If your business in Singapore collects, uses, or discloses personal data, it must comply with the following PDPA Singapore checklist:
Your company in Singapore is expected to appoint as a Data Protection Officer (DPO) at least one person responsible for ensuring that the organization complies with the PDPA. You can delegate the
DPO functions to:
- A person or a group of staff whose field of operation relates solely to data protection; or
- Employees performing the position as one of their many responsibilities; or
- An outsourcer.
Company contact details for DPO in Singapore must be made readily accessible.
Do not make customers permit their PD processing beyond what is sensible to provide the product or service. The data is processed only for the reasons for which permission has been received. Notify the customer of your intent to process these data before seeking any PD and obtain the customer’s consent. For example, the consent clause may be included in any application form: “I agree that “organizational name” may collect, utilize and disclose my personal data provided in this form.” You must also at any time allow that consent to be withdrawn by the customer.
Make reasonable efforts to ensure the accuracy and completeness of the PD collected. When your customer requests the correction of an error or omission in their personal data, that must be done by your company. It is advised that you place a suitable application form on your website through which the requester can submit a PD description that needs to be corrected.
Taking the required precautions to (a) secure the company’s PD and (b)
avoid improper data entry, storage, use or dissemination, and other related threats. These measures may include encrypting or password-protecting any securely stored PD that may cause harm if lost or stolen, maintaining information daily, installing firewalls and virus-checking software on employee computers, etc.
In case your company transfers PD overseas, take steps to ensure that the data stays in compliance with PDPA rules while it is in your control or possession, even if the data may be outside Singapore. Ensure that the receiving company is bound by legally enforceable obligations to offer protection comparable to the PDPA standard. Such legitimately enforceable duties may be enforced by that country’s laws or, failing that, by forming a contract with the beneficiary.
You are still responsible for protecting this PD if you employ a
service provider to process PD (for uploading, storage, or processing the data). Therefore, before entering into a service agreement with the service provider, ensure that provisions are included that enable the provider to take sufficient measures to ensure that PDPA requirements are met.