THE SINGAPORE PDPA DATA PRIVACY LAW


What is the Personal Data Protection Act (PDPA)?

The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The PDPA was passed by Parliament in October 2012 and came into force in 4 stages between January 2013 and July 2014.

The PDPA recognises both:

  • The right of individuals (natural persons, whether living or dead) to protect their personal data; and
  • The need of organisations (all corporate bodies – e.g. companies – and unincorporated bodies, including those formed or resident outside of Singapore) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (see below).

The PDPA covers personal data stored in electronic and non-electronic forms.

The data protection provisions in the PDPA (parts III to VI) generally do not apply to:

  • Any individual acting on a personal or domestic basis.
  • Any employee acting in the course of his or her employment with an organisation.
  • Any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.
  • Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

These rules are intended to be the baseline law which operates as part of the law of Singapore. They do not supersede existing statutes, such as the Banking Act and Insurance Act, but will work in conjunction with them and the common law.

Data Controller

The PDPA applies to a narrower range of entities. It does not apply to public agencies or organisations acting on their behalf. Whilst the PDPA technically has extraterritorial effect, in practice, it is not actively enforced against entities located outside Singapore.

Data Processor

The PDPA does not require processors to be contractually bound to a defined set of obligations – the only exception is where personal data is transferred by the controller to a processor based outside Singapore. In practice, processors in Singapore are often subject to contractual processing terms but these rarely go as far as GDPR’s requirements.

All controllers must appoint a DPO, regardless of the nature of the processing. Processors do not need to appoint a DPO. Unlike GDPR, the DPO is responsible only for one task, i.e. he or she must ensure that the organisation complies with its data protection obligations under the PDPA.

Privacy policies

Organisations must ensure they have in place both external and internal privacy policies/guidelines, to ensure effective data protection compliance programmes. In three recent cases the PDPC has emphasised that internal data protection policies and processes are needed to set minimum data protection standards across an organisation and help employees understand the organisation’s data protection obligations under the PDPA. Importantly, the PDPC noted that without such written policies it would be difficult for an organisation to evidence that it had met its transparency and accountability requirements under the PDPA.

Organisations operating IoT devices and apps should also review and update their privacy policies in light of guidance given in another recent decision. In this case, the PDPC considered the sufficiency of IoT privacy policies, and recommended specific reference to the IoT device and details of the personal data to be collected, used and disclosed by the IoT device. As regards mobile apps more generally, the PDPC encouraged app privacy policies to explain to users why personal data is being collected, used and disclosed; use clear language (avoiding technical terms); be easily readable, understandable and of an appropriate length; be prominently located on the app; and be tailored to the specific app. The PDPC also suggested considering using icons and/or just-in-time notifications to obtain specific consent dynamically.

The PDPC can impose fines of up to $1 million for non-compliance with the data protection requirements in the PDPA. Unlike GDPR, data subjects affected by a data breach can only bring an action against controllers (and not processors) for losses and damages suffered as a result of the breach.
 

Relentless: Your PDPA Partner of Choice

Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity services to companies of all sizes.

 

Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.

 

We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.

With a tailor-made approach, we work with our clients in executing each project to their specific needs and help maximize the long-term business value of their compliance and privacy assurance strategies, ensuring their global operations remain within the law.

Relentless PDPA Service: What's Included?

Our Singapore PDPA Service Includes the Following Assessment

  • PDPA Assessment
  • Dedicated DPO
  • Unlimited Support Calls
  • Unlimited Email Support
  • Data Mapping
  • Record of Processing Activities
  • Subject Access Request Service
  • Data Risk Assessments
  • Data Breach Support
  • Data Protection Policy Writing
  • PDPA Framework Design
  • PDPA Privacy Maturity Gap Analysis and Remediation Report

At Relentless we have helped companies from startups to PLCs. Our services are rich, comprehensive, and built for every budget.

Call Us

+44 (0) 121 582 0192

Reach Us

Colmore House, Queensway, Birmingham B4 6AT

Open Hours

Mon-Fri 08:00 - 18:00
