Compliance guide for companies under PDPA

Last updated on 7 February 2024

The Personal Data Protection Act 2021 (PDPA) was passed in October 2012 and protects the rights of individuals to safeguard their personal data, which is balanced against the needs of organisations to collect, use and appropriately disclose personal data.

What is personal data?

Personal data refers to data that can identify an individual (e.g. Name and NRIC number, biometric identifiers, photographs, voice or video images of an individual, DNA profile). Additionally, data and information a business has or is likely to have access to that can identify an individual are also classified as personal data.

What are the types of personal data that PDPA does not apply to?

The PDPA does not apply to personal data that is contained in a record that has been in existence for at least 100 years and personal data about a deceased individual who has been dead for more than 10 years. Business contact information, such as an individual’s name, business title, business telephone number, business address and business email address, are also not protected under PDPA.

Companies’ obligations under PDPA

  1. Consent
    Only those who have consented may have their personal data collected, used, and/or disclosed by a company.
  2. Restriction of use
    Only the purposes for which the persons have granted consent may a firm collect, use, and/or disclose their personal data.
  3. Notification
    The company must inform people about the reason(s) for which their personal information is being gathered, utilised, and/or disclosed.
  4. Access and Correction
    A company must provide to individuals, when requested, information on the personal information kept of the individual and the usage of their personal data 1 year before the request. Any errors and omissions should be corrected in a reasonable manner.
  5. Accuracy
    A company should ensure that data collected on individuals is accurate and complete if it is to be used and will affect the individuals or if the data is to be shared with another organisation.
  6. Protection
    Companies should take reasonable steps to protect the data collected, such as preventing unauthorised access, collection, use and disclosure.
  7. Retention Limit
    Data collected should only be retained for as long as it is necessary for business or legal purposes.
  8. Storing and Transferring of Data
    If personal data is stored overseas or in the cloud, companies must ensure that the data transfer meets the protection requirements and is offered the same level of protection as the PDPA requires.
  9. Data Breach
    Individuals who may be affected by a data breach should be informed. The Personal Data Protection Commission should also be notified if a breach involves more than 500 individuals.

Data Protection Officer

The PDPA requires companies to designate one or more Data Protection Officers (DPOs) to oversee personal data acquisition, use, and dissemination. The DPO is responsible for ensuring compliance with the latest developments under the PDPA and updating company data protection policies and procedures accordingly. The DPO also acts as a point of contact for people to contact companies with PDPA-related issues.

Business entities that are registered with the ACRA can choose to register, and update their DPO’s business contact information on ACRA’s BizFile portal.

Whilst it is not mandatory to register an organisation’s DPO with ACRA, doing so will satisfy the organisation’s accountability obligation to make available its DPO’s business contact information to the public.

To ensure that their organisation complies with the PDPA, employees acting in the course of their employment with that organisation must follow that organisation’s rules. However, they are not individually accountable for any activities that lead to their company violating the PDPA.

While setting up a company in Singapore, business owners should pay attention to their obligations under the PDPA, especially if they are engaging the public. When seeking the help of firms providing corporate secretarial and incorporation services in Singapore to set up your company, be sure to appoint one familiar with the PDPA.