M1 Data Protection Policy
The M1 Data Protection Policy describes how the M1 Group of Companies subscribes to the principles, guidelines and requirements of the Personal Data Protection Act 2012 which commenced on 2 January 2013 and all subsequent amendments thereto.
Notwithstanding references to the Group, any obligations in this Policy, where stated, will only extend to the relevant entity within the Group that is providing the Services to the Person or is otherwise in control and possession of the Personal Data.
We will continue to review this Policy and all privacy-related information made publicly available by the Group, to ensure it is relevant and remains current with changing technologies, laws and regulations, and the evolving needs of the Group.
For the purposes of this Policy, the following capitalized terms, unless elsewhere defined in this Policy, shall have
the following meanings:
|| means the Personal Data Protection Act, in force as at the date of this Policy.
|| means data protection officers appointed by M1 pursuant to the Act.
|| means the Act, other Statutes, regulations made thereunder, the Telecommunications Code of Practice, and any other applicable laws, regulations, guidelines, directives, codes of practice or, where the context so requires the order or other lawful request made by any Public Agency.
| "M1 Group of Companies or Group"
|| means M1 Limited and/or its subsidiaries.
|| means our retail outlets, road shows and other distribution channels.
|| means this M1 Data Protection Policy, as may be amended or supplemented by M1 in its discretion from time to time.
|| means any individual to whom the Act applies, and includes an individual customer, prospective customer and any past or present user of our Services, but excludes any corporate entity (including corporate customers) and any other entity that is excluded under the Act
| "Personal Data"
means personal data of a Person that the Group generally collects, uses or discloses which includes the following:
(a) Contact information, including name, address, telephone number and e-mail address and/or other identification information;
(b) Billing information, including payment details, credit history, credit card number, bank account, NRIC, passport or other equivalent identification number; and
(c) Equipment information and other technical information about a Person's use of our network, products, services or websites, including service and usage history;
(d) Your preferences;
(e) Information from other organisations which include fraud prevention agencies, credit reference agencies we believe you may have authorised to provide your personal details on your behalf;
PROVIDED ALWAYS that the Person can be identified from such data.
|| means the Group’s offices, including MOC Building, MiWorld Building, and ROC Building.
| "Public Agency"
|| means any Government body, including any ministry, department, agency (including law enforcement agencies), or organ of State, any judicial or quasi-judicial body or disciplinary, arbitral or mediatory body appointed under any written law in Singapore or any statutory body established under a public Act for a public function that is so appointed by the Minister by notification in the Gazette for the purposes of the Act.
|| means the info-communications and telecommunications services and any other services as may be offered by the Group or third parties (through the Group) to Persons including any updates, upgrades, re-contracting and/or renewals thereto and the sale or supply of goods or products, from time to time; including maintenance, deactivation or de-installation of the same.
| "Telecommunications Code of Practice"
|| means the Code of Practice for Competition in the Provision of Telecommunication Services 2012, as amended or supplemented from time to time.
The scope and application of this Policy is as follows:
• This Policy applies to entities within the Group that is (a) offering Services, and (b) collecting, using or
disclosing the Personal Data; to the extent as may be required by the Act.
• This Policy covers all practices regarding Personal Data.
• This Policy applies to all Persons. The Person who holds the account with the relevant entity within the Group
must ensure that all end users under the same account understand and agree to this Policy.
• The application of this Policy is subject to applicable Laws, and to the extent that any Laws pre-existing the Act
apply, such pre-existing Laws may supersede the applicability of the Act in the event of inconsistency, to the
extent stipulated under the Act.
• This Policy does not supersede or replace any earlier consents you may have provided to the Group, and this
Policy supplements all such pre-existing consents concerning the collection, disclosure and/or use of your
• References to the male gender include a reference to the female gender.
• References to the singular include a reference to the plural as the context so requires.
1. Data Protection Officers
1.1 The DPO have been appointed to oversee compliance with the Act. Other employees within the Group may be delegated to act on behalf of the DPO or to take responsibility for the day-to-day collection and processing of Personal Data.
