This Policy explains how we collect, use, disclose and protect personal data, including personal data in the possession of service providers which we have engaged to collect, use, disclose or process personal data for our purposes.

Your personal data privacy is important to us and CET Global Pte. Ltd. ("CET Global") is committed to respecting and protecting personal data in our possession or under our control in line with this Policy and the Personal Data Protection Act 2012 of Singapore ("PDPA").

​

Details on Personal Data We Handle

Depending on your relationship with CET Global (for example, as a client contact, prospective client, job applicant, employee, freelance associate consultant, vendor, or event participant), we may collect and process different categories of personal data, such as:

• Contact details (e.g. name, job title, business contact information such as email address, telephone number and office address);

• Identification details where required for due diligence or onboarding (e.g. date of birth, nationality, identification document details as permitted by law);

• Professional information (e.g. employer name, role, qualifications, work history and skills profiles);

• Financial and transactional information where needed for invoicing, payment administration or reimbursements;

• Information you provide to us in the course of our engagements, such as responses to surveys, workshop inputs, assessments and feedback;

• Technical and usage data relating to your interactions with our systems, websites or collaboration tools (e.g. IP address, device and browser information, access logs and cookies or similar technologies where applicable).

We may collect personal data directly from you (for example, when you submit forms, communicate with us, participate in our programmes or use our services), from your employer or organisation, from publicly available sources, or from third parties such as our partners and service providers, in each case only where such collection is reasonably necessary for our business and in accordance with applicable law.

​

1. Purpose

The objectives of this Policy are to:

• Define CET Global's data protection and information security governance framework;

• Ensure that personal data in our possession or under our control is protected against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks;

• Describe the roles, responsibilities, and controls implemented to meet PDPA and client contractual requirements; and

• Provide assurance to clients and data subjects that CET Global manages personal data securely and responsibly.

 

2. Scope

This Policy applies to all CET Global employees, directors, temporary staff, contractors, consultants, and third-party service providers who process personal data on behalf of CET Global, whether in Singapore or overseas. It covers all forms of personal data, regardless of the medium or system in which such data is stored or processed (e.g. paper, electronic systems, cloud services, portable media).

​

3. Key Definitions

• "Personal Data" means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which CET Global has or is likely to have access.

• "Processing" means any operation or set of operations performed on personal data, including collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, erasure or destruction.

• "Data Subject" means an identifiable individual whose personal data is processed by CET Global.

• "Client Data" means personal data that CET Global receives from or on behalf of a client, or accesses in the course of providing services to a client.​

 

4. Governance and Accountability

CET Global is accountable for personal data in its possession or under its control, including personal data handled by third parties on its behalf. To demonstrate accountability, CET Global shall maintain governance structures, documented policies and procedures, and evidence of implementation for key data protection and information security controls.

 

4.1 Data Protection Officer (DPO)

CET Global has designated a Data Protection Officer ("DPO") who is responsible for overseeing compliance with the PDPA, this Policy, and related data protection and information security requirements. If you are concerned about the handling of your Personal Data, or if you have any concerns or queries related to your Personal Data or our Privacy Policy, please contact CET Global’s Data Protection Officer (“DPO”) at enquiries@cetglobal.com.sg.  The DPO may delegate specific operational responsibilities to authorised personnel or external service providers, but overall accountability for data protection remains with CET Global. All staff must cooperate with the DPO in fulfilling these responsibilities.

​

5. PDPA Data Protection Principles

CET Global adheres to the data protection obligations under the PDPA and aligns its practices to the following key principles. Detailed procedures are maintained in supporting standard operating procedures and guidelines.

 

5.1 Notification and Consent

• CET Global will notify individuals of the purposes for which their personal data is collected, used, or disclosed, and will obtain consent where required by law, unless an exception under the PDPA applies.

• CET Global relies on its clients to ensure that they have obtained all necessary consents and provided appropriate notifications to data subjects before disclosing Client Data to CET Global.

 

5.2 Purpose Limitation

• Personal data will only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances, and that have been notified to the data subject or client.

 

5.3 Accuracy and Retention

• CET Global will take reasonable steps to ensure that personal data it uses or discloses is accurate and complete, where the data is likely to be used to make a decision affecting the individual or disclosed to another organisation.

• Personal data will be retained only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable laws and contractual obligations. Thereafter, CET Global will securely delete, anonymise, or archive such data.

 

5.4 Access and Correction

• Upon request, and subject to legal and contractual limitations, CET Global will provide individuals with access to their personal data in CET Global's possession or control and information about how such data has been used or disclosed, within a reasonable time.

• CET Global will correct or update personal data where it is satisfied that the data is inaccurate or incomplete and where reasonable to do so.

 

5.5 Transfer Limitation

• Where personal data is transferred outside Singapore, CET Global will ensure that the recipient provides a standard of protection comparable to that under the PDPA, through appropriate contractual clauses or other legally permitted mechanisms.

