Singapore’s data protection act, PDPA, is not a recent addition to the ever-growing list of data privacy laws in the world. Introduced in 2012, the Act was fully enacted in 2014 and amended in 2020. Apart from regulating the handling of personal data, it also regulates telemarketing. It established the “Do Not Call Registry” that helps the users (Singaporeans) to opt out of telemarketing. 

This article will discuss the main points from the PDPA official text (updated), the PDP Regulation 2014, and the 2020 amendments. We will also look into the checklist for making your website compliant with the law.

Blog summary

Singapore’s data protection act, PDPA governs how organizations (that includes websites) collect, use, or disclose the personal data of Singaporeans. 

Like GDPR, the PDPA mandates that you must get user consent before collecting their personal data. However, unlike GDPR, it allows deemed (implied) consent under special circumstances. It allows legitimate interest as a basis if there is no adverse effect on the users because of it. 

The PDPA also requires organizations to take care of the personal data concerning its accuracy, protection, retention, and transfer outside Singapore. 

It gives the users more control over their data by giving them rights to access, correct, or port personal data. 

Like other data protection acts, failing to comply with the PDPA will lead to hefty fines.

What is Singapore’s Personal Data Protection Act (PDPA)?

The Personal Data Protection Act (PDPA) is Singapore’s data privacy and protection act. It was passed in 2012, but it came into effect in 2014. The purpose of PDPA is to govern the collection, use, and disclosure of personal data by organizations and make provisions for the users (Singaporeans) to protect their personal data. 

It applies to any organization (that includes any user, company, association, or body of persons, corporate or unincorporated), whether or not it is located in Singapore, that collects, uses, or discloses personal data from inside Singapore. That means the PDPA applies to websites as well.

The Singapore PDPA does not apply to:

  • a user processing the data for a personal or domestic purpose;
  • an employee processing the data for his employment with an organization;
  • a public agency; or
  • other organizations or personal data for the purposes of any of the above.

It establishes the data protection authority, the Personal Data Protection Commission (PDPC). The PDPC issues guidelines on the PDPA and enforces the Act.

The Act was amended in October 2020. The amendments introduced an additional framework for personal data regulation, especially related to consent.

Notification of purpose under Singapore PDPA

Under the PDPA, organizations can collect, use, or disclose personal data of the users for a reasonable purpose that the users would consider appropriate. You must notify the users of the purpose before doing so.

You cannot collect, use, or disclose personal data for this purpose if the users withdraw their consent or explicitly refuse to consent.

The notification of purpose must include the following details:

  • The purpose of handling the users’ personal data
  • Any other purpose not already informed before using or disclosing the personal data
  • Upon the users’ request, the contact information of a person, who acts on behalf of the organization, to answer the users’ questions about the collection, use, or disclosure of their personal data

Handling personal data under Singapore PDPA

The PDPA proposes many guidelines for handling the personal data of the user. This is akin to GDPR principles for processing personal data.

Accuracy of personal data

An organization must ensure that the personal data it collects is accurate. Accuracy matters especially if the data is used to make decisions that will affect the user, or if the organization is going to disclose the data to another organization.

Protection of personal data

An organization must take appropriate measures to protect the data against any unauthorized access, misuse, or loss of the data.

Retention of personal data

An organization must stop storing personal data or remove it if it is no longer needed for the purpose for which the data was collected.

Transfer of personal data outside Singapore

An organization cannot transfer personal data outside Singapore unless the place it is being transferred to provides the same level of protection as under the PDPA.

Consent under Singapore PDPA

An organization cannot collect, use, or disclose personal data about a user without their consent unless it is authorized by the Act or any other established law. You must ask for consent before or at the time of personal data collection.

The consent is not valid under the PDPA if you:

  • do not provide adequate information about the purpose of data collection, use, or disclosure;
  • make providing a product or service conditional on consent, beyond what is reasonable for providing that product or service; or
  • obtain or attempt to obtain consent by providing false or misleading information, or by using deceptive or misleading practices.

An organization can only collect, use or disclose personal data about a user if they have given consent or “deemed to have given” consent.

The amendments to the bill have made some changes to the specifications of deemed consent. 

Deemed consent

While privacy laws like the GDPR have prohibited implied consent, the PDPA allows it under certain circumstances. The PDPA allows organizations to deem user consent if the users have voluntarily shared their personal data for a defined purpose. The amendments to the bill further expand the circumstances where deemed consent is allowed:

  • Deemed consent for a contract: Consent can be deemed to be given if the collection, use, or disclosure of the users’  personal data is necessary to fulfill a contract between the user and the organization.
  • Deemed consent by notification: Organizations can deem consent if they provide notification of the purpose of collecting, using, or disclosing personal data. However, they must also give a reasonable period for the users to opt out. If the users do not opt out within that period, then consent can be deemed to be given. In other words, unless the users explicitly opt out, the organization can deem consent to handle their personal data.

Organizations must make sure that the collection, use, or disclosure of personal data does not have any adverse effect on the users. They must take reasonable measures to eliminate, reduce the likelihood of, or mitigate the adverse effect on the users.

Legitimate interest under Singapore PDPA

An organization can use legitimate interest as a basis for collecting, using, or disclosing the personal data of the users. You must be sure that the legitimate interest outweighs any adverse effects on the users. You must assess the possible risks and implement reasonable measures to deal with them. The reason for relying on legitimate interest for collecting, using, or disclosing personal data must be clearly communicated to the users.

With appropriate measures, you can prioritize legitimate interest over obtaining consent. 

Rights of users under Singapore PDPA

The PDPA grants several rights to users, including:

Access to personal data

On the users’ request, which should be made in writing, an organization must provide them access to the personal data it holds about them, and information about the ways it has used or disclosed that data within the year before the date of the request.

The organization can refuse access if providing it may:

  • threaten the safety or physical or mental health of another person
  • cause harm to the safety or the physical or mental health of the user
  • disclose personal data of another person
  • disclose the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity
  • be contrary to the national interest

Correction of personal data

The users can request an organization to correct their inaccurate personal data. Upon receiving such a request, the organization must verify and correct the data as soon as possible. It must also share the corrected data with the other organizations to which it has disclosed the data.

Portability of personal data inside Singapore

The users located in Singapore can request an organization to port or transfer their personal data to another organization in Singapore.

The organization can refuse to port the data if it may:

  • threaten the safety or physical or mental health of another person
  • cause harm to the safety or the physical or mental health of the user
  • be contrary to the national interest

To exercise the above-mentioned PDPA rights, the users must send the request in writing with sufficient details about themselves and the personal data concerned. The request must be sent to the organization’s data protection officer or any other person/channel acceptable to the organization.

The organization must respond within 30 days after receiving the request. If it is unable to do so, it must inform the user in writing the time by which it will be able to respond. The PDPA allows the organization to charge a fee to respond to the request if it has provided an estimate of the fee or the fee is not higher than the estimate.

The users must be provided with a copy of the personal data and the use and disclosure information in documentary form, or in any other form requested by the users that is acceptable to the organization.

Data breach notification under Singapore PDPA

The PDPA defines a data breach as unauthorized access, collection, use, disclosure, copying, modification, or disposal of personal data. It also includes the loss of a storage medium where the data is stored that could lead to these unauthorized activities. 

An organization must conduct an assessment to determine if the breach must be notified. You must notify the PDPC of the breach if it has caused or is likely to cause harm to the affected users, or if it is of a severe nature. The organization must notify the PDPC within 3 calendar days after the day it makes the assessment.

The Commission will decide the next course of action and whether the organization must notify the affected users.

Financial penalties for Singapore PDPA violations

Failing to comply with the PDPA will cost an organization — whose annual turnover in Singapore exceeds $10 million — 10% of its annual turnover in Singapore, or $1 million, whichever is higher.

EU GDPR vs Singapore PDPA

Here are the key differences and similarities between the EU GDPR and Singapore PDPA:

[Comparison table: EU GDPR vs Singapore PDPA]

How to make your website comply with Singapore PDPA?

The definition of an organization also includes websites. Follow the steps below to start making your website PDPA compliant.

  1. Identify if your website needs to collect, use, or disclose personal data from Singapore users.
  2. Do not collect data not required for your intended purpose.
  3. Keep the data accurate and safe and do not store it longer than necessary for the intended purpose. 
  4. Notify the users about the purpose before or at the time of collecting, using, or disclosing personal data.
  5. Obtain user consent before or at the time of data collection.
  6. Provide an opt-out option for the users to withdraw or deny consent.
  7. For cookies, you may use a cookie consent banner or notice to inform users about cookies that collect personal data.
  8. The cookie consent banner must come with an opt-out button or link.
  9. Add a privacy policy page that discloses who collects, uses, or discloses personal data through your website, and for what purposes.
  10. Implement a system for the users to submit their requests to exercise their rights and for you to verify and respond.
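Steps 6 to 8 of the checklist call for a consent banner that blocks personal-data cookies until the visitor agrees and offers an opt-out. The following is an added example (not code from the article or from CookieYes) of the logic behind such a banner: third-party scripts stay blocked until their cookie category is accepted, withdrawal blocks later loads, and every decision is logged so consent can be demonstrated. The category names, script URLs and the injectable `loadScript` function are assumptions for illustration.

```javascript
// Added example (not from the article or CookieYes): a minimal consent manager.
// Third-party scripts stay blocked until the visitor accepts their cookie
// category, withdrawal blocks later loads, and each decision is logged as proof
// of consent. Categories, URLs and the loader are assumptions; in a browser the
// loader would append a <script> element to the document.
const CATEGORIES = ["necessary", "analytics", "marketing"];
function checkCategory(c) {
  if (!CATEGORIES.includes(c)) throw new Error("unknown category: " + c);
}
function createConsentManager(loadScript, now = () => new Date()) {
  // Only strictly necessary cookies run without consent (opt-in by default).
  const state = { necessary: true, analytics: false, marketing: false };
  const pending = []; // registered scripts still blocked
  const loaded = [];  // scripts released after consent
  const log = [];     // proof-of-consent records
  // Release every blocked script whose category is now allowed.
  function release() {
    for (let i = pending.length - 1; i >= 0; i--) {
      if (state[pending[i].category]) {
        const [s] = pending.splice(i, 1);
        loadScript(s.src);
        loaded.push(s);
      }
    }
  }
  function setConsent(categories, value, action) {
    for (const c of categories) {
      checkCategory(c);
      if (c !== "necessary") state[c] = value; // "necessary" cannot be toggled
    }
    log.push({ at: now().toISOString(), action, categories: [...categories] });
  }
  return {
    // Register a script; it loads now only if its category is already allowed.
    register(src, category) {
      checkCategory(category);
      pending.push({ src, category });
      release();
    },
    accept(categories) { setConsent(categories, true, "accept"); release(); },
    // Opt-out: returns scripts already loaded for those categories so the site can clear their cookies.
    withdraw(categories) {
      setConsent(categories, false, "withdraw");
      return loaded.filter((s) => categories.includes(s.category)).map((s) => s.src);
    },
    status() { return { ...state }; },
    pendingScripts() { return pending.map((s) => s.src); },
    consentLog() { return log.map((e) => ({ ...e })); },
  };
}
```

A withdrawal cannot unload a script that already ran, which is why `withdraw` reports those scripts: the site still has to delete the cookies they set.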

How can CookieYes help you?

CookieYes, a cloud-based cookie consent solution, will help you to achieve cookie compliance for data protection and privacy laws like GDPR, ePrivacy Directive, and CCPA. Therefore, it will help you to manage cookie consent for PDPA compliance as well.

Its customizable consent banner makes sure that the visitors to your website are aware of the cookies and their purpose. You can let them choose their preferences using the granular option for cookie categories. You can also let them opt out of cookies.

CookieYes auto-scans the website for cookies and identifies the different types of cookies. It auto-blocks third-party cookies prior to user consent. Therefore, these cookies will not collect personal data unless the users give their consent. You can also manually add third-party cookie scripts for the app to block prior to receiving user consent.

The consent logging feature records user consent, which you can use to demonstrate proof of consent.

It also lets you generate a privacy policy page free of cost with a few clicks. 

Sign up for free and be cookie compliant!