Personal Data Protection Act 2012
Uploaded by
Aastha JainPersonal Data Protection Act 2012
Uploaded by
Aastha JainTHE STATUTES OF THE REPUBLIC OF SINGAPORE
PERSONAL DATA PROTECTION
ACT 2012
2020 REVISED EDITION
This revised edition incorporates all amendments up to and
including 1 December 2021 and comes into operation on 31 December 2021.
Prepared and Published by
THE LAW REVISION COMMISSION
UNDER THE AUTHORITY OF
THE REVISED EDITION OF THE LAWS ACT 1983
Informal Consolidation – version in force from 1/10/2022
2020 Ed.
Personal Data Protection
Act 2012
ARRANGEMENT OF SECTIONS
PART 1
PRELIMINARY
Section
1. Short title
2. Interpretation
3. Purpose
4. Application of Act
PART 2
PERSONAL DATA PROTECTION COMMISSION
AND ADMINISTRATION
5. Personal Data Protection Commission
6. Functions of Commission
7. Advisory committees
8. Delegation
9. Conduct of proceedings
10. Cooperation agreements
PART 3
GENERAL RULES WITH RESPECT TO
PROTECTION OF AND ACCOUNTABILITY FOR
PERSONAL DATA
11. Compliance with Act
12. Policies and practices
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 2
PART 4
COLLECTION, USE AND DISCLOSURE OF
PERSONAL DATA
Division 1 — Consent
Section
13. Consent required
14. Provision of consent
15. Deemed consent
15A. Deemed consent by notification
16. Withdrawal of consent
17. Collection, use and disclosure without consent
Division 2 — Purpose
18. Limitation of purpose and extent
19. Personal data collected before 2 July 2014
20. Notification of purpose
PART 5
ACCESS TO AND CORRECTION OF
PERSONAL DATA
21. Access to personal data
22. Correction of personal data
22A. Preservation of copies of personal data
PART 6
CARE OF PERSONAL DATA
23. Accuracy of personal data
24. Protection of personal data
25. Retention of personal data
26. Transfer of personal data outside Singapore
PART 6A
NOTIFICATION OF DATA BREACHES
26A. Interpretation of this Part
26B. Notifiable data breaches
26C. Duty to conduct assessment of data breach
26D. Duty to notify occurrence of notifiable data breach
26E. Obligations of data intermediary of public agency
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
3 Act 2012 2020 Ed.
PART 7
Section
27. to 32. [Repealed]
PART 8
33. [Repealed]
34. [Repealed]
35. [Repealed]
PART 9
DO NOT CALL REGISTRY
Division 1 — Preliminary
36. Interpretation of this Part
37. Meaning of “specified message”
38. Application of this Part
Division 2 — Administration
39. Register
40. Applications
41. Evidence
42. Information on terminated Singapore telephone number
Division 3 — Specified message to Singapore
telephone number
43. Duty to check register
43A. Duty of checkers
44. Contact information
45. Calling line identity not to be concealed
46. Consent
47. Withdrawal of consent
48. Defence for employee
PART 9A
DICTIONARY ATTACKS AND
ADDRESS-HARVESTING SOFTWARE
48A. Interpretation of this Part
48B. Prohibition on use of dictionary attacks and address-harvesting
software
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 4
PART 9B
OFFENCES AFFECTING PERSONAL DATA AND
ANONYMISED INFORMATION
Section
48C. Interpretation and application of this Part
48D. Unauthorised disclosure of personal data
48E. Improper use of personal data
48F. Unauthorised re-identification of anonymised information
PART 9C
ENFORCEMENT
48G. Alternative dispute resolution
48H. Power to review
48I. Directions for non-compliance
48J. Financial penalties
48K. Procedure for giving of directions and imposing of financial
penalty
48L. Voluntary undertakings
48M. Enforcement of directions of or written notices by Commission
in District Court
48N. Reconsideration of directions or decisions
48O. Right of private action
PART 9D
APPEALS
48P. Data Protection Appeal Panel and Data Protection Appeal
Committees
48Q. Appeal from direction or decision of Commission
48R. Appeals to General Division of High Court, etc.
