5 October 2022

Personal Data Protection in Singapore Series Part 1: Introduction to the Personal Data Protection Act 2012 (“PDPA”)

The PDPA, enacted on 20 November 2012, provides a baseline standard of protection for personal data in Singapore and a regime for the protection of the general public from unwanted telemarketing messages.

Besides the PDPA, organisations may be subject to certain sector-specific data protection requirements. For example, the Banking Act 1970 sets out banking secrecy provisions that regulate customer information collected by banks.

The Personal Data Protection Commission (“PDPC”) administers and enforces the PDPA, while sector-specific data protection requirements are enforced by the regulators responsible for the relevant sector.

Objectives of the PDPA

The key objective of the PDPA is to strengthen Singapore’s position as a trusted hub for data management activities.

Accordingly, the PDPA explicitly recognises the need to strike a balance between: (a) ensuring that organisations can use and harness personal data for legitimate purposes, and (b) protecting the personal data of individuals. As such, the PDPA sets out a consent-centric approach and provides for consent as the primary basis for the collection, use, and disclosure of personal data.

What is “personal data”?

“Personal data” is defined under the PDPA as data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.

The PDPA applies to personal data stored in electronic and non-electronic formats.

Data protection obligations

Under the PDPA, an organisation has the following obligations:

  1. accountability obligation – undertake measures to ensure that it meets its obligations under the PDPA (e.g. designating a data protection officer);
  2. notification obligation – notify individuals of the purposes for which it intends to collect, use or disclose their personal data;
  3. consent obligation – only collect, use and disclose personal data that an individual has consented to, allow individuals to withdraw consent with reasonable notice, inform them of the likely consequences of withdrawal, and cease to collect, use and disclose personal data once consent is withdrawn;
  4. purpose limitation obligation – only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent;
  5. accuracy obligation – make reasonable effort to ensure that personal data collected is accurate and complete;
  6. protection obligation – make reasonable security arrangements to protect the personal data in its possession, to prevent unauthorised collection, use or disclosure;
  7. retention limitation obligation – cease retention of personal data, or dispose of it in a proper manner, when it is no longer needed for any business or legal purpose;
  8. transfer limitation obligation – transfer personal data to another country only in accordance with the requirements prescribed under the regulations, so that the standard of protection is comparable to that under the PDPA;
  9. access and correction obligation – provide individuals with access to their personal data and information about how it was used or disclosed within the year before the request, correct any error or omission in an individual’s personal data as soon as practicable, and send the corrected data to other organisations to which the personal data was disclosed within the year before the correction is made;
  10. data breach notification obligation – in the event of a data breach, take steps to assess whether the breach is notifiable. If the breach is likely to result in significant harm to individuals and/or is of significant scale, the organisation must notify the PDPC and the affected individuals as soon as practicable; and
  11. data portability obligation – at the request of the individual, transmit the individual’s personal data that is in its possession or under its control to another organisation in a commonly used machine-readable format.

If the PDPC finds that an organisation has breached any of the provisions of the PDPA, the PDPC will direct the organisation to take steps to ensure compliance with the PDPA such as:

  1. to stop collecting, using or disclosing personal data in contravention of the PDPA;
  2. to destroy personal data collected in contravention of the PDPA;
  3. to provide access to or correct the personal data; and/or
  4. to pay a financial penalty.

IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein, and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislation and other applicable guidelines. This memorandum is not to be transmitted to any other person, nor is it to be relied upon by any other person or for any other purpose, or quoted or referred to in any public document, or filed with any governmental or other authorities, without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC, or you may direct the inquiry to our key contacts stated above.
