Drafting a Comprehensive Privacy Policy For Your Singapore Website

Last updated on October 4, 2018

website user login page.

What is a Privacy Policy and What is it For?

A privacy policy is a statement by your company, setting out how it will handle the personal data of its website’s visitors. Most websites these days have privacy policies.

Although there is no law that says a website must have a privacy policy, it is a good idea to put one in place to provide a layer of legal protection in the event of a data leak.

Ideally, your privacy policy should also set out the steps that you take to protect information that you’ve collected from falling into the wrong hands.

For example, encryption, password protection, 2-factor authentication (2FA), etc.

It is equally important that this privacy policy is actually applied by your company in real life rather than simply becoming a page on your website that no one ever reads. The privacy policy should also be updated as and when there are changes in how you deal with personal data (due to changes in the way you do business, for example).

Why is a Privacy Policy Important?

Provides reassurance to visitors who have shared their personal data with your website

With the high-profile cyberattack on SingHealth between June and July 2018 and the similar 2014 attack on SingPass where people’s personal data was stolen, visitors are getting more cautious about the risk of identity theft when they type their personal data into a website form.

While the high-profile cyberattacks are on high-profile companies, hundreds of cyberattacks against Singapore-hosted websites take place every year and they are predominantly targeted at the websites of small companies.

While a privacy policy obviously can’t prevent a cyberattack, it can reassure your website’s visitors by informing them of the steps your company takes to manage this risk.

More importantly, a privacy policy will inform visitors what your company will and will not intentionally share with third-parties, under what circumstances, for what purposes and with whom.

Protects your company against legal implications

If one of your website’s visitors suffers identity theft as a result of a data leak and sues your company, your privacy policy may be able to serve as a defence to show that you took reasonable care of your visitors’ personal data, as you cannot be expected to prevent every possible unforeseeable data leak.

If properly drafted and complied with, it may also help to protect you from regulatory action by bodies such as Singapore’s Personal Data Protection Commission that might be taken pursuant to any complaints from the public.

What Should a Privacy Policy Include?

What needs to go into your privacy policy depends on a huge variety of factors. There is no such thing as a one-size-fits-all privacy policy that can be simply copied and pasted.

The most important of these factors is where the visitors to your website are likely to be located. This will determine under what country’s laws you owe privacy obligations to them.

If your website’s visitors are located in Singapore

If most of your visitors will be in Singapore, then the law governing their privacy is the Personal Data Protection Act (PDPA).

The PDPA requires that you obtain your visitors’ consent to collect whatever data you are collecting from them, for whatever purposes you need to use it.

For example, if your company’s website uses cookies to collect data from your visitors, consent can be obtained by including a pop-up or banner which requires visitors to accept cookies being stored in order to continue using the website.

If your website’s visitors are located within the European Union or European Economic Area

If some of your visitors are located within the European Union or the European Economic Area (even if your company is not located within either area), then the applicable law is the General Data Protection Regulation (GDPR).

This law was introduced in May 2018 and grants European residents a wide range of privacy rights. For more information, see our guide on how Singapore companies can comply with the GDPR.

Other factors to consider when examining what needs to be included in your privacy policy

Apart from the location of your visitors and the applicable law you’ll need to comply with, other factors that will affect how your privacy policy needs to be tailored include:

  • The industry your company operates in;
  • The purpose and content of your website;
  • The kinds of personal data collected by your website;
  • How you need to use, retain and share the data you collect in order to run your business; and
  • The kinds of third-parties with whom you need to share the personal data collected and how they will use it.

For example, if your website has a contact form that collects names and contact details of visitors, your privacy policy would need to explain (among other things):

  • How this information is stored
  • When this information may be shared with third-parties
  • What purpose(s) such information may be shared with these third-parties for

On the other hand, if your website has an e-commerce aspect and you collect payment details from visitors or use a third-party service provider to do so, your privacy policy would need to explain (among other things):

  • What happens to this information
  • The steps you take to prevent this information from falling into the wrong hands

Engaging a Data Protection Lawyer to Draft a Privacy Policy

Because of the bespoke nature of privacy policies, it is advisable to engage a data protection lawyer to draft one for your website rather than trying to draft one yourself.