PART 10
GENERAL
49. Advisory guidelines
50. Powers of investigation
51. Offences and penalties
52. Offences by corporations
52A. Offences by unincorporated associations or partnerships
53. Liability of employers for acts of employees
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
5 Act 2012 2020 Ed.
Section
54. Jurisdiction of court
55. Composition of offences
56. General penalties
57. Public servants and public officers
58. Evidence in proceedings
59. Preservation of secrecy
60. Protection from personal liability
61. Symbol of Commission
62. Power to exempt
63. Certificate as to national interest
64. Amendment of Schedules
65. Power to make regulations
66. Rules of Court
67. Saving and transitional provisions
68. Dissolution
First Schedule — Collection, use and disclosure of
personal data without consent
Second Schedule — Additional bases for collection, use and
disclosure of personal data without
consent
Third Schedule — [Repealed]
Fourth Schedule — [Repealed]
Fifth Schedule — Exceptions from access requirement
Sixth Schedule — Exceptions from correction requirement
Seventh Schedule— Constitution and proceedings of Data
Protection Appeal Panel and Data
Protection Appeal Committees
Eighth Schedule — Exclusion from meaning of “specified
message”
Ninth Schedule — Powers of investigation of Commission
and Inspectors
Tenth Schedule — Applicable purposes
Eleventh Schedule — Specified purposes
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 6
An Act to govern the collection, use and disclosure of personal data
by organisations, and to establish the Do Not Call Register and to
provide for its administration, and for matters connected therewith.
[22/2016]
[2 January 2013: Parts I, II, VIII, IX (except sections 36
to 38, 41 and 43 to 48) and X (except section 67(1)),
and the First, Seventh and Ninth Schedules ;
2 December 2013: Sections 36, 37, 38 and 41 ;
2 January 2014: Sections 43 to 48 and 67(1) and the
Eighth Schedule ;
2 July 2014: Parts III to VII, and the Second to
Sixth Schedules ]
PART 1
PRELIMINARY
Short title
1. This Act is the Personal Data Protection Act 2012.
Interpretation
2.—(1) In this Act, unless the context otherwise requires —
“advisory committee” means an advisory committee appointed
under section 7;
“Appeal Committee” means a Data Protection Appeal
Committee constituted under section 48P(4), read with the
Seventh Schedule;
“Appeal Panel” means the Data Protection Appeal Panel
established by section 48P(1);
“authorised officer”, in relation to the exercise of any power or
performance of any function or duty under any provision of
this Act, means a person to whom the exercise of that power
or performance of that function or duty under that provision
has been delegated under section 38 of the
Info-communications Media Development Authority
Act 2016;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
7 Act 2012 2020 Ed.
“Authority” means the Info-communications Media
Development Authority established by section 3 of the
Info-communications Media Development Authority
Act 2016;
“benefit plan” means an insurance policy, a pension plan, an
annuity, a provident fund plan or other similar plan;
“business” includes the activity of any organisation, whether or
not carried on for purposes of gain, or conducted on a regular,
repetitive or continuous basis, but does not include an
individual acting in his or her personal or domestic capacity;
“business contact information” means an individual’s name,
position name or title, business telephone number, business
address, business electronic mail address or business fax
number and any other similar information about the
individual, not provided by the individual solely for his or
her personal purposes;
“Chief Executive”, in relation to the Authority, means the Chief
Executive of the Authority appointed under section 40(2) of
the Info-communications Media Development Authority
Act 2016, and includes any individual acting in that capacity;
“Commission” means the person designated as the Personal
Data Protection Commission under section 5 to be
responsible for the administration of this Act;
“Commissioner” means the Commissioner for Personal Data
Protection appointed under section 8(1)(a), and includes any
Deputy Commissioner for Personal Data Protection or
Assistant Commissioner for Personal Data Protection
appointed under section 8(1)(b);
“credit bureau” means an organisation which —
(a) provides credit reports for gain or profit; or
(b) provides credit reports on a routine, non-profit basis
as an ancillary part of a business carried on for gain or
profit;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 8
“credit report” means a communication, whether in written, oral
or other form, provided to an organisation to assess the
creditworthiness of an individual in relation to a transaction
between the organisation and the individual;
“data intermediary” means an organisation which processes
personal data on behalf of another organisation but does not
include an employee of that other organisation;
“derived personal data” —
(a) means personal data about an individual that is
derived by an organisation in the course of business
from other personal data, about the individual or
another individual, in the possession or under the
control of the organisation; but
(b) does not include personal data derived by the
organisation using any prescribed means or method;
“document” includes information recorded in any form;
“domestic” means related to home or family;
“education institution” means an organisation that provides
education, including instruction, training or teaching,
whether by itself or in association or collaboration with, or
by affiliation with, any other person;
“employee” includes a volunteer;
“employment” includes working under an unpaid volunteer
work relationship;
“evaluative purpose” means —
(a) the purpose of determining the suitability, eligibility
or qualifications of the individual to whom the data
relates —
(i) for employment or for appointment to office;
(ii) for promotion in employment or office or for
continuance in employment or office;
(iii) for removal from employment or office;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
