Data Protection in Singapore

The main law in Singapore relating to the protection of individuals’ personal data is the Personal Data Protection Act 2012 (PDPA). The PDPA was enacted in 2012 with the aim of governing the collection, use and disclosure of personal data by organisations. It recognises the right of individuals to protect their personal data and the needs of organisations to collect and use personal data for appropriate purposes.

The PDPA also provides for the establishment of a national Do Not Call registry. Companies engaged in certain telemarketing practices must comply with the PDPA’s Do Not Call requirements.

The PDPA is enforced by Singapore’s national data protection authority, the Personal Data Protection Commission (PDPC). The PDPC is led by the Commissioner for Personal Data Protection. For more information about the PDPC, you may visit the PDPC website at www.pdpc.gov.sg.

Scope of the PDPA

The PDPA applies to an organisation’s collection, use, disclosure or other processing of personal data in Singapore. This includes situations where personal data is collected in Singapore and transferred to another country for further processing.

Personal data refers to data about an identifiable individual, that is, an individual who can be identified from that data alone, or from that data together with other information to which the organisation has or is likely to have access. The PDPA does not list specific items of personal data. Based on this general definition, examples would include an individual’s name, contact information, location data, biographical information and physiological information (amongst others).

Organisations subject to the PDPA include any individual, company, association or body of persons, regardless of where they are established, resident or have an office or place of business. However, the PDPA does not apply to individuals acting in a personal or domestic capacity or as an employee. Also, the processing of personal data by public agencies is governed by another law, the Public Sector (Governance) Act 2018.

In general, an organisation may be referred to as either of the following in relation to particular data processing activities:

  • Data intermediary: Where an organisation processes personal data on behalf of and for the purposes of another organisation.  
  • Data controller: Where an organisation processes personal data for its own purposes or where it engages another organisation (that is, a data intermediary) to process personal data on its behalf and for its purposes.

Processing Obligations of Data Controllers

Data controllers have the following obligations under the PDPA. If a data controller engages a data intermediary to process personal data on its behalf, it must ensure that these obligations are met in the course of processing by its data intermediary.

  1. Purpose Limitation Obligation: An organisation may only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances and, if required under the PDPA, that have been notified to the individual concerned.

  2. Notification Obligation: An organisation must notify individuals of its purposes for collection, use and disclosure of their personal data. In general, notification is not required in situations where an individual is deemed to consent to collection, use or disclosure of their personal data or the collection, use or disclosure (without the individual’s consent) is required or permitted under any written law.

  3. Consent Obligation (Legal Bases for Processing Personal Data): An organisation must not collect, use or disclose personal data unless:

  1. the individual consents, or is deemed to consent, to the collection, use or disclosure, or
  2. collection, use or disclosure without the individual’s consent is required or permitted under any written law.

The PDPA specifies a number of situations where collection, use or disclosure without consent is permitted. These are broadly categorised as follows:

  1. Vital interests of individuals
  2. Matters affecting the public
  3. Legitimate interests of organisations
  4. Business asset transactions
  5. Business improvement purposes
  6. Research

  4. Accuracy Obligation: An organisation must make a reasonable effort to ensure that personal data is accurate and complete if the data is likely to be used by the organisation to make a decision affecting the individual, or disclosed to another organisation.

  5. Protection Obligation: An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks.

  6. Data Breach Notification Obligation: In the event of a data breach, an organisation must assess whether the data breach is notifiable under the PDPA and, if so, notify the PDPC as soon as practicable and in any case no later than 3 calendar days after the day it determines that the breach is notifiable. Where the breach is likely to result in significant harm to affected individuals, the organisation must also notify those individuals.

  7. Retention Limitation Obligation: An organisation must cease to retain documents containing personal data, or anonymise the data, as soon as it is reasonable to assume that the purpose for which the data was collected is no longer being served by retention and retention is no longer necessary for any legal or business purpose.

Processing Obligations of Data Intermediaries

A data intermediary must comply with the following obligations in relation to personal data it is processing on behalf of and for the purposes of another organisation.

  1. Protection Obligation: A data intermediary must protect personal data in its possession or under its control by using reasonable security arrangements.

  2. Data Breach Notification Obligation: In the event of a data breach affecting personal data a data intermediary is processing for another organisation, the data intermediary must notify the other organisation without undue delay.

  3. Retention Limitation Obligation: A data intermediary must cease to retain documents containing personal data or anonymise the data when the data is no longer necessary for any business or legal purpose.

Rights of Individuals

Individuals have the following rights under the PDPA in relation to their personal data.

  1. Right of access: An individual may make a request for access to their personal data which is in the possession or under the control of an organisation. Data controllers are responsible for responding to access requests in accordance with the PDPA.

  2. Right of correction: An individual may make a request for a correction to be made to an error or omission in their personal data which is in the possession or under the control of an organisation. Data controllers are responsible for responding to correction requests in accordance with the PDPA.

