
Lessons from the Clarins Data Security Incident: How to Protect Personal Data

Updated: Apr 22, 2023

Cosmetics company Clarins recently experienced a data security incident that may have affected its Singaporean customers' personal information. This incident is just one in a series of data breaches that have occurred in Singapore and around the world in recent years. In this blog post, we will explore what went wrong with Clarins' data security measures, what obligations the company breached, and what we can learn from this incident.

What Happened?

Clarins reported that it had discovered unauthorized access to its customer data system in May 2020, which may have led to unauthorized access to some of its customers' personal information. The company's initial investigation showed that the data accessed may have included customers' names, addresses, email addresses, contact numbers, and order history. The company assured its customers that no payment or credit card information was affected by the breach.

Which Obligations were Breached?

Under Singapore's Personal Data Protection Act (PDPA), organizations are required to take appropriate measures to protect personal data against unauthorized access, collection, use, disclosure, copying, modification, disposal, or other similar risks. They must also notify affected individuals and the Personal Data Protection Commission (PDPC) of any data breaches that may result in significant harm or impact to the affected individuals.

In this case, Clarins may have breached several obligations under the PDPA, including failing to implement adequate security measures to prevent unauthorized access, failing to conduct regular risk assessments, and failing to notify affected individuals and the PDPC in a timely manner.

What Can We Learn from This?

Data breaches can have serious consequences for organizations, including loss of customer trust, financial loss, and legal penalties. To prevent data breaches and protect personal data, organizations must take a proactive approach to data security.

Some key steps that organizations can take to improve their data security include:

  • Conducting regular risk assessments to identify potential vulnerabilities and threats.

  • Implementing robust security measures to protect against unauthorized access, such as two-factor authentication, encryption, and access controls.

  • Ensuring that all employees are trained on data protection policies and procedures.

  • Having a clear and comprehensive data breach response plan in place, including notification procedures and communication protocols.

  • Regularly reviewing and updating security measures to stay ahead of evolving threats.


The Clarins data security incident highlights the importance of taking data security seriously and complying with relevant data protection regulations. By implementing strong security measures and taking a proactive approach to risk management, organizations can better protect their customers' personal data and avoid potentially damaging data breaches.



Disclaimer: The information provided in all our blog posts is intended for general informational purposes only and does not constitute legal advice. The author and publisher are not liable for any damages or losses resulting from reliance on this information. It is recommended to consult with a legal professional for specific advice regarding PDPA compliance and other related data privacy obligations.
