Singapore: Privacy

Key statutes, regulations and adopted international standards

The Personal Data Protection Act 2012 (PDPA) is the key data protection legislation in Singapore. It governs the collection, use and disclosure of individuals’ personal data by all private sector organisations.

The PDPA comprises two main parts: Parts 3 to 6A (the Data Protection Provisions) set out the general obligations of organisations with regard to their management of personal data, while Part 9 of the PDPA (the DNC Provisions) contains provisions establishing the Do Not Call (DNC) Registry and obligations of organisations that send marketing messages to Singapore telephone numbers.

Several regulations have been issued under the PDPA, including:

  • the Personal Data Protection (PDP) Regulations 2021;
  • the Personal Data Protection (Notification of Data Breaches) Regulations 2021;
  • the Personal Data Protection (Composition of Offences) Regulations 2021;
  • the Personal Data Protection (Do Not Call Registry) Regulations 2013;
  • the Personal Data Protection (Enforcement) Regulations 2021; and
  • the Personal Data Protection (Appeal) Regulations 2021.

The Singapore data protection authority, the Personal Data Protection Commission (PDPC), has issued a number of advisory guidelines detailing how it will interpret the provisions of the PDPA. These range from general guidelines on key concepts in the PDPA and selected topics, to sector-specific advisory guidelines for sectors such as telecommunications, real estate, education, healthcare and social services, and insurance.

The PDPA was amended under the Personal Data Protection (Amendment) Act 2020 (the Amendment Act) on 2 November 2020. Most of the amendments, such as the expansion of the consent obligation, the introduction of a mandatory data breach notification regime and the introduction of criminal penalties for the egregious misuse of personal data, came into force on 1 February 2021. However, some of the amendments, namely the new data portability obligation and the increased maximum financial penalties will only come into force at a later date.

Aside from the PDPA, a number of other pieces of legislation and regulatory instruments in Singapore contain sector-specific data protection requirements. For example:

  • in the financial sector, provisions governing customer information obtained by banks are set out in the Banking Act 1970. The Monetary Authority of Singapore (MAS) issues directives and notices concerning data protection for the financial sector, such as the Notices and Guidelines on Technology Risk Management, the Notices on Cyber Hygiene and the Guidelines on Outsourcing;
  • in the healthcare sector, confidentiality of medical information and the retention of medical records are governed by the Private Hospitals and Medical Clinics Act 1980 and the Healthcare Services Act 2020; and
  • in the telecommunications sector, the Telecom and Media Competition Code issued under the Telecommunications Act 1999 regulates telecommunications licensees’ use of end-user service information.

Other legislation that may have an indirect impact on data protection includes:

  • the Computer Misuse Act 1993, which contains offences for the unauthorised access or modification of computer material and the unauthorised use or interception of computer services; and
  • the Cybersecurity Act 2018, which requires owners and operators of critical information infrastructure to comply with cybersecurity codes of practices and standards of performance, conduct regular audits and risk assessments, and report on cybersecurity incidents.

The rights or obligations under specific legislation are not affected by the general data protection framework under the PDPA. As provided under section 4(6) of the PDPA, in the event of any inconsistency, the provisions of the other specific legislation will prevail.

Adopted international standards

Singapore participates in the Asia-Pacific Economic Cooperation (APEC)’s Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems. The APEC CBPR and PRP are multilateral certification schemes that allow participating businesses and other organisations to develop their own internal rules and policies consistent with the specific CBPR and PRP programme requirements, in order to facilitate cross-border data transfers across the participating economies. On 1 June 2020, the PDP Regulations 2014 (which have since been superseded by the PDP Regulations 2021) were amended to recognise the APEC CBPR system and PRP system certifications for overseas transfers of personal data under the PDPA.

Regulatory bodies

The PDPA establishes the PDPC, which is the data protection authority responsible for administering and enforcing the PDPA. The PDPC is under the purview of the telecommunications and media regulator, the Info-communications Media Development Authority (IMDA). Sectoral regulators separately enforce the data protection obligations within their relevant sectors.

The PDPC may give any direction to the organisation to ensure compliance with the PDPA, for example, a direction to:[1]

  • stop collecting, using or disclosing personal data in contravention of the PDPA; or
  • destroy personal data collected in contravention of the PDPA.

Further, if the PDPC is satisfied that the organisation intentionally or negligently contravened the PDPA, it may require the organisation to pay a financial penalty not exceeding S$1 million. (Under the Amendment Act, the financial penalty cap will be raised to up to 10 per cent of an organisation’s annual gross turnover in Singapore or S$1 million, whichever is higher. This is expected to come into force on 1 October 2022.)

