GDPR Compliance in Singapore: Is it Required and How to Comply
Data protection is becoming increasingly important as personal data, regarded as a valuable corporate asset for managing customer bases, is processed (a term explained below) by organisations around the world.
Personal data may also include sensitive information such as bank details and health information, which could be exploited by third-party fraudsters.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a significant piece of European legislation aimed at protecting the personal data of data subjects in the European Union (EU) by regulating data controllers and processors (individuals or organisations).
Data subjects are natural persons who can be identified by reference to identifiers such as a name or an ID number.
Data controllers determine the purposes and means of processing personal data (i.e. performing any operation on the personal data, including its collection, use, disclosure, storage or erasure).
On the other hand, a data processor processes the data on behalf of the controller.
Replacing the earlier European Data Protection Directive, the GDPR is now the main source of regulation on data protection and privacy in the EU. Approved by the EU Parliament, the GDPR has applied in all EU member states since 25th May 2018.
Who is the GDPR Enforced By?
The GDPR is enforced by supervisory authorities, who are given investigative and corrective powers to issue warnings, reprimands, orders and impose fines.
Supervisory authorities are independent public authorities established in EU Member States, responsible for the application of the GDPR.
Singapore is the EU’s largest trading partner in ASEAN, with many organisations potentially falling under the jurisdiction of the GDPR.
This article will thus provide a summary to ensure that proper steps are taken towards complying with the GDPR.
Who Must Comply with the GDPR?
Even though the GDPR is of European origin, its jurisdiction extends beyond the borders of Europe.
Singaporean organisations outside the EU must comply with the GDPR if they:
- Process the personal data of individuals in the EU in relation to the offer of goods or services to individuals in the EU; or
- Monitor the behaviour of individuals in the EU.
Singaporean businesses that might be regulated by the GDPR include:
- E-commerce businesses that offer goods or services through their platforms to EU individuals (particularly if the website publishes the price of products or services in Euros or EU currencies)
- Hotels that operate websites that are accessible in European languages, with their room rates in Euros or EU currencies
- Data analytics companies, insurance companies, social media platforms and gaming companies that collect data and create profiles of individuals in the EU
- Organisations that use web-tracking, and are collecting data via cookies or social plug-ins from individuals in the EU
- Singaporean organisations that receive personal data transferred from their European parent/holding companies.
Compliance with the GDPR
The key requirements of the GDPR include the following:
Personal data may be processed if:
- The data subject has given consent
- The processing of data is necessary for the performance of a contract
- It is necessary to comply with legal obligations
- It is necessary to protect vital interests or the public interest
- It is necessary for the purposes of legitimate interests
Appointing a Data Protection Officer
The GDPR states that organisations must appoint a Data Protection Officer (DPO) where:
- Data processing is carried out by a public authority or body;
- The core activities of the organisation require regular and systematic monitoring of data subjects on a large scale; or
- Special categories of sensitive personal data (see below) or data relating to criminal convictions and offences are being processed.
The DPO is responsible for ensuring that the organisation complies with the GDPR, and processes personal data responsibly.
Individuals who are appointed as DPOs must be professionals who have expert knowledge of data protection law, and may be appointed from the organisation’s staff, or on the basis of a service contract.
DPOs must co-operate with and act as a point of contact with the supervisory authority.
Reporting Data Breaches
A personal data breach is defined as the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data.
The GDPR obliges organisations to notify supervisory authorities in the event of a data breach.
If a data breach occurs, the organisation has up to 72 hours to report the breach to a supervisory authority and to the affected individuals, if the breach is likely to pose a risk to the rights and freedoms of natural persons.
Where the notification is not made within 72 hours, the organisation must state the reasons for its delay. The organisation must provide the following information when reporting the data breach:
- The nature of the breach and the approximate number of data subjects concerned;
- The contact details of the DPO or any other contact point who can provide more information;
- The likely consequences of the breach; and
- The measures taken by the organisation to address or mitigate the effects of the data breach.
Additionally, the organisation must document all personal data breaches, including their effects, the remedial actions taken and any other relevant facts, so that the supervisory authority can verify compliance with the GDPR.
Additional Rights that the GDPR Provides to Data Subjects:
- The “right to be forgotten” – individuals under the GDPR have the right to have their personal data erased without undue delay in certain situations, such as where the individual has withdrawn consent to the processing of their personal data.
- The right to rectification – individuals under the GDPR have the right to have inaccurate personal data rectified without undue delay.
- The right to data portability – individuals under the GDPR have the right to receive the data they previously provided to the organisation. Individuals can expect to receive the data in a structured and machine-readable format. Furthermore, individuals have the right to transmit the received data to other organisations without hindrance.
- The right to object – individuals under the GDPR have the right to object to the processing of their personal data. The organisation may continue processing only if it demonstrates “compelling legitimate grounds” that override the individual’s right. However, where the personal data is processed for direct marketing purposes, the organisation cannot refuse such a request.
Comparing the GDPR with the PDPA
The Personal Data Protection Act (PDPA) is Singapore’s principal data protection legislation. The PDPA and the GDPR, whilst sharing the common goal of protecting data, have different requirements.
Singaporean organisations that presently comply with the PDPA may have to implement additional measures to meet the stricter requirements of the GDPR.
The following part of this article identifies key areas that local organisations need to be aware of.
With regard to the requirements of gaining consent, the GDPR is stricter as compared to the PDPA.
Under the GDPR, there is neither the notion of “deemed consent” (see below) nor an extensive list of exemptions. Consent under the GDPR must be express, unambiguous and freely given.