1.2 The Group shall make known, upon request, the title of the person or persons designated as DPO.
The DPO may be contacted at:
The Office of the Data Protection Officer
10 International Business Park Singapore 609928
Email : email@example.com
2. Collection of Personal Data
2.1 Personal Data may be collected from you in the following ways:
• A Person gives it to us upon completing a service application form, when a Person makes a purchase or subscribes or applies for our Services, or when a Person enquires with us about our Services, at our Outlets, or which is otherwise volunteered to us in any way;
• When you use our network and our other Services or products;
• Automatically, when a Person visits our websites and other websites which we own or manage, using technologies such as cookies (either by M1 or a third party), contracts with us or with any third parties via our websites, or downloads and/ or uses any of our application programs/ software;
• During recordings of calls when telephone contact is made between a Person and M1 (for example, via our Customer Service hotlines) which may be recorded for training, quality control, business and/or other lawful purposes;
• During CCTV recordings when a Person visits our Outlets and our Premises;
• We obtain it from our mobile base stations and other equipment that may collect usage information, including location-based information;
• We obtain it from other entities within the Group;
• We obtain it from other sources, such as employers, credit agencies, law enforcement agencies and/or other Public Agency;
• We obtain it from other telecommunications licensees for the purposes of facilitating interconnection and inter-operability between telecommunications licensees for the provision of Services;
• We obtain it from other service providers for the purposes of providing billing services on behalf of these service providers;
• When you participate in a competition, lucky draw or survey, or register your interest for any specific products or Services;
• When you purchase or obtain third party services or products through us;
• When we receive references from third parties, where you have been referred by them;
• When we lawfully seek information from third parties about you in connection with the products and services you have applied for;
• When you submit your Personal Data to us for any other reasons; and/or
• We collect it by other lawful means.
2.2 Unless permitted by Laws, the Group shall not collect Personal Data without the consent of the Person.
2.3 All Persons warrant and represent to the Group that Personal Data which he discloses to the Group, or to another entity that subsequently provides it to the Group, is accurate and complete.
2.4 A Person who volunteers Personal Data of another person to the Group also warrants and represents to the Group that he is authorized by such other person to disclose such Personal Data to us, and that such Personal Data is accurate and complete.
2.5 The collection of your Personal Data is necessary for the Group to provide you with the Services. If you are unable to provide the Personal Data, the Group is unable to provide the Services requested by you.
3. Purposes for Collection, Use and Disclosure of Personal Data
3.1 The Group provides a range of Services, which includes :
(a) Mobile services (prepaid and postpaid) include local and overseas voice calls (including international roaming and IDD services), local and international messaging, broadband services (including data roaming services) and a range of complementary and value-added services;
(b) Fixed services include local and overseas voice calls (including IDD services), broadband services,fibre services, internet protocol television (IPTV) services and a range of complementary and value -added services; and
(c) Services ancillary to the foregoing.
Depending on the Services which you subscribe to, your Personal Data may be collected, used and/or disclosed for the following purposes:
• To verify your identity, and to process orders and applications for Services;
• To provide the Services and to facilitate interconnection and inter-operability between service providers including telecommunications licensees in providing the Services;
• To respond and deal with enquiries or complaints and for other customer-care activities;
• To generate bills, facilitate the payment of bills, manage accounts and for debt-recovery functions;
• To carry out credit checks, for the preparation of credit reports and for the evaluation of creditworthiness;
• To manage, develop and improve our business and operations to serve you better;
• To provide delivery and directory assistance services;
• To provide complementary or value added services;
• To offer and administer customer loyalty benefits, reward benefits, promotional benefits, contests and lucky draws;
• To provide self-service channels for customer-care and account management activities;
• To carry out market research and customer surveys;
• To conduct investigations or take action in relation to bad debts, crime and fraud prevention, detection or prosecution, risk management, or to prevent you or the Group from harm, illegal or unlawful activities;
• To conduct investigations or take action in relation to any violation of any of our terms and conditions for Services, including our General Terms and Conditions, or our Acceptable Use Policies;
• To third parties who perform Services on our behalf, but only to the extent necessary for the Services to be performed;
• To facilitate third party services if purchased, obtained, administered or processed through us;
• To improve your user experience and/or our product and service delivery to you;
• To keep you informed of our Services and products and the services and products of our partners;
• To protect and maintain the Personal Data, and to have access to it including for making corrections to the Personal Data;
• To comply with legal and regulatory requirements imposed by any Public Agency, and otherwise with Laws;
• Any other purpose necessary, ancillary or consequential to the above specified purposes.
