A Privacy Guide for Businesses to Comply with Singapore’s Personal Data Protection Act (PDPA)

Sameer Ahirrao -

Singapore’s Personal Data Protection Act (PDPA) regulates the collection, use, and disclosure of personal data. Personal data under the PDPA is data, whether true or not, that can be used to identify an individual. The PDPA creates rights for individuals in the handling of their personal information while also requiring organizations to safeguard the data they have collected.

Who is covered: The PDPA has broad coverage and generally applies to all private organizations and the personal information they collect. However, there are a few exceptions:

  1. Any individual acting in a personal or domestic capacity
  2. Any employee working in the course of their employment with an organization
  3. Any public agency
Obligations for a business:

Consent (PDPA §13 to §17):

An organization must obtain an individual’s consent before collecting, using, or disclosing personal data for any purpose, with some exceptions (vital interest, affects the public, legitimate interest, and specific business reasons).

Purpose Limitation (PDPA §18):

An organization may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate.

Notification (PDPA §20):

An organization must notify the individual of the purpose(s) for collecting, using, or disclosing the individual’s personal data. An organization will also have to notify the Personal Data Protection Commission (PDPC).

Access and Correction (PDPA §21 and §22):

An individual may request that an organization (i) provide them with what personal data has been collected and information about how the personal data has been used or disclosed during the past year; and (ii) correct an error or omission in an individual’s data. There is no exact time required for a business to comply with the requests, but an organization must comply as “soon as reasonably possible.”

Accuracy (PDPA §23):

If an organization plans to use personal information to make a decision or send that information to another company, it must make a reasonable effort to ensure that personal data collected by the organization is accurate and complete.

Protection (PDPA §24):

An organization must make security arrangements to prevent personal information from unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. An organization must also take additional steps to prevent the loss of any storage medium or device on which personal data is stored.

Retention Limitation (PDPA §25):

An organization must cease retaining an individual’s personal data as soon as it is no longer necessary for any legal or business purpose.

Transfer Limitation (PDPA §26):

An organization may not transfer personal data to a country outside Singapore if that destination country or organization does not provide a standard of protection comparable to the measures required by the PDPA.

Data Breach Notification (PDPA §26A to §26E):

In case of a data breach, the first step for an organization is to assess whether the data breach is notifiable. An organization must notify an individual or group if the breach involved personal information or affected a significant amount of people.

Accountability (PDPA §11 and §12):

An organization must implement necessary policies, such as designating an individual to ensure compliance with the PDPA and make information about its policies and practices to secure personal information publicly available.

Private Right of Action and Penalties (§48):

An organization that neglectfully or intentionally disregards the obligations stated above can be fined up to $1 million. Additionally, any individual who suffered damages due to a business mishandling their data may privately sue that organization, where a court will decide the financial award for the individual.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.