Resources
Blog
Blog
No One Is Exempt: Why MCSTs Must Have Their Own DPO and Policy
Data Protection Tips

No One Is Exempt: Why MCSTs Must Have Their Own DPO and Policy

Many MCSTs wrongly assume their agent’s PDPA policy covers them. Learn why appointing a DPO and having your own policy is a legal must—not a nice-to-have.

Written by
Steven Choong
Published on
October 10, 2025
MCSTs remain accountable under the PDPA. Learn why appointing a DPO and writing your own data policy is essential for every condo council.
In this article
Share this article

Delegation does not transfer responsibility.

Many MCSTs assume their managing agent’s PDPA policy covers them — this case proves otherwise.

When the Personal Data Protection Commission (PDPC) released its decision against a condominium’s Management Corporation Strata Title (MCST), it revealed a familiar yet costly misunderstanding:

The MCST believed its managing agent’s PDPA policy and practices were sufficient.

They were not.

The Finding: Accountability Can’t Be Outsourced

In the case, the PDPC found that the MCST did not appoint a Data Protection Officer (DPO) and had no internal data protection policy. While the managing agent had its own PDPA procedures, the MCST itself — as the legal entity collecting and using residents’ personal data — remained accountable.

This distinction is crucial:

  • The managing agent acts as a data intermediary, processing data on the MCST’s behalf.
  • The MCST, however, is the data controller — the one who determines why and how personal data is collected.

That means the MCST cannot delegate accountability under the PDPA, even if day-to-day tasks are handled by the agent.

The PDPC’s message was clear:

“Delegation does not transfer responsibility.”

What Went Wrong

The MCST had no formal DPO appointment or documented policy. Staff and council members relied on the managing agent’s practices and verbal assurances. When a data incident occurred, there were no clear procedures, no point of contact for PDPA matters, and no evidence of internal oversight.

This lack of governance exposed the MCST to enforcement action and reputational risk — something that could have been avoided with a few simple steps.

What Every MCST Should Do Now

Here’s a practical checklist to ensure your MCST is compliant and confident:

1. Appoint a Data Protection Officer (DPO)

  • The DPO can be a council member, the managing agent, or an external service provider.
  • Record the appointment formally in the meeting minutes.
  • Publish the DPO’s contact details on your condo notice board or website.

2. Develop a Simple Data Protection Policy

  • Outline how personal data (e.g. resident contact details, CCTV footage, access card records) is collected, used, and protected.
  • Include data retention periods and breach reporting procedures.
  • Make the policy available to residents upon request.

3. Brief Your Managing Agent and Vendors

  • Ensure contracts clearly state the agent’s role as a data intermediary.
  • Require vendors (CCTV, security, IT) to follow your PDPA policy and report any breaches immediately.
  • Conduct an annual review to ensure compliance remains up to date.

4. Train Council Members and Staff

  • Basic awareness of PDPA obligations prevents accidental breaches.
  • A short annual briefing can go a long way toward ensuring everyone knows their role.

Don’t Let This Happen to Your Condo

PDPA compliance isn’t just for big corporations — every MCST is a legal entity, accountable for the personal data it holds. The good news? Compliance doesn’t have to be complicated.

Appoint a DPO.

Write down your policy.

Brief your vendors.

These three steps can save your council from unnecessary fines — and even more importantly, build trust with your residents.

Bottom Line

If you’re part of an MCST council, ask this today —

Who is our DPO?

Where is our data protection policy?

If the answer is silence, it’s time to act.

Reference

This article draws on the PDPC’s published decision on 7 Aug 2025, where the Commission found that the MCST had failed to appoint a DPO and lacked an internal data protection policy.

Read the full decision on the PDPC website.

Steven Choong
October 10, 2025
4
min read
Data Protection Tips

Launch Your Business with Confidence

We're here for you every step of the journey. From company formation to compliance, we've got your back. Let’s get it right, from the start.

Book a call

Related Articles

One unlocked laptop can expose your entire business. Learn 3 quick fixes to make screen locks a non-negotiable habit across your team.
Data Protection Tips
May 20, 2025

Lock It or Leak It: Why Your Screen Is a Security Risk

One unlocked laptop led to lost trust and a lost client. Learn how three screen-lock habits can prevent your team from causing the next avoidable breach.

Still sharing logins with past vendors or freelancers? Learn how to reduce risk and tighten third-party access with 4 simple, business-friendly security steps.
Data Protection Tips
May 15, 2025

Who Still Has the Keys to Your Digital Front Door? You Might Be Surprised.

Forgotten vendor logins and ex-freelancer access can quietly expose your business. Learn 4 steps to take control of third-party access before it turns into a breach.

Spear phishing can fool even smart teams. Learn how startups are targeted—and the 5 simple actions you can take to protect your business from costly attacks.
Data Protection Tips
May 7, 2025

Urgent: Transfer $9,800 to our new supplier today.

Think your team would spot a fake CEO email? One startup didn’t—and nearly lost $9,800. Learn what spear phishing is and 5 steps to stop it before it hits.

NEW!
Try the Stellar Company Assistant Now
Click here
Stellar Company Assistant (AI)
Stellar helps business owner to manage corporate services such as incorporation, tax filing and more.
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept