Singapore – Personal Data Protection Act 2012 (PDPA)

In Singapore, all organisations must comply with the Personal Data Protection Act 2012. Under the PDPA, all organisations are required to develop and implement policies and practices necessary to fulfil their obligations under the PDPA. Specifically, organisations must designate at least one individual as the Data Protection Officer (DPO) to oversee data protection responsibilities and ensure compliance with the PDPA.

 

Appointment of a Data Protection Officer

Under the PDPA, it is mandatory for organisations to:

  1. Appoint a DPO responsible for ensuring compliance with the PDPA.
  2. Make the DPO’s business contact information publicly accessible.

 

Responsibilities of the DPO

The PDPA does not state the responsibilities that a DPO has to undertake. However, your organisation could task your DPO with:

  • Crafting and implementing processes and policies for the handling of personal data, in accordance with your business’ data protection obligations;
  • Increasing your stakeholders’ (e.g. employees, independent contractors, and business partners) awareness of both these data protection policies and your business’ data protection obligations;
  • Handling queries and complaints regarding your business’ protection of personal data;
  • Informing management of any data protection-related risks which may arise; and
  • Liaising with the Personal Data Protection Commission (PDPC), which administers and enforces the PDPA, where necessary.

Given the importance of such tasks, should you decide to appoint an employee as your DPO, you may consider appointing someone from the middle to senior management levels.

Organisations must register their DPO information with the PDPC via ACRA BizFile+ (www.bizfile.gov.sg) by 30 September 2024 to fulfil this obligation.

 

PDPA Obligations

Organisations are responsible for the personal data in their possession or under their control and must comply with the 11 data protection obligations (“11 obligations”) under the PDPA. For more information on the 11 obligations, please refer to the link below:

https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act/data-protection-obligations

For more assistance, including subsidised training, online courses, and checklists on how to comply with the PDPA, please visit PDPC’s Help and Resources.

 

Consequences of a Personal Data Breach

The PDPC’s enforcement powers have been strengthened, allowing it to accept voluntary undertakings from organisations as part of its enforcement regime. Additionally, the maximum financial penalty for PDPA breaches has increased. Previously capped at S$1 million, the penalty for organisations with an annual local turnover exceeding S$10 million can now reach up to 10% of the organisation’s annual turnover in Singapore or S$1 million, whichever amount is higher.