1. Applicable legislation governing data protection in Singapore

The national data protection legislation in Singapore is the Personal Data Protection Act 2012 (No 26 of 2012) (the “PDPA”) and its accompanying subsidiary legislation.

2. Comparison of the national data protection legislation with the GDPR

2.1 Categories of data

The PDPA defines “personal data” as data, whether true or not, about an individual who can be identified – (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access. However, there are some important exemptions under the PDPA such as:

  • business contact information, i.e. an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his/her personal purposes;
  • publicly available personal data; and
  • personal data of employees for the purpose of managing or terminating an employment relationship. 

Unlike the GDPR, the PDPA does not provide for “special categories of data” or sensitive personal data, although the regulator has issued guidelines on the collection, use, and disclosure of national identification numbers (e.g. the National Registration Identity Card (NRIC) numbers, Foreign Identification Numbers (FIN), Work Permit numbers, and passport numbers) and has also considered the sensitive nature of the personal data in the application of the law.

2.2 Data Controller and Processor Obligations

Data Controller

The PDPA uses a similar concept to a “data controller” but adopts the more general term “organisation”, when defining the entity which is subject to the PDPA’s obligations.

The PDPA defines an “organisation” as any individual, company, association or body of persons, corporate or unincorporated, whether or not (a) formed or recognised under the law of Singapore; or (b) resident or having an office or a place of business in Singapore.

Data Processor

The PDPA uses the concept of a “data processor” but adopts the term “data intermediary”, defined as “an organisation which processes personal data on behalf of another organisation”.

Under the PDPA, in respect of its processing of personal data on behalf of and for the purposes of another organisation, the data intermediary’s obligations are limited to the protection, retention and data breach notification obligations.  

2.3 Data subjects’ rights

In general, the PDPA provides the following rights to individuals, subject to certain exemptions:

  • the right to access personal data;
  • the right to correct personal data;
  • the right to withdraw consent; and
  • the right to data portability.

The GDPR is more expansive in providing for additional rights, such as a right to restrict processing, a right to erasure, and a right to object to automated decision-making.

2.4 Protection granted

Under the PDPA, organisations are subject to 10 main obligations, namely the Consent, Notification, Purpose Limitation, Access and Correction, Accuracy, Protection, Retention, Transfer Limitation, Data Breach Notification and Accountability obligations.

A breach of any of these obligations could result in a complaint being filed with the regulator. The regulator may also initiate an investigation on its own motion, for example where a data breach is reported in the media.

Individuals resident in Singapore are entitled to expect organisations, whether in Singapore or elsewhere, to comply with all of the obligations under the PDPA.

This is generally similar to the requirements under the GDPR, except that organisations should take care to understand the regulators’ guidance on what is considered “reasonable and appropriate” in each jurisdiction.

The regulator may, upon complaint or of its own motion, investigate to determine whether an organisation is complying with the PDPA.

Upon being satisfied that an organisation has not complied with any of the data protection obligations, the regulator may give an organisation any directions the regulator thinks fit in the circumstances to ensure compliance with that provision, including to stop collecting, using or disclosing personal data in contravention of the PDPA, or to destroy personal data collected in contravention of the PDPA.

2.5 Data protection officer/Representative

Unlike the GDPR which requires specific types of data controllers and processors to appoint a DPO, the PDPA requires all organisations to designate one or more individuals to be the Data Protection Officer (“DPO”), responsible for ensuring that the organisation complies with the PDPA. There is no mandatory requirement to register a DPO, but the regulator maintains a register of DPOs of organisations registered in Singapore.

2.6 Remedies

Under the PDPA, the regulator has the right to investigate and take action against any organisation, whether or not based in Singapore, for a breach of the PDPA.

There is also a private right of action under the PDPA that allows individuals to take legal action against organisations for a breach. There are however currently no class action provisions for breach of the PDPA.

2.7 Fines

Currently, the regulator may also impose a financial penalty of up to S$200,000 (in the case of an individual), or S$1 million (in any other case).

Please note that the maximum financial penalty for organisations will be increased in the future to 10% of the organisation’s annual turnover in Singapore where the turnover exceeds S$10 million, or S$1 million, whichever is higher.

