The Personal Data Protection Act (PDPA) is a comprehensive law that governs the collection, use, disclosure, and protection of personal data in Singapore. The PDPA was enacted to strengthen the protection of individuals' personal data and to enhance Singapore's competitiveness as a trusted business hub. Under the PDPA, individuals have several rights regarding the use of their personal data by organizations. In this article, we'll explore these rights in detail and what organizations need to know to comply with their obligations under the PDPA.
Right to Know
One of the primary rights of individuals under the PDPA is the right to know how their personal data is being used. Organizations must inform individuals of the purposes for which their personal data is being collected, used, or disclosed. This information must be provided in a clear and concise manner before or at the time of collection. Additionally, organizations must obtain individuals' consent before collecting, using, or disclosing their personal data for any purpose.
Right to Access
Individuals also have the right to access their personal data held by an organization. This includes the right to request information about how their personal data is being used, the identity of any third parties to whom their personal data has been disclosed, and the right to request a copy of their personal data. Organizations are required to provide this information within 30 days of receiving a written request from an individual.
Right to Correction
Under the PDPA, individuals have the right to request that organizations correct any inaccurate or incomplete personal data held about them. Organizations must respond to these requests within 30 days and take reasonable steps to correct the information.
Right to Withdraw Consent
Individuals have the right to withdraw their consent for the collection, use, or disclosure of their personal data at any time. Organizations must stop using or disclosing the personal data once consent is withdrawn, except in certain circumstances where the organization is required by law to continue using or disclosing the personal data.
Right to Data Portability
Under the PDPA, individuals have the right to request that their personal data be transferred to another organization in a commonly used electronic format. This right applies in situations where the personal data was collected with the individual's consent, and the transfer is technically feasible.
Right to Object
Individuals have the right to object to the use of their personal data for certain purposes, such as direct marketing. Organizations must stop using the personal data for these purposes once an objection is received.
Right to Erasure
Under certain circumstances, individuals have the right to request that organizations delete their personal data. This includes situations where the personal data is no longer necessary for the purposes for which it was collected or where the personal data was collected unlawfully.
Right to Withdraw Consent
Individuals have the right to withdraw their consent at any time if they no longer wish to have their personal data processed. This right must be clearly communicated to individuals before they give their consent, and it must be easy for them to withdraw their consent. If an individual withdraws their consent, the organization must stop processing their personal data and delete or anonymize it, unless there are legal grounds for the data to be retained.
Right to File a Complaint
If individuals believe that their rights under the PDPA have been violated, they have the right to file a complaint with the Personal Data Protection Commission (PDPC). The PDPC is responsible for enforcing the PDPA and ensuring that organizations comply with its provisions.
Individuals can file a complaint online or by post, and the PDPC will investigate the complaint and take appropriate action against the organization if necessary. The PDPC can impose fines and penalties on organizations that violate the PDPA, and it can also order organizations to stop processing personal data or to take other remedial actions.
The PDPA gives individuals in Singapore important rights over their personal data, and organizations have a legal obligation to comply with these rights. By understanding these rights and taking steps to protect personal data, organizations can build trust with their customers and ensure that they are in compliance with the PDPA.
Organizations should implement appropriate policies and procedures to safeguard personal data. This includes appointing a Data Protection Officer (DPO) who is responsible for ensuring that the organization complies with the PDPA and that personal data is properly protected. In addition, organizations should provide training to employees on the importance of data protection and their obligations under the PDPA. By taking these steps, organizations can minimize the risk of data breaches and ensure that they are in compliance with the PDPA.