What is PDPA?
The Personal Data Protection Act (PDPA) is Singapore’s data privacy law, governing the collection, use and disclosure of personal data by organizations. It was passed in October 2012 and has been amended several times since, most recently by the Amendment Act of 2020.
Compared with other data privacy laws across the globe, it has been considered a lighter law, for example when set against the GDPR, to which it bears little resemblance. Be that as it may, the Amendment Act increased the penalties, clearly regulated data portability, and added imprisonment for criminal offenses to the text of the law.
Last but not least, it created a Do Not Call (DNC) Registry, which contains Singapore telephone numbers (mobile, landline, residential, or business) that organizations are banned from using to send marketing messages.
What is Personal Information and what are other key definitions?
The PDPA has a similar definition for ‘personal data’ to that of the GDPR, namely, it means “data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access.”
When it comes to data processors, Singapore’s law calls this a ‘data intermediary,’ defined as “an organization which processes personal data on behalf of another organization but does not include an employee of that other organization.” There is no definition for what a ‘data controller’ is.
Other definitions offered by the text of the law include that of ‘organization,’ which is “any individual, company, association or body of persons, corporate or unincorporated, whether or not formed or recognised under the law of Singapore; or resident, or having an office or a place of business, in Singapore,” and that of ‘public agency,’ which is relevant for determining the applicable law, since it is defined as “the Government, including any ministry, department, agency, or organ of State; any tribunal appointed under any written law; or any statutory body specified” by the Minister who may, “by notification in the Gazette, specify any statutory body established under a public Act for a public function to be a public agency for the purposes of this Act.”
There is no definition for what constitutes ‘sensitive personal data’ but the law does state that in determining a financial penalty, the regulating authority, the Personal Data Protection Commission (PDPC), must consider, among other things, the type and nature of the personal data affected.
Who has to comply with the PDPA?
The PDPA applies to any organization located in Singapore or which processes data of Singapore residents, and to any type of data, in both electronic and non-electronic format.
Although the text of the law does not specifically mention this, some types of data are considered to be of a more sensitive nature and should receive additional protection, such as an HIV diagnosis or records of adoption; these are discussed in the advisory guidelines that the PDPC publishes on its official website.
Who is excluded from PDPA compliance?
The PDPA excludes the following:
- any individual acting in a personal or domestic capacity;
- any employee acting in the course of his or her employment with an organization;
- any public agency;
- any other organizations or personal data, or classes of organizations or personal data, prescribed for the purposes of this provision;
- personal data about an individual that is contained in a record that has been in existence for at least 100 years;
- personal data about a deceased individual, unless the individual has been dead for 10 years or less;
- business contact information, defined as “an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.”
How can I keep my organization PDPA compliant?
The PDPA lists a series of obligations which you have to take into account in order for your organization to be compliant with the law. These are as follows:
- Consent Obligation: sections 13 through 17 describe the way consent has to be obtained before collecting, using, or disclosing personal data. However, unlike the GDPR, the PDPA brings deemed consent into the equation, meaning that even if a data subject has not actually given consent, if they have voluntarily provided personal data to your organization, or if it is reasonable that they would voluntarily provide the data, then consent is considered as having been given.
- Purpose Limitation Obligation: according to Section 18 you may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
- Notification Obligation: you are required to notify the data subject of the purposes for which you intend to collect, use, or disclose their personal data on or before the collection, use, or disclosure, and you may only collect, use, and disclose personal data for such purposes.
- Access and Correction Obligation: upon request, you must allow a data subject to access and/or correct the personal data you hold about them, and you must also inform them of the ways in which you have used or disclosed their personal data throughout the previous year, as stated in sections 21 and 22.
- Accuracy Obligation: it is your responsibility to ensure that the personal data collected is accurate and complete, especially when such data may be used for decision making that would impact the data subject, or when the data might be disclosed to another organization, according to section 23.
- Protection Obligation: section 24 states that you must protect the personal data in your possession by taking reasonable security steps to prevent unauthorized access, collection, use, copying, modification, disclosure or disposal of the data, as well as the loss of any storage medium on which personal data is stored.
