
‘data intermediary’ means an organisation that processes personal data on our behalf, but does not include an employee of that other organisation.
‘employee’ means any person employed on any basis by us, by you or by another organisation (as the case requires) and includes a volunteer
‘online users’ means anyone who accesses our website, including to obtain access to articles on it.
‘personal data’ means data, whether true or not, about an individual who can be identified:
- from that data or
- from that data and other information to which we have access or are likely to have access
It excludes business contact information.
‘publicly available’, in relation to your personal data, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event:
- at which you appear and
- that is open to the public
‘services’ means the legal services in relation to the laws of Singapore and other related services (for example, instructing foreign counsels or other professionals) that we provide to our clients, whether in Singapore or elsewhere.
‘our website’ means our website at http://www.georgehwangllc.com/.
‘writing’ includes correspondence by email
At no time should the word “access” in this policy be read as granting physical or virtual access to our database or system storing personal data. We only provide information related to your personal data in a format of our choice, independent of the rest of our database.
2. Purpose(s) for us collecting, using or disclosing personal data
We collect, use and/or disclose personal data to provide our services efficiently and effectively and to comply with our legal obligations.
We endeavour to notify you of the purposes for which we collect, use or disclose your personal data (see 3.3), and then obtain your express consent. This notification might be more specific than the above statement.
3. Our collection, use and disclosure of personal data
3.1 How we collect your personal data
Where possible, we collect personal data directly from you. We do this in various ways, including telephone and in-person meetings and interviews.
If at any time you prefer not to provide some personal data that we request, please let us know. We will explain our purpose for collecting that personal data. If you still do not wish to provide it we will discuss with you whether or not we can proceed without it.
3.2 Consent to us collecting, using or disclosing your personal data
We collect, use, or disclose your personal data only if:
- you give (see 3.3), or are deemed to have given (see 3.4), your consent under the Personal Data Protection Act (PDPA) or
- doing so without your consent is required or authorised under the PDPA (see 3.5) or any other written law
3.3 Collecting, using or disclosing your personal data with your consent
Where we ask for your consent (see 3.2), we will first inform you of our purpose(s) for collecting, using or disclosing that personal data.
We will not use or disclose your personal data for any other purpose(s) without first getting your consent.
We may collect your personal data from another individual or organisation if you have given that other individual or organisation your consent for it to disclose personal data to us. We will use or disclose personal data only for the purpose(s) for which the other individual or organisation disclosed it to us.
3.4 Collecting, using or disclosing your personal data with your deemed consent
You are deemed to have consented to us collecting, using or disclosing your personal data for a purpose if:
- without actually giving us express consent (see 3.3), you voluntarily provide the personal data to us for that purpose and
- it is reasonable that you would voluntarily provide that personal data
We will only collect, use or disclose personal data for the purpose(s) for which you are deemed to have consented to.
3.5 Collecting, using or disclosing your personal data without your consent
Under the PDPA, we are permitted to collect, use or disclose your personal data without your consent. This includes the following circumstances:
- it is publicly available or it is business contact information
- collecting, using or disclosing it is in your interests and/or there is an emergency
- collecting, using or disclosing it is necessary for our provision of legal services to another person or for us to obtain legal services
- its collection, use or disclosure is necessary for any investigation or proceedings, and it is reasonable to expect that seeking your consent would compromise the availability or the accuracy of the personal data
- we collect, use or disclose it to recover a debt owed to us by you or for us to pay you a debt owed by us
- it is included in a document produced in the course, and for the purposes, of your employment, business or profession and we collect, use or disclose it for purposes consistent with the purposes for which the document was produced
- we disclose it to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the functions or duties of that officer
3.6 Collecting personal data from online users
If you browse our website, we do not currently capture any data that allows us to identify you.
4. Withdrawing your consent to us collecting, using or disclosing your personal data
4.1 Your right to withdraw consent to us collecting, using or disclosing your personal data
On giving reasonable notice to us, you may at any time withdraw any consent you have given (see 3.3), or are deemed to have given under the PDPA (see 3.4), to us collecting, using or disclosing your personal data for any purpose.