In carrying out its investigative functions, the PDPC is empowered to:[2]

  • require any organisation to produce any specified document or information;
  • enter an organisation’s premises without a warrant; and
  • obtain a search warrant to enter an organisation’s premises and search the premises or any person on the premises, and take possession of, or remove, any document and equipment or article relevant to an investigation.

The changes under the Amendment Act strengthen the PDPC’s enforcement powers by providing additional recourse to compel attendance of witnesses, the provision of information, and the production of documents. Criminal sanctions may also be imposed on individuals and organisations for obstructing or hindering the investigations of the PDPC or providing any false or misleading statements or information to the PDPC.[3] In particular, individuals may be liable to a fine of up to S$10,000 and imprisonment for a term of up to 12 months, or both; while organisations may be liable to a fine of up to S$100,000.

The PDPC also has the power to:

  • discontinue investigations and simply issue an advisory notice where the impact is assessed to be low;
  • initiate an undertaking process, which includes a written agreement between the organisation and the PDPC in which the organisation voluntarily commits to remedy the breaches and take steps to prevent recurrence; or
  • issue an expedited breach decision in certain circumstances where there is an upfront, voluntary admission of liability for breaching the PDPA.

The PDPC has been active in its enforcement of the PDPA. As at 15 July 2022, the PDPC had issued a total of 218 decisions, with a significant majority relating to breaches of the protection obligation. Of those decisions, some of the most common breaches of the PDPA have arisen from inadequate technical security arrangements, human error, technical faults and insufficient data protection policies.

The effect of local laws on foreign businesses

Subject to its detailed scope, the PDPA applies to all organisations (and persons) that are not public agencies (including those not formed or recognised under Singapore law, or without residency or an office or place of business in Singapore). As such, the applicability of the PDPA can extend to foreign businesses. In particular, an organisation, including a foreign company, would have to ensure compliance with the PDPA in respect of its activities involving personal data in Singapore, namely, the collection, use, disclosure or other processing of personal data in Singapore. This could extend to foreign companies collecting personal data of individuals based in Singapore or the hosting of personal data in Singapore (which originated overseas).

Separately, the application of the PDPA does not depend on whether the personal data is of Singaporeans or non-Singaporeans. In particular, the PDPA does not apply merely by virtue of Singaporeans’ data being processed where this occurs outside of Singapore.

In Re Cigna Europe Insurance Company SA-NV [2019] SGPDPC 18, the PDPC investigated a Belgium-based company, which was offering health insurance solutions and coverage in Singapore through a registered branch office, for two data breach incidents in 2017 and 2018. Ultimately, the PDPC found that the organisation was not in breach of its data protection obligations.

The PDPC is also a participant of the APEC Cross-border Privacy Enforcement Arrangement, which is a framework for the voluntary sharing of information and provision of assistance for privacy enforcement-related activities among privacy regulators.

Core principles on personal data

Definition of personal data

‘Personal data’ is broadly defined under the PDPA as ‘data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access’.

The PDPC refers to certain types of personal data that, on their own, can identify an individual as ‘unique identifiers’. Examples include full names; National Registration Identity Card (NRIC) and passport numbers; personal mobile phone numbers; facial images of individuals; voices of individuals; fingerprints; DNA profiles; and iris images.

While the PDPA does not distinguish between specific categories of personal data, the PDPC has taken the position in several enforcement decisions that a higher standard of protection is required for personal data that is more sensitive in nature. These types of personal data include NRIC numbers, insurance data, medical data, financial data and children’s data.[4]

Data protection obligations

The Data Protection Provisions contain, at present, 10 main obligations that organisations are required to comply with if they undertake activities relating to the collection, use or disclosure of personal data. There is another data protection obligation, namely, the data portability obligation, that is not presently in force, but will come into force at a later date.

Consent obligation

An organisation must obtain the consent of an individual before collecting, using or disclosing their personal data for a purpose, unless an exception in the First or Second Schedule to the PDPA applies.[5] Some examples of exceptions to consent include where the personal data is publicly available; or the collection, use or disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual. The Amendment Act introduced two new exceptions to the consent requirement, the ‘legitimate interests’[6] and ‘business improvement’[7] exceptions.

For consent to be considered validly given, the organisation must first inform the individual of the purposes for which their personal data will be collected, used or disclosed. These purposes have to be what a reasonable person would consider appropriate in the circumstances. Fresh consent needs to be obtained where personal data collected is to be used for a different purpose than that to which the individual originally consented.

