The Personal Data Protection Act 2012 (PDPA) is the legal framework governing data protection in Singapore. It specifically oversees the handling of personal data within the private sector.
Effective date: February 1, 2021
What is Singapore PDPA?
The Personal Data Protection Act 2012 (PDPA) is Singapore’s main legislation governing the collection, use, and disclosure of personal data. Enacted initially in 2012 and later amended in 2020, the law was implemented in phases. The first phase of amendments took effect on February 1, 2021. The Amendment Act represented the conclusion of a series of reviews and public consultations, bringing about several changes to the Personal Data Protection Act 2012.
The Act outlines rules for data protection in Singapore, with nine initial obligations for organizations: consent, purpose limitation, notification, access and corrections, accuracy, data protection, retention limitation, data transfer, and accountability. In 2020, a tenth obligation, the data breach notification, was introduced.
Telemarketing is also regulated by the PDPA, introducing the Do Not Call Registry for fax, text, and voice messages. Generally, sending a marketing message of the corresponding type to a number on any of these registers is prohibited.
The PDPA establishes the Personal Data Protection Commission (PDPC) as the regulatory authority responsible for enforcing these rules and offering guidance.
Who does Singapore PDPA apply to?
The PDPA’s main data protection obligations apply to all private sector organizations in Singapore, regardless of size, if they collect, use, or disclose the personal data of Singaporeans. It doesn’t impose obligations on:
- Individuals in personal or domestic capacities
- Employees during their work within an organization
- Public agencies
- Specific organizations or personal data as prescribed in the Act
The PDPA applies to organizations, even if they are not located in Singapore, if they collect, use, or share data within Singapore. For instance, overseas organizations gathering data from people in Singapore online must follow the PDPA’s data protection rules.
What is personal data in Singapore PDPA?
“Personal data” is information about a Singapore individual that can identify them, either on its own or when combined with other accessible information held by the organization.
Common examples include:
- Full name and identification numbers
- Contact details like phone number, email address, and physical address
- Photos and video recordings
- Employment information
- Medical records
- Bank account details
- Any combination of data like date of birth, address, and telephone number
Even anonymized data can be considered personal data if the individual is likely to be re-identified.
PDPA Singapore’s definition is similar to GDPR personal data.
What are the key obligations under the Singapore PDPA?
Under the PDPA, organizations have several key responsibilities regarding personal data that they must comply with:
- Consent – Organizations must obtain consent before collecting, using, or disclosing personal data. Individuals can withdraw consent.
- Purpose limitation – Personal data can only be collected, used, or disclosed for the purposes that individuals consent to.
- Notification – Organizations must notify individuals of the purposes for using their personal data.
- Access and correction – Individuals have the right to request access to and correction of their personal data.
- Accuracy – Organizations must make reasonable efforts to ensure personal data is accurate and complete.
- Protection – Organizations must protect personal data through security safeguards.
- Retention limitation – Organizations can only retain personal data for as long as necessary.
- Transfer limitation – The PDPA limits the overseas transfer of personal data. Organizations must meet data protection requirements comparable to the PDPA unless exempted by the PDPC.
- Accountability – Organizations are accountable for complying with the PDPA and must be open about their privacy policies and practices.
- Data breach notification – When there is a data breach, organizations are required to inform the PDPC within 3 calendar days of determining the severity of the breach.
What are the consent requirements in Singapore PDPA?
An organization can’t collect, use, or disclose personal data about an individual unless the individual gives consent under the law or unless the law permits the collection, use, or disclosure.
For consent to be valid:
- The individual must be provided with the required information about data processing.
- The consent must be provided per the Act’s requirements.
- Organizations cannot make consent a condition for service beyond what is reasonable.
- Organizations cannot obtain consent through deception or misleading practices.
An individual is “deemed” to consent if they voluntarily provide personal data to an organization and if it’s reasonable to assume such consent.
