The Personal Data Protection Act (PDPA) is Singapore’s comprehensive data protection legislation, enacted in 2012 and substantially amended by the Personal Data Protection (Amendment) Act 2020, whose provisions took effect in phases from 2021. It aims to safeguard personal data while enabling organizations to use such data responsibly to deliver services. The PDPA also supports Singapore’s vision of being a trusted data hub in the global economy.
Improvements in the 2021 Amendment
The 2021 amendments introduced critical updates to enhance the PDPA’s framework:
- Mandatory Data Breach Notification: Organizations must notify the Personal Data Protection Commission (PDPC) of a data breach that results in, or is likely to result in, significant harm to affected individuals, or that affects 500 or more individuals. Affected individuals must also be notified where the breach is likely to result in significant harm to them.
- Increased Penalties: Maximum fines were raised to strengthen accountability. Organizations can now face financial penalties of up to 10% of their annual turnover in Singapore if that turnover exceeds S$10 million, or up to S$1 million in other cases.
- Deemed Consent and New Exceptions: Deemed consent was expanded to cover processing that is reasonably necessary to perform a contract with the individual (deemed consent by contractual necessity) and processing the individual has been notified of and given a reasonable opportunity to opt out of (deemed consent by notification). Separate exceptions to the consent requirement were added for legitimate interests and for business improvement purposes.
- Data Portability Obligation: A new obligation, to be brought into force in phases, allows individuals to request that their personal data be transmitted to another organization.
Key Components of the PDPA
The PDPA is built on several key components that guide organizations in handling personal data responsibly:
- Consent: Organizations must obtain consent before collecting, using, or disclosing personal data, unless deemed consent or a statutory exception applies.
- Purpose Limitation: Personal data may only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate and that the individual has been notified of.
- Access and Correction Rights: Individuals have the right to access their personal data held by an organization, to be told how it has been used or disclosed in the past year, and to request corrections if necessary.
- Protection: Organizations must make reasonable security arrangements to protect personal data in their possession or control against unauthorized access, collection, use, disclosure, copying, modification, or disposal.
- Retention Limitation: Data must not be retained once the purpose for which it was collected is no longer served by retention and retention is no longer necessary for legal or business purposes.
- Data Breach Management: Organizations must have measures in place to detect, assess, contain, and report data breaches promptly.
- Transfer Limitation: Personal data may only be transferred outside Singapore where the recipient is bound to provide a standard of protection comparable to the PDPA, for example through contractual obligations or binding corporate rules.
Who Does the PDPA Apply To?
The PDPA applies to:
- Organizations: All private sector entities, including companies, partnerships, and non-profits, that collect, use, or disclose personal data in Singapore, whether or not they are formed or based in Singapore.
- Individuals: Persons acting in a business capacity. The Act does not apply to individuals acting in a personal or domestic capacity, or to employees acting in the course of their employment.
Public agencies are excluded from the PDPA’s scope; their handling of personal data is governed separately, including under the Public Sector (Governance) Act 2018.
Enforcement Body and Penalties
The Personal Data Protection Commission (PDPC) is the regulatory authority responsible for enforcing the PDPA. It oversees compliance, provides guidance, and investigates complaints or breaches.
Penalties for Non-Compliance
The PDPA includes strict penalties for organizations and individuals that fail to meet their obligations:
- Financial Penalties:
- Up to 10% of annual turnover in Singapore for organizations with turnover exceeding S$10 million.
- Up to S$1 million for other organizations.
- Do Not Call (DNC) Provisions:
- Individuals: Fines up to S$200,000.
- Organizations: Fines up to S$1 million.
- Address-Harvesting Software and Dictionary Attacks (using software to collect electronic addresses, or generating addresses or telephone numbers by permuting characters, in order to send unsolicited messages):
- Individuals: Fines up to S$200,000.
- Organizations: Up to 5% of annual turnover (if turnover exceeds S$20 million) or S$1 million.
With these amendments, the PDPA reflects Singapore’s commitment to upholding robust data protection standards in a dynamic digital era. Organizations should ensure full compliance not only to avoid penalties but also to build trust and accountability in their operations.
PDPA Solutions
Advoke International provides comprehensive solutions tailored to support your organization in achieving full compliance with the PDPA.
- PDPA Gap Analysis
- Privacy Framework Implementation
- PDPA Readiness Assessment
- Complete PDPA Compliance Review
Frequently Asked Questions
What should organizations do if a data breach occurs?
Organizations must assess the breach promptly and, if it is notifiable (it results in or is likely to result in significant harm, or it affects 500 or more individuals), notify the Personal Data Protection Commission (PDPC) within three calendar days of making that determination. Affected individuals must also be notified where the breach is likely to result in significant harm to them, unless an exception applies, such as where remedial action has been taken that makes significant harm unlikely.
How does the PDPA handle marketing and advertising activities?
The PDPA includes Do Not Call (DNC) provisions that prohibit organizations from sending marketing messages (calls, texts, or faxes) to Singapore telephone numbers listed on the DNC Registry. Before sending such a message, an organization must check the Registry unless it holds the recipient’s clear and unambiguous consent to receive it. Violations can result in financial penalties of up to S$1 million for organizations.
What is “data portability”, and why is it important?
Data portability allows individuals to request their data be transferred between organizations in a commonly used format. This empowers individuals to switch service providers while maintaining control over their personal data, fostering competition and innovation.
Can personal data be anonymized under the PDPA?
Yes. Organizations can anonymize data by removing or transforming identifiers, and data that has been properly anonymized is no longer considered “personal data” and falls outside the Act. The important caveat is that data counts as anonymized only if there is no serious possibility that an individual could be re-identified from it, alone or combined with other information the organization holds or could reasonably obtain. Pseudonymized data, where a key or lookup table that restores identities is retained, remains personal data.
What should small businesses know about the PDPA?
Small businesses must comply with the PDPA in the same way as larger organizations. They should:
- Clearly inform customers about data collection purposes.
- Avoid collecting unnecessary personal data.
- Store data securely and for only as long as necessary.
- Regularly educate staff about data protection practices.