7 October 2022

Personal Data Protection in Singapore Series Part 2: Data Protection Officer (“DPO”) and Data Protection Policies

The accountability obligation under the Personal Data Protection Act 2012 (“PDPA”) requires an organisation to undertake measures to ensure that it meets its obligations under the PDPA and to demonstrate that it can do so when required. Such measures include, but are not limited to: (a) the appointment of a DPO and (b) the development and implementation of data protection policies and practices.

Appointment of a DPO

Under the PDPA, an organisation is required to designate at least one individual as the DPO to be responsible for the organisation’s compliance with the PDPA. The DPO’s function may be a dedicated responsibility (i.e. the DPO’s main role in the organisation is to serve as a DPO), or may be added to an existing role in the organisation. The DPO may delegate his or her responsibilities to another individual.

The PDPA also stipulates that the business contact information of at least one individual who is responsible for ensuring that the organisation complies with the PDPA be made available to the public.

The responsibilities of a DPO include, but are not limited to:

  1. ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data;
  2. fostering a data protection culture among employees and communicating personal data protection policies to stakeholders;
  3. managing personal data protection-related queries and complaints;
  4. alerting management to any risks that might arise with regard to personal data; and
  5. liaising with the Personal Data Protection Commission (“PDPC”) on data protection matters, if necessary.

The PDPC recommends that an individual appointed as an organisation’s DPO should be: (a) sufficiently skilled and knowledgeable, and (b) amply empowered to discharge his or her duties as a DPO. DPOs do not have to be employees of the organisation.

Development and implementation of data protection policies and practices

The PDPA also sets out certain requirements in relation to an organisation’s policies and practices.

Firstly, an organisation is required to develop and implement data protection policies and practices to meet its obligations under the PDPA. Such policies can be internal or external. An organisation should develop policies and practices taking into account matters such as the types and amount of personal data it collects, and the purposes for such collection. The organisation should also put in place monitoring mechanisms and controls to ensure that said policies and practices are implemented effectively.

Secondly, an organisation must develop a process to receive and respond to complaints that may arise with respect to the application of the PDPA. This ensures that the organisation is well-equipped to address individuals’ complaints and concerns.

Thirdly, an organisation is required to communicate to its staff information about its personal data protection policies and practices. The organisation should ensure that its employees have access to information which may be necessary for them to effectively implement the organisation’s data protection policies and practices.

Lastly, an organisation is required to make information available on request concerning its data protection policies and its complaint process. This ensures that individuals are able to access the necessary information and are able to raise any concerns or complaints to the organisation directly.


IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislations and other applicable guidelines. This memorandum is not to be transmitted to any other person nor is it to be relied upon by any other person or for any other purpose or quoted or referred to in any public document or filed with any governmental or other authorities without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC or you may direct the inquiry to our key contacts stated above.