3.2 Your Personal Data will be disclosed for the purposes indicated above to our officers and employees, third parties, service providers, advisors, which includes without limitation, the following persons or entities:
• External service engineers, contractors, service providers and third parties for service installation, and maintenance and support of the Services;
• Banks, credit card companies, and payment vendors for the processing of payment;
• Vendors for provision of services including document storage and printing of bills;
• Debt collection agencies;
• Credit information companies and credit bureaus;
• Courier services companies;
• Channel partners;
• Public Agencies;
• Advisors, including auditors and lawyers who advise us;
• Any data intermediaries;
• Our business partners and vendors we work with to deliver the products and services you have subscribed to;
• Our other partners whom we work with to improve and enhance your customer experience; and
• Any other party to whom you authorize us to disclose Personal Data to.
Where this involves the transfer of your Personal Data outside Singapore, we will comply with the Act and take steps to ensure that your Personal Data continues to receive a standard of protection that is at least comparable to that provided under the Act.
3.3 Unless permitted by Laws, the Group shall not use or disclose the Personal Data for any other purpose, without first identifying and documenting the other purpose and obtaining the consent of the Person.
3.4 Upon request by a Person, our employees collecting Personal Data shall explain this Policy.
4. Deemed Consent
4.1 Persons are deemed to have given their consent for the collection, use and disclosure of Personal Data in the following circumstances:
(a) When the Person voluntarily provides his Personal Data to us;
(b) When the Person is aware of the purposes for which he is providing his Personal Data to us;
(c) It is reasonable for the Person to have provided the Personal Data to us in the circumstances; and
(d) Where the collection, use or disclosure is reasonably necessary for the conclusion of a contract between the Person and us;
(e) When the Person is made aware of our intention to collect, use or disclose the personal data and the purposefor the same and does not notify us of its non-consent within a reasonable time;
(f) In any other circumstances where consent is deemed under the Act.
5. Limiting Collection, Use and Disclosure of Personal Data
5.1 The Group collects Personal Data primarily from Persons who are our customers (including prospective customers). The collection of Personal Data is limited to that which is necessary for the identified purposes.
5.2 Unless permitted by Laws, the Group will not disclose Personal Data to other persons or entities for the advertising, promotion or marketing of such other party's products and services, and the Group will not sell for payment the Personal Data to anyone for any marketing purpose; without your consent.
5A. Collection, Use and Disclosure of Personal Data Without Consent
5A.1 The Group may collect, use or disclose Personal Data without the consent of the Person where permitted or required by Laws.
5A.2 Subject to any applicable requirements under the Laws, the Group may collect, use and/or disclose Personal Data without consent:
• in reliance of the legitimate expectations exception under the Laws for the purposes listed under Part 3 of the First Schedule of the Act;
• Detecting or preventing illegal services such as fraud and money laundering or threats to physical safety and security (including IT and network security); preventing misuse of Services; and carrying out other necessary corporate due diligence; and
• For business improvement purposes such as improving or enhancing goods or services or developing new goods or services, improving or enhancing business processes, or customisation of goods and services.
5A.3 Persons may write in to the Office of the DPO for more information regarding the Group’s reliance on exceptions to the requirement for consent for the collection, use or disclosure of Personal Data.
6. Retention of Personal Data
6.1 The Group will collect, and retain Personal Data via the procedures described in this Policy and/or other reasonable controls and practices in the Group's discretion, for as long as such Persons remain our customers and for as long as it is necessarily required or relevant for business or legal purposes.
7. Withdrawal of Consent
7.1 Persons are able to withdraw their consent to our continued use and disclosure of Personal Data as described in this Policy at any time. Such withdrawal should be made formally in writing to the Office of the DPO. We shall process your withdrawal request within a reasonable time (depending on the
complexity of the request and its impact on our relationship with you), and in any event no later than within ten (10) business days of receiving your request.
7.2 If consent is withdrawn, the Person acknowledges that the Group may no longer be able to provide the Services. Accordingly, the Group may, insofar as such consent is integral to the provision of the Services, cease to provide the Services to the Person. Notwithstanding any withdrawal of consent, (a) unless
otherwise agreed by the Group, Persons will still be bound by their contract(s) for Services with the relevant entity in the Group, and should the Person choose to terminate the relevant contract(s), early termination charges and other charges, penalties or contractual consequences may apply in accordance with
the contract(s) or under Laws and the Group reserves its rights thereof, and (b) the Group has the right to terminate the contracts in its discretion, without liability to the Person.
7.3 Persons may write in to the Office of the DPO for more information regarding the implications of withdrawing consent.
