{"id":1572,"date":"2025-03-17T10:16:29","date_gmt":"2025-03-17T10:16:29","guid":{"rendered":"https:\/\/gohrbpo.com\/blog\/?p=1572"},"modified":"2025-03-17T10:16:29","modified_gmt":"2025-03-17T10:16:29","slug":"personal-data-protection-act","status":"publish","type":"post","link":"https:\/\/gohrbpo.com\/blog\/personal-data-protection-act\/","title":{"rendered":"Guide to Understanding the Personal Data Protection Act"},"content":{"rendered":"

The PDPA in Singapore was established in 2012, to put regulations and terms in place for data protection of individuals. The primary aim of this statutory body is to safeguard individuals\u2019 personal data while being handled by organizations to collect, use, and disclose as per the\u00a0 legitimate business purposes.\u00a0<\/span><\/p>\n

PDPA is applicable to both private sector organizations and individuals also who in any commercial capacity are required to handle personal data. PDPA doesn\u2019t apply to public agencies, which are governed under different laws.\u00a0<\/span><\/p>\n

The PDPA consists of two main parts:\u00a0<\/span><\/p>\n

    \n
  1. Data Protection Provisions (DPP) \u2013 To regulate how personal data is handled to ensure accountability and transparency.\u00a0<\/span><\/li>\n<\/ol>\n
      \n
    1. Do Not Call (DNC) Provisions \u2013 To govern telemarketing regulations to ensure no unsolicited marketing communications are conducted without consent.\u00a0<\/span><\/li>\n<\/ol>\n

      What is the PDPA?<\/span><\/h2>\n

      \u201cSection 2(1) of the PDPA defines personal data as \u201cdata, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access.\u201d<\/span><\/i><\/p>\n

      Also Read:<\/strong> Key Risks in Payroll Outsourcing in 2025: A Singapore Perspective<\/a><\/p>\n

      It contains several requirements to govern the collection, use, disclosure and proper monitoring of personal data in Singapore.\u00a0<\/span><\/p>\n

      Key Obligations Under the PDPA\u00a0<\/span><\/h2>\n

      The PDPA contains various obligations that organizations must be compliant to while handling personal data. Below I have explained some critical ones;\u00a0<\/span><\/p>\n

      1. Consent Obligation (Section 13-17)\u00a0<\/span><\/h3>\n

      Organizations must obtain consent of the individual before they collect their personnel data, use it or disclose for any purpose. Consent must be voluntary and individuals must be clearly made aware of the purposes for which their data is collected.\u00a0<\/span><\/p>\n

      2. Purpose Limitation Obligation (Section 18)\u00a0<\/span><\/h3>\n

      Organizations can only collect, use, or disclose the personal data for the purposes which they have already notified the individual about.\u00a0<\/span><\/p>\n

      3. Access and Correction Obligation (Section 21-22)\u00a0<\/span><\/h3>\n

      Individuals can anytime request access to their personal data as per their rights and understand how it\u2019s been used or disclosed. Any irregularities can be submitted for corrections in case of inaccuracy.\u00a0<\/span><\/p>\n

      4. Accuracy Obligation (Section 23)\u00a0<\/span><\/h3>\n

      Organizations must verify that personal data being collected is accurate and complete before using or disclosing it, ensuring it becomes crucial when it impacts decisions relying on the data.\u00a0<\/span><\/p>\n

      5. Protection Obligation (Section 24)\u00a0<\/span><\/h3>\n

      Organizations must put forward comprehensive security measures and encryption practices to protect personal data from any malware attacks, unauthorized access, collection, use, disclosure, copying, modification, or disposal..\u00a0<\/span><\/p>\n

      6. Retention Limitation Obligation (Section 25)\u00a0<\/span><\/h3>\n

      Individual\u2019s personal data must not be retained longer than the period required for legal or business purposes.\u00a0<\/span><\/p>\n

      7. Transfer Limitation Obligation (Section 26)\u00a0<\/span><\/h3>\n

      In case of the transfer of personal data outside Singapore, organizations must ensure that the receiving country has binding corporate data protection rules and standards.<\/span><\/p>\n

      8. Accountability Obligation (Section 11-12)\u00a0<\/span><\/h3>\n

      The Accountability Obligation, as outlined in Sections 11 and 12, requires organizations to integrate comprehensive policies, practices, and measures that ensures complete compliance with the PDPA. Organizations must also appoint Data Protection Officers (DPO) to monitor data protection processes.\u00a0<\/span><\/p>\n

      9. Data Breach Notification Obligation (Section 26A-26E)\u00a0<\/span><\/h3>\n

      Organizations must timely notify the PDPC and the concerned individuals in case of any data breach within 3 calendar days.\u00a0<\/span><\/p>\n

      Penalties under the Law\u00a0<\/span><\/h2>\n

      As per the Singapore\u2019s Personal Data Protection Act (PDPA), organizations could be levied significant fines and penalties for any non-compliance. Per the PDPA, organizations for being non-compliant or concealing information regarding its collection, utilization, or disclosure will be levied with financial penalties not exceeding S$50,000 (approximately $36,000).\u00a0<\/span><\/p>\n

      Also Read:<\/strong> The Future of Payroll: Trends to Watch in 2025<\/a><\/p>\n

      In June 2022, the Commission collected about S$750,000 and S$250,000 fines, the highest amounts reported till date on Integrated Health Information Systems and Singapore Health Services respectively for inadequacies in policies to protect the medical records of data subjects, which resulted in a massive breach from a cyberattack.<\/span><\/p>\n

      Ensuring Compliance With Singapore\u2019s PDPA<\/span><\/h2>\n

      If you run a business involving you to control personal data in Singapore or of Singaporean data subjects, you must under specific obligations outlined in Part III to VI of the PDPA;<\/span><\/p>\n