When organizations in Singapore, such as real estate agencies, collect, use, or disclose an individual’s personal data, they must comply with the terms of the PDPA unless they are in the course of acting on behalf of a public agency or face a substantial penalty.
PDPA compliance for real estate agencies in Singapore
Not all data collected by real estate agencies constitute personal data. As defined in the Advisory Guidelines For The Real Estate Agency Sector of 2014, personal data is data, whether true or not, about an individual who can be identified: a) from that data, or b) from that data and other information to which the Organization has or is likely to have access. Thus, when an individual cannot be identified from the said data, the PDPA does not generally apply.
Thus, when the types of personal data that are typically collected by the estate agent(s) or salesperson(s), that may include, but are not limited to, the full name, NRIC number, marital status, contact details, and residential addresses of the client(s) and/or other parties to the transaction, does not identify a specific person, it is not considered as personal data.
PDPA compliance for real estate agencies: Consent and Notification Obligations
According to the 2014 Advisory Guidelines For The Real Estate Agency Sector, whenever an organization undertakes activities relating to the collection, use, or disclosure of personal data, they must obtain consent from individuals and notify them for such collection, use, and disclosure of personal data, unless exceptions apply.
The PDPC does not indicate any precise method of collecting consent from persons in the new recommendations for PDPA compliance for real estate agencies. It is up to the Organization to determine how they acquire it.
PDPA compliance for real estate agencies: Application of the Do Not Call Provision
Under the Do Not Call provision of the PDPA, organizations cannot send specified messages to the individual’s telephone or mobile number registered in the Do Not Call Registry. Otherwise, such Organizations will face a hefty fine.
Under the Do Not Call Provision, these specified messages are messages with a purpose to offer to supply, advertise or promote goods or services, land or an interest in land, or a business or investment opportunity, or a supplier of such goods, services, land or opportunity.
However, there are exceptions to this rule. If the recipient gave the consent for the unspecified message, or if such message is a specified one, the Organization is exempted from complying with its obligation under the Exemption Order.
Under the Exemption Order, if there exists an “ongoing relationship” between the sender and a recipient, the Organization is exempted from the requirement to check the relevant Do Not Call Registers.
An “ongoing relationship” under the Exemption Order means a relationship which is on an ongoing basis, between a sender and a subscriber or user of a Singapore telephone number, arising from the carrying on or conduct of a business or activity (commercial or otherwise) by the sender.
Hiring a Data Protection Officer (DPO) and PDPA compliance for real estate agencies
The PDPA applies to organizations that collect, utilize, and disclose data. According to the PDPC decision and undertakings, if there is a violation, regardless of its source (i.e. if it was just a mistake made by its employee), the Organization might be forced to pay a high fine of up to S$1,000,000. To avoid this, the appointment of a DPO is necessary.
The DPO’s importance rests in ensuring that all PDPA compliance is satisfied. Every Organization subject to the PDPA is obligated to employ DPOs to ensure that no breaches occur in the future.
This is because the DPO is responsible for the following duties in order to limit any data breach:
a. Putting together a personal data protection policy that sets out the purposes for which personal data may be collected, used, or disclosed by the real estate agencies, as well as other data protection practices to ensure compliance with the PDPA and making information about this policy available to all stakeholders;
b. Raising awareness and fostering a culture of data protection among staff and key personnel
c. Developing and implementing policies and processes for the proper handling and management of personal data protection-related queries and complaints (e.g., access and correction requests) and making information about the complaints process available on request; and
d. Alerting the real estate agencies to any risks that might arise concerning the collection, use, or disclosure of personal data.
How Privacy Ninja can help
Privacy Ninja, one of the leading data protection service providers in Singapore, can help with your PDPA compliance needs with ease without you lifting a finger for a competitive price. Privacy Ninja value adds to your organization’s data protection policies by participating in Privacy Ninja’s exhaustive PDPA training. In sum, we got you covered with your PDPA compliance needs.
Also Read: PDPA compliance for Singapore schools
Outsourced Data Protection Officer – It is mandatory to appoint a Data Protection Officer. We help our clients quickly comply with their PDPA & data protection requirements.
Vulnerability Assessment Penetration Testing – Find loopholes in your websites, mobile apps or systems.
Smart Contract Audit – Leverage our industry-leading suite of blockchain security analysis tools, combined with hands-on review from our veteran smart contract auditors.