Personal Data Protection Act (PDPA)

Personal Data Protection Act (PDPA) is a personal data protection act to govern the collection, use, and disclosure of personal data by organizations in Singapore. It came into effect on 2 July 2014. The Personal Data Protection Commission (PDPC) was established on 2 January 2013 to administer and enforce the PDPA. There are heavy penalties for not adhering to PDPA. Fine can be up to S$1 million and the company may suffer reputational risk.

Obligations of PDPA

PDPA is applicable for personal data stored in electronic as well as non-electronic format. 

As per PDPA, the personal details should be managed by the companies collecting it and should adhere to the following guidelines:

  • Used only for the purpose it has been collected for.
  • Inform the person the reason for collection and how and who would be using it.
  • Get the required permission from the individual to use the data. 
  • Make sure the information is complete and accurate before any decisions are taken.
  • Transfer the data to another country only as per the prescribed regulations set by PCPD.
  • Protect the data from being leaked and used by unauthorized individuals.
  • Destroy the data securely if no longer needed.
  • Notify PDPC and the individual in case of any data breach. 

Scope of PDPC

The PDPC serves as Singapore’s main authority in matters relating to personal data protection and represents the Singapore Government internationally on data protection-related issues. The PDPC administers and enforces the PDPA to protect individuals’ personal data and the needs of organizations to use the data for legitimate purposes.

PDPC also formulates and implements policies relating to the protection of personal data, including the relevant regulations and advisory guidelines, to help organizations understand and comply with the PDPA. From time to time, PDPC also reviews organizational actions concerning data protection rules and issues decisions or directions for compliance where necessary.

In addition, the PDPC oversees the development and operation of the Do Not Call (DNC) Registry. Individuals and companies can opt to register their Singapore telephone numbers with the DNC Register to stop receiving unwanted telemarketing calls, messages and faxes.