Doing Business in Singapore? Missing on PDPA may become a big challenge for your business
Singapore is a global techgiant, topping the rankings of the Global Smart City Performance Index continuously for multiple years. Since launching its Smart Nation initiative in 2014, Singapore has introduced a lot of smart technologies in both public and private sectors.
Lot of data is travelling on the cloud as cloud computing is an integral element for the digital transformation objectives and hence the laws to protect the data becomes mandatory. Singapore's Personal Data Protection Act (PDPA) governs the collection, use, disclosure and care of personal data.
Purpose of the PDPA
“To govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
What is the Personal Data Protection Act (PDPA)?
The Personal Data Protection Act (PDPA) is Singapore's primary law regulating its residents' data handling by businesses.
Businesses should take Singapore's data privacy laws as mandatory for the protection of data. As this has become of utmost importance, laws have installed nine data protection obligations with which every business must comply.
The Nine Data Protection Obligations
1. Consent Obligation
2. Purpose Limitation Obligation
3. Notification Obligation
4. Access and Correction Obligation
5. Accuracy Obligation
6. Protection Obligation
7. Retention Limitation Obligation
8. Transfer Limitation Obligation
9. Accountability Obligation
Scope of PDPA -
All private organisations in respect of the personal data of individuals that they collect, use and/or disclose.
Organisations that are not present in Singapore but collecting, using and disclosing data within Singapore. Related organisations receiving data from these organisations being parent companies or others are not exempted from PDPA.
Who is exempted from the application of PDPA -
1. Individuals acting in a personal or domestic capacity;
2. Employees acting in the course of their employment with an organisation
3. Public agencies
4. Any other organisation or personal data, or classes of organisations or personal data as may be prescribed.
Although the government agencies are not subjected to PDPA as they have their own set of regulations, this exemption is not extended to the private sector organisations working on behalf of the government agencies.
Who regulates data protection?
The PDPC is the regulatory authority responsible for administering and enforcing the PDPA. It is part of the converged telecommunications and media regulator, the Infocomm Media Development Authority ('IMDA'), which is, in turn, a statutory board under the purview of the Ministry of Communications and Information.