 

6. Information Security Controls

CET Global implements physical, technical, and organisational measures to protect personal data and client information against unauthorised access, loss, misuse, alteration, or destruction. Key control areas are set out below; further details are documented in supporting procedures, asset registers, and system configuration standards.

 

6.1 Access Control and User Management

• Access to systems and repositories containing personal data is granted on a need-to-know and least-privilege basis.

• Unique user IDs are assigned to all authorised users. Sharing of accounts and passwords is prohibited.

• Strong authentication is enforced, including minimum password standards and, where feasible, multi-factor authentication (MFA).

• User access rights are reviewed periodically and promptly revoked or adjusted upon role changes or termination.

 

6.2 Encryption and Data Protection

• Industry-standard encryption protocols are used to protect personal data transmitted over public or untrusted networks.

• Where appropriate, encryption or other access controls are applied to personal data stored on laptops, portable media, and cloud storage.

• Encryption keys are managed securely and restricted to authorised personnel.

 

6.3 Backup and Business Continuity

• Critical systems and data, including personal data required for service delivery, are backed up at a frequency consistent with business and contractual requirements.

• Backups are protected against unauthorised access and tested periodically for successful restoration.

• Business continuity and disaster recovery procedures are documented, communicated, and periodically exercised.

 

6.4 Physical Security

• Office premises and any on-premise facilities hosting systems with personal data are secured through reasonable physical controls (e.g. locks, access cards, visitor registration).

• Paper records containing personal data are stored in locked cabinets or restricted areas when not in use.

• Secure disposal methods (e.g. shredding, secure bins) are used for documents and media containing personal data.

 

7. Third-Party and Cloud Service Providers

• CET Global conducts due diligence on third-party service providers, including cloud service providers, who may process personal data on its behalf, with a focus on data protection and information security controls.

• Personal data is shared with third parties only under written agreements that include obligations to protect personal data in accordance with the PDPA and client requirements.

• Third-party performance and compliance with contractual data protection and security requirements are monitored and reviewed on a risk-based basis.

 

8. Data Breach Management

A "data breach" includes any incident leading to unauthorised access, collection, use, disclosure, copying, modification, disposal, loss, or unavailability of personal data. CET Global maintains a documented Data Breach Response Procedure that sets out roles, responsibilities, and steps for detection, containment, assessment, notification, and remediation.

• All staff must immediately report suspected or actual data breaches to the DPO or designated incident response contact.

• The DPO will coordinate breach assessment, determine whether notification to the PDPC, affected individuals, and/or clients is required, and ensure that such notifications are made within legally prescribed timelines.

• Root cause analysis will be conducted and corrective and preventive actions implemented to reduce the likelihood of recurrence.

 

9. Training and Awareness

• All new employees and relevant contractors receive onboarding training on this Policy, PDPA obligations, and key information security practices.

• Refresher training and awareness activities are conducted periodically, and whenever there are material changes to data protection or security requirements.

• Staff in roles with elevated data protection responsibilities (e.g. system administrators, project managers) receive additional, role-specific training.

 

10. Records, Audits, and Monitoring

• CET Global maintains records of data processing activities where required by law or client contract, including categories of data subjects, personal data, processing purposes, and data recipients.

• Internal reviews or audits of data protection and information security controls are conducted on a risk-based basis to assess effectiveness and identify gaps.

• Findings from audits and reviews are documented and tracked to closure.

 

11. Data Subject Requests and Complaints

• Individuals may submit requests for access, correction, withdrawal of consent, or data portability (where applicable) to the DPO using the published contact details.

• CET Global will respond to such requests within a reasonable timeframe and in accordance with the PDPA and any applicable contractual obligations with clients.

• Complaints or queries regarding CET Global's handling of personal data will be investigated by the DPO, and appropriate remedial measures taken where warranted.

 

12. Policy Review and Exceptions

• This Policy is reviewed at least annually, or more frequently where required due to changes in legal, regulatory, or client requirements, or significant changes in CET Global's business or systems.

• Any exceptions to this Policy must be approved by senior management in consultation with the DPO and documented, including the rationale and compensating controls.

 

13. Staff Acknowledgement

All CET Global personnel who handle personal data are required to read, understand, and comply with this Policy and related procedures. Breaches of this Policy may result in disciplinary action, up to and including termination of employment or contract, and potential legal consequences.

 

14. Marketing Communications and Consent Management

Where permitted by law or with your consent, CET Global may use your contact details to send you information about our services, insights, events, workshops or other content that we believe may be relevant to you or your organisation.

You may at any time opt out of receiving marketing communications from us by following the unsubscribe instructions in our communications or by contacting us using the details provided in this Policy. Even if you opt out of marketing communications, we may still contact you for other purposes permitted by law, such as to administer our existing relationship with you or your organisation.

 

15. Updates to this Policy

CET Global may update this Policy from time to time to reflect changes in our practices, legal or regulatory requirements, or operational needs. The updated Policy will be made available on our website and/or by other appropriate means. Your continued interactions with us, or use of our services, after any such updates will be deemed acceptance of the updated Policy, subject always to applicable legal requirements.