Consent may also be deemed to have been given where an individual has voluntarily provided their data to an organisation for a purpose, and it is reasonable that the individual do so.[8] The onus is on the organisation to establish that the individual was aware of the purposes for which the personal data was provided. The concept of deemed consent under the PDPA has also recently been expanded to include deemed consent by contractual necessity[9] and deemed consent by notification.[10]

Consent obtained in the following ways does not constitute valid consent for the purpose of the PDPA:

  • where consent is obtained as a condition of providing a product or service, and such consent is beyond what is reasonable to provide the product or service to the individual; or
  • where false or misleading information is provided, or deceptive or misleading practices are used, to obtain or attempt to obtain the individual’s consent for collecting, using or disclosing personal data.[11]

Individuals may also withdraw any consent given or deemed to have been given at any time by giving reasonable notice to the organisation.[12]

Notification obligation

Organisations are obliged to inform individuals, on or before collecting their personal data, of the purposes for which the personal data will be collected, used or disclosed; and, before any further use or disclosure, of any other purpose for that use or disclosure that has not previously been notified to the individual. The PDPA does not prescribe the manner or form in which individuals have to be notified.

Purpose limitation obligation

An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.[13]

Access and correction obligations

Under the access obligation, an organisation must allow an individual to access their personal data in its possession or under its control upon request as soon as reasonably possible, subject to the exceptions in section 21(3) of the PDPA and in the Fifth Schedule to the PDPA.[14] The organisation is also obliged to provide the individual with information about the ways in which the personal data may have been used or disclosed during the past year.

Under the correction obligation, individuals also have the right to request an organisation to correct any inaccurate data that is in the organisation’s control, subject to the exceptions in section 22 of the PDPA and the Sixth Schedule to the PDPA.[15] The organisation, if satisfied on reasonable grounds that a correction must be made, is required to correct the individual’s personal data as soon as practicable and send the corrected or updated personal data to specific organisations to which the data was disclosed within a year before the correction was made.

The PDP Regulations 2021 set out further details on the access and correction obligations, for example, how an access or correction request may be made, the time frame for providing a response, and whether a fee may be charged for responding to a request.

Accuracy obligation

Organisations must make a reasonable effort to ensure that the personal data they collect is accurate and complete, if the personal data is likely to be used by the organisation to make a decision that affects the individual or is likely to be disclosed by the organisation to another organisation.[16]

Protection obligation

An organisation must make reasonable security arrangements to protect personal data in its possession or under its control, in order to prevent (1) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (2) the loss of any storage medium or device on which personal data is stored.[17]

Retention limitation obligation

An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer being served by retention of the personal data, and the retention is no longer necessary for legal or business purposes.[18]

Transfer limitation obligation

An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA and Part 3 of the PDP Regulations 2021 to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA.[19]

In particular, organisations must ensure that the recipients of that personal data are bound by legally enforceable obligations to protect the transferred personal data to a standard that is at least comparable to that under the PDPA. These ‘legally enforceable obligations’ include obligations imposed under law, contract or binding corporate rules, or any other legally binding instrument.[20]

Data breach notification obligation

An organisation may be required to notify certain data breaches to one or more of the following:

  • affected individuals;
  • the PDPC; or
  • the organisation (including a public agency) on whose behalf they are processing personal data when acting as data intermediary.[21]

See the section on ‘Data protection breaches’ for further detail.[22]

Accountability obligation

Organisations must take responsibility for the personal data in their possession or control and be able to demonstrate that they do so.[23] This includes developing and implementing data protection policies; communicating to and informing their staff of those policies; implementing processes and practices that are necessary to meet their obligations under the PDPA; making information about their data protection policies and practices available to individuals upon request; and appointing a data protection officer (DPO) to be responsible for ensuring that the organisation is in compliance with the PDPA.[24]

The PDPC also recommends that organisations conduct a data protection impact assessment (DPIA) to assess if their handling of personal data is in compliance with the PDPA. A DPIA would involve identifying, assessing and addressing personal data protection risks based on the organisation’s functions, needs and processes.

Data intermediaries

The PDPA makes provision for the processing of personal data by data intermediaries, defined as organisations that process personal data on behalf of and for the purposes of another organisation pursuant to a contract that is evidenced or made in writing. Data intermediaries are only subject to the protection and retention limitation obligations.[25] When an organisation employs a data intermediary to process personal data on its behalf and for its purposes, that organisation has the same obligations under the PDPA as if the personal data were processed by the organisation itself.