9 Act 2012 2020 Ed.
(iv) for admission to an education institution;
(v) for the awarding of contracts, awards,
bursaries, scholarships, honours or other
similar benefits;
(vi) for selection for an athletic or artistic purpose;
or
(vii) for grant of financial or social assistance, or the
delivery of appropriate health services, under
any scheme administered by a public agency;
(b) the purpose of determining whether any contract,
award, bursary, scholarship, honour or other similar
benefit should be continued, modified or cancelled;
(c) the purpose of deciding whether to insure any
individual or property or to continue or renew the
insurance of any individual or property; or
(d) such other similar purposes as the Minister may
prescribe;
“individual” means a natural person, whether living or deceased;
“inspector” means an individual appointed as an inspector under
section 8(1)(b);
“investigation” means an investigation relating to —
(a) a breach of an agreement;
(b) a contravention of any written law, or any rule of
professional conduct or other requirement imposed
by any regulatory authority in exercise of its powers
under any written law; or
(c) a circumstance or conduct that may result in a remedy
or relief being available under any law;
“national interest” includes national defence, national security,
public security, the maintenance of essential services and the
conduct of international affairs;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 10
“organisation” includes any individual, company, association or
body of persons, corporate or unincorporated, whether or
not —
(a) formed or recognised under the law of Singapore; or
(b) resident, or having an office or a place of business, in
Singapore;
“personal data” means data, whether true or not, about an
individual who can be identified —
(a) from that data; or
(b) from that data and other information to which the
organisation has or is likely to have access;
“prescribed healthcare body” means a healthcare body
prescribed for the purposes of the Second Schedule by the
Minister charged with the responsibility for health;
“prescribed law enforcement agency” means an authority
charged with the duty of investigating offences or charging
offenders under written law, prescribed for the purposes of
sections 21(4) and 26D(6) and the Second Schedule by the
Minister charged with the responsibility for that authority;
“private trust” means a trust for the benefit of one or more
designated individuals who are the settlor’s friends or family
members;
“proceedings” means any civil, criminal or administrative
proceedings by or before a court, tribunal or regulatory
authority that is related to the allegation of —
(a) a breach of an agreement;
(b) a contravention of any written law or any rule of
professional conduct or other requirement imposed
by any regulatory authority in exercise of its powers
under any written law; or
(c) a wrong or a breach of a duty for which a remedy is
claimed under any law;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
11 Act 2012 2020 Ed.
“processing”, in relation to personal data, means the carrying out
of any operation or set of operations in relation to the
personal data, and includes any of the following:
(a) recording;
(b) holding;
(c) organisation, adaptation or alteration;
(d) retrieval;
(e) combination;
(f) transmission;
(g) erasure or destruction;
“public agency” includes —
(a) the Government, including any ministry, department,
agency, or organ of State;
(b) any tribunal appointed under any written law; or
(c) any statutory body specified under subsection (2);
“publicly available”, in relation to personal data about an
individual, means personal data that is generally available to
the public, and includes personal data which can be observed
by reasonably expected means at a location or an event —
(a) at which the individual appears; and
(b) that is open to the public;
“relevant body” means the Commission, the Appeal Panel or
any Appeal Committee;
“tribunal” includes a judicial or quasi-judicial body or a
disciplinary, an arbitral or a mediatory body;
“user activity data”, in relation to an organisation, means
personal data about an individual that is created in the course
or as a result of the individual’s use of any product or service
provided by the organisation;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 12
“user-provided data”, in relation to an organisation, means
personal data provided by an individual to the organisation.
[22/2016; 40/2020]
(2) The Minister may, by notification in the Gazette, specify any
statutory body established under a public Act for a public function to
be a public agency for the purposes of this Act.
Purpose
3. The purpose of this Act is to govern the collection, use and
disclosure of personal data by organisations in a manner that
recognises both the right of individuals to protect their personal
data and the need of organisations to collect, use or disclose personal
data for purposes that a reasonable person would consider appropriate
in the circumstances.
