Singapore

The Personal Data Protection Act 2012 (PDPA) is Singapore's data protection law that is regulated by the Personal Data Protection Commission (PDPC). Key reforms to the PDPA in 2021 include mandatory data breach notification requirements and prohibitions on dictionary attacks and address-harvesting software. The PDPA and Cybersecurity Act 2018 establish Singapore's legal framework for personal data protection and cybersecurity. The PDPC has issued guidelines clarifying the PDPA and actively enforces it.

Law: Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA')

Regulator: Personal Data Protection Commission ('PDPC')

Summary: The PDPA provides for general personal data protection requirements and
contains provisions on data subject rights, the appointment of a data protection officer, as
well as obligations for organisations and data intermediaries. Furthermore, amendments to
the PDPA entered into force on 1 February 2021, introducing a number of key reforms,
including mandatory data breach notification requirements, amendments to the consent
obligation, offences for egregious mishandling of personal data, prohibitions relating to the
use of dictionary attacks and address-harvesting software, and the PDPC's power to accept
voluntary undertakings as part of its enforcement regime.

In addition to the PDPA, the Cybersecurity Act 2018 (No. 9 of 2018) sets out the regulatory
framework governing cybersecurity in Singapore and stipulates requirements for operators of
critical information infrastructure. The PDPC has also released a number of advisory
guidelines which provide clarification on its interpretation of the PDPA and is active in its
enforcement activities.

Legal Bases

1. Consent

Under the Consent Obligation, organisations are required to obtain individuals' consent
to collect, use, or disclose their personal data unless such collection, use, or disclosure
is required or authorised under the PDPA or any other written law.

Consent is not required for the collection, use, and disclosure of personal data where
the specific exceptions in the First Schedule and the Second Schedule to the PDPA
apply, for example where the collection, use, or disclosure of personal data about an
individual is:

- necessary for any purpose which is clearly in the interests of the individual, and:
  - consent for the collection, use, or disclosure cannot be obtained in a timely way; or
  - the individual would not reasonably be expected to withhold consent;
- publicly available;
- in the national interest; and
- in the legitimate interests of the organisation or another person, and the legitimate interests of the organisation or other person outweigh any adverse effect on the individual.

An organisation is further required to state the purposes for which it is collecting, using,
or disclosing the data under the Notification Obligation. Where the supply of a product
or service is conditional upon consent being given by an individual, such consent must
not extend beyond what is reasonable to provide that product or service.

Individuals can be deemed to have given consent when they voluntarily provide their
personal data for a purpose, and it is reasonable that they would voluntarily provide
such data. The PDPA provides for three different forms of deemed consent:

- deemed consent by conduct;
- deemed consent by contractual necessity; and
- deemed consent by notification.

According to the PDPC's Key Concepts Guidelines, deemed consent by conduct applies
to situations where the individual voluntarily provides their personal data to the
organisation. The purposes are limited to those that are objectively obvious and
reasonably appropriate to the surrounding circumstances. Consent is deemed to be
given to the extent that the individual intended to provide their personal data and had
taken the action required for the data to be collected by the organisation. The onus is
on the organisation to ensure that individuals are aware of the purposes for which their
personal data is being collected, used, or disclosed.

Deemed consent by contractual necessity is where the disclosure of personal data from
one organisation A to another organisation B is necessary for the conclusion or
performance of a contract or transaction between the individual and organisation A.
Deemed consent by contractual necessity extends to disclosure by organisation B to
another downstream organisation C where the disclosure by organisation B (and
collection by organisation C) is reasonably necessary to fulfil the contract between the
individual and A.

Under deemed consent by notification, an individual may be deemed to have consented
to the collection, use, or disclosure of personal data for a purpose that the individual
had been notified of, and where that individual has not taken any action to opt-out of
the collection, use, or disclosure of their personal data. The Key Concepts Guidelines
provide that deemed consent by notification is useful where the organisation wishes to
use or disclose existing data for secondary purposes that are different from the primary
purposes for which it had originally collected the personal data, and it is unable to rely
on any of the exceptions to consent for the intended secondary use.

Reliance on deemed consent by notification is subject to the organisation assessing and
determining whether certain prior conditions are met. First, an organisation must
conduct an assessment to determine that the proposed collection, use, or disclosure of
personal data is not likely to have an adverse effect on the individual. Second, an
organisation must take reasonable steps to notify the individual of the organisation's
intention to collect, use, or disclose the personal data and the purpose of such
collection, use, or disclosure. Third, the organisation must provide a reasonable period
for the individual to opt-out before it proceeds to collect, use, or disclose the personal
data. Consent for the collection, use, or disclosure of personal data is deemed to be
given only after the opt-out period has lapsed. According to the Key Concepts
Guidelines, deemed consent by notification should not be relied on where individuals
would not have a reasonable opportunity and period to opt-out (e.g. security
monitoring of premises using video cameras).

Individuals can generally withdraw any consent given or deemed to have been given at
any time by giving reasonable notice. On receipt of notice that an individual wishes to
withdraw consent, the organisation must inform the individual of the likely
consequences of such a withdrawal of consent. While the organisation may not prohibit
an individual from withdrawing their consent, the withdrawal does not affect any legal
consequences arising from it (e.g. cessation of services provided by the
organisation). Withdrawal of consent applies prospectively and will only affect an
organisation's continued or future use of the personal data concerned. Organisations
are also required to cause their agents and data intermediaries to cease collection, use,
or disclosure of the individual's personal data when consent is withdrawn.