- Retention Limitation Obligation: according to section 25, you are required to cease retaining personal data, or to remove the means by which the personal data can be associated with a specific data subject, as soon as the legal or business purposes for data retention no longer apply, or when it is reasonable to assume that the initial purposes for the data collection are no longer served by the retention.
- Transfer Limitation Obligation: you must ensure that any data transferred outside Singapore will benefit from the same standards of protection as those set out in the PDPA, according to section 26. Following the issuance of the Amendment Act, data portability was introduced and regulated in the same section (26F to 26J).
- Accountability Obligation: sections 11 and 12 list the responsibilities your organization has in order to be accountable, such as appointing a Data Protection Officer (DPO), developing policies and practices that are necessary to meet the requirements of the PDPA, or communicating to your staff information regarding these as well as informing data subjects about them and about the complaint process, upon request.
- Data Breach Notification Obligation: sections 26A through 26E mandate that your organization must assess any data breach and notify the regulatory authority, the PDPC, as well as the affected data subjects, if the data breach is of a notifiable nature, meaning that it “results in, or is likely to result in, significant harm to an affected individual; or is, or is likely to be, of a significant scale.”
What data access rights does PDPA grant?
The PDPA grants 4 rights to data subjects:
- Right to access - detailed in section 21
- Right to correct - detailed in section 22
- Right to data portability - added via the Amendment Act in section 26H in 2020
- Right to object / opt-out - according to Section 16, data subjects can withdraw their consent at any point and your organization has to inform them of the potential consequences of doing so.
There is no specific Right to be informed; however, your organization has an obligation to inform data subjects of the purposes for collecting, using, or disclosing their personal data, and to provide them, on request, with its policies and practices for data processing as well as the complaint submission process.
The Right to delete is also not explicitly granted to data subjects by the text of the law, but your organization has to comply with the retention limitation obligation, which means that once the personal data is no longer necessary for the purposes for which it was collected, it has to be deleted.
There is no Right to object to automated decision-making; however, the DNC Registry does offer data subjects some protection against marketing messages.
How to address data subject access requests under PDPA?
The PDPA does not mandate any time frame for answering a DSAR, instead using the phrasing “as soon as reasonably possible.”
In the case of a request for access, unless one of the exceptions outlined in the text of the law or in the Fifth Schedule applies, your organization should provide the data subject with the requested information if it is able to do so. If the request is rejected, you must, “within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection.”
In the case of a request for correction, unless one of the exceptions outlined in the text of the law or in the Sixth Schedule applies, your organization should correct the data as soon as practicable and also inform any other organization to which the personal data was disclosed during the past year of the corrections made. If the request is refused, you must, “within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection.”
Sections 26F through 26J outline the way a data portability request should be carried out, unless there are exceptions that would prevent your organization from giving effect to the request. As a porting organization, you must ensure that the request satisfies any prescribed requirements and that at the time you receive the data porting request, you have an ongoing relationship with the data subject.
Enforcement and penalties
The regulatory authority, the PDPC, has the authority to issue guidance notes on the application of the law, as well as to enforce the law itself.
Penalties vary depending on whether the party guilty of a violation is an individual or an organization.
For individuals, the penalties range from fines of up to approximately $3,700 and/or imprisonment between 1 and 2 years. For violations for which there is no prescribed penalty, the fines can go up to approximately $7,500, imprisonment for 3 years, or both, and for continued violations, a further fine of up to $750 for every day or part of a day during which the violation continues after conviction.
For organizations, the fines range from approximately $37,000 to approximately $74,000 for minor offenses, and between approximately $740,000 and 10% of the annual turnover in Singapore of the organization if the organization has an annual turnover in Singapore that exceeds SGD 10 million (approx. $7,500,000).
In the event of a breach related to the DNC Registry, organizations may be fined up to SGD 1 million (approx. $740,000); for more serious offenses the fine can go up to 5% of the annual local turnover, and for individuals the financial penalty can go up to SGD 200,000 (approx. $148,000).
Data Subject Rights - GDPR vs. PDPA
Rights granted under the GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Rights granted under the PDPA:
- Right to access data
- Right to correct inaccurate data
- Right to object to processing
- Right to the portability of data
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.