Personal Data Protection Act (PDPA) Singapore

    Overview

    The Singapore Personal Data Protection Act (PDPA) establishes a comprehensive data protection framework to safeguard personal data while ensuring that businesses can use data responsibly for legitimate purposes. It governs the collection, use, and disclosure of personal data by organizations in Singapore and introduces requirements such as consent, notification, and security measures. Updated in 2020 by the Amendments, the PDPA incorporates provisions for data breach notifications and data portability, aiming to address the evolving landscape of data protection.

     

    Regulation Summary

    Timeline
    • October 15, 2012: Enactment of the PDPA.
    • July 2, 2014: Full enforcement of the PDPA.
    • February 1, 2021: Amendments to strengthen enforcement and introduce mandatory breach notifications.
    What Businesses Are Affected
    • All private sector organizations collecting, using, or disclosing personal data in Singapore.
    • Foreign businesses operating in Singapore or handling the data of Singaporean residents.
    • Excludes government agencies, public authorities, and individuals handling data for personal use.
    Exemptions
    • Personal data collected for personal or domestic purposes.
    • Business contact information used solely for professional communications.
    • Data processed under national security or law enforcement purposes.
    Responsibilities for Businesses
    • Obtain clear and informed consent before collecting personal data.
    • Ensure data is used only for specific, disclosed purposes.
    • Provide individuals with access to and the ability to correct their data.
    • Maintain reasonable security measures to protect against breaches.
    • Notify the PDPC and affected individuals of data breaches.
    • Ensure compliance for international data transfers.
    Specific Responsibilities for Website Owners
    • Implement cookie consent mechanisms.
    • Maintain a clear and accessible privacy policy.
    • Secure online data collection and processing.
    • Provide users with easy access to opt-out and data control mechanisms.
    Additional Requirements
    • Cross-Border Data Transfers: Companies must ensure data transfers provide comparable protection.
    • Privacy Impact Assessments: Required for high-risk processing activities.
    • Data Protection Officers (DPOs): Mandatory for organizations handling significant volumes of personal data.
    Data Subject Rights
    • Access: Request access to personal data held by an organization.
    • Correction: Rectify inaccurate or outdated personal information.
    • Withdrawal of Consent: Opt-out of data processing.
    • Objection: Restrict data use for specific purposes.
    Enforcement
    • Regulatory Authority: Personal Data Protection Commission (PDPC).
    • Penalties: Fines up to SGD 1 million (~USD 740,000) or 10% of annual turnover for serious violations.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596