The PDPA Singapore Data Protection Law
The PDPA imposes obligations on organisations in respect of the collection, use and disclosure of personal data in Singapore.
What is the Singapore PDPA
What is the Personal Data Protection Act (PDPA)?
The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The PDPA was passed by Parliament in October 2012 and came into force in 4 stages between January 2013 and July 2014.
The PDPA recognises both:
- The right of individuals (natural persons, whether living or dead) to protect their personal data; and
- The need of organisations (all corporate bodies – e.g. companies – and unincorporated bodies, including those formed or resident outside of Singapore) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (see below).
Who Does the PDPA Apply To
The data protection provisions in the PDPA (parts III to VI) generally do not apply to:
- Any individual acting on a personal or domestic basis.
- Any employee acting in the course of his or her employment with an organisation.
- Any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.
- Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.
The PDPA is intended to be a baseline law that operates as part of the general law of Singapore. It does not supersede existing sector-specific statutes, such as the Banking Act and the Insurance Act, but works in conjunction with them and with the common law.
How Are Data Controllers and Data Processors treated
Compared with the GDPR, the PDPA applies to a narrower range of entities. It does not apply to public agencies or to organisations acting on their behalf. Whilst the PDPA technically has extraterritorial effect, in practice it is not actively enforced against entities located outside Singapore.
The PDPA does not require processors to be contractually bound to a defined set of obligations; the only exception is where personal data is transferred by the controller to a processor based outside Singapore. In practice, processors in Singapore are often subject to contractual processing terms, but these rarely go as far as the GDPR's requirements.
Do you need to appoint a DPO
Processors do not need to appoint a DPO. Unlike under the GDPR, the DPO is responsible for only one task: he or she must ensure that the organisation complies with its data protection obligations under the PDPA.
What Privacy Policies need to be in place
Organisations must put in place both external and internal privacy policies and guidelines to ensure an effective data protection compliance programme. In three recent cases the PDPC has emphasised that internal data protection policies and processes are needed to set minimum data protection standards across an organisation and to help employees understand the organisation's data protection obligations under the PDPA. Importantly, the PDPC noted that without such written policies it would be difficult for an organisation to evidence that it had met its transparency and accountability requirements under the PDPA.
Organisations operating IoT devices and apps should also review and update their privacy policies in light of guidance given in another recent decision. In this case, the PDPC considered the sufficiency of IoT privacy policies, and recommended specific reference to the IoT device and details of the personal data to be collected, used and disclosed by the IoT device. As regards mobile apps more generally, the PDPC encouraged app privacy policies to explain to users why personal data is being collected, used and disclosed; use clear language (avoiding technical terms), be easily readable, understandable and an appropriate length; be prominently located on the app; and be tailored to the specific app. The PDPC also suggested considering using icons and/or just-in-time notifications to obtain specific consent dynamically.
What are the penalties?
protection requirements in the PDPA. Unlike under the GDPR, data subjects affected by a data breach can only bring an action against controllers (and not processors) for losses and damages suffered as a result of the breach.
Relentless Your PDPA Partner of Choice
We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.
With a tailor-made approach, we work with our clients to execute each project according to their specific needs, and we help maximise the long-term business value of their compliance and privacy assurance strategies, ensuring their global operations remain within the law.
Relentless PDPA Service What's Included?
Our PDPA Service Includes the Following
- PDPA Assessment
- Dedicated Support Consultant
- Unlimited Support Calls
- Unlimited Email Support
- Data Mapping
- Record of Processing Activities
- Subject Access Request Service
- Data Breach Support
- DPO Service
The PDPA's breadth of application, and the adverse consequences for businesses that do not comply with its terms, make it crucial for all companies to fully understand its requirements and the potential impacts on their businesses. Moreover, though there are similarities between the PDPA and the GDPR,