Statutory Updates

Legislation on PDPA

Personal data protection act (PDPA) had come into force on 2 July 2014.

It also provides for the establishment of a Do Not Call (DNC) Registry.

The DNC Registry allows individuals to register their Singapore telephone numbers to opt-out receiving marketing phone calls, mobile text messages which includes SMS, MMS and fax from companies.

The data protection act governs the collection, use, and disclosure of personal information by companies.

There are three main sets of rules of data protection:

  1. Obligations relating to the notification, consent, and purpose:

    Companies must notify the use and purposes and seek consent from individuals for the use and disclosure of their personal data
  2. Obligations relating to compliance, accountability, access, and correction:

    Companies must make information available about their data protection policies, appoint a data protection officer, give the individual access to their personal data and allow individuals to correct their personal data
  3. Obligations relating to safeguarding personal data:

    Companies must comply with the prescribed requirements when transferring personal data outside Singapore, use reasonable measures to protect personal data and make a reasonable effort to ensure the accuracy of personal data and cease to retain personal data when no longer required.

The Data Protection Officer (DPO) role:

The DPO is a company’s security officer required by the Data Protection act. He or she is responsible for overseeing a company’s data protection strategy and method used which comply with the Data Protection Act. A company can appoint senior management to take up the role of DPO or appoint a third party to oversees the companies Data Protection process.

For more information on PDPC, please visit:
For more information on DNC, please visit: