Data Privacy - Singapore

Laws: Personal Data Protection Act 2012 (PDPA)

Extra-territorial scope: Yes - see Survey A2

Regulator: PDPC - website

What data is covered?

Data protection laws in Singapore apply to Personal Data: data about an individual who can be identified from that data, or from that data combined with other information to which the organisation has or is likely to have access.

Sensitive data is not separately classified in the law but the PDPC expects a high standard of security for more sensitive Personal Data, e.g. national identification numbers, finance information, health and data about children.

Key risks and considerations

1. Robust regime; PDPC guidance regularly referenced in enforcement
2. Wide range of processing grounds
3. Robust rules around international transfers enforced by the PDPC
4. Strict data breach notification obligations (individuals and regulator)
5. Specific laws governing the sending of marketing communications

Compliance overview 

Register with regulator: There is no general requirement to register with the PDPC.

Appoint a DPO: All organisations must appoint a DPO.

Appoint a CISO: Not required though the DPO may be responsible for information security issues.

Formal compliance programme: Organisations must implement a privacy policy and complaints process communicate it to staff and make available to individuals on request.

Publish/provide privacy notice: Required.

Maintain records of activities: PDPC recommends maintaining a data inventory or data flow diagram and has provided example templates.

Enforcement and top fines

• Maximum possible fine: 10% of the annual turnover in Singapore for any organisation whose annual turnover in Singapore exceeds S$10 million or S$1 million in any other case.
• Regulator powers: The PDPC has wide inspection and sanctioning powers. It is empowered to conduct investigations and on-site inspections, and request documents. The PDPC can and does also issue compliance directions.
• Top fine imposed to-date: S$750,000 (a data breach involving over 1.5m patients)
• Personal criminal sanctions are possible (though no prosecutions have yet been made).

See the aosphere Enforcements Tracker for an up-to-date record of global enforcement action.

Consent is required to process Personal Data, unless processing falls within an exception. Consent may be deemed to be provided in certain circumstances. Exceptions include legitimate interests or where processing is necessary to comply with a legal obligation, for evaluative purposes or to protect an individual's vital interests. In addition, in all cases the processing purpose must be one a reasonable person would consider appropriate in the circumstances.

Personal Data may only be transferred with the individual’s consent unless an exemption applies. Transfers outside Singapore may only be made if the recipient has legally enforceable obligations to protect the data to a standard comparable to the PDPA standard (satisfied by APEC CBPR certification, contract or binding corporate rules).

Consent may also be relied on for international transfer but is subject to specific information requirements. The PDPC recommends that organisations only rely on consent or other grounds if unable to rely on APEC CBPR certification or contract.

See the International Data Transfers app for a summary of how to transfer Personal Data to other jurisdictions.

Service providers who are Data Intermediaries - processing Personal Data on behalf of another organisation under a contract - are only required to comply with the PDPA obligations on security and data retention, and to notify data breaches to the client organisation.

There are similar breach notification requirements to those under the GDPR (though thresholds differ). See the aosphere Breach Response app for critical breach notification requirements.