The pricing by law firms of this service is usually extremely competitive and affordable.

They will sit down with you to figure out how the factors above apply to your company, what your company’s data collection and retention needs actually are and come up with a policy that’s actually usable for your company.

If, after obtaining quotes from law firms, you conclude that you really cannot afford to engage a lawyer to draft a privacy policy, then set aside a full day and try to find a few websites from companies that are extremely similar to yours in terms of:

  • Where the company operates;
  • Who the company’s visitors are; and
  • What the company does.

Then, try to use their privacy policies to synthesise and adapt a policy that works for your company.

Again, this is highly inadvisable unless there is someone in your company with specialised expertise in this area.

Even then, ultimately diverting them from their work for a day may prove to be a false economy compared to the cost of engaging an experienced lawyer to do the same thing more quickly and effectively.

Remember that the purpose of the privacy policy is to protect the company in the event of a suit.

If you are not sure about the legal effect of your company’s policy, then you may be creating (rather than reducing) litigation risk and thereby defeating the very purpose of having a privacy policy.

For this reason, engaging a data protection lawyer to draft and explain a privacy policy is a modest investment that may well save your company much more money in the future.

Appointment and Removal of Company Officers and Other Key Personnel
  1. Appointing Company Directors in Singapore: Eligibility, Process etc.
  2. Managing Director vs CEO in Singapore: Roles and Obligations
  3. Guide to Directors' Remuneration in Singapore
  4. Directors' Duties in Singapore
  5. Shadow Directors: Who are They and What Duties Do They Owe to the Company?
  6. How to Remove a Director from a Company in Singapore
  7. Removal and Resignation of Company Auditor in Singapore
  8. Appointing a Company Secretary: Roles and Responsibilities
  9. Appointing an Authorised Representative for Foreign Companies in Singapore
  10. Process Agents in Singapore
Holding Meetings
  1. What are Annual General Meetings (AGMs) in Singapore?
  2. How to Hold Extraordinary General Meetings (EGMs) in Singapore
  3. How to Hold a Board Meeting in Singapore
Shareholder Matters
  1. 2 Ways to Remove a Singapore Company Shareholder ASAP
  2. Guide to Paid-Up Capital in Singapore (Is $1 Enough?)
  3. Preparing a Register of Shareholders for a Singapore Company
  4. How to Issue Shares in a Singapore Private Company
  5. Guide to Transferring Shares in a Singapore Private Company
  6. Your Guide to Share Certificates in Singapore: Usage and How to Prepare
  7. Shareholder Rights in Singapore Private Companies
  8. Shareholder Roles and Obligations in Singapore Companies
  9. Dividend Payments Guide for Singapore Business Owners
  10. Share Transmission: What Happens If a Shareholder Dies in Singapore?
  11. How to Reduce the Share Capital of Your Singapore Company
  12. Buy-Sell Agreements: How to Write & Fund Them in Singapore
  13. Oppression of Minority Shareholders
Compliance
  1. Essential Regulatory Compliance Guide for Singapore Companies
  2. Dormant Companies and Their Filing Obligations in Singapore
  3. Anti-Money Laundering Regulations and Your Business: What You Need to Know
  4. Price-Fixing, Bid-Rigging and Other Anti-Competitive Practices to Avoid
  5. Legally Conducting Lucky Draws for Singapore Businesses
  6. Restaurant Inspection and Food Safety Rules in Singapore
Company Management
  1. Does Your Company Need a Legal Team (In-House Counsel)?
  2. How to Change the Name of Your Singapore Company
  3. Can Directors be Liable for Company Debts in Singapore?
  4. Company Loans to Directors/Shareholders in Singapore
  5. 3 Types of Insurance Every Singapore Business Needs
