PDPA Consent Requirements: How Can Your Business Comply?

Last updated on October 7, 2022

man asking for key to unlock computer data.

Since the Personal Data Protection Act (PDPA) came into force in Singapore, businesses have been required to obtain their customers’ consent before collecting, using and/or disclosing their personal data.

This article will summarise the main requirements in order for your business to remain compliant with this obligation.

What is Personal Data?

Personal data means any information about a customer that is likely to allow you to identify that customer. If your business wants to collect, use and/or disclose such information, you need your customers’ consent to do so.

How Can We Obtain Our Customers’ Consent in Singapore?

Have your customers given consent for a specific purpose?

The safest way is to ask for it by having the customer sign or otherwise acknowledge a notice giving you consent to collect, use and/or disclose their data for a particular purpose.

If you routinely collect data from customers via an online or physical form, it should contain a notice stating that by submitting the form, the customer consents to the collection, use and/or disclosure of his personal data for whatever specific purpose the completion of the form has.

Can I use the customer’s consent for other purposes not specified in the notice?

The consent given is limited to the collection, use and/or disclosure of the personal data only for the purposes stated in the notice.

Can I, in the notice, refuse to sell a product/service if customers do not provide their personal data or give consent for additional purposes?

You cannot insist that customers provide you with their personal data and allow you to collect, use or disclose it for any purpose other than as necessary to provide them with the product or service they are purchasing.

Nor can you refuse to provide the product or service to customers if they do not give their consent for such additional uses.

For example, if your business is an online hat shop selling hats for home delivery, you can insist that your customers provide you with their delivery address, and refuse to sell them a hat if they don’t, but only for the purpose of processing their payment and delivering the hat to their address.

You cannot insist that they also provide their email address and telephone number so that you can contact them with hat-related promotional information and refuse to sell them a hat if they withhold their consent for the use of their personal data in this way.

The implications of this law on your online form is that you can include a line saying, for example:

“By clicking SUBMIT, you agree to our collection, use and/or disclosure of your personal data to the extent necessary to process your order and provide you with this product.”

However, if you want to be able to send promotional material to your customers, you have to include a tickbox that they can choose to select or deselect, to give their consent for the collection, use or disclosure of their personal data in this way.

Do We Always have to Obtain Our Customer’s Consent?

No, but it’s safer if you do.

However, under section 15 of the PDPA, a customer who has voluntarily provided his personal data for a particular purpose in circumstances where it was reasonable for him to do so will be deemed to have consented to its collection, use or disclosure for that purpose.

In addition, under section 15A of the PDPA, you may inform a customer that you will be collecting, using or disclosing his personal data and provide a reasonable period for the customer to opt out of such collection, use or disclosure. And if the customer does not opt out by that period of time, then the customer may be deemed to have consented to such collection, use or disclosure.

If your business relies heavily on the collection, use or disclosure of personal data in a context where it may be impracticable for you to obtain consent from each and every customer to do so, you should speak to a lawyer with expertise in privacy or data protection law.

There is a long list of very specific exceptions that may apply to the way your business collects, uses or discloses data, but you should be sure that you can legally justify your business practices by references to the PDPA before deciding not to obtain consent from your customers.

Can Customer Consent be Withdrawn?

Yes. You cannot obtain an irrevocable consent from a customer.

A customer can write to you at any time to indicate that he no longer wishes you to collect, use or disclose his personal data. If he does, you should write back to explain what consequences will ensue if you comply with his request.

If he confirms his instruction, you should then delete his personal data and ensure that any other companies who were taking instructions from you with respect to his data do the same. A common automated example of this is a customer unsubscribing from an email newsletter mailing list.

How Should We Draft a Notice for Consent?

The Personal Data Protection Commission (PDPC) has a handy template for drafting a notice for consent.

What Happens If We Do Not Comply with the PDPA Requirements for Consent?

If you don’t comply with the legal requirements discussed in this article, your business could face a fine of 10% of the organisation’s annual turnover in Singapore for organisations with annual local turnover exceeding S$10 million, or up to S$1 million, whichever is higher.

The PDPC may also order you to stop using the data collected or delete it altogether, among other consequences.

In short, it is easier to take a few simple steps to ensure compliance with the law than risk running afoul of it.

Should you have any questions or require legal assistance in obtaining your customers’ consent in compliance with the PDPA in Singapore, please feel free to consult one of our data protection lawyers.

