How GDPR Singapore impact businesses and its compliance
On May 25, 2018, the General Data Protection Regulation (GDPR Singapore) went into effect. The GDPR Singapore will apply to any organisation established outside of the EU that offers goods or services to EU citizens or monitors their behavior within the EU.
The PDPC has created a factsheet on the GDPR Singapore that highlights the key GDPR Singapore requirements.
When does an organization based in Singapore have to comply with the GDPR Singapore?
The GDPR Singapore may apply to Singaporean organisations that provide goods or services to individuals in the EU (whether or not payment is required) or monitor the behaviour of individuals in the EU.
For example, presenting a version of your organization’s website in an EU Member State’s vernacular language, publishing prices of products or services in Euros or the currency of an EU Member State, and offering to ship goods to any EU Member State may constitute offering goods to individuals in the EU.
Suppose an organisation is targets individuals in the EU this way. In that case, it may be required to appoint a European representative if it processes data on a large scale (rather than just occasionally) or if it processes any special categories of personal data as defined in GDPR Articles 9(1) and 10.
Does compliance with Singapore’s Personal Data Protection Act (PDPA) equate to compliance with the GDPR Singapore?
Compliance with the PDPA does not necessarily imply compliance with the GDPR Singapore, as the two regimes have different requirements.
What do organizations need to do to comply with the GDPR Singapore?
The European Commission has issued guidance on how to comply with the GDPR Singapore. Organizations may refer to European regulators’ resources on GDPR Singapore requirements or seek professional legal advice on GDPR Singapore compliance where necessary.
The PDPC’s factsheet on the GDPR Singapore, which highlights the key GDPR Singapore requirements, may be useful for organisations’ information. The factsheet can be found here.
The following scenarios demonstrate when GDPR Singapore is likely or unlikely to apply to personal data processing:
Examples where GDPR Singapore is likely to apply
- A Chinese Language School in Singapore offers an online course for EU citizens (e.g., French-Chinese lessons). Its website is available in English, French, Spanish, Dutch, and Italian. Individuals in the EU can also use the website to submit an enrolment application and pay in Euros.
- A hotel in Singapore has a website that is available in French, Spanish, Dutch, and Italian. The website displays room rates in various currencies, including Euros, and accepts reservations and credit card payments for hotel room bookings in Euros.
- A retailer in Singapore has a website that is available in French, Spanish, Dutch, and Italian. Customers in the EU can place orders online and pay with a credit card in Euros. The retailer fulfills the order and ships it to EU countries.
- A Singapore-based mobile game developer allows EU users to download and register for its app. It collects personal information from users and tracks their app usage and geolocation. When the such app is used in the EU, an agreement is made with a digital advertising platform to deliver location-specific advertisements to users.
Examples where GDPR Singapore is unlikely to apply
- A café in Singapore hires coffee baristas, including EU nationals, and collects personal information as part of employee records. It doesn’t provide any goods or services to customers in the EU. It only sells its coffee to customers at its Singapore cafés.
- Museums in Singapore provide a membership program for all visitors, including EU tourists. Museums provide regular email updates and information on upcoming museum exhibits and programs to all members in English as part of the membership program.
- Mobile app providers allow any individual, including those in the EU, to download the mobile app provider’s English-language app and create an account to make dining reservations for restaurants in Singapore. The app also keeps track of each user’s dining history and culinary preferences, and it rewards users with frequent diner points, which can be redeemed for discount vouchers redeemable at the Singapore restaurant.
- Car booking service in Singapore allows anyone, including those in the EU, to make advance reservations through its website. The website is in English, and credit card deposits for reservations are only accepted in Singapore dollars.
Data protection has never been this robust with the implementation of GDPR Singapore and the PDPA. With these laws working together to ensure personal data is safe and managed well by organisations in Singapore, the instances of breaches are further minimized and prevented for the benefit of any individual entrusting their personal information to these organisations.
To ensure its compliance, organisations can opt to hire an outsourced Data Protection Officer (DPO) like Privacy Ninja, who also caters to Singapore entities that follow their HQ’s GDPR, if they do not have an in-house one. It is important that each organisation has a DPO not just because it is mandated but also to ensure that no stones are left unturned when it comes to data protection compliance.