Personal Data Protection Act Singapore

December 20, 2022 By CBS

Personal data protection is an important consideration for businesses and individuals alike. In Singapore, the Personal Data Protection Act (PDPA) helps protect individuals’ personal data from misuse and abuse while ensuring that organizations are held responsible for its use. This blog post will provide an overview of the PDPA and how it affects businesses in Singapore.

Overview of the Personal Data Protection Act

The Personal Data Protection Act (PDPA) is a law that establishes a baseline standard of protection for personal data in Singapore. It applies to the processing of personal data by organisations within Singapore, whether such data is collected, used or disclosed inside or outside of Singapore. The PDPA also complements sector-specific legislative and regulatory frameworks such as the Banking Act and the Telecommunications Act.

The main provisions of the PDPA include the following:
• Regulations on the collection, use and disclosure of personal data by organisations
• Establishment of the Do Not Call registry
• Requirements for organisations to appoint a Personal Data Protection Officer
• Obligations of organisations and individuals under the PDPA
• Requirements for access and correction of personal data
• Limitations on overseas transfers of personal data
• Penalties for breaches of the PDPA
• Safe harbour provisions in Singapore’s PDPA
• Record-keeping obligations for organisations
• Right for individuals to make complaints about breaches of the PDPA
• Cybersecurity obligations under the PDPA

The Do Not Call Registry

The Do Not Call (DNC) Registry is a database in which individuals can register their Singapore telephone numbers to avoid receiving marketing messages from organisations. Under the Personal Data Protection Act (PDPA), organisations must check the DNC Registry before sending any marketing messages. Checking the registry is important both to ensure compliance with the PDPA and to protect consumers from unwanted marketing messages. The registry also gives individuals more control over the kind of messages they receive on their telephone, mobile phone or other devices.

What is a Personal Data Protection Officer?

A Personal Data Protection Officer (PDPO) is an appointed individual responsible for ensuring that an organisation complies with the Personal Data Protection Act (PDPA) and other related regulations. The PDPO oversees the organisation’s collection, use, and disclosure of personal data and must ensure that appropriate measures are taken to protect the data from unauthorized access and misuse. The PDPO is also responsible for monitoring compliance with the PDPA, handling queries and complaints related to personal data protection, and providing advice on data protection matters.

Obligations of Organisations and Individuals Under the PDPA

Organisations are responsible for personal data in their possession or under their control and must comply with the data protection obligations set out in the Personal Data Protection Act (PDPA). These obligations include obtaining an individual’s consent before collecting, using, or disclosing their personal data and taking reasonable security measures to protect the personal data from misuse, loss and unauthorized access.

Individuals also have certain rights and responsibilities regarding the collection and use of their personal data. These include the right to access personal data held by organisations, to correct errors or omissions in that personal data, and to withdraw consent for its collection, use or disclosure. Individuals are also responsible for ensuring that the information they provide to organisations with their personal data is accurate.

Requirements for Collection, Use and Disclosure of Personal Data

Under the Personal Data Protection Act 2012 (PDPA), organisations must obtain individuals’ consent to collect, use, or disclose their personal data unless such collection, use, or disclosure is required or authorised under the PDPA or any other written law. Section 18 of the PDPA provides that an organisation may collect, use or disclose personal data about an individual only for purposes that are reasonable and directly related to the purpose for which it was collected. Furthermore, organisations must take reasonable steps to ensure the personal data collected is accurate and up-to-date. Additionally, organisations must inform individuals of the purposes for which their personal data is collected, used and/or disclosed.

Organisations must also take reasonable steps to protect personal data from unauthorised access, collection, use, disclosure and similar risks. They must also inform the individuals from whom they have collected personal data of any access or correction requests made regarding that personal data. Finally, organisations may collect, use and disclose personal data without consent if one of the statutory exceptions in the PDPA applies, including where the collection, use or disclosure is necessary for legal compliance or for a legitimate purpose.

Accessing and Correcting Your Personal Data

You may request to access and/or correct the personal data currently in our possession or control by submitting a written request to us. We will assess your request in accordance with the provisions of the Personal Data Protection Act. If you can demonstrate that the personal data in our possession or control is inaccurate, outdated, incomplete, irrelevant or misleading, we will take all reasonable steps necessary to correct the data as soon as practicable. Please note that in certain circumstances, we may not be able to provide you with access to certain personal data.

