Sample content:
Data Privacy - Singapore
This is a sample "speed read" summary of data privacy obligations in Singapore taken from Rulefinder Data Privacy, published 5th August 2024.
The full report, available to subscribers and those on a free trial, includes access to a detailed legal memorandum, Breach Response App, Horizon Scanning and Sanctions Tracking, Schrems II Toolkit and Territorial Scope View, all supported by daily monitoring and alerts.
Overview
High complexity
Laws: Personal Data Protection Act 2012 (PDPA)
Extra-territorial scope: Yes - see Survey A2
Regulator: PDPC (Personal Data Protection Commission)
What data is covered?
Data protection laws in Singapore apply to Personal Data: data about an individual who can be identified from that data, or from that data combined with other information to which the organisation has or is likely to have access.
Sensitive data is not separately classified in the law but the PDPC expects a high standard of security for more sensitive Personal Data, e.g. national identification numbers, finance information, health and data about children.
Key risks and considerations
- Robust regime; PDPC guidance regularly referenced in enforcement
- Wide range of processing grounds
- Robust rules around international transfers enforced by the PDPC
- Strict data breach notification obligations (individuals and regulator)
- Specific laws governing the sending of marketing communications
Compliance overview
Register with regulator: There is no general requirement to register with the PDPC.
Appoint a DPO: All organisations must appoint a DPO.
Appoint a CISO: Not required though the DPO may be responsible for information security issues.
Formal compliance programme: Organisations must implement a privacy policy and a complaints process, communicate them to staff, and make them available to individuals on request.
Publish/provide privacy notice: Required.
Maintain records of activities: PDPC recommends maintaining a data inventory or data flow diagram and has provided example templates.
Enforcement and top fines
- Maximum possible fine: 10% of annual turnover in Singapore for an organisation whose annual turnover in Singapore exceeds S$10 million, or S$1 million in any other case.
- Regulator powers: The PDPC has wide inspection and sanctioning powers. It is empowered to conduct investigations and on-site inspections, and request documents. The PDPC can and does also issue compliance directions.
- Top fine imposed to date: S$750,000 (a data breach involving over 1.5m patients)
- Personal criminal sanctions are possible (though no prosecutions have yet been made).
See the aosphere Enforcements Tracker for an up-to-date record of global enforcement action.
Lawful basis
Consent is required to process Personal Data, unless processing falls within an exception. Consent may be deemed to be provided in certain circumstances. Exceptions include legitimate interests or where processing is necessary to comply with a legal obligation, for evaluative purposes or to protect an individual's vital interests. In addition, in all cases the processing purpose must be one a reasonable person would consider appropriate in the circumstances.
Data transfers
Personal Data may only be transferred with the individual’s consent unless an exemption applies. Transfers outside Singapore may only be made if the recipient has legally enforceable obligations to protect the data to a standard comparable to the PDPA standard (satisfied by APEC CBPR certification, contract or binding corporate rules).
Consent may also be relied on for international transfer but is subject to specific information requirements. The PDPC recommends that organisations only rely on consent or other grounds if unable to rely on APEC CBPR certification or contract.
See the International Data Transfers app for a summary of how to transfer Personal Data to other jurisdictions.
Service providers
Service providers who are Data Intermediaries - processing Personal Data on behalf of another organisation under a contract - are only required to comply with the PDPA obligations on security and data retention, and to notify data breaches to the client organisation.
Breach response
There are similar breach notification requirements to those under the GDPR (though thresholds differ). See the aosphere Breach Response app for critical breach notification requirements.
Find out how aosphere can help
Rulefinder Data Privacy is an easy-to-use online resource that provides practical analysis of data protection and privacy laws across key global markets. The analysis is simple to access online, easy to navigate and maintained by a dedicated team of senior lawyers.