PDPA
GDPR
The GDPR applies to any organisation, whether established within or outside the EU, so long as it:
- offers goods or services to individuals in the EU, or
- monitors their behaviour within the EU, or
- processes and holds personal data of individuals residing in the EU, regardless of the organisation’s location.
PDPA
GDPR
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
PDPA – What it means for your business
- 9 data protection obligations:
  - Consent: consent is needed before personal data is collected, used, or disclosed.
  - Purpose limitation: an organisation must inform an individual of its purpose for collecting, using, or disclosing personal data, and the collected data must not be used for anything other than the initially intended purpose.
  - Notification: individuals must be notified of the purpose before they give consent to have their personal data collected, used, or disclosed.
  - Access and correction: individuals have the right to request access to their personal data in an organisation’s possession or control, and to have any error in their personal data corrected.
  - Accuracy: an organisation should make a reasonable effort to collect accurate and complete personal data, especially if decisions made using the personal data affect the individual, or if the personal data will be disclosed to another organisation.
  - Protection: reasonable security arrangements must be made to prevent unauthorised access, use, disclosure, copying, modification, and disposal of personal data in an organisation’s possession or control.
  - Retention limitation: an organisation may keep personal data only for a certain period, after which it must permanently remove or delete the documents containing it.
  - Transfer limitation: personal data may not be transferred outside Singapore unless the recipient country has data protection standards comparable to those of the PDPA.
- The National Do Not Call (DNC) Registry:
  - Individuals registered in the National DNC Registry may not be sent unsolicited marketing messages (voice calls, text messages, or fax) by any registered organisation in Singapore.
GDPR – What it means for your business
- These are the key changes introduced by the GDPR:
  - Increased territorial scope: regardless of where your company is in the world, if it processes personal data of subjects residing in the EU, the GDPR applies to it.
  - Penalties: an organisation that does not comply can be fined up to 4% of annual global turnover or €20 million, whichever is greater.
  - Consent: requests for consent must be given in a form that is intelligible and easily accessible.
  - Breach notification: data controllers must notify the supervisory authority, the affected individuals, or the organisation to which they report of any privacy breach without undue delay, and within 72 hours of becoming aware of the breach.
  - Right to access: data subjects must be able to easily access their personal data in the possession or control of data controllers, free of charge, and must be provided with a copy in electronic format.
  - Data erasure: data subjects have the right to be forgotten, that is, to have the data controller erase their personal data, cease disseminating it, and have third parties halt processing of it.
  - Data portability: data subjects should be able to receive the personal data they have consented to provide in a “commonly used and machine readable format” and have the right to transmit that data to another controller.
  - Privacy by design: data protection must be built in from the outset of system design, not added afterwards.
  - Appointment of a Data Protection Officer is required only for organisations:
    - whose core activities consist of data processing operations,
    - that systematically monitor data subjects on a large scale, or
    - that regularly process special categories of data or data relating to criminal convictions and offences.
The GDPR has stricter requirements than the PDPA for requesting and recording consent, so be sure to take a closer look at that section of the regulation.
PDPA
Exclusions:
- Data used for business purposes (i.e., business contact information)
- Data of an individual who has been deceased for more than 10 years
GDPR
Only data that is necessary for an organisation’s purpose should be collected (data minimisation).
PDPA
“Deemed Consent”:
- An individual is deemed to consent when they voluntarily provide their personal data to an organisation and it is reasonable for them to do so.
- Data voluntarily provided to one organisation may be passed on to another organisation for a particular purpose.
Exceptions:
Consent is not needed in the uses and circumstances listed in the following schedules of the PDPA:
- Collection of personal data: Second Schedule
- Use of personal data: Third Schedule
- Disclosure of personal data: Fourth Schedule
GDPR
- Requires a positive opt-in (no pre-ticked boxes or default consent).
- Consent must be given expressly and explicitly, in a clear and specific statement.
- Consent requests should be separate from other terms and conditions.
- Obtain separate consent for separate purposes; vague or blanket consent is not acceptable.
- Third-party controllers who will rely on the consent should be named.
- Individuals should be informed how they may withdraw their consent, and withdrawal should be easy.
- Consent to processing should not be made a precondition of a service.
PDPA
GDPR
The GDPR treats the following as special categories of personal data:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data,
- biometric data for the purpose of uniquely identifying a natural person,
- data concerning health, or
- data concerning a natural person’s sex life or sexual orientation.
Such data is prohibited from being collected, used, or disclosed.
PDPA
- The purpose should be one that a “reasonable person” would consider appropriate in the circumstances (Section 18).
- There is no need to specify the activities an organisation will undertake in relation to the data collected; however, the objectives and reasons for collecting it should be provided to the individuals from whom consent is sought.
GDPR
- Data must be collected for “specified, explicit and legitimate purposes” (Article 5).
- Further processing for public archiving, historical, scientific, or statistical purposes must remain compatible with the initial purposes (purpose limitation).