Automated processing, profiling and data analytics

The PDPA does not have express provisions on automated individual decision-making, data analytics and profiling. If an organisation wishes to carry out automated processes, it will need to ensure that it complies with all generally applicable data protection and privacy laws, including obtaining the necessary consents from the individuals in question unless an exception under the PDPA applies.

Communications and marketing

Sending specified messages

The DNC Provisions[26] under the PDPA prohibit organisations from sending specified messages to Singapore telephone numbers registered in the DNC registry. Individuals may choose to opt out of receiving specified messages via voice calls (No Voice Call Register); specified text messages, including any text, sound or visual message, such as SMS, MMS or WhatsApp messages (No Text Message Register); and specified fax messages (No Fax Register).

Subject to certain exceptions, a message constitutes a ‘specified message’ under section 37 of the PDPA if one of the purposes of the message is:

  • to advertise, promote, or offer to supply or provide:
    • goods or services;
    • land or an interest in land; or
    • a business or investment opportunity; or
  • to advertise or promote a supplier or provider, or prospective supplier or provider for the above or any other prescribed purpose.[27]

In most instances, a marketing message of a commercial nature sent to an individual would be classified as a specified message under the PDPA.

Under section 43 of the PDPA, an organisation that intends to send a specified message to a user or subscriber of a Singaporean telephone number must check with the relevant DNC register to confirm that the telephone number is not listed in the register, unless the organisation:

  • has obtained clear and unambiguous consent from the user or subscriber of the telephone number, evidenced in writing or other durable forms; or
  • has obtained confirmation that the Singaporean telephone number is not listed in the DNC registry, and has no reason to believe that, and is not reckless as to whether, among other things, such information is false or inaccurate.

When sending marketing communications to a Singaporean telephone number, organisations must comply with certain requirements, including the following:

  • for messages, organisations must include in the message information identifying the sender and how the sender can be readily contacted. Such information has to be reasonably likely to be valid for at least 30 days after the message is sent; and
  • for voice calls, organisations must not conceal or withhold the identity of the caller from the recipient.[28]

Certain senders that are in an ongoing relationship with individuals may be exempted from the obligation to check the DNC registry before sending specified text or fax messages related to that relationship.[29] Conversely, one-off transactions are insufficient to establish an ongoing relationship, and organisations may not rely on the ongoing relationship exception once it has ceased.

Spam Control Act

Aside from the DNC Provisions, the Spam Control Act 2007 (SCA) governs the control of spam, namely unsolicited commercial communications sent in bulk by email, instant messages (on platforms such as Telegram and WeChat) or by text (SMS/MMS) or multimedia messaging to mobile telephone numbers. The SCA applies as long as the electronic message has a Singapore link.

Under section 11 of the SCA, any sender of unsolicited commercial electronic messages in bulk must comply with the requirements in the Second Schedule to the SCA.

Individuals’ rights

Individuals have the right to request an organisation to give them access to or correct the personal data in the organisation’s possession or control. In addition, the Amendment Act will introduce a new data portability obligation at a later date, which requires an organisation to, at the request of an individual, transmit personal data that is in the organisation’s possession or under its control, to another organisation in a commonly used machine-readable format. It is also contemplated that the obligation will be subject to various exceptions and the fulfilment of certain conditions, the specifics of which are not currently known.

Individuals also have a right to give and withdraw consent at any time by giving reasonable notice. However, this would not affect any legal consequences arising from such withdrawal.[30] Upon withdrawal of consent, the organisation must cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless the collection, use or disclosure of the personal data without consent is required or authorised under the PDPA or any other written law.

An individual may lodge a complaint against an organisation with the PDPC at any time. Individuals also have a right of private action for loss or damage in respect of an organisation’s breach of the PDPA. However, if the PDPC has made a decision under the PDPA in respect of the breach, the private action may only commence after the PDPC’s decision has become final (ie, where there is no further right of appeal against the decision).[31]

The role of the data protection officer

As part of the accountability obligation, it is mandatory for organisations to appoint a DPO.[32] The responsibility of the DPO is to ensure that the organisation complies with the PDPA by developing and implementing policies and processes for handling personal data and managing data protection-related queries and complaints, among other things. The DPO also plays an essential role in fostering a data protection culture among employees and communicating personal data protection policies to the various stakeholders. However, the legal responsibility for complying with the PDPA remains with the organisation and cannot be delegated to the DPO.

