Singapore’s PDPA (Personal Data Protection Act 2012) sets out various rules governing the collection, use, disclosure and care of personal data.
It recognises the rights of individuals to have their personal data protected, right of access and right to rectification, and the need for organisations to only collect, use or disclose personal data for legitimate and reasonable purposes.
The EU’s GDPR (General Data Protection Regulation) applies to all organisations that process EU residents’ personal data, wherever they are located.
Singapore is the EU’s fourteenth-largest trading partner and the largest trading partner in ASEAN, so the GDPR’s impact on the country is significant.
If your organisation processes EU residents’ personal data, you need to abide by the GDPR’s rules. Failure to do so could result in fines of up to €20 million (around S$31.5 million) or 4% of annual global turnover – whichever is greater.
The PDPA’s standards are largely consistent with those introduced by the GDPR, but there are some notable differences, which are outlined below.
PDPA obligations
The main data protection obligations set out in Parts III–VI of the PDPA are as follows. The term ‘processing’ in this context refers to the collection, use and disclosure of personal data.
Part IV, Division 1: Consent
- Organisations may not process individuals’ personal data unless they give, or are deemed to have given, their consent. There are a number of exceptions to this rule. Individuals are deemed to consent to the processing of their personal data if they voluntarily provide, or it is reasonable that they would voluntarily provide, the data. Individuals have a right to withdraw their consent at any time.
Part IV, Division 2: Purpose
- Purpose limitation
Organisations may only process individuals’ personal data in an appropriate manner and for a reasonable purpose, and only if they have informed the individual of their purpose(s).
- Notification of purpose
Organisations must inform individuals of the purposes for processing their personal data at the point of or before collecting it, except if the individual has already given, or is deemed to have given, consent.
Part V: Access to and correction of personal data
- Access and correction
Individuals have the right to request that organisations provide access to and make corrections to their personal data.
There are some exceptions, such as cases in which providing access would cause immediate harm to the safety, or physical or mental health, of the individual; threaten the safety, or physical or mental health, of another individual; or reveal another individual’s personal data.
Part VI: Care of personal data
- Accuracy
Organisations must make a reasonable effort to ensure that personal data collected by them, or on their behalf, is accurate and complete if it is likely to be used to make a decision that affects the individual to whom it relates, or is likely to be disclosed to another organisation.
- Protection
Organisations must protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar activity.
- Retention limitation
Organisations must cease retaining documents containing personal data, or anonymise that data, as soon as it is no longer needed for the purpose for which it was collected, or for other legal or business purposes.
- Transfer limitation
Organisations must not transfer personal data outside Singapore except in accordance with the Act’s requirements, which are intended to ensure that the transferred data is given a standard of protection comparable to that under the PDPA.
The PDPA also established the national Do Not Call (DNC) Registry. Individuals listed on this register must not be sent unsolicited marketing materials by registered organisations in Singapore.
GDPR obligations
Article 5 of the GDPR sets out eight data processing principles.
- Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is permissible.
- Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy
Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay.
- Storage limitation
Personal data must be kept in a form that allows data subjects to be identified for no longer than is necessary. Personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to appropriate technical and organisational measures being implemented.
- Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 6 of the Regulation states that processing is lawful only if and to the extent that one of the following applies:
- Consent
The data subject has given their explicit consent to the processing of their personal data for one or more specific purposes.
- Contract
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligations
Processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Vital interests
Processing is necessary in order to protect the vital interests of the data subject or of another natural, living person.
- Public task
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child. (This basis doesn’t apply to processing carried out by public authorities in the performance of their tasks.)
The GDPR vs the PDPA
Although the two laws obviously overlap a great deal, there are some notable differences, which are important to check if you process EU residents’ personal data, as you will be held to a higher standard on these points. These include, but are not limited to:
- Consent
Although the PDPA seems to suggest that consent is the only legal basis for processing personal data, the numerous exemptions to this requirement listed in the second, third and fourth schedules prove otherwise, as does the issue of deemed consent, as explained in Section 15.
The GDPR is much more exact in its approach. It requires consent to be “freely given, specific, informed and unambiguous” (Article 4), and does not accept the validity of deemed consent at all. Consent is only one of six lawful bases for processing under the GDPR.
- Purpose
The PDPA requires only that personal data is processed for a reasonable purpose. In contrast, the GDPR requires that personal data is processed for explicit and legitimate purposes that are determined at the time the personal data is collected.
- Data minimisation
The GDPR requires personal data to be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. The PDPA, on the other hand, makes no such stipulation.
- Access, correction and erasure
The PDPA allows individuals to access their personal data and information about its use or disclosure in the year before the date of their request (Section 21). There are a number of exceptions to this rule.
Individuals can also request organisations to correct errors or omissions in their personal data, although organisations can decide not to amend their records if they decide, on reasonable grounds, that they should not do so. If no correction is made, the organisation must annotate the personal data to indicate that a change was requested but not made.
Article 16 of the GDPR requires data controllers to rectify inaccurate personal data without undue delay and complete incomplete personal data. Article 17 of the GDPR gives data subjects the right to erasure or right to be forgotten – which the PDPA does not.
- Accuracy
The GDPR requires personal data to be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay (Article 5). The PDPA, however, has no such requirement. Section 23 merely requires organisations to make a reasonable effort to ensure that the personal data they collect, or that is collected on their behalf, is accurate and complete.
The GDPR sets out a more rigorous approach to processing personal data than the PDPA, and the consequences for failing to comply correctly are significantly harsher.
Understanding what you need to do is therefore essential.
GDPR compliance checklist