This applies to the porting of data as well. That is, if an individual consents to the disclosure of data to one organization, it’s considered consent for that data’s collection, use, or disclosure by another organization. The amendments to the Act introduced additional circumstances where deemed consent is allowed:
- Deemed consent for contract – In certain contract situations, consent is assumed for the data processing necessary to perform the contract.
- Deemed consent by notification – An individual is deemed to have given consent unless they explicitly notify the organization of their refusal within a specified period. This does not apply to collection, use, or disclosure for prescribed purposes.
Before collecting, using, or disclosing personal data, the organization must:
- Assess that it is unlikely to negatively affect the individual.
- Inform the individual of:
  - The intention to collect, use, or disclose the data.
  - The purpose of collection.
  - A reasonable timeframe and a way for the individual to withdraw consent.
- Meet any other prescribed requirements.
For the assessment, the organization must:
- Identify any potential negative effects.
- Take reasonable measures to eliminate the negative effects, reduce their likelihood, or mitigate them.
- Meet any other prescribed requirements.
Withdrawal of consent
An individual can withdraw consent at any time by giving notice to the organization. The organization must inform the individual about the likely consequences of withdrawing consent. Withdrawal does not prevent legal consequences from arising out of it.
Organizations do not require consent to process personal data if it is used for the following purposes:
- Vital interests: Covers emergencies or situations clearly in the individual’s interest, requiring prompt notification.
- Public matters: Focuses on publicly available data, national interest, artistic, archival, and news purposes.
- Legitimate interests: Allows for collection based on an organization’s legitimate interest, ensuring steps to minimize adverse effects.
- Business transactions: Describes data handling during business deals, requiring data destruction if transactions don’t proceed.
- Business improvement: Allows data use for improving services and understanding customer behavior under specific conditions.
Additional exemptions include research, public interest, and specific industry-related data handling.
What are the notification of purpose requirements in PDPA?
Organizations are restricted in the collection, use, and disclosure of personal data. They can only do so for purposes that a reasonable person would find appropriate in a given situation. Additionally, individuals must be informed about these purposes.
For the proper use of personal data, organizations must inform the individual about:
- The reasons for collecting, using, or disclosing their personal data at the time of collection.
- Any additional purposes not previously disclosed before the data is used or disclosed for those purposes.
- Contact information for inquiries regarding the collection, use, or disclosure of personal data.
What are the data rights under the Singapore PDPA?
Like many other privacy laws, Singapore PDPA also grants individuals certain rights over their personal data.
Right to access
Individuals have the right to request access to their personal data in an organization’s possession or under its control.
Upon receipt of the access request, the organization should respond to it as soon as reasonably possible, with:
- personal data that they have collected
- information about how the personal data has been used or disclosed within a year before the date of the request
The information should be made available in a readable format and organizations may charge a reasonable fee to respond to the requests.
Organizations can refuse access requests under certain circumstances, for instance, when such access will reveal personal data about another individual, when such access will be contrary to the national interest, or when the request is malicious in intent.
Right to correction
Individuals have the right to ask organizations to correct wrong personal data about them that the organization has or controls unless there are legal exceptions. The organization can refuse to correct if it has reasonable grounds. Organizations must also send corrected personal data to other organizations they disclosed it to within a year before the correction unless those organizations don’t need the corrected data.
Unlike access requests, organizations cannot charge fees for correction requests. If an organization cannot comply with an access or correction request within 30 days, it must inform the person in writing when it will respond.
Right to erasure
Under the Retention Limitation Obligation, organizations must stop keeping personal data when it is no longer needed for legal or business reasons.
Right to opt-out
Individuals can withdraw their consent for collecting, using, or sharing their personal data at any time by giving reasonable notice. However, withdrawing consent does not affect any legal consequences arising from the withdrawal.
Right to data portability
Not applicable right now; however, under the new data portability obligation, soon to be in effect, individuals can ask organizations to port their data to another organization. Unless an exception applies, organizations must send the requested data to the receiving organization following any requirements set.
