Quahe Woo & Palmer LLC


What law(s) specifically govern personal data / information?

Personal Data Protection Act 2012 (the “PDPA”)


What are the key data protection principles in this jurisdiction?

The PDPA comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. The PDPA contains two main sets of provisions, covering data protection and the national Do Not Call Registry.

The personal data obligations under the PDPA are summarised as follows:

  • Consent Obligation – organisations may only collect, use or disclose personal data for purposes to which the individual has given consent;
  • Purpose Limitation Obligation – organisations may only collect, use or disclose personal data for the purposes that a reasonable person would consider appropriate under the given circumstances and for which the individual has given consent;
  • Notification Obligation – organisations should notify individuals of the purposes for which their personal data is being collected, used and/or disclosed;
  • Access and Correction Obligations – upon request, organisations have to provide individuals with access to their personal data as well as information about how their data was used or disclosed within a year before the request, and correct any error or omission where required by the individual;
  • Accuracy Obligation – organisations should make reasonable efforts to ensure that the personal data collected is accurate and complete;
  • Protection Obligation – organisations should implement reasonable security arrangements to protect the personal data in their possession to prevent unauthorised access, collection, use, disclosure or similar risks;
  • Retention Limitation Obligation – organisations should cease retention of personal data or dispose of it in a proper manner when it is no longer needed for any business or legal purpose;
  • Transfer Limitation Obligation – organisations must not transfer any personal data to a territory outside Singapore except in accordance with the requirements prescribed under the PDPA, i.e. to ensure that the standard of protection is comparable to the protection under the PDPA;
  • Data Breach Notification Obligation – in the event of a data breach, organisations must take steps to assess if it is notifiable, and if so, notify the Personal Data Protection Commission (the “PDPC”) and affected individuals as soon as practicable; and
  • Accountability Obligation – organisations must undertake measures to ensure that they meet their obligations under the PDPA, such as making information about their data protection policies, practices and complaints process available upon request, designating a data protection officer and making that officer’s business contact information available to the public.

The PDPA also deals with the establishment of Singapore’s national Do Not Call Registry and the following obligations of organisations relating to the sending of certain marketing messages to Singapore telephone numbers:

  • checking the Do Not Call Registry to confirm whether the Singapore telephone number is listed on it;
  • providing information on the individual or organisation who sent or authorised the sending of the marketing message; and
  • not concealing or withholding the calling line identity of the sender of the marketing message.


What is the supervisory authority / regulator in charge of data protection?

Personal Data Protection Commission (the “PDPC”)


Is there a requirement to register with a supervisory authority / regulator?

Organisations are not required to register with the PDPC before collecting or processing personal data.

While there is no requirement to register an organisation’s designated data protection officer (“DPO”), an organisation may register its DPO with the Accounting and Corporate Regulatory Authority (“ACRA”), the registry of companies, to meet its obligation of making its DPO’s business contact information publicly available. According to the PDPC, DPO registration with ACRA is unavailable as of 1 December 2024 until further notice, and organisations wishing to register a new DPO or update existing DPO information can do so through the online form available on the PDPC’s website.


Is there a requirement to notify the supervisory authority / regulator?

Organisations are not required to notify the PDPC before collecting or processing personal data.

In the event of a data breach, organisations must take steps to assess if the data breach is notifiable. If the data breach is likely to result in significant harm to individuals, and/or is of significant scale, organisations are required to notify the PDPC and the affected individuals as soon as practicable.


Is it possible to register with / notify the supervisory authority / regulator online?

Yes – The PDPC may be contacted by email or through their online forms (e.g. for feedback, complaints, notification of data breach, voluntary registration of DPO).


What are the key data subject rights under the data protection laws of this jurisdiction?

Under the PDPA, data subjects have certain rights relating to their personal data, including but not limited to the following:

  • right to withdraw consent to the collection, use or disclosure of the data subject’s personal data;
  • right to be informed of the purpose for which an organisation intends to collect, use or disclose the data subject’s personal data before such collection, use or disclosure;
  • right to request information on an organisation’s data protection policies and practices;
  • right to notification in the event of a data breach;
  • right to access the data subject’s personal data in the possession or control of an organisation; and
  • right to correct the data subject’s personal data in the possession or control of an organisation.


Is there a requirement to appoint a data protection officer (or equivalent)?

Yes – Under the PDPA, organisations must designate at least one data protection officer who shall be responsible for ensuring that the organisation complies with the PDPA, and whose business contact information must be made available to the public.


Do data protection / privacy impact assessments need to be carried out in certain circumstances?

There is no standalone requirement to conduct a data protection risk assessment under the PDPA. Notwithstanding, there are certain scenarios in the PDPA in which organisations are required to undertake an assessment, for example, if an organisation seeks to rely on the concept of deemed consent by notification or the legitimate interests exceptions under the PDPA.

The PDPC encourages organisations to conduct a data protection impact assessment to identify, assess and address personal data protection risks based on the organisation’s functions, needs and processes. The PDPC also suggests that data protection risks are best addressed when an organisation’s system or process is new and still being designed, or when it is undergoing major changes.


Does this jurisdiction have any specific data breach notification requirements?

Yes – In the event of a data breach, organisations must take steps to assess if the data breach is notifiable. If the data breach is likely to result in significant harm to individuals, and/or is of significant scale, organisations are required to notify the PDPC and the affected individuals as soon as practicable.


