The Importance Of Knowing Personal Data Protection Regulations
These Regulations may be cited as the Personal Data Protection Regulations 2014.
Requests For Access To And Correction Of Personal Data
In this Part, unless the context otherwise requires:
“applicant” means an individual who makes a request;
“data protection officer”, in relation to an organisation, means an individual designated by the organisation under section 11(3) of the Act or an individual to whom the responsibility of the data protection officer has been delegated under section 11(4) of the Act;
“individual’s personal data” means personal data about the individual;
“request” means a request to an organisation made under section 21(1) or 22(1) of the Act;
“use and disclosure information” means the information specified in section 21(1)(b) of the Act.
How to make request
(1) A request to an organisation must be made in writing and shall include sufficient detail to enable the organisation, with a reasonable effort, to identify:
(a) the applicant making the request;
(b) in relation to a request under section 21(1) of the Act, the personal data and use and disclosure information requested by the applicant; and
(c) in relation to a request under section 22 of the Act, the correction requested by the applicant.
(2) A request must be sent to the organisation:
(a) in accordance with section 48A of the Interpretation Act (Cap. 1);
(b) by sending it to the organisation’s data protection officer in accordance with the business contact information provided under section 11(5) of the Act; or
(c) in such other manner as is acceptable to the organisation.
Duty to respond to request under section 21(1) of Act
(1) Subject to section 21(2), (3) and (4) of the Act and regulations 6 and 7(3), an organisation must respond to each request to it under section 21(1) of the Act as accurately and completely as necessary and reasonably possible.
(2) The organisation must provide an applicant access to the applicant’s personal data requested under section 21(1) of the Act:
(a) by providing the applicant a copy of the personal data and use and disclosure information in documentary form;
(b) if sub-paragraph (a) is impracticable in any particular case, by allowing the applicant a reasonable opportunity to examine the personal data and use and disclosure information; or
(c) in such other form requested by the applicant as is acceptable to the organisation.
Notification of timeframe for response
Subject to the requirement to comply with section 21(1) of the Act as soon as reasonably possible or section 22(2) of the Act as soon as practicable, if the organisation is unable to comply with that requirement within 30 days after receiving a request made in accordance with regulation 3, the organisation must within that time inform the applicant in writing of the time by which it will respond to the request.
Refusal to confirm or deny existence, use or disclosure of personal data
Subject to section 21(4) of the Act, an organisation, in a response to a request to it under section 21(1) of the Act, may refuse to confirm or deny:
(a) the existence of personal data referred to in paragraph 1(h) of the Fifth Schedule to the Act; or
(b) the use of personal data without consent under paragraph 1(e) of the Third Schedule to the Act or the disclosure of personal data without consent under paragraph 1(f) of the Fourth Schedule to the Act, for any investigation or proceedings, if the investigation or proceedings and related appeals have not been completed.
Fees
(1) Subject to section 28 of the Act, an organisation may charge an applicant who makes a request to it under section 21(1) of the Act a reasonable fee for services provided to the applicant to enable the organisation to respond to the applicant’s request.
(2) An organisation must not charge a fee to respond to the applicant’s request under section 21(1) of the Act unless the organisation has:
(a) provided the applicant with a written estimate of the fee; and
(b) if the organisation wishes to charge a fee that is higher than the written estimate provided under sub-paragraph (a), notified the applicant in writing of the higher fee.
(3) An organisation does not have to respond to an applicant’s request under section 21(1) of the Act unless the applicant agrees to pay the following fee:
(a) where the organisation has notified the applicant of a higher fee under paragraph (2)(b):
(i) if the Commission has reviewed the higher fee under section 28(1) of the Act, the fee allowed by the Commission under section 28(2) of the Act; or
(ii) if sub-paragraph (i) does not apply, the higher fee notified under paragraph (2)(b); or
(b) where sub-paragraph (a) does not apply and the organisation has provided the applicant with an estimated fee under paragraph (2)(a):
(i) if the Commission has reviewed the estimated fee under section 28(1) of the Act, the fee allowed by the Commission under section 28(2) of the Act; or
(ii) if sub-paragraph (i) does not apply, the estimated fee provided under paragraph (2)(a).
(4) For the avoidance of doubt, an organisation shall not charge the applicant any fee to comply with its obligations under section 22(2) of the Act.