You may exercise this right by notifying us in writing sent to our Data Protection Officer (see 11). We will inform you in writing of the likely consequences of withdrawing your consent for the specified purpose.
4.2 Our actions when you withdraw your consent
If you still wish to withdraw your consent:
- we will cease (and cause any and all of our data intermediaries to cease) collecting, using or disclosing the personal data, unless doing so without your consent is required or authorised under the PDPA or any other written law and
- we will cease to retain our documents containing that personal data, or remove the means by which the personal data can be associated with you, as soon as it is reasonable for us to assume that retention is no longer necessary for our legal or business purposes
5. Access to and correction of personal data
5.1 Your right to request access your personal data and/or information
Upon your request, we will as soon as reasonably possible provide you with:
- Your personal data in our possession or under our control and
- information about the ways in which we have, or may have, used or disclosed that personal data within a year before the date of your request
Any such request should be made in writing sent to our Data Protection Officer (see 11).
There are some circumstances where we are not required to provide you with information (see 5.3), where we are not allowed to provide you with information (see 5.4) and where we may be able to provide you with limited information (see 5.5).
We may charge you a fee for providing you with access. Any such fee will reflect our incremental costs associated with responding to your request, such as the cost of making physical copies of the personal data requested. You may obtain information about the fee from our Data Protection Officer (see 11)
5.2 How we provide you with access and/or information
We will provide you with your personal data by giving it to you in any readable format which we deem fit. If personal data (for example, your name and address details) is duplicated across our databases or files, we will generally provide it once, rather than multiple times. We reserve the right to provide you your personal data in a redacted form if we are of the opinion that the law entitles us to do so e.g. protecting the privacy of another individual.
5.3 When we are not required to provide access or information
In some circumstances, the PDPA does not require us to give you access to your personal data or information about how we have, or may have, used it within the year before your request (see 5.1). This includes the following circumstances:
- if you are not able to satisfactorily prove that you are the person whose data you are requesting
- if you are not able to provide us with sufficient information for us to trace the personal data in our record
- if the request would unreasonably interfere with our operations because of the repetitious or systematic nature of requests from you
- if the burden on, or expense to, us of providing access would be unreasonable or disproportionate to your interests
- if the information does not exist or we cannot find it
- if the information is trivial
- if the request is otherwise vexatious or trivial
- if a document is related to a prosecution and all proceedings related to the prosecution have not been completed
- if the personal data is subject to legal privilege
- if the request relates to personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm our competitive position
- if the request relates to personal data collected, used or disclosed without consent for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed
- if the request falls under other exemptions found in the Fifth Schedule of the PDPA
5.4 When we are not allowed to provide access or information
The PDPA does not allow us to give you access in a range of circumstances, such as where our doing so could reasonably be expected to:
- threaten the safety or physical or mental health of an individual other than you
- cause immediate or grave harm to your safety or to your physical or mental health
- reveal personal data about another individual
- reveal the identity of an individual who has provided your personal data and the individual providing the personal data does not consent to the disclosure of their identity
Also under certain circumstances, if we have disclosed your personal data to a prescribed law enforcement agency, the PDPA does not allow us to disclose to you that we have done so. If you would like information about the circumstances in which this prohibition applies, please contact our Data Protection Officer (see 11).
5.5 When we may only provide limited information
There will be situations when we are only able to provide you with limited information related to your personal data and information about how we have, or may have, used it. In such situations, we will not provide you with information that:
- we are not required to (see 5.3) and/or
- we are not permitted to. (see 5.4).
6. Correction of errors in, or omissions from, your personal data
6.1 Your right to request us to correct personal data
You may request us to correct an error or omission in your personal data (see 6.1). Any request should be made in writing, signed by yourself (the data subject) and sent to our Data Protection Officer (see 11) in a letter which clearly identifies yourself (the writer) and your contact details.
