
Obligations of Data Controllers & Processors for Singapore PDPA


The PDPA (Personal Data Protection Act) in Singapore explains how data controllers and data processors should collect, use, process, transfer and retain data, among other things. The act ensures that the personal data of data subjects that businesses work with is protected with respect to their privacy and ownership rights, and that organizations use this data for legitimate purposes only.

As such, it’s crucial to ensure that your designated data controller and data processor are aware of their obligations under Singapore’s PDPA law.


Obligations of Data Processors and Controllers under Singapore PDPA


If your organization collects, uses or discloses personal data in Singapore, then your data controller and data processor must adhere to the following obligations:


Data collection


At the moment, there is no obligation on a business to notify or register with the PDPC (Personal Data Protection Commission) before it can collect, process or disclose any personal data within Singapore.


Data processing


There is also no obligation on businesses to maintain data processing records. With that said, all businesses must comply with the Data Protection Provisions set out by the PDPA while carrying out day-to-day data processing activities.


Data transfers


This is where things get a bit nuanced as businesses must comply with the Transfer Limitation Obligation.

This states that a business cannot transfer personal data to any country/region outside Singapore unless it does so in accordance with the prescribed PDPA requirements, which ensure that the transferred personal data will be afforded a standard of protection comparable to that of the PDPA.

To accomplish this, businesses must ensure that recipients of personal data are also bound by legally enforceable obligations to provide the transferred data with a standard of protection comparable to that under the PDPA. The legally enforceable obligations include those imposed by law, under Binding Corporate Rules (BCRs) or contract, or under any other legally binding instrument. Specific rules on this can be found under Section 3 of the Singapore PDPA Regulations.

Furthermore, regarding personal data transfers outside Singapore, the PDPA has acknowledged BCRs as a form of legally enforceable obligations, which require that:

  • Each recipient of the transferred personal data provides it with a standard of protection that is at the very least comparable to that provided by the PDPA.
  • The recipients to which the BCRs apply are clearly specified.
  • The countries and/or regions to which the personal data is being sent under the BCRs are clearly specified.
  • The rights and obligations under the BCRs are specified.


Data retention


The Retention Limitation Obligation of the Singapore PDPA requires businesses to cease retention of personal data, or remove the means through which that personal data can be linked with specific individuals, as soon as the purpose for collecting that personal data has been fulfilled and retention is no longer deemed necessary (for business or legal purposes).

The PDPA has not prescribed a personal data retention period for businesses operating in Singapore. The duration for which an organization may legally retain personal data is assessed according to a standard of ‘reasonableness’, where the purpose for collection and retention defines that standard. Furthermore, legal or specific industry-standard requirements with regard to personal data retention may apply.

When personal data is no longer required, the data controller must cease to retain that data. A business will be deemed to have ceased personal data retention once it no longer has access to that data, that is, once the data is inaccessible or irretrievable.


Closing thoughts on Data Controller & Data Processor Obligations under Singapore PDPA


Under the Singapore PDPA law, organisations are required to develop and implement policies and practices to ensure that their respective data controllers and processors meet all obligations.

Formiti’s data privacy consultants can help you get started – get in touch to learn more.
