
PDPA Cheat Sheet by

DDP Cheat Sheet - Topic 4

Fundamentals of PDPA

SG's data privacy regulation, which governs the collection, use, disclosure and care of personal data and regulates telemarketing practices through the Do Not Call registry
Encourages business innovation while ensuring personal data protection and strengthening SG's position as a trusted hub for businesses
Individuals → protect personal data
Organisations → use and disclose data for legitimate purposes
Does not apply to the public sector, which has separate rules under the govt
Has extraterritorial effect and is applicable to orgs collecting, using or disclosing personal data in Singapore, regardless of the organization’s physical presence or where it was incorporated
10% of an organization’s annual turnover in Singapore, or SGD 1 million, whichever is greater, and reputation damage

Collection of Personal Data

Notify individuals of the purposes for which the organisation is intending to collect, use or disclose their personal data
Personal data may be collected, used or disclosed only after consent has been given by the individual
Purpose Limitation
Personal data may be collected, used or disclosed ONLY for purposes that are reasonable to provide the organisation’s product or service

Care of Personal Data

Organizations should ensure that the personal data collected is accurate and complete
Organizations should put in place the required security measures to protect personal data to prevent unauthorized access
Retention Limitation
Organizations should cease retention of personal data or dispose of it in a proper manner
Transfer Limitation
Ensure that the standard of protection is comparable to the PDPA when transferring personal data to another country

Individual’s Autonomy over Personal Data

Access and Correction
Individuals have the right to request access to their personal data and correction of their personal data
Data Breach Notification
In the event of a data breach that is likely to result in significant harm to individuals, or that is of significant scale, the PDPC and the affected individuals need to be notified
Data Portability
At the request of the individual, organisations are required to transfer the individual’s data to another environment

