Singapore’s Personal Data Protection Act (PDPA), Compliance

Singapore’s Personal Data Protection Act or PDPA for short is a data protection law that was passed in Singapore in 2012. The PDPA was passed with the goal of creating a baseline standard for the protection of personal data and information within the country of Singapore. What’s more, the PDPA also complements other regulatory and legislative frameworks within the country, such as Singapore’s Banking and Insurance Acts. In contrast to many other privacy laws around the world, such as the California Privacy Rights Act or CCPA and the EU’s General Data Protection Regulation of GDPR, the PDPA also established a National Do Not Call or DNC, allowing Singaporean citizens to opt-out of receiving unwanted calls and telemarketing messages from businesses and organizations.

What is the scope of the PDPA?

The PDPA applies to all businesses entities and organizations within Singapore that collect, use, or disclose the personal information of Singaporean citizens. Furthermore, the PDPA also applies to businesses and organizations that are not physically located within Singapore but nevertheless collect, use, or disclose the personal information of Singaporean citizens. Moreover, the PDPA also applies to cross-border transfers of personal information, in instances where the personal data of a Singaporean citizen is transferred to another country or overseas location. Despite all of this, there are certain businesses and organizations that are exempted from the jurisdiction of the PDPA. These businesses and organizations are as follows:

• Individuals acting in either a domestic or personal capacity.
• Public agencies.
• Employees performing actions in the context of their employment with a particular business or organization.
• Government agencies.
• Any other organization or category if personal data that may be prescribed.

Data intermediaries within Singapore are also exempt from the scope and jurisdiction of the PDPA, provided that such intermediaries are processing the personal data of Singaporean citizens on behalf of and for the purposes of another business or organization, that is pursuant to a contract that is made in writing or otherwise evidenced, and as such only have obligations to the PDPA in relation to the following:

• The protection of personal data under their control or in their possession, by taking reasonable security measures and arrangements to prevent the unauthorized collection, access, use, copying, modification, disclosure, or disposal of said personal data.
• The retention of personal data, by the means of ceasing to retain documents that contain personal data, or by removing the means by which said personal data can be associated with particular individuals, i.e. the destruction or anonymization of personal data, as soon as it is reasonable to assume that the purposes for which this personal data was collected is no longer being served by its retention, and said retention is no longer necessary for either legal or business purposes.
• The notification of a data breach, by the means of notifying the public agency, business, or organization that it is processing personal data on behalf of, of the occurrence of a said data breach without any undue delay, where the data intermediary in question also has reason to believe that a data breach affecting the personal data of Singaporean citizens has occurred.

What are the requirements of businesses and organizations under the PDPA?

The PDPA sets forth various principles in regards to how businesses and organizations should go about the practice of engaging in data protection obligations. These principles include:

• Consent obligation– Businesses and organizations are responsible for obtaining consent from individuals before collecting, using, or disclosing said personal information for a specific purpose.
• Purpose limitation obligation– A business or organization is only permitted to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances for which said data was collected.
• Notification obligation– Businesses and organizations are required to notify individuals of the purposes for which they intend to collect, use, or disclose the personal data of said individuals before said collection, use or disclosure. Businesses and organizations must also use said data for no other purpose than what was initially intended.
• Access and correction obligation– Businesses and organizations are required to, upon request, allow for an individual to both access and correct any information pertaining to them that said business or organization may hold. Businesses and organizations are also obliged to provide individuals with information relating to the ways in which said individuals personal information has been used or disclosed within the past calendar year.
• Accuracy obligation– All businesses and organizations must take reasonable measures to ensure that all personal information that is collected is both accurate and complete, if said business or organization is likely to use such personal information in a manner that will affect the individual concerned, or disclose this personal information to another organization or third party.
• Protection obligation– A business or organization is required to protect all personal information in its possession or under its control by implementing reasonable safeguards and security measures to prevent the unauthorized access, use, collection, modification, copying, or disposal of said information, as well as prevent the loss of any storage device or medium in which personal information has been stored.
• Retention limitation obligation– Businesses and organizations must cease to retain documents that contain personal information, or remove the means by which this personal data can be assigned or associated with particular individuals, as soon as it is reasonable to assume such retention of an individual’s personal data no longer serves the purpose for which it was originally collected and is no longer necessary for legal or business purposes.
• Transfer limitation obligation– A business or organization must not transfer personal data or information to a territory or country outside of Singapore, unless such a transfer is in accordance with requirements prescribed by the provisions of the PDPA to ensure that such transferred data afforded a standard of protection to that of the PDPA.
• Accountability obligation– All businesses or organizations must appoint an individual to be held responsible for ensuring that said business or organization is complying with the PDPA at all times, otherwise known as a Data Protection Officer or DPO. This DPO must both develop, implement, and maintain practices and policies that are necessary to maintain compliance under the PDPA, including a process by which consumers can make complaints. Additionally, businesses and organizations are required to communicate information about such practices and policies to their staff members, as well as make this information available to the public upon request.
• Data breach notification obligation– A business or organization must assess data breach incidents that have affected personal data that is in their possession or under their control, notify the Personal Data Protection Commission or PDPC as well as all affected individuals, of the occurrence of said data breaches.
• Data portability obligation– Upon a businesses or organizations receipt of data porting request from a consumer or individual, the porting organization must transmit all applicable data specified in the data porting to the organization receiving said porting request, in accordance with any requirements that may have been prescribed, such as specific requirements related to consumer protection, technical aspects, or the overall user experience.

What are the penalties for violating the PDPA?

In addition to establishing specific requirements or principles that organizations and businesses must adhere to at all times, the PDPA also established the Personal Data Protection Commission or PDPC for the purposes of enforcing the law. As such, penalties that can be imposed against businesses or organizations found to be in violation of PDPA on the part of the PDPC include the following:

• The stoppage of collection, use, or disclosure of personal data that is in violation of the PDPA.
• The destruction of personal data that is found to be in violation of the PDPA.
• Require that a business or organization provide access to or correct personal data.
• Require that a business or organization produce specific information or document in writing.
• Enter into a particular business or organization premises without a warrant, by giving at least two working days advance notice of such intended entry.
• Obtain a search warrant to enter a business or organization’s premises to take possession of or remove documents.
• A financial penalty of up to SGD 1 million ($735,545)

As countries around the world continue to pass legislation related to protecting the data privacy rights of their citizens, Singapore joins one of the many nations to pass a comprehensive data privacy law in the past decade. Compared to many U.S. state privacy laws such as the Virginia Consumer Data Protection Act or VCDPA, as well as international privacy regulations such as the EU’s General Data Protection Regulation or GDPR, the PDPA has considerable scope and applicability within the country of Singapore. As the PDPA allows the PDPC to obtain a warrant to enter the premises of businesses or organizations that are found to be noncompliant, Singaporean citizens are afforded a level of data protection that few other countries offer. As such, citizens of Singapore can have the peace of mind that their personal data privacy rights are being upheld to the utmost degree of fortitude.