Personal Data Protection Act in a Nutshell

Singapore Personal Data Protection Act 2012

What is the Personal Data Protection Act (PDPA)?

Singapore Personal Data Protection Act 2012 (PDPA) is a law governing the collection, use, and disclosure by all private organizations of personal data. The Act entered into force on 2 July 2014. Organizations not complying with PDPA may suffer a penalty of up to $1 million and reputational damages.

  1. Purpose and Limitation

Use or disclose personal information only for defined purposes.

  1. Notification

Inform individuals during collection about the purpose of collecting, using, and revealing their personal data.

  1. Consent

Ensure that the individual’s consent was obtained before the collection, use, or disclosure of personal data.

  1. Access and Correction

On request, provide the individual’s personal data and information on how the individual’s personal data has been used or disclosed over the last year. Make any corrections as deemed necessary.

  1. Accuracy

Ensure the accuracy and completeness of personal data during collection or decision making that impacts the individual.

Singapore Personal Data Protection Act 2012

  1. Protection

Keep personal data in its possession secure, whether in hardcopy or electronic form, from unauthorized access, modification, disclosure, use, copying.

  1. Retention Limitation

Retain personal data for business/legal purposes only and, if no longer necessary, safely delete personal information.

  1. Transfer Limitation

Ensure that foreign organizations in overseas countries provide a level of protection comparable to the Singapore Personal Data Protection Act security

  1. Openness

Designate a data protection officer and publish information about your business contact. Make available to the public and employees, including the complaints process, personal data protection policies, and practices.

  1. Do-Not-Call (DNC)

Do not send marketing messages by voice, text, or fax to individuals who have registered in the National DNC Registry unless you have obtained your unambiguous, explicit consent (for text or fax).