When Can an Organisation Transfer Your Data Overseas?

Organisations in Singapore are subject to the Personal Data Protection Act 2012 (PDPA) when collecting, using or disclosing personal data. The Transfer Limitation Obligation, as stated in Section 26 of the PDPA, restricts an organisation’s capacity to transfer personal data outside of Singapore. Singapore has recognised regional certification for transferring personal data overseas.

For an organisation to transfer personal data outside of Singapore, the Transfer Limitation Obligation can be discharged in the following ways: (1) the recipient of the data provides the same standard of protection required by the PDPA; (2) the individual whose data is being transferred has given his or her written consent; or (3) the transfer is necessary for any investigation or proceedings. Organisations cannot transfer personal data outside of Singapore unless the recipient provides the same protection standard required by the PDPA.

The Act has an extraterritorial effect, meaning it applies to organisations collecting, using or disclosing personal data in Singapore, whether or not they are based in Singapore. Thus, where personal data is collected overseas and subsequently transferred to Singapore, the Data Protection Provisions will apply for such transfer. A data protection law will also enhance Singapore’s competitiveness and allow an organisation to transfer personal data to an overseas organisation that may not be subject to similar laws.

What Are the Penalties for Breaching the PDPA?

Organisations must adhere to the provisions of the PDPA, and failure to do so could lead to severe penalties. The amended PDPA empowers the Personal Data Protection Commission (PDPC) to impose fines for serious breaches of the Act. In addition, criminal sanctions may be imposed on individuals guilty of misusing personal data. For example, a financial penalty was imposed on Nature Society (Singapore) for breaches of the PDPA. The organisation failed to stop collecting, using or disclosing personal data in contravention of the Act and failed to destroy personal data collected in contravention of the data protection provisions. The new PDPA also makes it a criminal offence for individuals (including employees) to mishandle personal data or hide information concerning its collection, use, or disclosure. Penalties for such offences include fines or imprisonment of up to two years or both.

Safe Harbour Provisions in Singapore’s PDPA

The invalidation of the EU-US Safe Harbour regime effectively means that all transfers of personal data to the US by organisations in the European Union must now be done under the EU’s Model Clauses or Binding Corporate Rules. In light of this, Singapore has introduced Safe Harbour provisions in its Personal Data Protection Act 2012 (PDPA). The provisions set a framework for organisations to transfer personal data from Singapore to the US in compliance with the PDPA.

Organisations wishing to transfer personal data from Singapore to the US must apply for certification from the US Department of Commerce and demonstrate that their privacy policies and practices are substantially similar to those set out in the US-EU Safe Harbour Framework. Once certified, these organisations will be deemed as having provided adequate data protection as prescribed in the PDPA.

Record-Keeping Obligations for Organisations

The PDPA requires organisations to keep records of consent and other matters. This includes documents that show when, how and why personal data was collected, used and disclosed. Organisations must also maintain records of the purposes for which personal data is used and of the source of the personal data. These records must be kept for not less than one year.

Organisations must also ensure that any information they collect, use or disclose is accurate, complete and updated. They are also required to take reasonable steps to protect the personal data they hold from any unauthorised or accidental access. In addition, organisations must have a policy or practice to ensure personal data security. This includes having security measures such as access control and encryption.

Making a Complaint to the PDPC

The Personal Data Protection Commission (PDPC) is the government agency responsible for administering Singapore’s Personal Data Protection Act (PDPA). Individuals who believe an organisation has mishandled their personal data can file a complaint with the PDPC. Complaints can be filed via the PDPC’s online feedback form. Complainants will be asked to provide information about their complaint and the organisation involved. The PDPC will contact the organisation to investigate and respond to the complaint. If the organisation does not comply, the PDPC may impose a penalty or take other necessary action. The PDPC also encourages individuals to raise their concerns with the organisation before filing a complaint with the PDPC.

Cybersecurity Obligations Under the PDPA

The Cybersecurity Act of 2018 is a law that requires organisations to take measures to protect their systems and networks from unauthorised access, interference, or harm. Under the Cybersecurity Act, organisations must designate a cybersecurity officer and develop and implement an appropriate cybersecurity management program. The PDPA also requires organisations to perform due diligence on service providers and ensure reasonable steps are taken to protect personal data when transferred overseas. Organisations must also report data breaches to the Personal Data Protection Commission (PDPC) within 72 hours of becoming aware of them.