Appointment and Removal of Company Officers and Other Key Personnel
  1. What is a Nominee Director, How to Appoint and Other FAQs
  2. Independent Directors: Who are They and What is Their Role?
  3. Board of Advisors: Who Are They and What Is Their Role?
  4. Appointing Company Directors in Singapore: Eligibility, Process etc.
  5. Managing Director vs CEO in Singapore: Roles and Obligations
  6. Guide to Directors' Remuneration in Singapore
  7. Directors' Duties in Singapore
  8. Shadow Directors: Who are They and What Duties Do They Owe to the Company?
  9. How to Remove a Director from a Company in Singapore
  10. Removal and Resignation of Company Auditor in Singapore
  11. Appointing a Company Secretary: Roles and Responsibilities
  12. Appointing an Authorised Representative for Foreign Companies in Singapore
  13. Process Agents in Singapore
Holding Meetings
  1. What are Annual General Meetings (AGMs) in Singapore?
  2. How to Hold Extraordinary General Meetings (EGMs) in Singapore
  3. How to Hold a Board Meeting in Singapore
Shareholder Matters
  1. Share Buybacks in Singapore: Procedure, Cost and More
  2. How to Split Shares (or Stocks) in a Singapore Company
  3. 2 Ways to Remove a Singapore Company Shareholder ASAP
  4. What are Treasury Shares? Guide for Singapore Companies
  5. Guide to Paid-Up Capital in Singapore (Is $1 Enough?)
  6. Preparing a Register of Shareholders for a Singapore Company
  7. How to Issue Shares in a Singapore Private Company
  8. Guide to Transferring Shares in a Singapore Private Company
  9. Your Guide to Share Certificates in Singapore: Usage and How to Prepare
  10. Shareholder Rights in Singapore Private Companies
  11. Shareholder Roles and Obligations in Singapore Companies
  12. Dividend Payments Guide for Singapore Business Owners
  13. Share Transmission: What Happens If a Shareholder Dies in Singapore?
  14. How to Reduce the Share Capital of Your Singapore Company
  15. Buy-Sell Agreements: How to Write & Fund Them in Singapore
  16. Oppression of Minority Shareholders
Compliance
  1. Is Your Business Collaboration Competition Law-Compliant?
  2. Explained: Registered Filing Agent for Singapore Businesses
  3. Transfer Pricing Obligations of Singapore Companies
  4. Adhering to Trading Sanctions and Restrictions in Singapore
  5. Cyber Hygiene Compliance Guide for Singapore Companies
  6. Corporate Social Responsibility For Businesses in Singapore
  7. Essential Regulatory Compliance Guide for Singapore Companies
  8. Dormant Companies and Their Filing Obligations in Singapore
  9. Anti-Money Laundering Regulations and Your Business: What You Need to Know
  10. Price-Fixing, Bid-Rigging and Other Anti-Competitive Practices to Avoid
  11. Legally Conducting Lucky Draws for Singapore Businesses
  12. Restaurant Inspection and Food Safety Rules in Singapore
Company Management
  1. Does Your Company Need a Legal Team (In-House Counsel)?
  2. Acqui-Hiring of Singapore Companies: How Does It Work?
  3. How to Change the Name of Your Singapore Company
  4. Can Directors be Liable for Company Debts in Singapore?
  5. Company Loans to Directors/Shareholders in Singapore
  6. 3 Types of Insurance Every Singapore Business Needs
  7. Creating and Registering Charges in Singapore: Guide for Companies
  8. Guide to Effective Business Continuity Planning in Singapore
  9. Business Asset Sale & Disposal in Singapore: How Do They Work?
  10. Business Partnership Disputes in Singapore: How to Resolve
  11. How to Commence a Derivative Action on Behalf of a Company in Singapore
  12. Business Will: How to Pass on Your Business to Your Successors in Singapore
Company Documents
  1. Record-Keeping Requirements for Singapore Companies
  2. Company Constitutions in Singapore and How to Draft One
  3. Company Memorandum and Articles of Association
  4. Company Resolutions: What are They?
  5. Board Resolutions in Singapore
  6. Minutes of Company Meeting in Singapore: How to Record
  7. How to Set Up a Register of Controllers
  8. How to Set Up a Register of Nominee Directors
  9. Guide to Filing Financial Statements for Singapore Business Owners
  10. Filing Annual Returns For Your Business
