Data Protection in Singapore

Collection and processing in Singapore

Organizations may only collect, use or disclose personal data in the following scenarios:

  • They obtain express consent from the individual prior to the collection, use, or disclosure of the personal data (and such consent must not be a condition of providing a product or service, beyond what is reasonable to provide such product or service; and must not be obtained through the provision of false or misleading information or through deceptive or misleading practices), and have also provided the relevant data protection notice (notifying purposes of collection, use and disclosure) to the individual before, or at the time when they are collecting, using or disclosing the personal data. It is also possible to obtain the deemed consent of the individual to the collection, use, or disclosure of the personal data in accordance with the relevant conditions of the Act (see the Personal Data Protection Regulations 2021).
  • Where the limited specific exclusions prescribed in the Act apply (if no consent or deemed consent is given). Such exclusions include vital interests of individuals, matters affecting public, legitimate interests, business asset transactions, business improvement purposes and other additional bases.

The Act currently in force expanded the concept of “deemed consent” to cover circumstances where: (i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or (ii) (a) where individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt-out, and have not opted out, and (b) the organization has conducted an assessment on the likely adverse effect on such individuals, and identified and put in place reasonable measures to eliminate, reduce the likelihood of or mitigate any such adverse effect.

An individual may at any time withdraw any consent given, or deemed given under the Act, upon giving reasonable notice to the organization.

Further, any collection, use or disclosure of the personal data must only be for purposes that a reasonable person would consider appropriate in the circumstances, and for purposes of which the individual has been notified. Such notification must be made in accordance with the requirements of the Act.

An organization must also do all of the following:

  • Make information about its data protection policies, practices and complaints process publicly available.
  • Cease to retain personal data, or anonymize it, where it is no longer necessary for any business or legal purpose.
  • Ensure personal data collected is accurate and complete if it is likely to be used to make a decision about the individual or to be disclosed.
  • Respond to requests by data subjects under their statutory rights, including a new right of data portability (this right is expected to come into force soon).

Data intermediaries that process personal data on behalf of another organization (i.e. data controller) pursuant to a written contract are exempt from most of the data protection obligations under the PDPA. However, data intermediaries are directly liable under two specific obligations relating to the retention (see above) and protection (see Security) of personal data.

Data protection management program (“DPMP”) and data protection impact assessment (“DPIA”) guides were published by the Commission in November 2017 and updated in September 2021.