An organisation collecting personal data from a third-party source is required to notify
the source of the purposes for which it will be collecting, using, and disclosing the
personal data. Moreover, the organisation should exercise the appropriate due
diligence to check and ensure that the third-party source can validly give consent for the
collection, use, and disclosure of personal data on behalf of the individuals or that the
source had obtained consent for the disclosure of the personal data.

2. Contract with the data subject

Where an organisation enters into a contract with an individual, the individual may be
deemed to have given their consent for the collection, use, or disclosure of personal
data (as the case may be). An individual gives deemed consent if the individual, without
actually giving consent, voluntarily provides the personal data to the organisation for
that purpose, and it is reasonable that the individual would voluntarily provide the data.

3. Legal obligations

An organisation is able to collect, use, and disclose personal data without consent
where it is required or permitted under law. For example, under Part 3(4) of the Second
Schedule to the PDPA, disclosure of personal data without consent is permitted where it
is made to any officer of a prescribed law enforcement agency, upon production of
written authorisation signed by the head or director of that law enforcement agency or
a person of a similar rank, certifying that the personal data is necessary for the
purposes of the functions or duties of the officer.

4. Interests of the data subject

An organisation is able to collect, use, and disclose personal data where it is in the vital
interests of the individual in question. Under Part 1 of the First Schedule to the PDPA,
the collection, use, or disclosure of personal data is permitted without the consent of
the individual where (amongst others):

- the disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way; or
- the disclosure is necessary to respond to an emergency that threatens the life, health, or safety of the individual or another individual.

5. Public interest

An organisation is able to collect, use, and disclose personal data without consent
where it is in the public interest. For example, under Part 2(2) of the First Schedule to
the PDPA, the collection, use, or disclosure of personal data is permitted without the
consent of the individual where the collection, use, or disclosure is necessary in the
national interest.

6. Legitimate interests of the data controller

An organisation is able to collect, use, and disclose personal data without consent
where it is in the legitimate interests of the organisation. Under Part 3 of the First
Schedule to the PDPA, subject to certain requirements, organisations will be able to
collect, use, and disclose (as the case may be) personal data about an individual if:

- it is in the legitimate interests of the organisation or another person; and
- the legitimate interests of the organisation or other person outweigh any adverse effect on the individual.

Before relying on the legitimate interests exception, an organisation must conduct an
assessment, i.e. a DPIA, in accordance with the prescribed requirements. The
organisation must, in respect of the DPIA, be able to:

- identify and be able to clearly articulate the situation or purpose that qualifies as a legitimate interest;
- identify and implement reasonable measures to eliminate or reduce the likelihood of the occurrence of, or mitigate, the adverse effect of the processing of personal data on the individual; and
- comply with any prescribed requirements.

An organisation relying on the legitimate interests exception to collect, use, or disclose
personal data without consent must take reasonable steps to give the individual
reasonable access to information indicating that the organisation is relying on the exception.

The legitimate interests exception does not apply to the processing of personal data for
the purposes of sending an individual a message for an 'applicable purpose' as
prescribed in the Tenth Schedule of the PDPA.

7. Legal bases in other instances

In general, organisations may collect, use, or disclose personal data as long as an
exception under the First Schedule or Second Schedule to the PDPA applies.

Principles

The Data Protection Provisions under the PDPA impose the following data protection
obligations on organisations in respect of their data activities:

- Consent Obligation: An organisation must obtain an individual's consent before collecting, using, or disclosing their personal data for a purpose (Sections 13 to 17 of the PDPA).
- Purpose Limitation Obligation: An organisation may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (Section 18 of the PDPA).
- Notification Obligation: An organisation must notify the individual of the purpose(s) for which it intends to collect, use, or disclose their personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes (Sections 18 and 20 of the PDPA).
- Access and Correction Obligation: An organisation must, upon request, allow an individual to access and/or correct their personal data in its possession or under its control. In addition, the organisation is obliged to provide the individual with information about the ways in which personal data may have been used or disclosed during the past year (Sections 21 and 22 of the PDPA).
- Accuracy Obligation: An organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned, or disclose such personal data to another organisation (Section 23 of the PDPA).
- Protection Obligation: An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent: (a) unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored (Section 24 of the PDPA).
- Retention Limitation Obligation: An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which it was collected and is no longer necessary for legal or business purposes (Section 25 of the PDPA).
- Transfer Limitation Obligation: An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA (Section 26 of the PDPA).
- Accountability Obligation: An organisation must appoint a person to be responsible for ensuring that it complies with the PDPA, typically referred to as a DPO, and develop and implement policies and practices that are necessary to meet its obligations under the PDPA, including a process to receive complaints. In addition, the organisation is required to communicate to its staff information about such policies and practices and make information available upon request to individuals about such policies and practices (Sections 11 and 12 of the PDPA).
- Data Breach Notification Obligation: An organisation must assess data breaches that have occurred affecting personal data in its possession or under its control, and is required to notify the PDPC, as well as affected individuals, of the occurrence of certain data breaches (notifiable data breaches) (Sections 26A to 26E of the PDPA).

In addition, the Amendment Act will also introduce one further data protection
obligation (which has yet to come into effect):

- Data Portability Obligation: Upon an organisation's receipt of a data porting request from an individual, the porting organisation must transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any prescribed requirements, such as requirements relating to technical, user experience, and consumer protection matters.

Controller and Processor Obligations

1. Data processing notification

There is no obligation imposed on an organisation to notify or register with the PDPC
before collecting, using, or disclosing any personal data in Singapore.

