WHAT IS PDPA?

PERSONAL DATA

The Personal Data Protection Act 2012 (PDPA) is a Singapore law governing the collection, use, disclosure and care of personal data. It applies to individuals and organisations, whether registered or unregistered, for profit or non-profit. There are however exceptions as to whom it applies.

DO NOT CALL REGISTRY

The PDPA also establishes the Do Not Call (DNC) Registry which governs unsolicited telemarketing communications.

S$1 MILLION FINE

The PDPA came into full effect on 2nd July 2014. The highest possible financial penalty for breaching the PDPA is S$1 million.

ENFORCEMENT ACTION

As at September 2019, the Personal Data Protection Commission (PDPC), which administers and enforces the PDPA, fined 26 organisations a total of $1.25 million for violating the PDPA.

The PDPA imposes 9 general obligations.

​1. Consent Obligation

(PDPA sections 13 to 17) An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.

2. Purpose Limitation Obligation

(PDPA section 18) An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.

3. Notification Obligation

(PDPA section 20) An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data.

4. Access and Correction Obligation

(PDPA sections 21 and 22) An organisation must, upon request:

  • provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and

  • correct an error or omission in an individual’s personal data that is in the possession or under the control of the organisation.

5. Accuracy Obligation
 

(PDPA section 23) An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be –

  • used by the organisation to make a decision that affects the individual concerned; or

  • disclosed by the organisation to another organisation

6. Protection Obligation
 

(PDPA section 24) An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

7. Retention Obligation
 

(PDPA section 25) An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that:

  • the purpose for which the personal data was collected is no longer being served by retention of the personal data; and

  • retention is no longer necessary for legal or business purposes.

8. Transfer Limitation Obligation
 

(PDPA section 26) An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.

9. Openness Obligation
 

(PDPA sections 11 and 12) An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.

Unsure if you are PDPA compliant? Try our free self-assessment tool now.

PDPA SINGAPORE COMPLIANCE & TEMPLATES

Need to check / audit if you are compliant with the Singapore Personal Data Protection Act 2012?

Need free legal templates and sample clauses for your data protection policy / standard operating procedures (SOP), standard forms, terms & conditions and contracts / agreements?

This website provides a free self-assessment self-guided tool for your PDPA compliance needs.

Up to $1,000,000 fine

Why risk being penalised up to $1,000,000 for breaching the PDPA?

Why risk losing goodwill, reputation, trust and clients?

Why risk being sued in a civil claim for personal data breaches?

Why risk a regulatory offence inquiry?

Thank you for visiting the PDPA Singapore Compliance & Template site. We intend to provide general information on the law, which should not be construed as legal advice at all. If you are looking for advice on a specific matter, you are encouraged to contact us directly. We strongly advise you to not disclose personal or confidential information until a lawyer client relationship has been established.

PDPA SINGAPORE COMPLIANCE & TEMPLATES

T 6635 8885

F 6635 8720

Covenant Chambers LLC

8 Eu Tong Sen Street #12-96, Clarke Quay Central, Singapore 059818

  • Black Blogger Icon

© RONALD JJ WONG