Singapore PDPA

Who is excluded from PDPA compliance? 

The PDPA excludes the following: 

• any individual acting in a personal or domestic capacity;
• any employee acting in the course of his or her employment with an organization;
• any public agency;
• any other organizations or personal data, or classes of organizations or personal data, prescribed for the purposes of this provision;
• personal data about an individual that is contained in a record that has been in existence for at least 100 years; 
• personal data about a deceased individual, unless the individual who has been dead for 10 years or less;
• business contact information, defined as “an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.”
  
  

How can I keep my organization PDPA compliant? 

The PDPA lists a series of obligations which you have to take into account in order for your organization to be compliant with the law. These are as follows:  

• Consent Obligation: sections 13 through 17 describe the way consent has to be obtained before collecting, using, or disclosing personal data. However, unlike the GDPR, the PDPA includes deemed consent into the equation, meaning that even if a data subject has not actually given consent, if they have voluntarily provided personal data to your organization, or if it is reasonable that they would voluntarily provide the data, then consent is considered as having been given. 
• Purpose Limitation Obligation: according to Section 18 you may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
• Notification Obligation: you are required to notify the data subject of the purposes for which you intend to collect, use, or disclose their personal data on or before the collection, use, or disclosure, and you may only collect, use, and disclose personal data for such purposes. 
• Access and Correction Obligation: upon request, you must allow a data subject to access and/or correct the personal data you hold about them, and you must also inform them of the ways in which you have used or disclosed their personal data throughout the previous year, as stated in sections 21 and 22. 
• Accuracy Obligation: it is your responsibility to ensure that the personal data collected is accurate and complete, especially when such data may be used for decision making that would impact the data subject, or when the data might be disclosed to another organization, according to section 23. 
• Protection Obligation: section 24 states that you must protect the personal data in your possession by taking reasonable security steps to prevent unauthorized access, collection, usage, copying, modification, disclosure, disposal, on the one hand, or the loss of storage mediums on which personal data is stored.
• Retention Limitation Obligation: you are required according to section 25 to end data retention or means by which the personal data can be associated with a specific data subject as soon as the legal or business purposes for data retention no longer apply, or when it is reasonable to assume that the initial purposes for the data collection are no longer served by the retention. 
• Transfer Limitation Obligation: you must ensure that any transferred data outside Singapore will benefit from the same standards of protection as those set out in the PDPA, according to section 26. Following the issuance of the Amended Act, it is in the same section (26F - 26J) that data portability was introduced and regulated. 
• Accountability Obligation: sections 11 and 12 list the responsibilities your organization has in order to be accountable, such as appointing a Data Protection Officer (DPO), developing policies and practices that are necessary to meet the requirements of the PDPA, or communicating to your staff information regarding these as well as informing data subjects about them and about the complaint process, upon request. 
• Data Breach Notification Obligation: sections 26A through E mandate that your organization has an obligation to assess any data breaches and notify the regulatory authorities, the PDPC, as well as the affected data subjects, if the data breach is of a notifiable nature, meaning that it “results in, or is likely to result in, significant harm to an affected individual; or is, or is likely to be, of a significant scale.”
  
  

What data access rights does PDPA grant? 

The PDPA grants 4 rights to data subjects: 

• Right to access - detailed in section 21
• Right to correct - detailed in section 22
• Right to data portability - added via the Amended Act in section 26H in 2020
• Right to object / opt-out - according to Section 16, data subjects can withdraw their consent at any point and your organization has to inform them of the potential consequences of doing so.

There is no specific Right to be informed, however your organization has an obligation to inform data subjects of the purposes for collecting, using, or disclosing their personal data, and to provide them with policies and practices of data processing, as well as of the complaint submission process, on request. 

The Right to delete is also not provided to data subjects in a specific manner by the text of the law, but your organization has to comply with the retention limitation obligation which means that once the personal data is no longer necessary for the purposes it was collected, it has to be deleted. 

There is no Right to object to automated decision-making  given to data subjects, however the DNC Registry does offer some protection to data subjects against marketing messages. 

How to address data subject access requests under PDPA?

The PDPA does not mandate any time frame for answering a DSAR, instead using the phrasing “as soon as reasonably possible.”

In the case of a request for access, unless one of the exceptions outlined in the text of the law or in the Fifth Schedule apply, if your organization is able to provide the data subject with the required information, it should do so. If a rejection of the request applies, you must, “within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection.”

In the case of a request for correction, unless one of the exceptions outlined in the text of the law or in the Sixth Schedule apply,  your organization should correct the data as soon as practicable and also inform any other organization to which the personal data was disclosed throughout the past year, of the corrections made. If a refusal applies, you must, “within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection.”

Sections 26F through 26J outline the way a data portability request should be carried out, unless there are exceptions that would prevent your organization from giving effect to the request. As a porting organization, you must ensure that the request satisfies any prescribed requirements and that at the time you receive the data porting request, you have an ongoing relationship with the data subject.  

Enforcement and penalties

The regulatory authority, the PDPC, has the authority to issue guidance notes on the application of the law, as well as enforce the actual law. 

Penalties vary depending on whether we are referring to an individual or an organization, as the party guilty of a violation of the law. 

For individuals, the penalties range from fines of up to approx. $,3,700 and/or imprisonment between 1 and 2 years. For violations for which there is no prescribed penalty, the fines can go up to approximately $7,500, imprisonment for 3 years, or both, and for continued violations, a further fine up to $750 for every day or part of a day during which the violation is ongoing, after conviction.

For organizations, the fines range from approximately $37,000 to approximately $74,000 for minor offenses, and between approximately $740,000 and 10% of the annual turnover in Singapore of the organization if the organization has an annual turnover in Singapore that exceeds SGD 10 million (approx. $7,500,000).

In the event of a breach related to the DNC Registry, organizations may be fined up to SGD 1 million (approx. $740,000), for more serious offenses it can go up to 5% of the annual local turnover, and for individuals the financial penalty can go up to SGD 200,000 (approx. $148,000).

Data Subject Rights - GDPR vs. PDPA