Application of Act
4.—(1) Parts 3, 4, 5, 6, 6A and 6B do not impose any obligation
on —
(a) any individual acting in a personal or domestic capacity;
(b) any employee acting in the course of his or her
employment with an organisation;
(c) any public agency; or
(d) any other organisations or personal data, or classes of
organisations or personal data, prescribed for the purposes
of this provision.
[40/2020]
(2) Parts 3, 4, 5, 6 (except sections 24 and 25), 6A (except
sections 26C(3)(a) and 26E) and 6B do not impose any obligation on
a data intermediary in respect of its processing of personal data on
behalf of and for the purposes of another organisation pursuant to a
contract which is evidenced or made in writing.
[40/2020]
(3) An organisation has the same obligation under this Act in
respect of personal data processed on its behalf and for its purposes
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
13 Act 2012 2020 Ed.
by a data intermediary as if the personal data were processed by the
organisation itself.
(4) This Act does not apply in respect of —
(a) personal data about an individual that is contained in a
record that has been in existence for at least 100 years; or
(b) personal data about a deceased individual, except that the
provisions relating to the disclosure of personal data and
section 24 (protection of personal data) apply in respect of
personal data about an individual who has been dead for
10 years or less.
(5) Except where business contact information is expressly
mentioned, Parts 3, 4, 5, 6 and 6A do not apply to business contact
information.
[40/2020]
(6) Unless otherwise expressly provided in this Act —
(a) nothing in Parts 3, 4, 5, 6, 6A and 6B affects any authority,
right, privilege or immunity conferred, or obligation or
limitation imposed, by or under the law, including legal
privilege, except that the performance of a contractual
obligation is not an excuse for contravening this Act; and
(b) the provisions of other written law prevail to the extent that
any provision of Parts 3, 4, 5, 6, 6A and 6B is inconsistent
with the provisions of that other written law.
[40/2020]
PART 2
PERSONAL DATA PROTECTION COMMISSION
AND ADMINISTRATION
Personal Data Protection Commission
5.—(1) The Info-communications Media Development Authority
is designated as the Personal Data Protection Commission.
[22/2016]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 14
(2) The Personal Data Protection Commission is responsible for the
administration of this Act.
[22/2016]
Functions of Commission
6. The functions of the Commission are —
(a) to promote awareness of data protection in Singapore;
(b) to provide consultancy, advisory, technical, managerial or
other specialist services relating to data protection;
(c) to advise the Government on all matters relating to data
protection;
(d) to represent the Government internationally on matters
relating to data protection;
(e) to conduct research and studies and promote educational
activities relating to data protection, including organising
and conducting seminars, workshops and symposia
relating thereto, and supporting other organisations
conducting such activities;
(f) to manage technical cooperation and exchange in the area
of data protection with other organisations, including
foreign data protection authorities and international or
inter-governmental organisations, on its own behalf or on
behalf of the Government;
(g) to administer and enforce this Act;
(h) to carry out functions conferred on the Commission under
any other written law; and
(i) to engage in such other activities and perform such
functions as the Minister may permit or assign to the
Commission by order in the Gazette.
Advisory committees
7.—(1) The Minister may appoint one or more advisory
committees to provide advice to the Commission with regard to the
performance of any of its functions under this Act.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
15 Act 2012 2020 Ed.
(2) The Commission may consult such advisory committees in
relation to the performance of its functions and duties and the exercise
of its powers under this Act but is not bound by such consultation.
Delegation
8.—(1) The Commission may appoint, by name or office, from
among public officers and the employees of the Authority —
(a) the Commissioner for Personal Data Protection; and
(b) such number of Deputy Commissioners for Personal Data
Protection, Assistant Commissioners for Personal Data
Protection and inspectors, as the Commission considers
necessary.
[22/2016]
(2) Where any function, duty or power of the Commission under
this Act is delegated to the Commissioner under section 38 of the
Info-communications Media Development Authority Act 2016 —
(a) the Commissioner must perform that function or duty, or
exercise that power, in his or her name;
(b) the Commission must not perform that function or duty, or
exercise that power, during the period when the delegation
is in force; and
(c) the Commission must, as soon as practicable after the
delegation, publish a notice of the delegation in the
Gazette.
[22/2016]
(3) In exercising any of the powers of enforcement under this Act,
an authorised officer must on demand produce to the person against
whom he or she is acting the authority issued to him or her by the
Commission.
Conduct of proceedings
9.—(1) An individual appointed under section 8(1) or an employee
of the Authority, who is authorised in writing by the Chief Executive
of the Authority for the purpose of this section, may conduct, with the
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 16
authorisation of the Public Prosecutor, proceedings in respect of an
offence under this Act.