2. Data transfers

Organisations are subject to the Transfer Limitation Obligation. An organisation must
not transfer personal data to a country or territory outside Singapore except in
accordance with the requirements prescribed under the PDPA to ensure that the
transferred personal data will be accorded a standard of protection that is comparable
to that under the PDPA.

To do so, the organisation must generally ensure that the recipients of such personal
data are bound by legally enforceable obligations to provide to the transferred personal
data a standard of protection that is at least comparable to the protection under the
PDPA. These 'legally enforceable obligations' include those imposed under law,
contract, Binding Corporate Rules ('BCRs'), or any other legally binding instrument.

In addition, organisations that hold a 'specified certification' that is granted or
recognised under the law of the country or territory to which personal data is
transferred will be taken to be bound by such legally enforceable obligations. Under the
Personal Data Protection Regulations, a 'specified certification' refers to certifications
under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPR')
System and the APEC Privacy Recognition for Processors ('PRP') System. A recipient is
taken to have satisfied the requirements under the Transfer Limitation Obligation if:

- it is receiving the personal data as an organisation, and it holds a valid APEC CBPR certification; or
- it is receiving the personal data as a data intermediary, and it holds either a valid APEC PRP or CBPR certification or both.

A contract that is relied on as a legally enforceable obligation for the cross-border
transfer of personal data must:

- require the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA; and
- specify the countries and territories to which the personal data may be transferred under the contract.

Similarly, BCRs that are relied on as legally enforceable obligations for the cross-border
transfer of personal data must:

- require every recipient of the transferred personal data to provide to the personal data a standard of protection that is at least comparable to the protection under the PDPA;
- specify the recipients of the transferred personal data to which the BCRs apply;
- specify the countries and territories to which the personal data may be transferred under the BCRs; and
- specify the rights and obligations provided by the BCRs.

BCRs may only be used for recipients that are related to the transferring organisation. A
recipient of personal data is considered 'related' to the transferring organisation if:

- the recipient, directly or indirectly, controls the transferring organisation;
- the recipient is, directly or indirectly, controlled by the transferring organisation; or
- the recipient and the transferring organisation are, directly or indirectly, under the control of a common person.

There are a few express situations whereby an organisation can be taken to have
satisfied the requirement of taking appropriate steps to ensure that the recipient
outside Singapore is bound by legally enforceable obligations to protect personal data
in accordance with comparable standards. These include:

- where the individual consents to, or is deemed to have consented to, the transfer of the personal data to the recipient in that country;
- where the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA, subject to the transferring organisation taking reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose; and
- where the personal data is data in transit or publicly available in Singapore.

3. Data processing records

There is no obligation imposed on an organisation to maintain any data processing
records. However, all organisations should ensure that they comply with the Data
Protection Provisions of the PDPA in carrying out their data activities.

4. Data protection impact assessment

Whilst there is no standalone obligation to conduct a DPIA under the PDPA, there are
provisions in the PDPA which require organisations to conduct 'assessments' (which
may be narrower in scope than a full DPIA) under certain circumstances. Specifically, the
obligation to conduct certain assessments under the PDPA falls on organisations
(Section 15A(4)(a) of the PDPA and Section 3 of Part 3 of the First Schedule). In addition,
the PDPC recommends that a DPIA is undertaken, as part of an organisation's 'Data
Protection Management Programme' and their obligation to develop and implement
policies and practices that are necessary for the organisation to comply with the PDPA
(Page 5 of the DPIA Guide and Pages 12 to 13 of the Management Programme Guide). In
particular, the conduct of a DPIA should be led by, among others, the project manager
or person in charge of the project and the data protection officer ('DPO'), as well as
senior management within an organisation (Page 8 of the DPIA Guide).

Mandatory

The PDPA requires an assessment to determine whether the proposed collection, use,
or disclosure of personal data is likely to have an adverse effect on the individual
concerned in the following circumstances:

- when the organisation intends to rely on the individual's 'deemed consent by notification' under Section 15A of the PDPA (Section 15A(4)(a) of the PDPA); and
- when the collection, use, or disclosure of personal data is carried out in the legitimate interests of the organisation or another person, pursuant to Part 3 of the First Schedule (Paragraph 3 of Part 3 of the First Schedule).

For the above purposes, an individual is 'deemed' to have provided consent to the
processing of their personal data if (Section 15A(2) of the PDPA):

- the organisation satisfies the requirements to conduct an assessment pursuant to Section 15A(4); and
- the individual does not notify the organisation, before the expiry of the period mentioned in the organisation's notice to the individual, that the individual does not consent to the proposed collection, use, or disclosure of personal data by the organisation.

Notably, where it is assessed that there are likely residual adverse effects to the
individual after implementing the measures identified in the assessment, organisations
will not be able to rely on deemed consent by notification to collect, use, or disclose
personal data for the purpose (Section 12.67 of the Advisory Guidelines).

Conversely, however, organisations may still rely on legitimate interests to process
personal data, if the assessment indicates that the legitimate interests outweigh any
likely residual adverse effect to the individual (Section 12.67 of the Advisory Guidelines).

Where an assessment is required under the PDPA (i.e. for deemed consent or for
processing based on the legitimate interests of the organisation or another person), the
organisation must (Section 15A(5) of the PDPA and Paragraph 3 of Part 3 of the First
Schedule):

- identify any adverse effect that the proposed collection, use, or disclosure of the personal data for the purpose concerned is likely to have on the individual;
- identify and implement reasonable measures to:
  - eliminate the adverse effect;
  - reduce the likelihood that the adverse effect will occur; or
  - mitigate the adverse effect; and
- comply with any other prescribed requirements.

