Singapore’s Personal Data Protection Act (PDPA) - An Overview

The Personal Data Protection Act (PDPA) is the principal data protection legislation in Singapore governing the collection, use, and disclosure of individuals’ personal data by organizations. This article gives an overview of the law and its obligations.

Protecting personal data in the digital space has been a serious concern in recent years. Every major country has implemented its own personal data protection laws to regulate the collection and use of personal data by businesses.

If you are a business owner operating in Singapore or handle the personal data of Singapore residents, you should be well informed about Singapore’s Personal Data Protection Act. In this article, we give a complete overview of Singapore’s data protection law and provide guidelines for complying with it.

What is PDPA?

The Personal Data Protection Act (PDPA) is the data protection regulation in Singapore that regulates the collection, use, and disclosure of personal data by businesses. It also establishes the Do Not Call Register and regulates telemarketing in Singapore.

The Act was first introduced in 2012 and later amended in 2020. It sets out the obligations organizations must meet to comply with the law.

Now, let’s have a quick look at the timeline of the PDPA.

Date | Event
15 October 2012 | PDPA was passed by the Parliament of Singapore
2 January 2013 | The first phase of general provisions came into effect; the Personal Data Protection Commission (PDPC) was established
2 January 2014 | Provisions for the Do Not Call Registry came into force
2 July 2014 | Provisions relating to the protection of personal data came into force
2 November 2020 | The Parliament of Singapore passed amendments to the PDPA
1 February 2021 | Amendments to the PDPA took effect
1 October 2022 | Provision for an increased penalty came into force

Key Definitions Under PDPA

Now, let us look at the definitions of some key terms mentioned in PDPA.

  • Personal data: Personal data refers to any information about an individual, whether true or not, from which that individual can be identified, either from that information alone or from that information together with other information the organization has or is likely to have access to.
  • Individual: Individual refers to any natural person, whether alive or deceased.
  • Organization: Organization refers to any individual, company, or group of individuals, whether corporate or unincorporated, regardless of formation or recognition under Singaporean law. It also covers entities residing in Singapore or having an office or place of business there.
  • Processing: Processing refers to various operations on personal data, such as recording, holding, organizing, adapting, altering, retrieving, combining, transmitting, erasing, or destroying.
  • National interest: National interest refers to activities that include national defense, national security, public security, the maintenance of essential services, and the conduct of international affairs.


Applications of PDPA

The Personal Data Protection Act (PDPA) applies to all private organizations, whether located in Singapore or doing business with Singapore citizens, that collect, use, or disclose the personal data of Singapore citizens.

It does not impose obligations on individuals acting in a personal or domestic capacity, employees acting in the course of their employment, public agencies, or any other entity or category of personal data prescribed for the purposes of the relevant provision.

The provisions of the Act do not extend to (a) personal data about an individual that is contained in a record that has been in existence for at least 100 years, or (b) personal data about a deceased individual.

However, it’s important to note that the regulations governing the disclosure of personal data and Section 24 (protection of personal data) are applicable to personal data relating to an individual who has been deceased for a period of 10 years or less.


What is the Personal Data Protection Commission?

The Personal Data Protection Commission (PDPC) is the regulatory body established in 2013 to administer and enforce the Personal Data Protection Act. The Commission appoints a Commissioner, Deputy Commissioners, Assistant Commissioners, and Inspectors to carry out its functions under the PDPA.

Below are the different functions of the Personal Data Protection Commission:

  1. Promote awareness of data protection in Singapore.
  2. Provide consultancy, advisory, technical, managerial, or other specialist services related to data protection.
  3. Advise the Government on all matters concerning data protection.
  4. Represent the Government internationally on data protection matters.
  5. Conduct research, studies, and educational activities on data protection, including organizing seminars, workshops, and symposia, and supporting similar initiatives by other organizations.
  6. Manage technical cooperation and exchange on data protection with other organizations, including foreign data protection authorities and international or inter-governmental organizations, on behalf of the Government.
  7. Administer and enforce the provisions of PDPA.
  8. Fulfill functions conferred on the Commission under any other written law.
  9. Engage in other activities and perform functions permitted or assigned by the Minister through an order in the Gazette.

Data Protection Obligations Under PDPA

Now, let’s have a look at the obligations of businesses under PDPA to protect the personal data of customers and employees.

1. Accountability

Accountability is the fundamental principle of the PDPA. Organizations are responsible for the personal data of their customers and employees that they handle. They should develop data protection policies for their business, inform their staff about these policies, and build a culture of responsibility through regular training.

They should also appoint a data protection officer, who ensures that the organization follows PDPA requirements, and make information about their data protection policies available to their customers.


2. Notification

Organizations must inform users about the purposes intended for collecting, using, or disclosing their personal data.