[22/2016]
(2) A legal counsel of the Commission who is an advocate and
solicitor may —
(a) appear in any civil proceedings involving the performance
of any function or duty, or the exercise of any power, of the
Commission under any written law; and
(b) make all applications and do all acts in respect of the civil
proceedings on behalf of the Commission or an authorised
officer.
[22/2016]
Cooperation agreements
10.—(1) For the purposes of section 59, a cooperation agreement is
an agreement for the purposes of —
(a) facilitating cooperation between the Commission and
another regulatory authority in the performance of their
respective functions in so far as those functions relate to
data protection; and
(b) avoiding duplication of activities by the Commission and
another regulatory authority, being activities involving the
enforcement of data protection laws.
[22/2016]
(2) A cooperation agreement may include provisions —
(a) to enable the Commission and the other regulatory
authority to provide to each other information in their
respective possession if the information is required by the
other for the purpose of performance by it of any of its
functions;
(b) to provide such other assistance to each other as will
facilitate the performance by the other of any of its
functions; and
(c) to enable the Commission and the other regulatory
authority to forbear to perform any of their respective
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
17 Act 2012 2020 Ed.
functions in relation to a matter in circumstances where it
is satisfied that the other is performing functions in relation
to that matter.
(3) The Commission must not provide any information to a foreign
data protection body pursuant to a cooperation agreement unless it
requires of, and obtains from, that body an undertaking in writing by
it that it will comply with terms specified in that requirement,
including terms that correspond to the provisions of any written law
concerning the disclosure of that information by the Commission.
(4) The Commission may give an undertaking to a foreign data
protection body that it will comply with terms specified in a
requirement made of the Commission by the foreign data protection
body to give such an undertaking where —
(a) those terms correspond to the provisions of any law in
force in the country or territory in which the foreign data
protection body is established, being provisions which
concern the disclosure by the foreign data protection body
of the information mentioned in paragraph (b); and
(b) compliance with the requirement is a condition imposed by
the foreign data protection body for providing information
in its possession to the Commission pursuant to a
cooperation agreement.
(5) In this section —
“foreign data protection body” means a body in whom there are
vested functions under the law of another country or territory
with respect to the enforcement or the administration of
provisions of law of that country or territory concerning data
protection;
“regulatory authority” includes the Commission and any foreign
data protection body.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 18
PART 3
GENERAL RULES WITH RESPECT TO
PROTECTION OF AND ACCOUNTABILITY FOR
PERSONAL DATA
[40/2020]
Compliance with Act
11.—(1) In meeting its responsibilities under this Act, an
organisation must consider what a reasonable person would
consider appropriate in the circumstances.
(2) An organisation is responsible for personal data in its possession
or under its control.
(3) An organisation must designate one or more individuals to be
responsible for ensuring that the organisation complies with this Act.
(4) An individual designated under subsection (3) may delegate to
another individual the responsibility conferred by that designation.
(5) An organisation must make available to the public the business
contact information of at least one of the individuals designated under
subsection (3) or delegated under subsection (4).
(5A) Without limiting subsection (5), an organisation is deemed to
have satisfied that subsection if the organisation makes available the
business contact information of any individual mentioned in
subsection (3) in any prescribed manner.
[40/2020]
(6) The designation of an individual by an organisation under
subsection (3) does not relieve the organisation of any of its
obligations under this Act.
Policies and practices
12. An organisation must —
(a) develop and implement policies and practices that are
necessary for the organisation to meet the obligations of
the organisation under this Act;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
19 Act 2012 2020 Ed.
(b) develop a process to receive and respond to complaints that
may arise with respect to the application of this Act;
(c) communicate to its staff information about the
organisation’s policies and practices mentioned in
paragraph (a); and
(d) make information available on request about —
(i) the policies and practices mentioned in
paragraph (a); and
(ii) the complaint process mentioned in paragraph (b).
PART 4
COLLECTION, USE AND DISCLOSURE OF
PERSONAL DATA
Division 1 — Consent
Consent required
13. An organisation must not, on or after 2 July 2014, collect, use or
disclose personal data about an individual unless —
(a) the individual gives, or is deemed to have given, his or her
consent under this Act to the collection, use or disclosure,
as the case may be; or
(b) the collection, use or disclosure (as the case may be)
without the individual’s consent is required or authorised
under this Act or any other written law.
