The 11 obligations under PDPA and data protection

Obligations under PDPA and data protection

When Organizations collect, use, and disclose any personal data of anyone, there is an obligation for them to follow under the Personal Data Protection Act (PDPA). Failure to observe these obligations would mean that they have breached the said Act’s provisions and could be made to pay a fine of up to S$1,000,000. The following are the 11 Obligations under PDPA and data protection for Organizations that handle data: 

1. Accountability Obligation

Organizations must take steps to ensure that they are meeting their obligations under the PDPA, such as providing information about their data protection policies, practices, and complaints process upon request, appointing a data protection officer (DPO), and making business contact information available to the public.

Organizations should be willing to provide information about their data protection methods, policies, and complaint processes to anybody who asks.

For example, your organization’s privacy policy may declare that anyone who wants to learn more about the organization’s data protection practices can contact its data protection officer. It could also give way for such persons to contact that officer.

2. Notification Obligation

Organizations are required to advise individuals of the objectives for which their personal data will be collected, used, or disclosed.

3. Consent Obligation

Organizations are only permitted to collect, use, or disclose personal data for purposes to which an individual has consented.

Furthermore, organizations must allow individuals to withdraw consent with reasonable notice and notify them of the possible implications of doing so. When consent is revoked, ensure that you stop collecting, using, or disclosing the individual’s personal data.

4. Purpose Limitation Obligation

Organizations may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate under the circumstances and for which the individual has given consent.

An organization may not force an individual to agree to the collection, use, or disclosure of his or her personal data beyond what is necessary to offer that product or service as a condition of providing that product or service.

5. Accuracy Obligation

Organizations must make a reasonable effort to ensure that the personal data collected is accurate and complete, especially if it will be used to make a decision that affects the individual or is disclosed to another organization.

Also Read: PDPA Compliance for the Telecommunication Sector

6. Protection Obligation

To prevent unauthorized access, acquisition, use, disclosure, or other threats to personal data in an organization’s control, reasonable security mechanisms must be put in place.

7. Retention Limitation

Organizations are only required to stop retaining personal data or dispose of it properly when it is no longer required for any commercial or legal reason.

8. Transfer Limitation Obligation

Organizations are only required to transmit personal data to another country according to the legislation to guarantee that the quality of protection is similar to that provided by the PDPA, unless exempted by the PDPC.

9. Access and Correction Obligation

Organizations must offer individuals access to their personal data as well as details on how the data was used or disclosed during the previous year upon request.

Organizations must also correct any errors or omissions in the individual’s personal data as soon as possible and send the corrected data to other organizations to which the personal data was disclosed (or to selected organizations to which the individual has consented) within a year of the correction.

10. Data Breach Notification Obligation

In the case of a data breach, organizations must determine if it is notifiable. Suppose a data breach is likely to cause significant harm to individuals and/or is on a large scale. In that case, organizations must notify the PDPC and the affected individuals as soon as possible.

11. Obligations under PDPA and data protection: Data Portability

Organizations are expected to communicate the individual’s data that is in their custody or under their control to another organization in a generally used machine-readable format upon the individual’s request.

Also Read: PDPA compliance for real estate agencies