Tax, Accounting and Audit Matters
  1. Carbon Tax in Singapore: What is the Rate and Who Must Pay?
  2. Laws and Penalties for GST Evasion in Singapore
  3. 6 Common Taxes in Singapore For Individuals & Businesses
  4. Singapore Corporate Tax: How to Pay, Tax Rate, Exemptions
  5. Start-Up Tax Exemption Guide for New Singapore Companies
  6. GST Registration: Requirements and Procedure in Singapore
  7. What is Withholding Tax and When to Pay It in Singapore
  8. Singapore Influencers: Here's How to Calculate Your Income Tax
  9. Tax Investigation of Tax-Evading Business Owners in Singapore
  10. Small Business Accounting Services in Singapore
  11. Company Audits in Singapore: Requirements and Exemptions
Data Protection
  1. Suspect a PDPA Data Breach? Here's What to Do Next
  2. Must You Notify PDPC About a Data Breach in Your Business?
  3. Data Room: Should Your Singapore Company Set Up One?
  4. Victim of a Data Breach? Here’s What You Can Do
  5. Summary: Your Organisation's 10 Main PDPA Obligations
  6. Essential PDPA Compliance Guide for Singapore Businesses
  7. PDPA Consent Requirements: How Can Your Business Comply?
  8. Is It Legal for Businesses to Ask for Your NRIC in Singapore?
  9. Here's a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
  10. Cloud Storage of Personal Data: Your Business’ Data Protection Obligations
  11. Drafting a Comprehensive Privacy Policy For Your Singapore Website
  12. GDPR Compliance in Singapore: Is it Required and How to Comply
  13. Appointing a Data Protection Officer For Your Business: All You Need to Know
  14. How Can Companies Dispose of Documents Containing Personal Data?
  15. Check the Do-Not-Call Registry Before Marketing to Singapore Phone Numbers
  16. How to Legally Install CCTVs for Home/Business Use in Singapore
  17. Is Web Scraping or Crawling Legal in Singapore?
  18. Legal Options If Employees Breach Confidentiality in Singapore
Marketing
  1. Social Media Marketing: Legal Guide for Singapore Businesses
  2. Your Guide to E-commerce Website Terms of Service in Singapore
  3. Dealing with Defamation of Your Business: Can You Sue?
  4. Sending Email Newsletters That Comply With Singapore Law
  5. A legal guide to drafting a social media policy for your company
  6. Your Guide to a Media Release Form in Singapore
  7. Your Guide to an Influencer Marketing Agreement in Singapore
  8. Outdoor Advertising: How to Legally Display Public Ads in Singapore
Fintech and Payment Services Advisory
  1. A Guide to Digital Bank Regulation in Singapore
  2. Applying for a Major Payment Institution Licence in Singapore
  3. Applying to the MAS FinTech Regulatory Sandbox
  4. Payment Services Act Licensing Guide for Fintech Businesses
  5. How to Get a Payment Service Provider Licence in Singapore
  6. Financial Adviser's Licence Guide for Singapore Businesses
  7. Capital Markets (CMS) Licence Requirements in Singapore
  8. How to Offer E-Wallet Services in Singapore: Licensing Guide
  9. Digital Payment Token Services Licence Guide in Singapore
  10. How to Legally Offer Crypto Services in Singapore
Franchising
  1. Starting a Franchise in Singapore: What Franchisors Should Look Out For
  2. Running a Franchise in Singapore: What To Look Out for as a Franchisee
Debt Restructuring
  1. What is Judicial Management and How It Works in Singapore
  2. Schemes of Arrangement: How They Work and How to Apply
  3. Informal Debt Restructuring and Workout in Singapore
Ending a Business
  1. How to Restore a Struck-Off Company in Singapore
  2. Claw-Back of Assets From Unfair Preference and Undervalued Transactions
  3. Should You Save or Close Your Zombie Company in Singapore?
  4. Voluntary Suspension of Business in Singapore: How to Handle
  5. Winding Up a Singapore Company: Grounds and Procedure
  6. Closing Your Singapore Business: What You Need to Settle
  7. Striking Off a Company
  8. Restoring a Company That was Struck Off Without You Knowing
  9. Dissolution of partnerships in Singapore
  10. What Should a Creditor Do When a Company Becomes Insolvent?
  11. How to File a Proof of Debt Against a Company in Liquidation
  12. Validation of Payments Made by Companies Being Wound Up