Data Protection Policy
This statement sets out the Data Protection Policy (“DPP”) and practices of Lemonade (“Lemonade”) that will be followed with respect to the collection, storage, processing, disclosure, accessing, reviewing, and/or use of your personal data. This statement is provided in accordance with the Singapore Personal Data Protection Act (Act 26 of 2012) (the “PDPA”).
We are aware of the revised Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers that the Personal Data Protection Commission (PDPC) issued on 31 August 2018, and we will adhere to these guidelines.
Any data collected on behalf of any public agency by Lemonade for the purpose required by the public agency will be exempted from the PDPA.
Please note that this DPP complements, and does not limit or replace, the purposes for which you provide Lemonade with your personal data which may be expressly stated in any form for submission of personal data to Lemonade. Lemonade reserves the right to update this DPP from time to time to ensure that it reflects our current practices and remains consistent with the requirements imposed by law. This DPP was last updated on 22 November 2018.
- What kind of Data will this DPP Apply to
This DPP applies to “personal data” and in line with PDPA, refers to any data, whether true or not, about an individual (i.e. the data subject) who can be identified (a) from that data; or (b) from that data and other information to which we have or are likely to have access to, including data in our records as may be updated from time to time.
The exact type of personal data that may apply will vary depending on how you have interacted with us. Examples of such personal data provided to us include (depending on the nature of your interaction with us) name, NRIC, passport or other identification number, nationality, gender, date of birth, marital status, telephone number(s), mailing address, email address, photographs and other audio-visual information, employment information, financial information and any other information relating to any individuals which you have provided us in any forms you may have submitted to us, or via other forms of interaction with you.
- What is not Personal Data
Personal data does not include data about a data subject which has been anonymised. Anonymisation is the process of removing identifying information such that the remaining data does not identify any particular individual. Techniques can include pseudonymisation1, aggregation, replacement, data reduction2, data suppression3, data shuffling4, or masking5.
1 Replacing identifiers with other references. For example, replacing an individual’s name with a tag or reference number.
2 Removing values that are not required for the purpose. For example, removing ‘Ethnicity’ from a data set of individuals’ attributes.
3 Banding or hiding the value within a given range. For example, replacing age ‘43’ with the range ‘40-50’.
4 Mixing up or replacing values with those of the same type so that the information looks similar but is unrelated to the actual details. For example, the surnames in a customer database could be sanitised by replacing them with those drawn from another database.
5 Removing certain details while preserving the look and feel of the data. For example, representing a full string of numbers on a credit card as 4346 XXXX XXXX 5379 instead of ‘4346 6454 0020 5379’.
- Collection, Use and Disclosure of Personal Data
In providing Lemonade with your personal data (either directly or through a third party), you hereby agree that Lemonade may collect, store, process, disclose, access, review and/or use personal data (including sensitive personal data) about you, whether obtained from you or from other sources (such as our Approved Training Organisations), for the purposes set out below and/or any other administrative or operational purposes and/or the purpose of managing your relationship with Lemonade:
- providing services to you in relation to your transactions with Lemonade;
- verification and identification purposes, including verifying your identity when you attend the assessments conducted by Lemonade;
- enabling the Police Licensing Regulatory Department to carry out the necessary licensing for the private security industry;
- assisting you with your job placement and security clearances when you engage our Business & Employment Services Division;
- processing your request for a loan or fixed deposit when you approach our Financial Services Division;
- enabling your use of the services which Lemonadeprovides, including, where necessary, contacting you (whether by SMS, email or otherwise);
- evaluative purposes, including processing your job application pursuant to Lemonade’s recruitment activities;
- enabling your participation in our lucky draws/contests;
- processing your payment/interest/reservation of retail items with us;
- dealing with enquiries made by you;
- maintenance and updating of the data;
- administrative or operational purposes;
- tax filing preparation;
- processing credit notes and processing refunds;
- collection of fees, charges and expenses for services provided;
- facilitating the making and payment of claims, including payments by cheque, bank transfers or other means;
- carrying out billing, accounting, auditing and the maintenance of proper book-keeping to explain Lemonades operations and business;
- the disclosure of the relevant books, documents, records and information (in hard or soft copy) to the auditors for the preparation of financial reports; and/or
- the disclosure of the relevant books, documents, records and information (in hard or soft copy) to the relevant government authorities pursuant to any written law.
You further agree to be bound by the prevailing terms of this DPP as updated from time to time.
a. Consent Required
Lemonade will not collect, use or disclose your personal data unless:
- you give, or are deemed to give, consent to the collection, use or disclosure of your personal data; or
- the collection, use or disclosure of your personal data without your consent is required or authorized under the PDPA or other written law.
