PDPA Consent Requirements: How Can Your Business Comply?
Since the Personal Data Protection Act (PDPA) came into force, businesses are now required to obtain their customers’ consent before collecting, using and/or disclosing their personal data.
This article will summarise the main requirements in order for your business to remain compliant with this obligation.
What is Personal Data?
Personal data means any information about a customer that is likely to allow you to identify that customer. If your business wants to collect, use and/or disclose such information, you need your customers’ consent to do so.
How Can We Obtain Our Customers’ Consent?
Have your customers given consent for a specific purpose?
The safest way is to ask for it by having the customer sign or otherwise acknowledge a notice giving you consent to collect, use and/or disclose their data for a particular purpose.
If you routinely collect data from customers via an online or physical form, it should contain a notice stating that by submitting the form, the customer consents to the collection, use and/or disclosure of his personal data for whatever specific purpose the completion of the form has.
Can I use the customer’s consent for other purposes not specified in the notice?
The consent given is limited to the collection, use and/or disclosure of the personal data only for the purposes stated in the notice.
Can I, in the notice, refuse to sell a product/service if customers do not provide their personal data or give consent for additional purposes?
You cannot insist that customers provide you with their personal data and allow you to collect, use or disclose it for any purpose other than as necessary to provide them with the product or service they are purchasing.
Nor can you refuse to provide the product or service to customers if they do not give their consent for such additional uses.
For example, if your business is an online hat shop selling hats for home delivery, you can insist that your customers provide you with their delivery address, and refuse to sell them a hat if they don’t, but only for the purpose of processing their payment and delivering the hat to their address.
You cannot insist that they also provide their email address and telephone number so that you can contact them with hat-related promotional information and refuse to sell them a hat if they withhold their consent for the use of their personal data in this way.
The implications of this law on your online form is that you can include a line saying, for example:
“By clicking SUBMIT, you agree to our collection, use and/or disclosure of your personal data to the extent necessary to process your order and provide you with this product.”
However, if you want to be able to send promotional material to your customers, you have to include a tickbox which they can choose to select or deselect, to give their consent for the collection, use or disclosure of their personal data in this way.
Do We Always have to Obtain Our Customer’s Consent?
No, but it’s safer if you do.
However, under section 15 of the PDPA, a customer who has voluntarily provided his personal data for a particular purpose in circumstances where it was reasonable for him to do so will be deemed to have consented to its collection, use or disclosure for that purpose.
If your business relies heavily on the collection, use or disclosure of personal data in a context where it may be impracticable for you to obtain consent from each and every customer to do so, you should speak to a lawyer with expertise in privacy or data protection law.
There is a long list of very specific exceptions that may apply to the way your business collects, uses or discloses data, but you should be sure that you can legally justify your business practices by references to the PDPA before deciding not to obtain consent from your customers.
Can Customer Consent be Withdrawn?
Yes. You cannot obtain an irrevocable consent from a customer.
A customer can write to you at any time to indicate that he no longer wishes you to collect, use or disclose his personal data. If he does, you should write back to explain what consequences will ensue if you comply with his request.
If he confirms his instruction, you should then delete his personal data and ensure that any other companies who were taking instructions from you with respect to his data do the same. A common automated example of this is a customer unsubscribing from an email newsletter mailing list.
How Should We Draft a Notice for Consent?
The Personal Data Protection Commission (PDPC) has a handy template for drafting a notice for consent.
What Happens If We Do Not Comply with the PDPA Requirements for Consent?
If you don’t comply with the legal requirements discussed in this article, your business could face a fine of up to S$1 million.
The PDPC may also order you to delete data, provide it to a third-party, or stop you from using the data.
In short, it is easier to take a few simple steps to ensure compliance with the law than risk running afoul of it.
Should you have any questions or require legal assistance in obtaining your customers’ consent, please feel free to speak to one of our data protection lawyers.
- What are Annual General Meetings (AGMs) in Singapore?
- Anti-Money Laundering Regulations and Your Business: What You Need to Know
- Price-Fixing, Bid-Rigging and Other Anti-Competitive Practices to Avoid
- Dividend Payments Guide for Singapore Business Owners
- Company Audits in Singapore: Requirements and Exemptions
- Guide to Transferring Shares in a Singapore Private Company
- How to Hold an Extraordinary General Meeting (EGM) in Singapore
- How to Issue Shares in a Singapore Private Company
- How to Reduce the Share Capital of Your Singapore Company
- How Businesses Can Legally Conduct Lucky Draws in Singapore
- Dormant Companies and Their Filing Obligations in Singapore
- How to Hold a Board Meeting in Singapore
- Paid-Up Capital in Singapore: A Complete Guide (Is $1 Enough?)
- Essential Regulatory Compliance Guide for Singapore Companies
- Finding a Suitable Corporate Secretarial Firm in Singapore
- Oppression of Minority Shareholders
- Process Agents in Singapore
- Company Constitution in Singapore: What It is and How to Draft One
- How to Set Up a Register of Controllers
- How to Set Up a Register of Nominee Directors
- Memorandum of Understanding (MOU): Does Your Business Need One?
- Minutes of Company Meeting in Singapore: How to Record
- Guide to Filing Financial Statements for Singapore Business Owners
- Company Resolutions: What are They?
- Board Resolutions in Singapore
- Company Memorandum and Articles of Association
- Filing Annual Returns For Your Business
- Shadow Directors: Who are They and What Duties Do They Owe to the Company?
- Guide to Directors' Remuneration in Singapore
- How to Remove a Director from a Company in Singapore
- Appointing Company Directors in Singapore: Eligibility, Process etc.
- Company Loans to Directors/Shareholders (& Vice Versa) in Singapore
- Share Transmission: What Happens If a Shareholder Dies in Singapore?
- Business Will: How to Pass on Your Business to Your Successors in Singapore
- Shareholder Rights in Singapore Private Companies
- Removal and Resignation of Company Auditor in Singapore
- What Responsibilities Do Company Shareholders Have in Singapore?
- Creating and Registering Charges in Singapore: Guide for Companies
- How to Commence a Derivative Action on Behalf of a Company in Singapore
- Managing Director vs CEO in Singapore: Roles and Obligations
- Appointing a Company Secretary: Roles and Responsibilities
- Directors' Duties in Singapore
- Essential PDPA Compliance Guide for Singapore Businesses
- Cloud Storage of Personal Data: Your Business’ Data Protection Obligations
- How Can Companies Dispose of Documents Containing Personal Data?
- Here's a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
- Appointing a Data Protection Officer For Your Business: All You Need to Know
- Summary: Your Organisation's 9 Main Obligations under the Personal Data Protection Act
- Check the Do-Not-Call Registry Before Marketing to Singapore Phone Numbers
- GDPR Compliance in Singapore: Is it Required and How to Comply
- Is It Legal for Businesses to Ask for Your NRIC in Singapore?
- PDPA Consent Requirements: How Can Your Business Comply?
- Legal Options If Employees Breach Confidentiality in Singapore
- Insolvency: Claw-back of Assets from Unfair Preference and Undervalue Transactions
- Striking Off a Company
- What Should a Creditor Do When a Company Becomes Insolvent?
- Dissolution of partnerships in Singapore
- Validation of Payments Made by Companies Being Wound Up
- Can a Company that Struck Itself Off the Register Later Apply to Restore Itself?
- Are You Closing Your Singapore Business? Have You Settled All of the Following?
- How to File a Proof of Debt against a Company in Liquidation
- Winding Up a Company