Assessments for the purposes of deemed consent

According to Section 14(2) of the Regulations, an assessment mentioned in Section
15A(4)(a) of the PDPA to determine whether the proposed processing activity is
likely to have an adverse effect on an individual must specify all of the following
information:

- the types and volume of personal data to be processed;
- the purpose or purposes for which the personal data will be processed;
- the method or methods by which the personal data will be processed;
- the mode by which the individual will be notified of the organisation's proposed processing activities; and
- the period within which, and the mode by which, the individual may notify the organisation that the individual does not consent to the organisation's proposed processing activities, as well as the rationale for the same.

Assessments for the purposes of legitimate interests

According to Section 14(2) of the Regulations, an assessment mentioned in Part 3 of the
First Schedule must:

- specify:
  - the types and volume of personal data to be processed;
  - the purpose or purposes for which the personal data will be processed; and
  - the method or methods by which the personal data will be processed;
- identify any residual adverse effect on any individual after implementing any reasonable measures mentioned in Paragraph 1(3)(b) of Part 3 of the First Schedule;
- identify the legitimate interests that justify the processing and, where the legitimate interests identified relate to a person other than the organisation, identify that other person by name or description; and
- set out the reasons for the organisation's conclusion that the legitimate interests identified outweigh any adverse effect on the individual.

Other guidance

According to the Advisory Guidelines, the PDPC considers adverse effects to include any
physical harm, harassment, serious alarm, or distress to the individual (Section 12.65 of
the Advisory Guidelines). In considering the likely adverse effect, the organisation
should consider the following (Section 12.69 of the Advisory Guidelines):

- the impact of the collection, use, or disclosure of the personal data on the individual, including the severity and likelihood of an adverse effect and considering all reasonably foreseeable risks and effects;
- the nature and type of personal data, and whether the individuals belong to a vulnerable segment of the population;
- the extent of the collection, use, or disclosure of personal data, and how the personal data will be processed and protected;
- the reasonableness of the purpose of collection, use, or disclosure of personal data; and
- whether the predictions or decisions that may arise from the collection, use, or disclosure of the personal data are likely to cause physical harm, harassment, serious alarm, or distress to the individual.

Furthermore, in determining whether the measures implemented to eliminate or
mitigate the likely adverse effects identified are appropriate, the PDPC adopts a
commercially reasonable standard. Examples of reasonable measures and safeguards
include (Section 12.66 of the Advisory Guidelines):

- minimising the amount of personal data collected;
- encrypting personal data, or deleting it immediately after use; and
- functional separation, access controls, and other technical or organisational measures that lower the risks of personal data being used in ways that may adversely impact the individual.

Recommended

Separately, the PDPC outlines that a DPIA may be conducted where the system/process
is (Page 7 of the DPIA Guide):

- new and in the process of being designed; or
- in the process of undergoing major changes.

Examples of when to conduct a DPIA include (Page 8 of the DPIA Guide):

- creating a new system that involves handling personal data;
- creating new processes, including manual processes, that involve handling personal data;
- changing the way existing systems or processes handle personal data;
- changes to the organisational structure that affect the department handling personal data; and
- collecting new types of personal data.

According to the DPIA Guide, the key tasks in a DPIA include (Page 7 of the DPIA Guide):

- identifying the personal data handled by the system or process, as well as the reasons for collecting the personal data;
- identifying how the personal data flows through the system or process;
- identifying data protection risks by analysing the personal data handled and its data flows against PDPA requirements or data protection best practices;
- addressing the identified risks by amending the system or process design, or introducing new organisation policies; and
- checking to ensure that identified risks are adequately addressed before the system or process is in effect or implemented.

In addition, the PDPC recommends that a DPIA is undertaken, as part of an
organisation's 'Data Protection Management Programme' and their obligation to
develop and implement policies and practices that are necessary for the organisation to
comply with the PDPA (Page 5 of the DPIA Guide and Pages 12 to 13 of the Management
Programme Guide).

The obligation to conduct certain assessments under the PDPA falls on organisations
(Section 15A(4)(a) of the PDPA and Section 3 of Part 3 of the First Schedule).

Separately, the recommendation to undertake a DPIA is also directed at organisations
that are subject to the PDPA (Page 5 of the DPIA Guide). In particular, the conduct of a
DPIA should be led by, among others, the project manager or person in charge of the
project and the DPO, as well as senior management within an organisation (Page 8 of
the DPIA Guide).

How to conduct a DPIA

For the requirement to conduct an assessment under Section 15A(5) of the PDPA and
Paragraph 3 of Part 3 of the First Schedule, Annex B and Annex C of the Advisory
Guidelines provides an assessment checklist for deemed consent and legitimate
interests respectively.

Separately, the DPIA Guide also includes a DPIA lifecycle which outlines the six phases
of a DPIA:

1. assessing the need for a DPIA;
2. planning a DPIA;
3. identifying personal data and personal data flows;
4. identifying and assessing data protection risks;
5. creating an action plan; and
6. implementing and monitoring action plans.

In addition, it provides example scenarios of when organisations may decide to conduct
a DPIA, sample DPIA questionnaires, and best practices (see Annexes A and B of the
DPIA Guide).

Retention of assessments

Organisations must retain a copy of their assessments mentioned in Section 15A(4)(a) of
the PDPA and Paragraph 3 of Part 3 of the First Schedule throughout the period that the
organisation collects, uses, or discloses the related personal data (Sections 14(3) and
15(3) of the Regulations).

