The 9 Main Obligations of the PDPA in Singapore

Personal data protection on the internet has always been a concern for many. When customers provide you with their personal details to be subscribed to your mailing list, or simply to download an eBook you’ve written, they aren’t completely sure if you might take advantage of their information.

To set protective measures in place for Singapore, the Personal Data Protection Act (PDPA) was passed by Parliament on 15th October 2012 to address this concern. The main goals of the act:

  1. To govern the use, disclosure, and care of personal data by private organizations
  2. To recognize the rights of individuals to protect their personal data

So what are the obligations for you as a Singapore-based organization to adhere to and provide that vote of confidence in your clientele?

1. Consent Obligation

When it comes to personal data, you can only collect, use or disclose it when an individual has given his or her consent. You have to allow individuals to withdraw consent with reasonable notice as well, informing them of the likely consequences of their withdrawal.

Upon withdrawal, and depending on the withdrawal request, you must stop collecting, using or disclosing their personal data.

2. Purpose Limitation Obligation

You may collect, use or disclose personal data about an individual for the purpose for which he or she has given consent. An example would be a subscription to your mailing list on  the latest event tips for SMEs.

You may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service. If you were to use their mailing list personal data for other reasons other than emailing, that is out of bounds.

3. Notification Obligation

State your purpose(s) for which you are intending to collect, use or disclose their personal data on or before this process as you want to make it clear upfront and build that trust with your customer.

4. Access & Correction Obligation

Your customers can also request for information on how their personal data has been used through the time period that they have given you consent, and it is your duty to provide as such.

You are also required to correct any error or omission in your customer’s personal data upon his or her request.

5. Accuracy Obligation

On that note, be sure that the personal data collected by or on behalf of your organization is as accurate and complete as possible. Set the necessary parameters in place to prevent any errors upon consent submission.

6. Protection Obligation

Before even beginning to manage personal data, set up the necessary security measures in place to safeguard the information that you possess or control to prevent any form of unauthorized access, collection, use, disclosure or similar risks.

Your customer has given you their trust, so you should support and maintain that trust without breach due to poor security arrangements.

7. Retention Limitation Obligation

Once the personal data is no longer necessary for any business or legal purposes, cease retention of the information or remove the means by which the personal data can be associated with your customer.

8. Transfer Limitation Obligation

If you are required to transfer your customers’ personal data to another country for any reason, do so only according to the requirements prescribed under the regulations. You want to ensure that the standard of protection provided for their personal data transferred is comparable to the protection under the PDPA in Singapore.

9. Openness Obligation

The final obligation you have to adhere to – make information about your data protection policies, practices and complaints process available on request.

To help you with this process, assign one or more individuals to implement personal data protection policies within your organization. The business contact information of your data protection officer(s) should also be made available to the public for easy contacting. However,

However, compliance with the PDPA remains the responsibility of the organization.

Now that you know the obligations you have to fulfill as a Singapore-based organization, set up the necessary procedures and practices in place and be PDPA-compliant. We at GEVME have taken steps to ensure that we are PDPA-compliant as well to give our event organizers a peace of mind.

Learn more about the PDPA via the Personal Data Protection Commission Singapore.