An Introduction to Singapore Personal Data Protection Act (PDPA)
In Singapore, the collection, use, and disclosure of personal data are governed by the Personal Data Protection Act (PDPA). It covers all electronic and non-electronic personal data, regardless of whether the personal data is true or false. Earlier this year, the Act underwent its first comprehensive revision since its promulgation in 2012. Most provisions under the Act came into effect on February 1, 2021.
This article discusses the Personal Data Protection Act further, including its scope and what it covers, which changes have come into effect and which have not, and more.
What are the scopes of the PDPA?
There are three scopes under the Personal Data Protection Act:
The PDPA generally applies to all private organizations concerning the personal data of individuals that they collect, use and/or disclose.
However, the following categories of organizations are excluded from the application of PDPA:
- Any individual acting on a personal or household basis;
- Any individual acting in their capacity as an employee of an organization;
- Any public agency associated with the collection, use, or disclosure of personal data; and
- Any other organization or other personal data, or the class of organization or personal data as specified.
The PDPA also applies to organizations without a physical presence in Singapore, as long as they collect, use, or show an individual’s personal information in Singapore. For example, an organization located in Japan that collects data from individuals in Singapore via online channels or platforms will be subject to the Data Protection Provisions under the PDPA.
Other types of organizations that are subject to the Data Protection Provisions are:
- Organizations that transfer personal data to their parent company or subsidiaries; and
- Organizations that are involved in the cross-border transfer of personal data from Singapore to overseas locations.
The PDPA regulates the collection, use, and publication of personal data by organizations. However, the PDPA expressly excludes the following categories of personal data from its application:
- business contact information, which is defined as an individual’s name, position or title name, business e-mail address or business fax number, and other similar information about the individual that is not provided by the individual solely for their personal purposes, unless expressly stated in the PDPA;
- personal data contained in records that have existed for at least 100 years; and
- personal data about deceased individuals who have been dead for more than ten years.
New changes that have come into effect
The Personal Data Protection Act is constantly being reviewed and revised to keep pace with the rapidly changing digital economy landscape and to ensure that Singapore’s personal data protection laws align with international standards, such as the General Data Protection Regulation (GDPR).
The following is a list of some of the amendments effective February 1, 2021:
- Mandatory violation notice;
- Principle of accountability;
- Error handling of personal data;
- Unsolicited messages;
- Volunteer effort;
- Alternative dispute resolution;
- Do Not Call violation;
- Business upgrade exception;
- Research & development exclusion;
- Exceptions to legitimate interests; and
- Contract requirements.
Upcoming changes that are yet to take effect
Not all provisions under the PDPA have come into effect. Below are two changes to the PDPA that are yet to take effect.
Higher maximum financial penalties
The enhanced financial penalty regime that enables the PDPA to impose financial penalties of up to 10% of an organization’s annual gross turnover (or S$1 million, whichever is higher) will take effect on a further date to be notified.
The revision of financial penalties aligns the PDPA with similar penalty mechanisms in other jurisdictions, notably the EU, Australia, and other local laws such as the Competition Act.
A new data portability obligation will allow individuals to request copies of their personal data to be sent in a commonly used machine-readable format to other organizations, enabling consumers to switch to a new service provider more easily.
How do the changes to the PDPA affect organizations in Singapore?
In order to meet the new requirements and expectations of individuals, regulators, and society, Singapore organizations will need to adapt or change their approach to PDPA compliance and data protection in general.
In addition, organizations also need to review existing company policies on consumer data and strengthen gaps where necessary. Moreover, they also need to carry out adjustments and coordination to manage data breach reporting policies and procedures.
Tips on protecting your personal data according to the PDPA
As an individual living in Singapore, you have a responsibility to protect your own personal data. Here are a few tips on protecting your personal information according to the PDPA.
1. Know why you should give your personal data
You have the right to ask any organization why they need your personal data. Therefore, if you are an organization, you need your clients’ consent before collecting, using, or disclosing their personal data. If you voluntarily provide your personal data for a specific purpose, you may also allow the organization to collect, use, or show your details. This is known as “considered consent.”
2. Choose what details to provide
Sometimes, you may not need to provide your personal data as the PDPA allows individuals to choose not to give their consent. However, if you decide to provide your details to an organization that wants to provide products or services to you, make sure you only provide relevant information.
3. You have the right to withdraw your consent
You can tell an organization to stop collecting, using, or revealing your details. Correspondingly, the organization must notify you of the possible consequences of your withdrawal before processing the request. However, note that the organization may still retain your details for as long as there is a business or legal need.
4. Have access to your personal information
You can request to see the personal data that the organization has about you. Besides, you can also check how your information has been used or disclosed. Note that organizations may charge an administration fee for each access request or deny a request if it is deemed frivolous.
Likewise, if you are an organization, you cannot grant your clients access if doing so could:
- cause immediate or serious harm to their safety or physical/mental health;
- threaten the safety or physical/mental health of others;
- leak other people’s personal data;
- reveal the identity of the person who provided their personal information; or
- be contrary to the national interest.
5. You may request correction
You can request to correct errors or omissions in your personal info held by an organization. However, note that the organization can choose not to make corrections if they have a valid reason. Otherwise, the organization must revise the data and send it to other parties that have received it; or if you agree, only to specific ones who may have collected it.
If your organization involves collecting personal data of individuals in Singapore, it is important to learn about the PDPA and how you can comply with it. Failure to comply with the Act can cause severe consequences to your organization. For more detailed information about the PDPA, please visit the Personal Data Protection Commission (PDPC) website at www.pdpc.gov.sg.