Personal Data Protection in Singapore Series Part 2: Data Protection Officer (“DPO”) and Data Protection Policies

7 October 2022|In Legal Updates

The accountability obligation under the Personal Data Protection Act 2012 (“PDPA”) requires an organisation to undertake measures to ensure that it meets its obligations under the PDPA and to demonstrate that it can do so when required. Such measures include, but are not limited to: (a) the appointment of a DPO and (b) the development and implementation of data protection policies and practices.

Appointment of a DPO

Under the PDPA, an organisation is required to designate at least one individual as the DPO to be responsible for the organisation’s compliance with the PDPA. The DPO’s function may be a dedicated responsibility (i.e. the DPO’s main role in the organisation is to serve as a DPO), or may be added to an existing role in the organisation. The DPO may delegate his or her responsibilities to another individual.

The PDPA also stipulates that the business contact information of at least one individual who is responsible for ensuring that the organisation complies with the PDPA be made available to the public.

The responsibilities of a DPO include, but are not limited to:

  1. ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data;
  2. fostering a data protection culture among employees and communicating personal data protection policies to stakeholders;
  3. managing personal data protection-related queries and complaints;
  4. alerting management to any risks that might arise with regard to personal data; and
  5. liaising with the Personal Data Protection Commission (“PDPC”) on data protection matters, if necessary.

The PDPC recommends that an individual appointed as an organisation’s DPO should be: (a) sufficiently skilled and knowledgeable, and (b) amply empowered to discharge his or her duties as a DPO. DPOs do not have to be employees of the organisation.

Development and implementation of data protection policies and practices

The PDPA also sets out certain requirements in relation to an organisation’s policies and practices.

Firstly, an organisation is required to develop and implement data protection policies and practices to meet its obligations under the PDPA. Such policies can be internal or external. An organisation should develop policies and practices taking into account matters such as the types and amount of personal data it collects, and the purposes for such collection. The organisation should also put in place monitoring mechanisms and controls to ensure that said policies and practices are implemented effectively.

Secondly, an organisation must develop a process to receive and respond to complaints that may arise with respect to the application of the PDPA. This ensures that the organisation is well-equipped to address individuals’ complaints and concerns.

Thirdly, an organisation is required to communicate to its staff information about its personal data protection policies and practices. The organisation should ensure that its employees have access to information which may be necessary for them to effectively implement the organisation’s data protection policies and practices.

Lastly, an organisation is required to make information available on request concerning its data protection policies and its complaint process. This ensures that individuals are able to access the necessary information and are able to raise any concerns or complaints to the organisation directly.

IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislations and other applicable guidelines. This memorandum is not to be transmitted to any other person nor is it to be relied upon by any other person or for any other purpose or quoted or referred to in any public document or filed with any governmental or other authorities without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC or you may direct the inquiry to our key contacts stated above.