Advomi Logo
Close this search box.

Singapore PDPA – Part 1

In recent times data protection worldwide has become a trending topic for discussion and Singapore makes no difference. Data protection in the country is governed by the Personal Data Protection Act (PDPA). The PDPA aims to balance regulations between recognizing the rights of individuals regarding their personal data and the interest of businesses to use data for reasonable purposes.

The Personal Data Protection Act provides a complex regulation of the data processing activities and the related rights of individuals. We will be exploring it in a series of posts on the topic and this is the first part.

Application of the PDPA

The main provisions of the PDPA, simply put, apply to businesses. They do not apply to any individual who is acting in a personal or domestic capacity. The same is also valid for employees acting in the course of their employment with an organization. Companies that collect and use personal data represent the majority of entities who may be found liable under the Act if their conduct is contrary to what is required.

There are also other exceptions for which the PDPA does not apply to such as the public agencies and organizations that are acting on behalf of a public agency. If an individual or an entity does not fall under one of these exceptions they will have to adhere to the PDPA obligations and guidelines to avoid being liable under the Act.

What is personal data?

Personal data means any information about an individual that is likely to allow the identification of that individual. It can also be a combination of data like email, name, phone number, address, etc. Data that is related to an individual who can be identified can be considered personal data.

Consent as a ground for collecting and using personal data

The consent obligation requires entities that are liable under the PDPA to first obtain consent before they are allowed to collect, use or disclosure the personal data of individuals. Consent is usually provided explicitly, i.e. in writing or verbally agreeing. This includes also the marking of a checkbox on a website or clicking a button indicating the provision of consent for collection and use of data. The PDPA also recognizes the form of deemed consent. An example of deemed consent would be when an individual is repeatedly given the option to opt out of giving consent, however whether the failure to opt out is considered deemed consent is also dependent on the unique circumstances of each case.

The consent must be informed. This means that the individual must be notified of the purposes for which the organization is collecting (or using, disclosing) his personal data. The consent given is limited to the collection, use and/or disclosure of the personal data only for the purposes stated in the notice.

It is also important for the individual to be allowed to withdraw the consent after he has given it. If an individual chooses to withdraw consent, the organization or individual that has his information is required to inform him about the likely consequences of him withdrawing his consent. This gives the individual the opportunity to consider his options and decide accordingly.

Another important aspect of the consent obligation is that businesses are not allowed to require customers to allow the collection, use, or disclosure of personal data for any purpose other than as necessary to provide them with the product or service they are purchasing. A company may not refuse to provide a service or a product to customers if they do not give their consent for such additional uses.

More resources

A Tool-box for Singapore’s Updated Cybersecurity Laws

Mahdev Mohan, Shloka Vidyasagar Since its enactment in 2018, the Cybersecurity Act has served as the main statutory framework for safeguarding the nation’s digital infrastructure.…


Tokenisation of real world assets (RWAs)

Introduction Tokenisation of real world assets refers to breaking down high-value properties, whether tangible (such as art pieces) or intangible (such as financial instruments and…


Gambling Control Act

Introduction The Gambling Control Act 2022 (GCA) is a consolidation and update of previous gambling legislation including the Betting Act 1960, the Common Gaming Houses…



Introduction Retrenchment refers to the termination of an employee’s employment due to redundancy, restructuring or for cost saving reasons, as opposed to termination for poor…


Restraint of Trade Clauses in Employment Contracts

When drafting an employment contract, employers often include a restraint of trade clause in order to restrict what an ex-employee may do post-employment. As defined…


Understanding Crypto Fraud, Investigations and Asset Tracing part 3

After exploring the diverse landscape of blockchain and cryptocurrency frauds in our first article, and delving into the array of disputes in our second installment,…