What is the Personal Data Protection Act (PDPA)?
Singapore's Personal Data Protection Act 2012 (PDPA) is a law governing the collection, use, and disclosure of personal data by all private organizations. The Act entered into force on 2 July 2014. Organizations that do not comply with the PDPA may suffer a penalty of up to $1 million and reputational damage.
- Purpose and Limitation
Use or disclose personal information only for defined purposes.
Inform individuals during collection about the purpose of collecting, using, and revealing their personal data.
Ensure that the individual’s consent was obtained before the collection, use, or disclosure of personal data.
- Access and Correction
On request, provide the individual’s personal data and information on how the individual’s personal data has been used or disclosed over the last year. Make any corrections as deemed necessary.
Ensure the accuracy and completeness of personal data during collection or decision making that impacts the individual.
Keep personal data in its possession secure, whether in hardcopy or electronic form, from unauthorized access, modification, disclosure, use, or copying.
- Retention Limitation
Retain personal data for business/legal purposes only and, if no longer necessary, safely delete personal information.
- Transfer Limitation
Ensure that foreign organizations in overseas countries provide a level of protection comparable to that of the Singapore Personal Data Protection Act.
Designate a data protection officer and publish your business contact information. Make personal data protection policies and practices, including the complaints process, available to the public and employees.
- Do-Not-Call (DNC)
Do not send marketing messages by voice, text, or fax to individuals who have registered in the National DNC Registry unless you have obtained their unambiguous, explicit consent (for text or fax).