PDPA AND DNC - SIX BASICS
The Personal Data Protection Act ("PDPA") and Do-Not-Call ("DNC") Registry are enforced by the Personal Data Protection Commission ("PDPC") of Singapore.
1. PDPA Applies to Personal Data of Individuals in Singapore Only
Does Not Apply to Business Data or Information of Entities such as Companies, Businesses (Partnerships and Solopreneurs), Associations or Organisations.
Applies to Personal Private Data Only (Name, NRIC, Mobile and Home Numbers, Credit Card Details).
This is similar to European GDPR (General Data Protection Regulations) which protects personal data of European individuals.
However the European PECR (Privacy and Electronic Communications Regulations) apply to Solopreneurs and Partnerships, among others.
2. Express Consent Required and for Stated Commercial Purpose Only
This is usually done by filling up Form (Hard Copy or Online or by Ticking “Agree” Box.
Consent to receiving future emails should also be clearly obtained.
Such consent will override DNC (even if number in DNC) for use by any Entity for that particular commercial purpose only.
Consent is invalid if Purpose of Collecting Private Data is not stated clearly before Consent is given or before any Contract is signed by Individual.
Consent for collection, use and disclosure of Private Data need not be obtained in special cases as stated in Second, Third and Fourth Schedules of PDPA (eg for emergency, national interest, or where data is publicly available)
3. Consent Can be Expressly Withdrawn with Reasonable Notice
Consent by Individual can be withdrawn (in writing eg email, text etc) by giving reasonable notice eg 10 days’ notice.
The Entity must also inform its Intermediaries and Agents of withdrawal of consent.
The Entity must inform individual of what Private Data has been stored or shared.
The Entity must (usually within 30 days) provide access to and copy of Private Data where Individual makes reasonable request, if Individual pays the expenses incurred and if Private Data does not fall within Fifth Schedule of PDPA.
The Entity must delete, destroy, cease to hold (eg by returning documents to Individual) or anonymise Private Data already collected if consent withdrawn or the Purpose for which Private Data was collected does not reasonably exist or apply any longer.
If the Withdrawal of Consent does not state the Purpose for which Consent is withdrawn, then the Entity cannot use Private Data for any Purpose at all.
Similarly for GDPR, European individuals can request for data to be deleted or destroyed and can also request for copy of all Data collected (including by Social Media Companies like Facebook, Google, etc)
4. Private Data Can be Shared with Third-Parties if Clear Consent Given
This is usually where Vendor needs to provide information to his Supplier or other parties to enable transaction to be completed. The test is always whether the Collection and Use of Private Data is for stated purpose or whether Use of Private Data is reasonable. Onus is always on Entity to prove the proper collection and use of Private Data.
The Entity, Third parties and Agents must always ensure proper use and protection of such Private Data.
5. Private Data Transferred or Used Overseas Must be Similarly Protected
Similar use and protection of Private Data applies. This is similar to PECR and GDPR that protects Private Data of Europeans worldwide.
6. DNC Prohibits Telemarketing Calls and Texts Only (Unless Consent Given)
DNC protects against cold calls or unsolicited calls or texts by other Entities (Companies, Businesses, Associations or Organisations).
DNC protects Singapore numbers of Individuals and Entities which have registered their Personal or Business Numbers with DNC Registry.
Calls and texts to numbers in DNC Registry can only be made if clear consent given by such Individuals or Entities.
Calls or Texts by Entities to, inter alia, provide relevant updates or obtain further information relating to the business transaction are permitted.
Entities must display their number so Individual or other Entities know it is from an Entity to whom consent had been given earlier.
Note: Information is provided as a guide only and does not constitute legal advice. For more information on PDPA, kindly visit www.pdpc.gov.sg.