GDPR Compliance Statement

Last Updated: May 25, 2026

1. Our Commitment to GDPR

Although Prefeo CMI is based in Singapore and primarily operates under Singapore's Personal Data Protection Act (PDPA), we recognize that some of our clients and website visitors may be located in the European Union. We are committed to complying with the General Data Protection Regulation (GDPR) when processing personal data of EU residents.

This statement outlines how we handle personal data in accordance with GDPR principles and your rights under this regulation.

2. Data Controller Information

For the purposes of GDPR, the data controller is:

Prefeo CMI
152 Beach Road, #12-06 Gateway East
Singapore 189721
Email: [email protected]

3. Legal Basis for Processing

We process personal data under the following lawful bases as defined in GDPR Article 6:

  • Consent (Article 6(1)(a)): Where you have given explicit consent for processing your personal data for specific purposes
  • Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract to which you are a party, such as legal service engagements
  • Legal Obligation (Article 6(1)(c)): Processing is necessary to comply with legal obligations under Singapore law and legal practice regulations
  • Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate interests in operating our business, responding to inquiries, and improving services, provided these interests do not override your fundamental rights

4. Your Rights Under GDPR

If you are an EU resident, you have the following rights regarding your personal data:

4.1 Right to Access (Article 15)

You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.

4.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete data.

4.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. Note that legal practice regulations may require us to retain certain records for specified periods.

4.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in certain situations, such as when you contest the accuracy of the data or object to processing.

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

4.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

4.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

4.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your EU member state if you believe we have violated your data protection rights.

5. Exercising Your Rights

To exercise any of the rights listed above, please contact us at [email protected] with the subject line "GDPR Data Subject Request." Please include:

  • Your full name and contact information
  • Description of your request
  • Verification of your identity (we may request additional information to confirm your identity)

We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months and will inform you of the extension.

6. Data Protection Principles

In accordance with GDPR Article 5, we process personal data in compliance with the following principles:

  • Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner
  • Purpose Limitation: We collect data for specified, explicit, and legitimate purposes
  • Data Minimization: We collect only data that is adequate, relevant, and limited to what is necessary
  • Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date
  • Storage Limitation: We retain data only for as long as necessary for the purposes for which it was collected
  • Integrity and Confidentiality: We implement appropriate security measures to protect data
  • Accountability: We are responsible for and can demonstrate compliance with these principles

7. International Data Transfers

As we are based in Singapore, personal data of EU residents may be transferred outside the European Economic Area (EEA). Singapore is not currently recognized as providing adequate data protection under GDPR. However, we implement appropriate safeguards to protect your data, including:

  • Compliance with Singapore's Personal Data Protection Act, which provides comparable protections
  • Contractual clauses ensuring adequate data protection standards
  • Technical and organizational security measures

By using our services or providing your personal data, you acknowledge and consent to this transfer.

8. Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and vulnerability testing
  • Access controls and authentication mechanisms
  • Staff training on data protection obligations
  • Incident response procedures

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Article 34.

10. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.

11. Third-Party Service Providers

We may engage third-party service providers who process personal data on our behalf. When we do so, we ensure:

  • Service providers process data only according to our instructions
  • Appropriate data processing agreements are in place
  • Service providers implement adequate security measures
  • Service providers comply with GDPR requirements

12. Children's Data

Our services are not directed to children under 16 years of age. We do not knowingly collect or process personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. The "Last Updated" date indicates when the statement was last revised. Material changes will be communicated through our website or by direct notification where appropriate.

14. Contact Information

For questions, concerns, or requests regarding GDPR compliance or your data protection rights, please contact us:

Prefeo CMI
152 Beach Road, #12-06 Gateway East
Singapore 189721
Email: [email protected]
Subject Line: GDPR Inquiry

15. Supervisory Authority

If you are an EU resident and have concerns about how we handle your personal data, you have the right to lodge a complaint with the supervisory authority in your EU member state. A list of supervisory authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en