There is no defined ‘right to be informed’ under the PDPA. However, under the Notification Obligation, organizations must notify individuals of the purposes for collecting, using, or disclosing their personal data before doing so. Organizations must also provide, on request, information about how personal data was used or disclosed in the past year.
Under the Accountability Obligation, organizations must have policies to meet PDPA obligations and make them available on request.
Under the Data Breach Notification Obligation, organizations must notify affected individuals about data breaches that cause or may cause significant harm, unless exceptions apply.
What is notifiable data breach in PDPA Singapore?
A data breach is defined in the PDPA as the unauthorized access, collection, use, disclosure, copying, modification, or disposal of personal data, or the loss of storage devices or media where personal data is stored and unauthorized access to the data is likely to occur.
If an organization has reason to believe a data breach affecting personal data has occurred, it must conduct an assessment reasonably and promptly to determine if the breach meets the thresholds to be considered a notifiable data breach.
A data breach is considered notifiable under the PDPA if:
- It results in, or is likely to result in, significant harm to any affected individual. Harm is deemed significant in prescribed circumstances related to the breach of certain types of sensitive data.
- It affects a significant number of individuals, deemed as not fewer than a prescribed minimum number of affected individuals.
- Other prescribed circumstances apply that render the breach notifiable.
If the organization assesses the breach to be notifiable, it must notify the PDPC within 3 calendar days of the assessment. This notification must contain prescribed details about the breach.
Organizations should notify each affected individual, unless exempted. Exemptions apply if actions are taken to prevent harm, law enforcement agencies instruct otherwise, or the PDPC grants a waiver.
The notifications to PDPC and affected individuals must be done as soon as practicable.
What are the fines and penalties under the Singapore PDPA?
The PDPC is responsible for enforcing the PDPA. If an organization violates the PDPA rules, the PDPC has the power to direct remedial measures which may include:
- Restricting collection, usage, or disclosure of personal data
- Removing or deleting personal data collected
- Providing access to or correcting personal data
Depending on the severity of the violation, the PDPC could also sanction a financial penalty of a maximum of 10% of the organization’s annual turnover in Singapore if the turnover exceeds SGD 10 million or up to SGD 1 million in other cases.
EU GDPR vs Singapore PDPA [Infographic]
The infographic compares the main differences and similarities between the GDPR and Singapore’s PDPA.
Checklist for Singapore PDPA compliance
- Obtain consent before collecting, using, or disclosing personal data
- Only collect, use, or disclose personal data for purposes that individuals consent to
- Notify individuals about the purposes for collecting, using or disclosing their personal data
- Allow individuals to access and correct their personal data upon request
- Take reasonable steps to ensure personal data is accurate and complete
- Implement security measures to protect personal data
- Only retain personal data as long as necessary
- Limit overseas transfers of personal data to countries with comparable protection
- Notify authorities and individuals promptly in case of a data breach
FAQ on Singapore PDPA
What is considered PDPA in Singapore?
The PDPA is Singapore’s main data protection law that governs the collection, use, and disclosure of personal data by organizations. It was implemented in phases starting in 2012.
What are the personal data examples in Singapore?
Personal data refers to any data that can be used to identify an individual. Common examples include driver’s licenses, email addresses, home addresses, employee details, medical records, data related to race, religion, politics, browsing history, biometrics (fingerprint, facial features, voice), etc.
What is covered under PDPA Singapore?
The Personal Data Protection Act (PDPA) establishes a comprehensive data protection framework in Singapore that applies to organizations collecting, using or disclosing personal data of individuals in Singapore, regardless of the organization’s location. It sets out key obligations relating to consent, purpose limitation, notification, individual rights like access and correction, accuracy, security, data retention and transfers, accountability, and data breach notification. Non-compliance can result in investigations, directions, and financial penalties imposed by the PDPC.