Role of the DPO

The DPO has the following functions regarding DPIAs (Page 9 of the DPIA Guide):

- advising the DPIA lead throughout the DPIA process by:
  - identifying and mitigating identified data protection risks by providing support based on best practices adapted to the organisation's needs and circumstances;
  - defining and applying the risk assessment framework;
  - ensuring that DPIAs are conducted according to the organisation's policies and recommending improvements to the DPIA methodology based on industry best practices; and
  - reviewing the DPIA report prior to submission to management;
- developing templates/DPIA questionnaires necessary to complete the DPIA; and
- assisting in reviewing the DPIA when there is a change in risks to personal data protection.

Data Protection by Design

In addition, the PDPC notes that a DPIA is also a key component of taking a Data
Protection by Design approach, in which organisations consider the protection of
personal data from the earliest possible design stage, and throughout the operational
lifecycle, of the new system, process, product, or service. This way, the appropriate
safeguards to protect personal data would have been embedded within (Page 5 of the
DPIA Guide).

5. Data protection officer appointment

As part of the accountability obligation, it is mandatory for organisations to appoint a
DPO, or a panel of individuals designated as the DPO, to be responsible for ensuring
that the organisation complies with the PDPA. DPOs can be registered with the PDPC via
its website. The organisation must make the business contact information of the DPO
publicly available. The appointed DPO may delegate the responsibility conferred by this
appointment to appropriate individuals, although, as mentioned previously, the
organisation remains ultimately responsible for complying with the PDPA (Sections
11(4) and 11(6) of the PDPA). Organisations that have not appointed a DPO are in
breach of the accountability obligation and may be subject to a financial penalty. The
PDPC may also issue directions to that organisation to appoint a DPO.

Additionally, the PDPC has stated that recognition of the importance of data protection
and the central role performed by a DPO has to come from the very top of an
organisation and ought to be part of enterprise risk management frameworks. This
would allow the board of directors and C-level executives to be made cognisant of the
risks of a data breach (see Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC
15).

The organisation is also required to make available the business contact information of
a person who is able to respond to questions relating to the collection, use, or
disclosure of personal data on behalf of the organisation under the notification
obligation. This person may also be the designated DPO. Without limiting Section 11(5)
of the PDPA, an organisation is deemed to have satisfied that Section 11(5) of the PDPA
if the organisation makes available the business contact information of any individual
mentioned in Section 11(3) of PDPA in any prescribed manner (Section 11(5A) of the
PDPA). While there is no requirement that such a person must be located in Singapore,
to facilitate prompt responses to queries or complaints, the PDPC recommends as good
practice that the business contact information of this person should be readily
accessible from Singapore, operational during Singapore business hours and if
telephone numbers are used, they should be Singapore telephone numbers (the DPO
Guide and the DPO FAQs).

In terms of the choice of DPO, the PDPC has stated that the DPO ought to be appointed
from the ranks of senior management and be amply empowered to perform the tasks
that are assigned to them. If the DPO is not one of the C-level executives, the DPO
should have at least a direct line of communication with them. This level of access and
empowerment will provide the DPO with the necessary wherewithal to perform their
role and accomplish their functions (see Re M Stars Movers & Logistics Specialist Pte Ltd).

The responsibilities of a DPO may include, but are not limited to (the Data Protection
Officers ('the Guide') and the Data Protection Officer Competency Framework and
Training Roadmap ('the Framework')):

 ensuring compliance with the PDPA when developing and implementing policies
and processes for handling personal data;
 fostering a data protection culture among employees and communicating personal
data protection policies to stakeholders;
 managing personal data protection related queries and complaints;
 alerting management to any risks that might arise with regard to personal data;
 liaising with the PDPC on data protection matters, if necessary;
 performing Data Protection Impact Assessments to identify, assess and address
business risks, based on the organisation's functions, needs and processes;
 developing staff training programmes;
 overseeing activities to foster awareness within the organisation; and
 facilitating the implementation of data innovation by translating the user's privacy
and personal data protection requirements into the data-driven design thinking
process.

In addition, the Framework provides further guidance and outlines two roles in addition
to the DPO, namely the Data Protection Executive and the Regional DPO, both of which
have different functions and competencies. Separately, the PDPA does not
provide specific minimum requirements as to the qualifications of the DPO, nor does it
stipulate a minimum age requirement. However, the appointed person is expected to
have the appropriate expertise and knowledge to be able to ensure that the
organisation complies with the PDPA and develop a process to receive and respond to
complaints with respect to the application of the PDPA (the FAQs).

Furthermore, the Guide outlines that in order to build the personal data protection
capabilities of DPOs and organisation representatives engaged in data protection, a
two-day course on the fundamentals of the PDPA has been developed under the
Business Management Workforce Skill Qualifications framework. Finally, the Framework
provides guidance on the ideal competency and proficiency level for each job function
as well as the training roadmap recommended for the same. Relevant competencies
include inter alia:

 data protection management;
 business risk management;
 cyber and data breach incident management; and
 stakeholder management.

Please note that the PDPC does not prescribe that the DPO should be based in
Singapore; nevertheless, organisations need to ensure that the relevant person is
readily accessible from Singapore, is operational during Singapore business hours, and
maintains a Singapore telephone number (the Guide and the FAQs).

An individual designated as a DPO may delegate to another individual the
responsibilities conferred onto them (Section 11(4) of the PDPA). The designation of an
individual by an organisation under Section 11(3) of the PDPA shall not relieve the
organisation of any of its obligations under the PDPA (Section 11(6) of the PDPA).