  6. Creating and Registering Charges in Singapore: Guide for Companies
  7. Guide to Effective Business Continuity Planning in Singapore
  8. Business Asset Sale & Disposal in Singapore: How Do They Work?
  9. Business Partnership Disputes in Singapore: How to Resolve
  10. How to Commence a Derivative Action on Behalf of a Company in Singapore
  11. Business Will: How to Pass on Your Business to Your Successors in Singapore
Company Documents
  1. Record-Keeping Requirements for Singapore Companies
  2. Company Constitutions in Singapore and How to Draft One
  3. Company Memorandum and Articles of Association
  4. Company Resolutions: What are They?
  5. Board Resolutions in Singapore
  6. Minutes of Company Meeting in Singapore: How to Record
  7. How to Set Up a Register of Controllers
  8. How to Set Up a Register of Nominee Directors
  9. Guide to Filing Financial Statements for Singapore Business Owners
  10. Filing Annual Returns For Your Business
Tax, Accounting and Audit Matters
  1. Singapore Corporate Tax: How to Pay, Tax Rate, Exemptions
  2. Start-Up Tax Exemption Guide for New Singapore Companies
  3. GST Registration: Requirements and Procedure in Singapore
  4. What is Withholding Tax and When to Pay It in Singapore
  5. Singapore Influencers: Here's How to Calculate Your Income Tax
  6. Tax Investigation of Tax-Evading Business Owners in Singapore
  7. Small Business Accounting Services in Singapore
  8. Company Audits in Singapore: Requirements and Exemptions
Data Protection
  1. Suspect a PDPA Data Breach? Here's What to Do Next
  2. Must You Notify PDPC About a Data Breach in Your Business?
  3. Summary: Your Organisation's 10 Main PDPA Obligations
  4. Essential PDPA Compliance Guide for Singapore Businesses
  5. PDPA Consent Requirements: How Can Your Business Comply?
  6. Is It Legal for Businesses to Ask for Your NRIC in Singapore?
  7. Here's a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
  8. Cloud Storage of Personal Data: Your Business’ Data Protection Obligations
  9. Drafting a Comprehensive Privacy Policy For Your Singapore Website
  10. GDPR Compliance in Singapore: Is it Required and How to Comply
  11. Appointing a Data Protection Officer For Your Business: All You Need to Know
  12. How Can Companies Dispose of Documents Containing Personal Data?
  13. Check the Do-Not-Call Registry Before Marketing to Singapore Phone Numbers
  14. How to Legally Install CCTVs for Home/Business Use in Singapore
  15. Is Web Scraping or Crawling Legal in Singapore?
  16. Legal Options If Employees Breach Confidentiality in Singapore
Marketing
  1. Dealing with Defamation of Your Business: Can You Sue?
  2. Sending Email Newsletters That Comply With Singapore Law
  3. A legal guide to drafting a social media policy for your company
  4. Your Guide to a Media Release Form in Singapore
  5. Your Guide to an Influencer Marketing Agreement in Singapore
  6. Outdoor Advertising: How to Legally Display Public Ads in Singapore
Franchising
  1. Starting a Franchise in Singapore: What Franchisors Should Look Out For
  2. Running a Franchise in Singapore: What To Look Out for as a Franchisee
Debt Restructuring
  1. What is Judicial Management and How It Works in Singapore
  2. Schemes of Arrangement: How They Work and How to Apply
  3. Informal Debt Restructuring and Workout in Singapore
Ending a Business
  1. Voluntary Suspension of Business in Singapore: How to Handle
  2. Winding Up a Singapore Company: Grounds and Procedure
  3. Closing Your Singapore Business: What You Need to Settle
  4. Striking Off a Company
  5. Can a Company that Struck Itself Off the Register Later Apply to Restore Itself?
  6. Dissolution of partnerships in Singapore
  7. What Should a Creditor Do When a Company Becomes Insolvent?
  8. How to File a Proof of Debt Against a Company in Liquidation
  9. Insolvency: Claw-Back of Assets From Unfair Preference and Undervalued Transactions
  10. Validation of Payments Made by Companies Being Wound Up