The Personal Data Protection Commission recently found that SAP Asia did not take reasonable security measures when it revealed former employees’ personal data to unintended recipients. In April 2020, SAP Asia inadvertently revealed the payroll data of 43 former employees to unintended recipients. Prior to that, SAP sought an external vendor to develop a program that would generate and email multiple payslips to multiple former employees simultaneously, in one execution. However, that was not effectively conveyed to the vendor, and the new program was developed on the mistaken assumption that only one payslip had to be generated for one employee at a time. SAP was found to have breached its protection obligations and a financial penalty of S$13,500 was imposed.