Notification

An organisation shall make available to the public the business contact information of at
least one of the individuals designated under Section 11(3) of the PDPA or delegated
under Section 11(4) of the PDPA (Section 11(5) of the PDPA). Without limiting Section
11(5) of the PDPA, an organisation is deemed to have satisfied that Section 11(5) of the
PDPA if the organisation makes available the business contact information of any
individual mentioned in Section 11(3) of PDPA in any prescribed manner (Section 11(5A)
of the PDPA).

DPOs can be registered with the PDPC via its website.

6. Data breach notification

The Amendment Act introduced a new Data Breach Notification Obligation under Part
6A of the PDPA, which came into effect on 1 February 2021. Under this Data Breach
Notification Obligation, organisations are required to assess data breaches that have
occurred affecting personal data in their possession or under their control, and to notify
the PDPC, as well as affected individuals, of the occurrence of data breaches that meet
certain thresholds (i.e. notifiable data breaches), unless an exception applies.

A 'data breach', in relation to personal data, is defined as:

 the unauthorised access, collection, use, disclosure, copying, modification, or
disposal of personal data; or
 the loss of any storage medium or device on which personal data is stored in
circumstances where the unauthorised access, collection, use, disclosure, copying,
modification, or disposal of the personal data is likely to occur.

A notifiable data breach is a data breach that:

 results in, or is likely to result in, significant harm to any individual to whom any
personal data affected by the data breach relates; or
 is, or is likely to be, of a significant scale (i.e. 500 or more individuals).

Section 26C of the PDPA provides for a duty to assess, which requires an organisation to
conduct, in a reasonable and expeditious manner, an assessment of whether a data
breach is a notifiable data breach, if it has reason to believe that a data breach has
occurred affecting personal data in its possession or under its control.

Under Section 26D of the PDPA, where an organisation assesses that a data breach is a
notifiable data breach, the organisation must notify the PDPC as soon as is practicable,
but in any case no later than three calendar days after it makes the assessment.

Furthermore, unless an exception applies, organisations must, on or after notifying the
PDPC, notify the individuals affected by a notifiable data breach, if the data breach
results in, or is likely to result in, significant harm to an affected individual. The
notification should be in the form and manner as prescribed and contain information to
the best of the knowledge and belief of the organisation at the time.

Under the Breach Notification Regulations, a data breach is deemed to result in
significant harm to an individual if the data breach relates to:

 the individual's full name or alias or identification number, and any of the
personal data or classes of personal data relating to the individual set out in Part
1 of the Schedule, subject to Part 2 of the Schedule; or
 all of the following personal data relating to an individual's account with an
organisation:
o the individual's account identifier such as an account name or number; and
o any password, security code, access code, response to a security question,
biometric data, or other data that is used or required to allow access to or
use of the individual's account.

The categories under Part 1 of the Schedule to the Breach Notification Regulations
broadly include personal data in the following categories:

 financial information which is not publicly disclosed;
 personal data which would lead to the identification of vulnerable individuals (e.g.
leading to identification of a minor who has been arrested for an offence);
 life, accident, and health insurance information which is not publicly disclosed;
 specified medical information, including the assessment and diagnosis of HIV
infections;
 information related to adoption matters; and
 a private key used to authenticate or digitally sign an electronic record or
transaction.

One notable exception to the duty to notify is where a data breach takes place within an
organisation. A data breach that relates to the unauthorised access, collection, use,
disclosure, copying, or modification of personal data only within an organisation is
deemed not to be a notifiable data breach (Section 26B(4) of the PDPA). The PDPC
provides an example, in the Key Concepts Guidelines, of the HR department of an
organisation mistakenly sending an email attachment containing personal data to
another department within the same organisation that is not authorised to receive it.
Since the data breach is contained within the organisation, it is not a notifiable data
breach and the data breach is not subject to the Data Breach Notification Obligation.

The PDPC has also reminded organisations of their general duty to preserve evidence,
including but not limited to documents and records, in relation to an investigation by
the PDPC (see Re NTUC Income Insurance Co-operative  [2018] SGPDPC 10).

Where a data intermediary has reason to believe that a data breach has occurred in
relation to personal data that the data intermediary is processing on behalf of and for
the purposes of another organisation, the data intermediary must, without undue
delay, notify that other organisation of the occurrence of the data breach. The PDPC
provides that, as a good practice, organisations should establish clear procedures for
complying with the Data Breach Notification Obligation when entering into service
agreements or contractual arrangements with their data intermediaries.

Organisations are also subject to the Protection Obligation. An organisation
must protect personal data in its possession or under its control by making reasonable
security arrangements to prevent unauthorised access, collection, use, disclosure,
copying, modification, disposal, or similar risks, and the loss of any storage medium or
device on which personal data is stored. In this regard, the PDPC has published
the Guide to Securing Personal Data in Electronic Medium, the Guide to Data Protection
Practices for ICT Systems (which includes a Handbook on How to Guard Against
Common Types of Data Breaches and Checklists to Guard Against Common Types of
Data Breaches), and the Guide to Managing and Notifying Data Breaches (revised on 15
March 2021), which are intended to help organisations to identify, prepare for, and
manage data breaches.