  3. Right to withdraw consent: An individual may withdraw consent to the collection, use or disclosure of their personal data at any time by giving reasonable notice. On receiving the notice, the organisation must inform the individual of the likely consequences of withdrawing consent; the withdrawal itself does not affect any legal consequences that arise from it. Data controllers that receive a withdrawal of consent must cease to collect, use or disclose the personal data (as the case may be) unless continued collection, use or disclosure without the individual’s consent is required or permitted by any written law.

  4. Right to request a review: An individual may apply to the PDPC for a review of a failure or refusal by an organisation to provide access or make a correction to their personal data (pursuant to the individual’s rights of access and correction), or of a fee imposed by an organisation to respond to an access request.

  5. Right to make a complaint: An individual may make a complaint to the PDPC if they believe that an organisation is not complying with the PDPA in relation to the collection, use, disclosure or other processing of their personal data. If the PDPC determines that an organisation has not complied with the PDPA, the PDPC may (amongst other actions) direct the organisation to stop collecting, using or disclosing the personal data in contravention of the PDPA or to destroy personal data collected in contravention of the PDPA.

  6. Right to request reconsideration and to appeal: An individual complainant who is aggrieved by a decision or direction of the PDPC under the PDPA may apply to the PDPC for reconsideration of its decision or direction, or appeal against that decision or direction to the Data Protection Appeal Panel (with the possibility of further appeals to the courts in certain circumstances).

  7. Right of private action: An individual may commence legal proceedings against an organisation where they have suffered loss or damage directly as a result of a contravention of the PDPA by the organisation.

  8. Right to data portability (Note: Not yet in force): When the relevant provisions in the PDPA come into force, an individual will be able to request that an organisation transmit any of their personal data which is in the organisation’s possession or under its control to another organisation.

Cross-border Transfers of Personal Data

Data controllers that seek to transfer personal data from Singapore to another country or territory must comply with requirements prescribed under the PDPA to ensure that the transferred data is protected to a standard that is comparable to the protection under the PDPA.

In particular, the relevant regulations under the PDPA stipulate that a transferring organisation must take appropriate steps before the transfer to ascertain whether, and to ensure that, the recipient of the transferred personal data is bound by legally enforceable obligations to protect the data to a standard comparable to that under the PDPA (subject to some exceptions). In this regard, transferring data under a contract or binding corporate rules that meet the requirements of the regulations is a permitted mode of transferring personal data.

Accountability for Personal Data

Organisations are responsible for personal data in their possession or under their control in accordance with the PDPA. In meeting its responsibilities under the PDPA, an organisation must consider what a reasonable person would consider appropriate in the circumstances.

The PDPA also requires all organisations to:

  • Designate an individual (who may be an employee or an external party) to be responsible for ensuring that the organisation complies with the PDPA (commonly referred to as a data protection officer or DPO);
  • Make its DPO’s contact information publicly available (for example, on its website);
  • Develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA;
  • Develop a process to receive and respond to complaints relating to its application of the PDPA;
  • Inform its staff of its data protection policies and practices (including, for example, through appropriate training);
  • Make information available about its policies and practices (for example, through a website data protection policy).

In general, organisations should develop appropriate data protection policies, practices, contracts and notices taking into account the types of personal data they process, their purposes for processing personal data and the risks to individuals arising from their processing of personal data. In some situations, organisations are required to assess and mitigate the risks to individuals (for example, using a data protection impact assessment or DPIA).

Some organisational policies which may have an impact on an organisation’s compliance with the PDPA include:

  • Website data protection policy
  • Employee data protection policy
  • Data protection manual (internal – for their staff)
  • Security policies
  • Data breach management plan
  • Business continuity and disaster recovery plan
  • Retention and disposal policy
  • Data governance and ethics policy

Enforcement by the PDPC

The PDPC may, upon receiving a complaint or of its own motion, conduct an investigation into whether an organisation is complying with the PDPA.

If the PDPC determines that an organisation has not complied with the PDPA, the PDPC may:

  • Give the organisation a direction to ensure its compliance with the PDPA; and
  • If satisfied that the organisation intentionally or negligently contravened the PDPA, require payment of a financial penalty not exceeding 10% of the organisation’s annual turnover in Singapore where that turnover exceeds S$10 million, and not exceeding S$1 million in any other case (a lower maximum may apply in certain situations).

Where the PDPC has reasonable grounds to believe that an organisation has not complied with the PDPA, the PDPC may accept a voluntary undertaking from the organisation (for example, an undertaking to take certain remedial action within a specified time). Failure to comply with an undertaking may result in enforcement action by the PDPC.

Get in touch

For more information about developing and implementing organisational policies and practices to meet the requirements of the PDPA or training on data protection, cybersecurity or other aspects of data and cyber governance, please contact:

Lim Chong Kin
Managing Director, Corporate & Finance
Head, Telecommunications, Media & Technology
Co-Head, Data Protection, Privacy & Cybersecurity

David N. Alfred
Director, Corporate & Finance
Co-Head, Data Protection, Privacy & Cybersecurity Practice
Co-Head and Programme Director, Drew Data Protection & Cybersecurity Academy

Anastasia Chen
Director, Corporate & Finance