A clear affirmative statement must be given to signify agreement to the collection of data.
Furthermore, express consent may even be invalid under the following scenarios:
- Where there is an imbalance of power between the organisation and data subjects, particularly where the organisation is a public authority and it is unlikely that the consent was freely given
- Where giving consent to the collection of data is indistinguishable from other contractual provisions, or is expressed in unclear language or in an inaccessible form (if the consent is written)
- Where the collection of personal data is unnecessary for the performance of a contract or a provision of service.
This is unlike the PDPA, where consent can be acquired even if a person does not expressly give it, by virtue of the person providing “deemed consent”.
Deemed consent is given if a person voluntarily provides personal data for a specific purpose, and it would be reasonable for him to voluntarily do so.
For example, a person who voluntarily provides his personal data in a job application is deemed to have consented to its use for that purpose. In this case, consent is also exempted under the PDPA for evaluative purposes (i.e. to determine the eligibility of the job applicant).
Therefore, local organisations that rely on the PDPA’s exceptions or “deemed consent” for the processing of personal data need to be careful and ensure that they obtain express consent from data subjects.
Withdrawal of Consent
The GDPR states that data subjects have the right to withdraw their consent at any time. Simple methods to withdraw consent should be set up, and data subjects cannot be penalised for withdrawing.
Upon the withdrawal of consent, the organisation should no longer process the data subject’s personal data.
This is unlike the PDPA, where consent may only be withdrawn upon giving reasonable notice to the organisation. However, the individual will bear the consequences arising from his or her withdrawal of consent, and this must be made known to the individual.
Even after consent is withdrawn, the organisation is not required to delete or destroy the personal data, so long as it is necessary for business or legal needs.
Transferring of Personal Data
Under the stricter GDPR, where data is transferred out of an EU nation, the country in which the recipient organisation is located must be approved by the European Commission as providing an adequate level of protection for personal data.
This is different from the PDPA, which allows cross-border transfers of data where the overseas organisation provides a standard of data protection comparable to that of the PDPA.
The following elements are considered when assessing the adequacy of the non-EU country, under the GDPR:
- The country’s rule of law, respect for human rights and fundamental freedoms;
- The country’s legislation concerning public security, defence, and criminal law;
- The existence of effective and enforceable data protection laws that can provide judicial relief for data subjects;
- The existence and effective functioning of independent supervisory authorities in the country; and
- The existence of obligations arising from legally binding conventions or international commitments entered into by the country.
A list of approved or rejected countries and territories is published in the Official Journal of the European Union and on its website. So far, a few recognised countries include: Argentina, Israel, New Zealand, Canada, Switzerland and the USA.
Special types of personal data which cannot be processed
Under the GDPR, subject to certain exceptions, the processing of sensitive data is prohibited.
The following types of data constitute sensitive data:
- Data revealing racial or ethnic origins;
- Data revealing political, religious or philosophical beliefs;
- Data revealing trade union membership;
- Genetic or biometric data used to identify a natural person; and
- Data concerning a person’s sexual orientation.
Sensitive data may only be processed in the following scenarios:
- Explicit consent was given by the individual
- Collecting the sensitive data is necessary to protect the vital interests of the person
- The sensitive data is required for legal claims, public health, scientific or historical research purposes
- The sensitive data is required for reasons of substantial public interest.
This is unlike the PDPA, under which all types of personal data may be processed. The PDPA merely recommends that sensitive data be treated with greater care.
PDPA Exemptions are Not Found Under the GDPR
Under the GDPR, once an entity falls within the scope of the definition of a “data controller” or a “data processor”, the GDPR is applicable.
However, under the PDPA, certain entities are exempted from data protection obligations, including public agencies and their agents, employees, or individuals acting in a personal or domestic capacity.
Non-compliance with the GDPR and Penalties
Non-compliance with the GDPR has potentially drastic consequences for errant organisations. GDPR supervisory authorities impose administrative fines:
- For minor infringements, up to 10 million Euros (SGD 15,870,200.56), or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Minor infringements include a failure to notify data breaches, to implement technical controls, or to implement data protection by default.
- For major infractions, up to 20 million Euros (SGD 31,740,401.11), or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Major infractions include violating the conditions for consent or failing to adhere to the regulations regarding the transfer of personal data to a third country or to an international organisation.
Unlike the PDPA, the GDPR draws no distinction between individuals and organisations that process personal data. The same penalties apply regardless.
Apart from the harsh penalties imposed, the reputation of errant organisations is negatively affected, as customers begin to distrust the organisations’ data management practices.
This might potentially cause the organisation to be on the receiving end of lawsuits or lose market share and/or its customer base.
Some General Tips for Better Organisational Data Management
To prepare for the GDPR, Singaporean organisations should do any or all of the following:
- Ensure that the data processed is necessary for the organisation, and decide what data to keep or delete
- Ensure that the organisation’s practices and processes can give effect to the expanded rights of data subjects under the GDPR
- Ensure that all data is encrypted to reduce the risk of a data breach
- Ensure that employees are trained with proper data handling techniques and are aware of the GDPR
- Develop data governance policies for moving the personal data of EU individuals to countries outside of the EU.
The GDPR is a landmark piece of legislation intended to increase transparency and individuals’ rights over their personal data. Data protection is becoming ever more important, and the strict penalties under the GDPR are testimony to this.
The GDPR undoubtedly compels businesses to review their data protection policies and procedures. Given the GDPR’s wide cross-border scope, businesses should adapt to it in order to avoid unnecessary penalties.
If you require any assistance with compliance or interpretation of the GDPR, you should consult a corporate lawyer on the matter.