Data Protection Policy
A. Introduction
The Personal Data Protection Act (PDPA) was passed by the Parliament in October 2012. It is a data protection law which comprises various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes. The law safeguards consumers’ personal data against misuse.
The Act includes the Do Not Call (DNC) Registry, under which individuals are given the choice to opt out of receiving marketing phone calls, mobile text messages such as SMS, and faxes from organisations.
B. Objective
To ensure that Luye Medical complies with the Personal Data Protection Act 2012 (“PDPA”) in the collection, use, disclosure, maintenance of accuracy, handling and security of personal data in a manner that recognises both the right of individuals to protect their personal data and the need of the organisation to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
C. General Principles
Luye Medical shall:
1. Responsibility: Be responsible for personal data in its possession or under its control.
2. Consent: Get consent to collect, use or disclose personal data. Written consent should be sought.
3. Use: Only use or disclose personal data about an individual for the purposes for which the data was obtained. Always ensure that the use is objectively reasonable and that the extent of use is limited to carrying out the purpose. Employees’ personal information may have to be disclosed to governmental or judicial authorities, but this will only be done under proper authority or notice to the individual.
4. Access to personal data: Seek to ensure that the individual has reasonable (and justified) access to his or her personal data and has an opportunity to correct it.
5. Care of personal data: Seek to ensure that the personal data is accurate, properly protected, properly retained (and accessible by authorised or appropriate person/s).
D. Consent
1. When collecting information (e.g. in registration forms), clearly state and seek consent for the following:
- the purpose for which the data is collected.
- the ways the personal data will be disclosed.
- the contact information of a person who is able to answer, on behalf of Luye Medical, the individual’s questions about the collection, use or disclosure of the personal data.
2. Seek written consent where personal data is to be passed on to another organisation within the Luye group of companies.
Do note that consent can be withdrawn by the individual. Please contact Luye Medical’s Data Protection Officer using the details provided below. Such withdrawal of consent is to be recorded in the consent register maintained by the administrator who is keeping the information.
E. Access
1. Follow the principle in paragraph C(4).
2. Ensure access by the individual. Verify who the individual is.
3. As a rule, reasonable access must be given, but not if the provision of that personal data or other information, as the case may be, could reasonably be expected to:
(a) threaten the safety or physical or mental health of an individual other than the individual who made the request;
(b) cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
(c) reveal personal data about another individual;
(d) reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or
(e) be contrary to the national interest.
4. Allow reasonable opportunity to rectify incorrect information. When corrected, Luye Medical sends corrected information to any other organisation provided with the incorrect information within a year of correction, unless that other organisation does not need the corrected personal data for any legal or business purpose.
F. Care
Note the general principle in paragraph C(5).
(1) Confidentiality
- Luye Medical will keep all personal data confidential and accessible to only authorised personnel on a need-to-know basis.
(2) Staff Working Area
Staff working areas must be secure. This includes:
- Work desks
- Meeting/discussion areas
- Filing cupboards
- Printers
- Fax machine
- Password-protected computers
Access to work areas must be through locked doors such that visitors do not have access to such areas.
(3) Databases and registration files/forms
- Softcopy databases must be password protected where applicable.
- Access to the softcopy databases should only be given to authorised staff.
- Staff are not allowed to save any copies of databases on their own computer hard drives or portable storage drives.
- Records of consent obtained (or withdrawn) must be kept with the administrator who is keeping the information.
- Hardcopy registration files/forms containing personal information must be kept strictly in locked cupboards with access given to the administrator and one authorised staff member.
Due care should be taken to ensure that personal data is protected, secured and accessible by the appropriate person(s).
(4) Retention
- Luye Medical may retain personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws.
- Luye Medical will cease retention of personal data or anonymise personal data when it is no longer necessary for any business or legal purposes.
(5) Transfers of Personal Data Outside of Singapore
- If personal data is required to be transferred to countries outside of Singapore, Luye Medical will apply best efforts in ensuring that such personal data continues to be protected by standards comparable to those under the PDPA. Consent of the affected individuals will be obtained, unless the transfer is necessary for the performance of a contract between the individual and the organisation receiving the transfer.
G. “Personal data” is data that can be used to identify a natural person. Some examples of personal data that the company may collect are:
- (a) personal particulars (e.g. name, contact details, residential address, date of birth, identity card or passport details, education details);
- (b) specimen signature or signatures;
- (c) financial details (e.g. CPF balances, credit history);
- (d) employment details (e.g. occupation, directorships and other positions held, employment history, salary benefits);
- (e) tax information;
- (f) banking information (e.g. account numbers).
H. Data Protection Officer
Luye Medical has designated a Data Protection Officer to handle:
- (a) queries relating to the PDPA;
- (b) requests to access and/or rectify personal data in Luye Medical’s systems;
- (c) complaints regarding Luye Medical’s or anyone’s application of the PDPA;
- (d) withdrawal of consent to use and/or transfer of personal data.
The Data Protection Officer can be contacted via luyemedical.dpo@luye.com.