Organisations are required to make available the business contact information of their DPO (or any individual to whom the responsibility has been delegated). Similarly, organisations are also required to make available the business contact information of a person who is able to respond to questions relating to the collection, use or disclosure of personal data on behalf of the organisation. This person may also be the DPO.[33] While there is no requirement that such a person must be located in Singapore, to facilitate prompt responses to queries or complaints, the PDPC recommends that the business contact information of this person should be readily accessible from Singapore, operational during Singapore business hours and provide Singapore telephone numbers (where used).

Data protection breaches

Recent amendments to the PDPA introduced a mandatory data breach notification regime. Under that new regime (Part 6A of the PDPA), in the event of a data breach, organisations are required to conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach.

A data breach is a ‘notifiable data breach’ if it:

  • results in, or is likely to result in, significant harm to any individual to whom any personal data affected by a data breach relates; or
  • is, or is likely to be, of a significant scale (ie, 500 or more individuals).

The organisation must notify the PDPC of the notifiable data breach as soon as practicable, but in any case, no later than three calendar days after making the determination that a data breach is notifiable. Where a data intermediary has reason to believe that a data breach has occurred in relation to personal data it is processing on behalf of the primary organisation, it must notify the primary organisation without undue delay.

Organisations must notify affected individuals if the data breach is likely to result in significant harm or impact to the individuals to whom the information relates.[34] There are two exceptions to this requirement to notify affected individuals, namely:

  • where organisations have taken timely remedial actions in accordance with any prescribed requirements, which renders it unlikely that the breach will result in significant harm to affected individuals; and
  • where the personal data that was compromised by the data breach is subject to technological protection (eg, encryption) such that the data breach is unlikely to result in significant harm to the affected individuals.

Organisations must also not notify affected individuals if instructed by a prescribed law enforcement agency or so directed by the PDPC, for example, in circumstances where such notification may compromise investigations or prejudice enforcement efforts.

The Personal Data Protection (Notification of Data Breaches) Regulations 2021 set out further prescribed requirements relating to data breach notifications, including the contents of the notification to the PDPC as well as the categories of prescribed personal data that are deemed to result in significant harm to the affected individual.

For more information, organisations may refer to the PDPC’s Guide on Managing and Notifying Data Breaches under the PDPA (revised 15 March 2021).

Updates and trends

Model AI governance framework

On 21 January 2020, the PDPC published the second edition of its Model Artificial Intelligence (AI) Governance Framework (AI Framework). This is an accountability-based framework that helps to chart the language and frame discussions around harnessing AI in a responsible way. Key changes in the second edition include the addition of industry examples in each section of the AI Framework, to clearly illustrate how organisations have implemented AI governance practices. The AI Framework is accompanied by a Compendium of Use Cases and an Implementation and Self-Assessment Guide for Organisations.

Launch of AI governance testing framework and toolkit

On 25 May 2022, the IMDA and the PDPC launched A.I. Verify, the world’s first AI Governance Testing Framework and Toolkit, for companies that wish to demonstrate their deployment of responsible AI. A.I. Verify is currently available as a minimum viable product for system developers and owners who want to be more transparent about the performance of their AI systems through a combination of technical tests and process checks.

Proposed changes to legislation

The Amendment Act was passed by the Singapore parliament on 2 November 2020, and most of the amendments made under the Amendment Act to the PDPA came into effect on 1 February 2021. The enhanced financial penalty provisions will come into effect on 1 October 2022.

Surveillance laws

The PDPA does not have any express provisions on surveillance. Organisations may generally collect, use and disclose personal data without an individual’s consent, if required or authorised to do so under the PDPA or other written law or if any exception in the PDPA applies.

Singapore has other piecemeal legislation relating to state interception of communications and the monitoring and surveillance of individuals for national security purposes.

In terms of surveillance via closed-circuit television (CCTV) cameras, unless an exception under the PDPA applies, organisations are required to inform individuals of the purposes for which their personal data will be collected, used or disclosed in order to obtain their consent. Where notification is not required, organisations are nonetheless encouraged to provide notifications as a matter of good practice. Generally, organisations should indicate that CCTV cameras are operating in the premises, the purpose of such surveillance if such purpose may not be obvious to the individual, and if both audio and video recordings are taking place.

Organisations that operate unmanned aircraft and aerial vehicles (ie, drones) equipped with photography, video or audio recording capabilities will need to comply with the PDPA insofar as the drones are likely to capture the personal data of individuals.[35]

Case studies

As at 15 July 2022, the PDPC has released 218 enforcement decisions that are helpful in illustrating how the PDPA is to be interpreted. We have selected several case studies below.