There are some circumstances where we do not make a correction (see 6.4) and other circumstances where we are not required to act on such a request (see 6.5).
6.2 When we will correct your personal data
If you request us to correct your personal data (see 6.1), we will:
- correct the personal data as soon as practicable and
- send the corrected personal data to every other organisation to which we have disclosed the personal data within a year before the date we made the correction
However, we do not have to send the corrected personal data to another organisation if that other organisation does not need the corrected personal data for any legal or business purpose. In addition, we do not have to send the corrected personal data to every other organisation if you consent to us sending it only to specific organisations.
6.3 Where another organisation notifies us about corrected personal data
Another organisation that has disclosed your personal data to us might notify us that it has corrected your personal data. If this happens, unless we are satisfied on reasonable grounds that we should not make the correction, we will correct your personal data that is in our possession or under our control.
We would like to clarify that we do not purchase personal data for marketing purposes.
6.4 Where we do not correct your personal data
Where we are not satisfied that we should correct your personal data (see 6.2 and 6.3) we will:
- write to you to tell you why we have not made the correction and
- annotate your personal data in our possession or under our control with the correction that was requested but not made
6.5 When we are not required to correct personal data
The PDPA sets out certain circumstances in which we are not required to correct your personal data. If you would like information about this exception or the other circumstances where correction is not required, please contact our Data Protection Officer (see 11).
7. Accuracy of personal data
We make reasonable efforts to ensure that personal data that we collect about you or that is collected on our behalf is accurate and complete if:
- we are likely to use that personal data to make a decision that affects you or
- we are likely to disclose that personal data to another organisation
8. Protection of personal data
We take reasonable steps to ensure the security of your personal data that is in our possession or under our control and to protect it against risks such as loss or unauthorised access, destruction, use, modification or disclosure.
9. Retention of personal data
We cease to retain documents containing your personal data, or we remove the means by which the personal data can be associated with you, as soon as it is reasonable to assume that:
- the purpose for which we collected that personal data is no longer being served by retention of the personal data and
- retention is no longer necessary for our legal or business purposes
10. Complaints procedure
10.1 Our commitment to handling complaints
We strive for excellence in providing services to our clients and in all our interactions with society. This includes our compliance with the PDPA.
Please direct any queries or complaints you have about the way in which we collect, use or disclose your personal data to our Data Protection Officer (see 11). Generally, we are unable to deal with anonymous complaints because we are unable to investigate them. We will nevertheless note the matter raised and, if possible, try and investigate and resolve it appropriately.
10.2 Resolution of the complaint
Immediately upon receiving a complaint (see 10.1) our Data Protection Officer must investigate it and within five business days advise you of:
- the outcome of the complaint and the reasons for that outcome or
- write to you advising you that the Data Protection Officer needs more time to investigate the complaint and stating when the Data Protection Officer expects to resolve the complaint
The Data Protection Officer must in any event complete the investigation of your complaint within 20 business days.
10.3 Communicating the outcome of a complaint to you
If a complaint (see 10.1) is settled to your complete satisfaction, our Data Protection Officer is not required to advise you in writing of the outcome of the complaint, unless you request a written response.
If a complaint is not settled to your complete satisfaction, our Data Protection Officer will advise you of the outcome of the complaint and the reason(s) for that outcome in writing.
If you are not satisfied with the outcome, you may take your complaint to the Personal Data Protection Commission.
11. Data Protection Officer
Please contact our appointed Data Protection Officer to raise any questions or comments or complaints that you may have about the way we collect, use or disclose personal data and/or about any aspect of this data protection policy.
To contact our Data Protection Officer:
- send an email to firstname.lastname@example.org
- call +65 6533 2535
- write to us at 163 Tras Street, #08-01 Lian Huat Building, Singapore 079024
12. Changes to this data protection policy
We reserve the right to review, amend and/or update this data protection policy at any time, and from time to time.
If we decide to make any significant changes to this data protection policy, we will post them on our website.