7.4 Persons who have indicated their consent to receiving marketing communications from the Group may separately withdraw such consent via the unsubscribe options as stated on the SMS or email marketing message, via Manage My Account (MMA) on our website or by calling our Customer Service Hotline at 1627.
8. Protection of Personal Data
8.1 To the extent required by the Act, the Group shall protect Personal Data in its possession or under its control, as well as storage media or devices in which Personal Data is stored, against risks of unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction, through reasonable and appropriate security measures.
9. Accuracy and Correction of Personal Data
9.1 To the extent required by the Act, the Group will use reasonable efforts to ensure that the Personal Data it uses is sufficiently accurate and complete to minimize the possibility that incorrect Personal Data may be used to make a decision that impacts the Person to whom the Personal Data relates, or if such Personal Data is likely to be disclosed to a third party. However, you acknowledge that there may be circumstances where the Group is entitled to assume such accuracy and completeness, in accordance with Laws.
9.2 We encourage Persons to inform us when there are any changes to the Personal Data which they have provided to the Group, so as to ensure that we have the most current, accurate and complete information. Upon request by a Person, the Group may, in accordance with the Act, correct or complete any Personal
Data found to be inaccurate or incomplete as soon as practicable. Any unresolved differences as to accuracy or completeness of Personal Data shall be noted in the Person’s records. Save as otherwise required under the Act, the Person may only correct any Personal Data which the Person has provided to
the Group. The Group reserves the right to not correct Personal Data where permitted under the Act.
9.3 We will respond to your correction request as soon as reasonably possible, and in any event no later than within ten (10) days of receiving the request. You may call our Customer Service Hotline at 1627 to request a correction.
10. Access to Personal Data
10.1 To the extent required by the Act, upon request, the Group shall provide a Person with an account of his Personal Data which is in the Group's possession or control. Such information requested for shall be provided within a reasonable time (and in any event no later than within thirty (30) days) and at reasonable cost to the individual.
10.2 To the extent required by the Act, upon request by a Person, the Group shall provide information relating to how the Person’s Personal Data has been or may have been used or disclosed within a year before the date of such request. The Group may also provide a standard list of possible third parties as part of its response to all access requests for information relating to the disclosure of Personal Data during such period, and the same shall suffice as performance of the Group's obligation in respect thereof. Such information requested for shall be provided within a reasonable time and at reasonable cost to the individual.
10.3 Subject to the Act, the Group may not be able to provide access to all of the Personal Data that they hold about a Person. For example, the Group may not provide access to Personal Data if such provision could reveal Personal Data about another person, if such information is subject to legal privilege or if such provision will be contrary to national interest. If access to Personal Data cannot be provided, the reasons for denying access will be provided upon request, to the extent permitted under Laws.
10.4 Persons may seek access to their Personal Data by writing in to the Office of the DPO.
11. Procedures and Practices
11.1 The Group has implemented the following procedures to give effect to this Policy:
• Implementing procedures to protect Personal Data and to oversee compliance with the Act; including means to access and/or correct Personal Data and to facilitate withdrawal of consent;
• Establishing procedures to receive and respond to inquiries or complaints in relation to Personal Data;
• Training and communicating to employees about this Policy;
• Developing public information to explain this Policy; and
• Notifying changes to this Policy on the Group's website.
12.1 The Group may revise and/or amend and/or supplement this Policy at its discretion from time to time. Such changes will be published on this website. Persons are advised to check back periodically to ensure that they are aware of any such changes. To the fullest extent permissible under Laws, you agree to be bound by the prevailing terms of this Policy.
12.2 Persons acknowledge that in addition to the exceptions under the Act, this Policy, or pre-existing consents; under the Telecommunications Code of Practice, the Group may collect, use and disclose his Personal Data in the following instances without consent:
• Collection or use of Personal Data for planning requirements in relation to network operations or network maintenance for any telecommunication service provided by the Group;
• Collection, use or disclosure of Personal Data for facilitating interconnection and inter-operability between telecommunication licensees for the provision of telecommunication services; and
• Collection, use or disclosure of Personal Data for the provision of mobile roaming-related information to in-bound mobile roaming customers in Singapore.
12.4 For more information on the Personal Data Protection Act 2012 or to contact the Personal Data Protection Commission (PDPC) please visit http://www.pdpc.gov.sg/.
Last Updated: 16 April 2021
Last Reviewed: 25 April 2022