Obligations under PDPA and data protection
When Organizations collect, use, and disclose any personal data of anyone, there is an obligation for them to follow under the Personal Data Protection Act (PDPA). Failure to observe these obligations would mean that they have breached the said Act’s provisions and could be made to pay a fine of up to S$1,000,000. The following are the 11 Obligations under PDPA and data protection for Organizations that handle data:
1. Accountability Obligation
Organizations must take steps to ensure that they are meeting their obligations under the PDPA, such as providing information about their data protection policies, practices, and complaints process upon request, appointing a data protection officer (DPO), and making business contact information available to the public.
Organizations should be willing to provide information about their data protection methods, policies, and complaint processes to anybody who asks.
2. Notification Obligation
Organizations are required to advise individuals of the objectives for which their personal data will be collected, used, or disclosed.
3. Consent Obligation
Organizations are only permitted to collect, use, or disclose personal data for purposes to which an individual has consented.
Furthermore, organizations must allow individuals to withdraw consent with reasonable notice and notify them of the possible implications of doing so. When consent is revoked, ensure that you stop collecting, using, or disclosing the individual’s personal data.
4. Purpose Limitation Obligation
Organizations may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate under the circumstances and for which the individual has given consent.
An organization may not force an individual to agree to the collection, use, or disclosure of his or her personal data beyond what is necessary to offer that product or service as a condition of providing that product or service.
5. Accuracy Obligation
Organizations must make a reasonable effort to ensure that the personal data collected is accurate and complete, especially if it will be used to make a decision that affects the individual or is disclosed to another organization.
6. Protection Obligation
To prevent unauthorized access, acquisition, use, disclosure, or other threats to personal data in an organization’s control, reasonable security mechanisms must be put in place.
7. Retention Limitation
Organizations are only required to stop retaining personal data or dispose of it properly when it is no longer required for any commercial or legal reason.
8. Transfer Limitation Obligation
Organizations are only required to transmit personal data to another country according to the legislation to guarantee that the quality of protection is similar to that provided by the PDPA, unless exempted by the PDPC.
9. Access and Correction Obligation
Organizations must offer individuals access to their personal data as well as details on how the data was used or disclosed during the previous year upon request.
Organizations must also correct any errors or omissions in the individual’s personal data as soon as possible and send the corrected data to other organizations to which the personal data was disclosed (or to selected organizations to which the individual has consented) within a year of the correction.
10. Data Breach Notification Obligation
In the case of a data breach, organizations must determine if it is notifiable. Suppose a data breach is likely to cause significant harm to individuals and/or is on a large scale. In that case, organizations must notify the PDPC and the affected individuals as soon as possible.
11. Obligations under PDPA and data protection: Data Portability
Organizations are expected to communicate the individual’s data that is in their custody or under their control to another organization in a generally used machine-readable format upon the individual’s request.
Also Read: PDPA compliance for real estate agencies