Singapore: Issued PDPC decision on complaint against RedMart for alleged breach of the Personal Data Protection Act

On 18 January 2023, Singapore’s Personal Data Protection Commission (PDPC) issued its decision on a complaint against RedMart, an online supermarket, for the collection of images of physical National Registration Identity Cards (NRICs) and other identification documents of suppliers making deliveries of goods and produce to its warehouses. RedMart said it collected photographs of identification documents of suppliers seeking access to areas where food safety risks had to be managed in order to deter acts that could compromise food safety and facilitate investigations of food safety incidents. The PDPC found that although RedMart failed to obtain consent and inform its suppliers of the purpose for collecting images of the physical NRICs and other identification documents, RedMart met the requirements to rely on the legitimate interest exception. In particular, the PDPC accepted RedMart’s interest in deterring food security incidents as legitimate and found there may be a legitimate interest served in implementing enhanced identification requirements to regulate access to high-risk areas. Finally, the PDCP was satisfied that RedMart met the requirements for reliance on the legitimate interest exception.