Breach of protection obligation by SingHealth Services Pte Ltd and Integrated Health Information Systems Pte Ltd[36]

The PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on Singapore Health Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA in a decision on 15 January 2019. This unprecedented data breach, which arose from a cyberattack on SingHealth’s patient database system, caused the sensitive personal data of almost 1.5 million patients to be compromised.

Breach of protection, accountability and retention limitation obligations by Stylez[37]

On 14 October 2021, the PDPC published a decision pertaining to Stylez Pte Ltd’s breach of the protection, accountability and retention limitation obligations, which culminated in a financial penalty of S$37,500. In relation to the accountability obligation, the PDPC clarified that an organisation will not be taken to have complied with the accountability obligation if it fails to develop and implement any internal data protection policy to give effect to externally communicated standards. Any externally communicated data protection policy must be given the weight of the necessary internal policies to guide an organisation’s employees on how to comply with the PDPA in carrying out their work functions.


Notes

[1] Section 48I(2) of the PDPA.

[2] Section 50(2) read with the Ninth Schedule to the PDPA.

[3] Section 51 of the PDPA.

[4] See Re Aviva Ltd [2017] SGPDPC 14; Re Credit Counselling Singapore [2017] SGPDPC 18; Re Singapore Taekwondo Federation [2018] SGPDPC 17; and Re AIA Singapore Private Limited [2019] SGPDPC 20.

[5] Section 13 of the PDPA.

[6] The ‘legitimate interests’ exception enables organisations to collect, use or disclose personal data without consent in circumstances where there is a need to protect the lawful interests of the organisation or any other person. Organisations wishing to rely on this ‘legitimate interests’ basis must fulfil certain requirements (eg, conducting a risk and impact assessment).

[7] The ‘business improvement’ exception provides that organisations can use personal data for the purposes of operational efficiency and service improvements; product and service development; or knowing customers better, subject to the fulfilment of certain requirements.

[8] Section 15 of the PDPA.

[9] For deemed consent by contractual necessity, consent is deemed to have been given for the disclosure of personal data where it is reasonably necessary for the conclusion or performance of a contract or transaction between the individual and the organisation.

[10] For deemed consent by notification, subject to fulfilling certain conditions, consent is deemed to have been given if the organisation provides appropriate notification as to the purpose of such processing, with a reasonable period for the individual to opt out; and the individual did not opt out within the period.

[11] Section 14(2) of the PDPA.

[12] Section 16 of the PDPA.

[13] Section 18 of the PDPA.

[14] Section 21 of the PDPA.

[15] Section 22 of the PDPA.

[16] Section 23 of the PDPA.

[17] Section 24 of the PDPA.

[18] Section 25 of the PDPA.

[19] Section 26 of the PDPA.

[20] Regulation 11(1) of the PDP Regulations 2021.

[21] Sections 26C and 26D of the PDPA.

[22] Sections 26C(3) and 26E of the PDPA.

[23] Section 11 of the PDPA. Previously known as the openness obligation.

[24] Section 12 of the PDPA.

[25] Section 4(2) of the PDPA.

[26] The Amendment Act made certain changes to the DNC Provisions, which include: inserting a new Part 9A into the PDPA with provisions prohibiting the sending of specified messages to telephone numbers obtained through the use of dictionary attacks and address harvesting software; and imposing an obligation on third-party checkers to communicate accurate DNC registry query results to organisations on whose behalf they are checking the registry.

[27] Tenth Schedule to the PDPA.

[28] Sections 44 and 45 of the PDPA.

[29] Paragraph 1(1)(e) of the Eighth Schedule to the PDPA.

[30] Section 16 of the PDPA.

[31] Section 48O(2) of the PDPA.

[32] Section 11(3) of the PDPA.

[33] Section 11(5) of the PDPA.

[34] There is no specified maximum period to notify affected individuals in the PDPA and the PDPC’s guidelines. However, generally, the time frame must be a reasonable one, taking into account Section 11(1) of the PDPA which states that ‘In meeting its responsibilities under [the PDPA], an organisation must consider what a reasonable person would consider appropriate in the circumstances.’

[35] See Advisory Guidelines on the PDPA for Selected Topics at Chapter 4.

[36] Re Singapore Health Services Pte Ltd and another [2019] SGPDPC 3.

[37] Re Stylez Pte Ltd [2021] SGPDPC 8.
