Quahe Woo & Palmer LLC
The following law(s) specifically govern personal data / information:
Personal Data Protection Act 2012 (“PDPA”)
The key data protection principles in this jurisdiction are:
- The PDPA comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. There are two main sections of the PDPA: the Data Protection Provisions and the Do Not Call Provisions. Organisations are required to comply with both sets of provisions.
- In brief, the Data Protection Provisions of the PDPA deal with the following matters:
  - Having reasonable purpose, notification of purpose and obtaining consent for the collection, use or disclosure of personal data;
  - Allowing individuals to access and correct their personal data;
  - Taking care of personal data (which relates to ensuring accuracy), protecting personal data (including protection in the case of international transfers) and not retaining personal data if no longer needed;
  - Notifying the Personal Data Protection Commission (“PDPC”) and affected individuals of data breaches; and
  - Having policies and practices to comply with the PDPA.
- Organisations are required to comply with the following data protection obligations if they undertake activities relating to the collection, use or disclosure of personal data:
  - Accountability Obligation
  - Notification Obligation
  - Consent Obligation
  - Purpose Limitation Obligation
  - Accuracy Obligation
  - Protection Obligation
  - Retention Limitation Obligation
  - Transfer Limitation Obligation
  - Access and Correction Obligation
  - Data Breach Notification Obligation
  - Data Portability Obligation (not yet in force)
- The Do Not Call Provisions contain a number of obligations that apply in relation to persons sending specified messages to Singapore telephone numbers. In brief, such persons are required to comply with the following obligations:
  - Duty to check the DNC Register – before a person sends a specified message to a Singapore telephone number, the person must check with the DNC Registry established by the Commission under the PDPA (the “DNC Registry”) to confirm that the number is not listed on the DNC Register established by the Commission as part of the DNC Registry, unless the person has obtained clear and unambiguous consent in evidential form from the user or subscriber of the number; and
  - Duty to identify the sender of a message – when sending a specified message to a Singapore telephone number, the person must:
    - include information identifying the sender and how the recipient can contact the sender; and
    - for voice calls, not conceal or withhold from the recipient the sender’s calling line identity / number.
The supervisory authority / regulator in charge of data protection is:
Personal Data Protection Commission
Is there a requirement to register with a supervisory authority / regulator?
There is no need to register with the PDPC before collecting or processing personal data.
While there is no requirement to register an organisation’s Data Protection Officer, an organisation may register the Data Protection Officer with the PDPC to receive updates on the PDPA.
Is it possible to register with / notify the supervisory authority / regulator online?
Yes - The PDPC may be contacted by email or through its online forms (e.g. for feedback, complaints, notification of a data breach, or voluntary registration of a DPO).
Is there a requirement to notify the supervisory authority / regulator?
There is no need to notify the PDPC before collecting or processing personal data.
In the event of a data breach, organisations must take steps to assess if it is notifiable. If the data breach likely results in significant harm to individuals, and/or is of significant scale, organisations are required to notify the PDPC and the affected individuals as soon as practicable.
The key data subject rights under the data protection laws of this jurisdiction are:
Data subjects have the following rights, including but not limited to:
- Right to withdraw consent to the collection, use or disclosure of his/her personal data;
- Right to be informed of the purpose for which an organisation intends to collect, use or disclose an individual’s personal data before such collection, use or disclosure;
- Right to request for an organisation’s data protection policies and practices;
- Right to notification in the event of a data breach;
- Right to access his/her personal data in the possession or control of an organisation; and
- Right to correct his/her personal data in the possession or control of an organisation.
Is there a requirement to appoint a data protection officer (or equivalent)?
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
The PDPC encourages organisations to establish an Enterprise Risk Management (ERM) framework with monitoring and reporting mechanisms (i.e. regular risk reporting and internal audit) that addresses personal data protection issues. This structure provides clarity on the direction and manner in which an organisation manages personal data protection risks, among other things.
Does this jurisdiction have any specific data breach notification requirements?
Yes - In the event of a data breach, organisations must take steps to assess if it is notifiable. If the data breach likely results in significant harm to individuals, and/or is of significant scale, organisations are required to notify the PDPC and the affected individuals as soon as practicable.
The following restrictions apply to the international transfer of personal data / information:
Personal data may only be transferred to another country according to the requirements prescribed under the regulations, to ensure that the standard of protection is comparable to the protection under the PDPA, unless exempted by the PDPC.
The PDPA and the PDPC do not prescribe transfer tools or mechanisms in order to make the transfer “lawful”.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)
Yes – The data privacy obligations are imposed on any “organization”, which is broadly defined under the PDPA to include any individual, company, association or body of persons, corporate or unincorporated, whether or not the organisation:
- was formed or is recognized under the laws of Singapore; or
- is resident or has an office or a place of business in Singapore.
Are there rules that specifically deal with marketing:
Yes - The PDPA regulates the sending of marketing messages to Singapore telephone numbers (Do Not Call Provisions), and the collection, use and disclosure of individuals’ personal data (Data Protection Provisions).
The sending of unsolicited commercial electronic messages in bulk is covered under the Spam Control Act (“SCA”). Among other requirements, the SCA requires organisations to:
- provide an unsubscribe facility within the bulk message; and
- include a header in the subject field of the message, or as the first words in a message with no subject field.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes – The PDPA generally does not protect business contact information. Business-to-business marketing is excluded from the Do Not Call Provisions of the PDPA.
Are there rules that specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
No – The PDPA does not have rules specifically dealing with electronic marketing.
Are there rules that specifically deal with cookies:
No – The PDPA does not have rules specifically dealing with cookies. The data protection principles under the PDPA apply to cookies if the cookies collect personal data.
The consequences of non-compliance with data protection laws (including marketing laws) are:
If the PDPC finds that an organisation has breached any of the PDPA provisions, the PDPC will direct the organisation to take steps to ensure compliance, such as to:
- Stop collecting, using or disclosing personal data in contravention of the PDPA;
- Destroy personal data collected in contravention of the PDPA;
- Provide access to or correct the personal data; and/or
- Pay a financial penalty.
The current maximum financial penalty of S$1 million will be increased to the higher of: (i) 10% of the organisation’s annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds S$10 million); and (ii) in any other case, S$1 million. This change will not come into force until at least February 2022.
Individuals may be criminally prosecuted in certain limited circumstances for the egregious mishandling of personal data, including:
- The knowing or reckless unauthorised disclosure of personal data;
- The knowing or reckless unauthorised use of personal data for a gain, or to cause harm or loss to another person;
- The knowing or reckless unauthorised reidentification of anonymised information.
Individuals found guilty of any of these offences are subject to a fine not exceeding S$5,000 or to imprisonment for a term not exceeding two years, or both.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?
The PDPA has “extra-territorial effect” on organisations outside of Singapore. As such, a foreign organisation that is collecting personal data in Singapore needs to be aware of and comply with the PDPA.
Multinational organisations should be aware of the following upcoming data protection developments:
Yes – Updates on the data portability obligation and increased financial penalties will be announced soon.