3. Consent

Organizations should obtain consent from their customers before collecting, using, or disclosing their personal data. The data should only be used for the purpose for which consent was granted. Organizations should also give users the option to withdraw consent at any time.

Once a user withdraws consent, the withdrawal takes effect immediately, and the organization must stop collecting or disclosing that user’s personal data.

4. Purpose Limitation

Collect, use, or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances, and only with prior consent from the users. Organizations should not obtain consent by making it mandatory for users to share more personal information than is needed to deliver a product or service.

5. Data Accuracy

Organizations should ensure that the personal data collected from their customers is accurate and complete.

6. Data Protection

Organizations should implement proper security measures to protect personal data from unauthorized access, collection, use, disclosure, or any other potential risks.

7. Data Retention

Do not collect, use, or disclose personal data when it is no longer necessary for the purpose it was consented to.

8. Data Transfer Limitation

Organizations should transfer personal data to another country only in accordance with the requirements set out in the law. They should also ensure that the receiving country has data protection standards comparable to those outlined in the PDPA (unless exempted by the PDPC).

9. Access and Correction

Organizations should provide users with access to their personal data upon request, along with information on how that data has been used or disclosed. Additionally, organizations are required to correct any errors or omissions in an individual’s personal data as soon as possible.

They should also send the corrected data to other organizations to which the incorrect data was disclosed (or to the specific organizations the user consents to) within a year of making the correction.

10. Data Breach Notification

In the event of a data breach, organizations should inform the PDPC and affected individuals as soon as possible, especially if it is likely to cause significant harm to people.

11. Data Portability

Organizations are required to share the personal data of the users with another organization in a machine-readable format when requested by the users.


Do Not Call Registry Under PDPA

The PDPA sets out provisions for the Do Not Call (DNC) Registry to regulate telemarketing to Singapore citizens. It prohibits organizations from sending marketing communications to Singapore telephone numbers (mobile, fixed-line, residential, and business numbers) listed in the DNC Registry.

Marketing communications include voice calls, text messages, and fax messages sent to supply, advertise, or promote goods or services. They also cover promotional messages from businesses and advertisements for investment opportunities.

When sending marketing messages to residents in Singapore, ensure that you avoid sending them to telephone numbers in Singapore that are registered with the DNC Registry.

For more information, refer to the DNC Registry Business Rules.

Frequently Asked Questions on PDPA

What Are the Data Rights Under Singapore PDPA?

Singapore’s PDPA grants certain rights to individuals over their personal data shared with businesses.

  1. Right to information: Individuals have the right to be informed about data collection and data breaches.
  2. Right to access: Individuals have the right to access their personal data.
  3. Right to correction: Individuals have the right to ensure the accuracy of the personal data they have shared with businesses.
  4. Right to erasure: Individuals have the right to request the deletion of their personal data, or that its use or disclosure cease.
  5. Right to opt out: Individuals have the right to withdraw their consent for the collection, use, or disclosure of their personal data at any time.
  6. Right to data portability: Individuals have the right to request that their data be ported from one organization to another.

What Are the Fines and Penalties for Non-compliance Under Singapore PDPA?

If an organization fails to comply with the PDPA, the Personal Data Protection Commission (PDPC) can:

  • restrict the collection, use, or disclosure of personal data;
  • order the destruction of the personal data;
  • order that access to and correction of personal data be provided, and refuse to transmit the data. [section 48H(2)]

The PDPC can also impose financial penalties on organizations, with a maximum of 10% of the organization’s annual turnover in Singapore if the turnover surpasses SGD 10 million or up to SGD 1 million in other cases.

Are GDPR and PDPA the Same?

No. The General Data Protection Regulation (GDPR) is a data protection law that regulates the data processing activities in the European Union, whereas the Personal Data Protection Act (PDPA) is a data protection regulation that applies to the processing of personal data of Singapore citizens.

Although both laws impose similar data protection obligations, the GDPR has a broader scope and gives individuals more rights and protections.


Conclusion

The Personal Data Protection Act (PDPA) is a comprehensive data protection regulation that governs the collection, use, and disclosure of personal data of Singapore citizens by organizations.

It grants several rights to individuals over their personal data and implements certain obligations for organizations handling the personal data of customers and employees.

The Personal Data Protection Commission is responsible for administering and enforcing the PDPA provisions in Singapore. It has the power to address matters regarding data protection and impose fines and penalties on organizations for non-compliance.

We hope this article has provided you with everything you need to know about Singapore’s data protection regulation. If you have any queries, drop them in the comments section; we’d be happy to help you.

Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.

Article by

Content Writer @ WebToffee. Specialized in WordPress and eCommerce. When I am not writing, I enjoy my downtime with a good cup of coffee and a movie.