Sectoral obligations

In relation to financial institutions ('FIs'), the Monetary Authority of Singapore ('MAS')
has issued Notices on Technology Risk Management (complemented by the Guidelines
on Outsourcing and the Technology Risk Management Guidelines ('the Risk
Management Guidelines')), which require FIs to notify the MAS of, amongst others,
breaches of security and confidentiality of the FI's customer information within the
following timeframes:

 within an hour of the discovery of a 'Relevant Incident', which is defined as 'a
system malfunction or IT security incident, which has a severe and widespread
impact on the financial institution's operations or materially impacts the financial
institution's service to its customers'; and
 'as soon as possible of any adverse development arising from (their) outsourcing
arrangements that could impact the institution' as well as any 'such adverse
development encountered within the institution's group'.

7. Data retention

The Retention Limitation Obligation in the PDPA requires an organisation to cease to
retain its documents containing personal data, or remove the means by which the
personal data can be associated with particular individuals, as soon as it is reasonable
to assume that the purpose for which that personal data was collected is no longer
being served by retention of the personal data, and such retention is no longer
necessary for legal or business purposes.

The PDPA does not prescribe a specific retention period for personal data, and the
duration of time whereby an organisation can retain personal data is assessed on a
standard of reasonableness, having regard to the purposes for which the personal data
was collected and retained. Accordingly, legal or specific industry-standard
requirements in relation to the retention of personal data may apply.

Where there is no longer a need for an organisation to retain personal data, the
organisation should cease to do so. An organisation will be deemed to have ceased to
retain personal data when it no longer has access to the documents and the personal
data they contain, or when the personal data is otherwise inaccessible to or
irretrievable by the organisation. In considering whether an organisation has ceased to
retain personal data the PDPC will consider the following factors in relation to the
personal data:

 whether the organisation has any intention to use or access the personal data;
 how much effort and resources the organisation would need to expend in order
to use or access the personal data again;
 whether any third parties have been given access to that personal data; and
 whether the organisation has made a reasonable attempt to destroy, dispose of,
or delete the personal data in a permanent and complete manner.

7.8. Children's data

There are no specific provisions regulating the processing of children's data. However,
see the definition of 'sensitive data' under the section on key definitions above.

Additionally, the PDPC has stated, in its Selected Topics Guidelines, that organisations
should generally consider whether a minor has sufficient understanding of the nature
and consequences of giving consent in determining if the minor can effectively provide
consent on their own behalf for the purposes of the PDPA.

The PDPC has also stated in the Selected Topics Guidelines that it would adopt the
practical rule of thumb that a minor who is at least 13 years of age would typically have
sufficient understanding to be able to consent on their own behalf. However, it also
states that where an organisation has reason to believe or it can be shown that a minor
does not have sufficient understanding of the nature and consequences of giving
consent, the organisation should obtain consent from an individual who is legally able
to provide consent on the minor's behalf, such as the minor's parent or guardian.

7.9. Special categories of personal data

See the definition of 'sensitive data' under the section on key definitions above.

7.10. Controller and processor contracts

The PDPA draws a distinction between an 'organisation' and a 'data intermediary' in
relation to the processing of personal data. The relevant definitions as set out in Section
2(1) of the PDPA are as follows:

An 'organisation' is defined as any individual, company, association, or body of persons,
corporate or unincorporated, whether or not:

 formed or recognised under the law of Singapore; or
 resident, or having an office or a place of business, in Singapore.

A 'data intermediary' is defined as an organisation which processes personal data on
behalf of another organisation but does not include an employee of that other
organisation.

'Processing' is defined as the carrying out of any operations or set of operations in
relation to the personal data, and includes any of the following:

 recording;
 holding;
 organisation, adaptation, or alteration;
 retrieval;
 combination;
 transmission; and
 erasure or destruction.

If an organisation is not a data intermediary, it is subject to the full set of data
protection obligations under the PDPA. In contrast, as elaborated on in the section on
personal scope above, other than the Protection Obligation, the Retention Limitation
Obligation, and the duty under the Data Breach Notification Obligation to notify the
organisation or public agency on whose behalf it is processing data of a data breach, no
other data protection obligations are imposed on a data intermediary with respect to its
processing of personal data for or on behalf of an organisation pursuant to a contract in
writing. Therefore, to avoid both parties having to answer to the Data Protection
Provisions to the full extent, the contract should state clearly the relationship and the
rights and obligations of both parties.

Even if an organisation engages a data intermediary to process personal data on its
behalf and for its purposes, Section 4(3) of the PDPA provides that it shall have the
same obligations as if the personal data were processed by the organisation itself.
Therefore, effectively, the organisation will remain liable for the actions and omissions
of the data intermediary for personal data that the data intermediary is processing on
the organisation's behalf.

In this regard, data intermediaries are typically subject to contractual obligations which
necessitate compliance with the other obligations of the PDPA. According to the Key
Concepts Guidelines, it is expected that organisations engaging data intermediaries
would generally have imposed obligations that ensure protection in the relevant areas
in the service agreement between the organisation and the data intermediary.

On 1 February 2021, the PDPC released a revised version of its non-legally
binding Guide on Data Protection Clauses for Agreements Relating to the Processing of
Personal Data, which provides sample data protection clauses that an organisation
purchasing services relating to the processing of personal data may include in the
service agreements with the data intermediaries.

If the organisation fails to put in place data protection clauses in such service
agreements, the organisation runs the risk of being held to have breached its Protection
Obligation by failing to take necessary actions and precautionary measures to protect
such personal data.

Penalties 

The PDPC is responsible for enforcing the PDPA. Where the PDPC is satisfied that an
organisation has breached the Data Protection Provisions under the PDPA, the PDPC is
empowered with wide discretion to issue such remedial directions as it thinks fit. These
include directions requiring the organisation to:

 stop collecting, using, or disclosing personal data in contravention of the PDPA;
 destroy personal data collected in contravention of the PDPA;
 provide access to or correct personal data; or
 pay a financial penalty of up to SGD 1 million (approx. €684,600).