What restrictions apply to the international transfer of personal data / information?

The PDPA provides that an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA, i.e. to ensure that organisations provide a standard of protection to transferred personal data that is comparable to the protection under the PDPA.

The Personal Data Protection Regulations 2021 specify the conditions under which an organisation may transfer personal data overseas. In essence, an organisation may transfer personal data overseas if it has taken appropriate steps to ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications to provide the transferred personal data a standard of protection that is comparable to that under the PDPA.


Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes – While the PDPA does not contain express provisions on its territorial effect, the PDPA is intended to apply to any “organisation” (which is broadly defined to cover natural persons, corporate bodies (such as companies) and unincorporated bodies of persons (such as societies / associations), regardless of whether they are formed or recognised under the law of Singapore or whether they are resident or have an office or place of business in Singapore) in respect of activities relating to the collection, use and disclosure of personal data in Singapore.


What rules specifically deal with marketing?

Generally, an organisation that wishes to send marketing messages should first obtain the clear and unambiguous consent of the individual to the sending of such marketing messages.

In the absence of such consent, organisations must, prior to sending marketing messages to a Singapore telephone number, check and ensure that the Singapore telephone number is not on Singapore’s national Do Not Call Registry. There are also other requirements, including a duty to identify the sender of the marketing message and provide clear and accurate contact information, as well as a duty not to conceal the calling line identity of any voice calls containing such marketing messages.

The sending of unsolicited commercial electronic messages in bulk is covered under the Spam Control Act 2007, which provides, amongst others, that organisations are required to:

  • provide an unsubscribe facility within the bulk message; and
  • include a header in the subject field of the message, or as the first words in a message with no subject field.


Do different rules apply to business-to-business and business-to-consumer marketing?

Yes – The PDPA generally does not protect business contact information, and business-to-business marketing is excluded from the Do Not Call provisions of the PDPA.


What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.)?

The PDPA does not have rules that specifically deal with electronic marketing. The data protection principles under the PDPA apply to all forms of marketing insofar as they involve the collection, use and disclosure of personal data. Generally, an organisation that wishes to send marketing messages should first obtain the clear and unambiguous consent of the individual to the sending of such marketing messages.

In addition, the PDPA contains provisions relevant to telephone (calls, SMS and MMS) and fax marketing. In the absence of clear and unambiguous consent of the individual to receiving marketing messages at a Singapore telephone number, organisations must, prior to sending such marketing messages, check and ensure that the Singapore telephone number is not on Singapore’s national Do Not Call Registry. There are also other requirements, including a duty to identify the sender of the marketing message and provide clear and accurate contact information, as well as a duty not to conceal the calling line identity of any voice calls containing such marketing messages.

The sending of unsolicited commercial electronic messages in bulk is covered under the Spam Control Act 2007, which provides, amongst others, that organisations are required to:

  • provide an unsubscribe facility within the bulk message; and
  • include a header in the subject field of the message, or as the first words in a message with no subject field.


What rules specifically deal with cookies?

The PDPA does not have rules that specifically deal with cookies. However, the PDPC has provided guidance on the safe use of cookies, which indicates that if the data collected from monitoring or profiling activities constitutes personal data, the organisation would be required to comply with the PDPA.


What are the consequences of non-compliance with data protection laws (including marketing laws)?

If the PDPC finds that an organisation has breached any of the PDPA provisions, the PDPC may direct the organisation to take steps to ensure compliance, such as to:

  • stop collecting, using or disclosing personal data in contravention of the PDPA;
  • destroy personal data collected in contravention of the PDPA;
  • provide access to or correct the personal data; and/or
  • pay a financial penalty.

The maximum financial penalty that may be imposed for a breach of the data protection obligations under the PDPA is 10% of the organisation’s annual turnover in Singapore if that turnover exceeds S$10 million, and S$1 million in any other case.

The maximum financial penalty that may be imposed for a breach of the Do Not Call Registry provisions under the PDPA is S$1 million. For more egregious cases, the financial penalty may be up to 5% of the organisation’s annual local turnover. Individuals in breach are liable to a financial penalty of up to S$200,000.


In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

The PDPA has territorial and extraterritorial applicability and applies to any organisation that collects, uses and discloses personal data in Singapore.

Organisations which are data intermediaries are partially excluded from the application of the data protection provisions under the PDPA. A data intermediary that processes personal data on behalf of and for the purposes of another organisation, pursuant to a contract which is evidenced or made in writing, will only be subject to the data protection provisions relating to the:

  • protection of personal data (i.e. the “Protection Obligation”);
  • retention of personal data (i.e. the “Retention Limitation Obligation”); and
  • notification of data breaches to the organisation on whose behalf the data is processed (i.e. the “Data Breach Notification Obligation”).


What upcoming data protection developments should multinational organisations be aware of?

Singapore intends to introduce an additional data protection obligation, namely the data portability obligation, pursuant to which an organisation, upon receiving a data porting request from an individual, must transmit the applicable data specified in the request to the organisation specified in the request, in accordance with any prescribed requirements, such as requirements relating to technical, user experience and consumer protection matters.

Contacts:
Christopher Woo
Quahe Woo & Palmer LLC
Singapore


Shilei Wee
Quahe Woo & Palmer LLC
Singapore


Yi Shyuan Hoon
Quahe Woo & Palmer LLC
Singapore