If you disclose the personal data of third parties to Lemonade, you represent that you have obtained the consent of the relevant third parties to have their personal data collected, used and/or disclosed by Lemonade for the applicable purposes listed in clause 1.
b. Provision of Consent
Lemonade will not obtain or attempt to obtain your consent for collecting, using or disclosing personal data by providing false or misleading information with respect to the collection, use or disclosure of your personal data.
c. Withdrawal of Consent
- You may at any time withdraw your consent for any of the purposes which you have previously consented to by providing us with notice through a request submitted to the Data Protection Officer in writing or via the email at the content details provided below.
- Please be aware that once we receive confirmation that you wish to withdraw your consent, it may take up to ten (10) working days for your withdrawal to be reflected in our systems. During this period of time, your personal data will continue to be collected, used and/or disclosed pursuant to the purposes set out at clause 3 above.
- On receipt of such notice, Lemonade will inform you of the likely consequences of withdrawing your consent and we may no longer be in a position to continue to provide our services to you. Such a withdrawal may therefore result in the termination of any relationship that you may have with us.
- At the same time, it should be noted that your withdrawal of consent will not prevent us from exercising our legal rights (including any remedies, or undertaking any steps as we may be entitled to by law).
- The withdrawal of consent in itself may not result in the deletion or destroying of your personal data. Any retention of data will be based on Lemonade’s business needs as deemed legitimate under the PDPA provisions.
- Data Quality
Lemonade will take reasonable steps to make sure that the personal data it collects, uses or discloses is accurate, complete and up to date.
We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are any changes to your personal data by informing our Data Protection Officer in writing or via the email at the content details provided below.
- Data Security & Retention
To safeguard your personal data from unauthorised access, collection, use, copying, modification, disclosure, disposal or similar risks, Lemonade takes appropriate administrative, physical and technical measures.
You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.
Lemonade will not keep personal data for longer than is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws, and will take reasonable steps to securely dispose of personal data if it is no longer needed.
- Access and Correction
You are entitled to have access to the personal data about you that is in the possession or under the control of Lemonade and information about the ways in which the personal data has been or may have been used or disclosed within a year before the date of the request. This can be done by you making a written application to our Data Protection Officer or via the email at the content details provided below requesting for any such information. Lemonade reserves the right to estimate a fee before processing your request (representing its costs in administering your request) for supplying such information and to refuse requests which, in its opinion, occur with unreasonable frequency.
Lemonade will also, where you have requested that it correct an error or omission in the personal data about you that is kept with Lemonade, correct such data as soon as practicable and send the corrected personal data to every organisation to which the personal data was sent before it had been corrected, if applicable, unless that organisation does not need the corrected personal data for any legal or business purpose.
Lemonade will respond to your request as soon as reasonably practicable. Should we not be able to respond to your request within twenty (20) working days after receiving your request, we will inform you in writing within twenty (20) working days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so. Lemonade may however choose not to provide you with access to or correct such information, in accordance with the exceptions under the PDPA. This would include cases where:
- Lemonade is satisfied on reasonable grounds that the correction should not be made;
- The request for access is frivolous or vexatious or the information requested is trivial;
- The personal data is related to a prosecution and all the proceedings related to the prosecution have not been completed;
- The personal data, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation; and
- The personal data was collected, used or disclosed for the purposes of an investigation and associated proceedings and appeals have not been completed.
Please note that depending on the request that is being made, we will only need to provide you with access to the personal data contained in the documents requested, and not to the entire documents themselves. In those cases, it may be appropriate for us to simply provide you with confirmation of the personal data that our organisation has on record, if the record of your personal data forms a negligible part of the document.
- Transborder Data Flows
We generally do not transfer your personal data to countries or territories outside of Singapore. However, if we do so, for instance, if your personal data is required to be transferred for administrative or operational purposes by Lemonade, we will ensure that the recipients thereof provide a standard of protection to your personal data so transferred that is comparable to that which is provided herein.
- Enquiries and Complaints
Lemonade has designated a Data Protection Officer who will be responsible for ensuring Lemonade’s compliance with applicable data protection laws. If you have any queries or requests or wish to make any applications concerning your personal information or data, please contact the Data Protection Officer:
Contact Person: Data Protection Officer
Address: 175A Bencoolen Street, Burlington Square #12-08, Singapore 189650
Please note that if your personal data has been provided to us by a third party, you should contact such party directly to make any queries, feedback, and access and correction requests.