2.8 Other major differences

Exceptions to consent

The PDPA provides a wide range of exceptions to the consent requirement, including:

  1. exemptions for all Singapore public agencies;
  2. processing for evaluative purposes (such as for the purpose of determining the suitability, eligibility or qualifications of the individual for employment, appointment to office, promotion, or removal from employment or office); and
  3. processing for business improvement purposes.

Applicability of deemed consent

The concept of deemed consent is established in the PDPA, whereas the GDPR requires that for an individual to have given consent, he or she must have provided a freely given, specific, informed and unambiguous indication of his or her agreement to the processing of his or her personal data.

In addition to having deemed consent by contractual necessity, which may be similar to the GDPR’s lawful basis for the performance of a contract, the PDPA also provides for different forms of deemed consent: (a) deemed consent by conduct; and (b) deemed consent by notification.

That said, note that the exceptions to consent under the PDPA have been streamlined and categorised broadly in ways that are similar to the GDPR’s six legal bases for the processing of personal data, although there are additional exceptions applicable under the PDPA, as described above.

Applicability to deceased data subjects

Unlike the GDPR, which does not apply to deceased individuals, the PDPA obligations relating to the disclosure and protection of personal data apply to individuals who are deceased for a period of 10 years after their death.

Data breach notification

The PDPA also imposes an obligation on an organisation to notify the regulator of a notifiable data breach. A data breach is notifiable when it results in, or is likely to result in, significant harm to an affected individual. In addition, and unlike the GDPR, a data breach is also notifiable if it is, or is likely to be, of a significant scale (i.e. 500 affected individuals or more).

Upon assessing that the data breach is notifiable, the organisation must notify the regulator as soon as is practicable, but no later than 3 calendar days. However, unlike the GDPR, organisations have a duty to first conduct an assessment of the data breach, in a reasonable and expeditious manner (within 30 days), to determine whether it is notifiable. Do note that the 3 calendar day timeline for notifying the regulator starts only once the organisation has assessed that the data breach is notifiable.

3. The GDPR impact

3.1 On existing legislation and prospective rules

The PDPA was passed by the Singapore Parliament in 2012, came into full force in 2014, and has recently undergone significant amendments in 2021. Some of these amendments align the PDPA more closely with the GDPR, such as the introduction of the mandatory data breach notification requirement and the streamlining of the exceptions to consent to be categorised broadly in ways that are similar to the GDPR’s six legal bases for the processing of personal data.

3.2 In practice

An organisation should first ascertain whether it falls within the scope of the GDPR.

If so, in addition to compliance with the PDPA, additional steps should be taken to comply with the GDPR (e.g. to put in place processes to manage the additional data subject rights under the GDPR that are not present in the PDPA).

Conversely, organisations cannot simply rely on compliance with the GDPR as there are additional requirements under the PDPA they must comply with. GDPR compliance, whilst important, does not ensure compliance with local data protection laws.

4. Conclusions/expectations/commentary

The PDPA has recently undergone significant amendments, only about 6 years after it came into full force in July 2014. While many of the amendments seek to align the data protection requirements in Singapore with the requirements under the GDPR, it is notable that some amendments diverge from the GDPR requirements (such as the expansion of deemed consent under the recent amendments).

In tandem with the increasing reliance on the personal data of individuals in the course of business, there has been an emphasis on accountability. Notably, an obligation under the PDPA requires an organisation to be accountable for how it discharges its responsibility for personal data in its possession or under its control. This includes requiring organisations to continually ensure their compliance with the PDPA, and to develop and implement the policies and practices necessary to meet their obligations under the PDPA.

Also, in line with the concept of accountability, the Infocomm Media Development Authority (“IMDA”) introduced the Data Protection Trustmark Certification (“DPTM”). The DPTM is a voluntary enterprise-wide certification programme for organisations to demonstrate accountable data protection practices. Consumers dealing with a DPTM-certified organisation can be assured that the organisation has put in place responsible data protection practices and will take better care of an individual’s personal data. As of 30 April 2021, 52 organisations in Singapore are certified with the DPTM.