The changes that will come into force at a later date under the Amendment Act will
empower the PDPC to impose higher financial penalties. In particular, the PDPC will be
empowered to impose a financial penalty on organisations in breach of the data
protection provisions in the PDPA, of up to a maximum of 10% of the organisation's
annual turnover in Singapore (if its annual turnover in Singapore exceeds SGD 10
million (approx. €6.85 million)), or up to SGD 1 million (approx. €684,600) in any other
case. An organisation's annual turnover in Singapore will be ascertained from the most
recent audited accounts of the organisation that are available at the time the financial
penalty is imposed. The Ministry of Communications and Information has indicated that
the enhanced financial penalty provisions will take effect from 1 October 2022.

In the course of its investigation, the PDPC may:

 by notice in writing, require an organisation to produce any specified document or
specified information or require any person within the limits of Singapore to
attend before the PDPC;
 by giving at least two working days' advance notice of intended entry, enter into
an organisation's premises without a warrant; and
 obtain a search warrant to enter an organisation's premises and take possession
of, or remove, any document.

Non-compliance with certain provisions under the PDPA may also constitute an offence,
for which a fine or a term of imprisonment may be imposed. The quantum of the fine
and the length of imprisonment (if any) vary, depending on which provisions are
breached.

For instance, a person found guilty of making requests to obtain access to or correct the
personal data of another without authority may be liable on conviction to a fine not
exceeding SGD 5,000 (approx. €3,420) or to imprisonment for a term not exceeding 12
months, or both (Section 51(2) of the PDPA).

The Amendment Act has also introduced further offences under the PDPA. Under the
new Section 48F, an individual commits an offence if they take any action to re-identify
or cause re-identification of a person to whom anonymised information in the
possession or under the control of an organisation or a public agency relates, where the
re-identification is not authorised by the organisation or public agency, and the
individual either knows that the re-identification is not authorised or is reckless as to
whether the re-identification is or is not authorised. The penalty is a fine not exceeding
SGD 5,000 (approx. €3,420) or imprisonment for a term not exceeding two years, or
both.

An organisation or person who obstructs or impedes the PDPC or an authorised officer,
or knowingly or recklessly makes a false statement to the PDPC, or knowingly misleads
or attempts to mislead the PDPC in the exercise of their powers or performance of their
duties under the PDPA, commits an offence for which that person would be liable upon
conviction to a fine of up to SGD 10,000 (approx. €6,850) and/or to imprisonment for a
term of up to 12 months (in the case of an individual), or a fine of up to SGD 100,000
(approx. €68,480) (in any other case) (Section 51(5) of the PDPA). Additionally, an
organisation or person who neglects or refuses to comply with an order to appear
before the PDPC, or without reasonable excuse neglects or refuses to furnish any
information or produce any document specified in a written notice to produce
information, will be guilty of an offence punishable by a fine not exceeding SGD 5,000
(approx. €3,420) or to imprisonment for a term not exceeding 12 months, or both (in
the case of an individual), and in any other case, to a fine not exceeding SGD 10,000
(approx. €6,850).

An aggrieved individual or organisation may make a written application to the PDPC to
reconsider its direction or decision. Thereafter, any individual or organisation aggrieved
by the PDPC's reconsideration decision may lodge an appeal to the Data Protection
Appeal Panel. Alternatively, an aggrieved individual or organisation may appeal directly
to the Data Protection Appeal Panel without first submitting a reconsideration request.
A direction or decision of the Data Protection Appeal Panel (via the Data Protection
Appeal Committee) may be appealed to the High Court on a point of law or where such
decision relates to the amount of a financial penalty. The decision of the High Court may
be further appealed to the Court of Appeal.

An individual who suffers loss or damage directly as a result of a contravention of the
provisions of the PDPA may also commence a private civil action. However, such a right
of private action is only exercisable after all avenues of appeal, in respect of the relevant
infringement decision issued by the PDPC, have been exhausted.

Enforcement decisions

Since 2016, the PDPC has released a series of enforcement decisions that are helpful in
clarifying the requirements under the PDPA in respect of personal data protection.
These enforcement decisions are generally accessible via the PDPC's website.

As of 1 March 2022, the PDPC has published a total of 203 grounds of decisions or
summaries of grounds of decisions, with a significant majority of these cases relating to
breaches of the Protection Obligation, under Section 24 of the PDPA. The most common
types of breaches of the Protection Obligation involve the deliberate disclosure of
personal data, poor technical security arrangements, poor physical security
arrangements, errors in mass email and/or post, and insufficient data protection
policies.

To date, the highest financial penalties that the PDPC has imposed on organisations are
SGD 250,000 (approx. €171,220) and SGD 750,000 (approx. €513,670) on SingHealth
Services Pte Ltd and Integrated Health Information Systems Pte Ltd respectively, for
breaching their data protection obligations under the PDPA (see Re Singapore Health
Services Pte Ltd and another [2019] SGPDPC 3). This unprecedented data breach, which
arose from a cyber attack on SingHealth's patient database system, caused the personal
data of some 1.5 million individuals to be compromised.

In addition to these enforcement decisions, the PDPC also publishes an annual Personal
Data Protection Digest, which is a compendium comprising the PDPC's grounds of
decisions, summaries of unpublished cases where a finding of no breach was found,
and a collection of data protection-related articles contributed by data protection
practitioners.