Provision of consent
14.—(1) An individual has not given consent under this Act for the
collection, use or disclosure of personal data about the individual by
an organisation for a purpose unless —
(a) the individual has been provided with the information
required under section 20; and
(b) the individual provided his or her consent for that purpose
in accordance with this Act.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 20
(2) An organisation must not —
(a) as a condition of providing a product or service, require an
individual to consent to the collection, use or disclosure of
personal data about the individual beyond what is
reasonable to provide the product or service to that
individual; or
(b) obtain or attempt to obtain consent for collecting, using or
disclosing personal data by providing false or misleading
information with respect to the collection, use or disclosure
of the personal data, or using deceptive or misleading
practices.
(3) Any consent given in any of the circumstances in subsection (2)
is not validly given for the purposes of this Act.
(4) In this Act, references to consent given, or deemed to have been
given, by an individual for the collection, use or disclosure of
personal data about the individual include consent given, or deemed
to have been given, by any person validly acting on that individual’s
behalf for the collection, use or disclosure of such personal data.
Deemed consent
15.—(1) An individual is deemed to consent to the collection, use
or disclosure of personal data about the individual by an organisation
for a purpose if —
(a) the individual, without actually giving consent mentioned
in section 14, voluntarily provides the personal data to the
organisation for that purpose; and
(b) it is reasonable that the individual would voluntarily
provide the data.
(2) If an individual gives, or is deemed to have given, consent to the
disclosure of personal data about the individual by one organisation
to another organisation for a particular purpose, the individual is
deemed to consent to the collection, use or disclosure of the personal
data for that particular purpose by that other organisation.
(3) Without limiting subsection (2) and subject to subsection (9), an
individual (P) who provides personal data to an organisation (A) with
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
21 Act 2012 2020 Ed.
a view to P entering into a contract with A is deemed to consent to the
following where reasonably necessary for the conclusion of the
contract between P and A:
(a) the disclosure of that personal data by A to another
organisation (B);
(b) the collection and use of that personal data by B;
(c) the disclosure of that personal data by B to another
organisation.
[40/2020]
(4) Where an organisation collects personal data disclosed to it by B
under subsection (3)(c), subsection (3)(b) and (c) applies to the
organisation as if the personal data were disclosed by A to the
organisation under subsection (3)(a).
[40/2020]
(5) Subsections (3) and (4) apply to personal data provided before
1 February 2021 by an individual to an organisation with a view to the
individual entering into a contract with the organisation —
(a) on or after 1 February 2021; or
(b) which contract was entered into before 1 February 2021
and remains in force on that date,
as if subsections (3) and (4) —
(c) were in force when the personal data was so provided; and
(d) had continued in force until 1 February 2021.
[40/2020]
(6) Without limiting subsection (2) and subject to subsection (9), an
individual (P) who enters into a contract with an organisation (A) and
provides personal data to A pursuant or in relation to that contract is
deemed to consent to the following:
(a) the disclosure of that personal data by A to another
organisation (B), where the disclosure is reasonably
necessary —
(i) for the performance of the contract between P and A;
or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 22
(ii) for the conclusion or performance of a contract
between A and B which is entered into at P’s request,
or which a reasonable person would consider to be in
P’s interest;
(b) the collection and use of that personal data by B, where the
collection and use are reasonably necessary for any
purpose mentioned in paragraph (a);
(c) the disclosure of that personal data by B to another
organisation, where the disclosure is reasonably necessary
for any purpose mentioned in paragraph (a).
[40/2020]
(7) Where an organisation collects personal data disclosed to it by B
under subsection (6)(c), subsection (6)(b) and (c) applies to the
organisation as if the personal data were disclosed by A to the
organisation under subsection (6)(a).
[40/2020]
(8) Subsections (6) and (7) apply to personal data provided before
1 February 2021 by an individual to an organisation in relation to a
contract that the individual entered into before that date with the
organisation, and which remains in force on that date, as if
subsections (6) and (7) —
(a) were in force when the personal data was so provided; and
(b) had continued in force until 1 February 2021.
[40/2020]
(9) Subsections (3), (4), (5), (6), (7) and (8) do not affect any
obligation under the contract between P and A that specifies or
restricts —
(a) the personal data provided by P that A may disclose to
another organisation; or
(b) the purposes for which A may disclose the personal data
provided by P to another organisation.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
23 Act 2012 2020 Ed.
Deemed consent by notification
15A.—(1) This section applies to the collection, use or disclosure
of personal data about an individual by an organisation on or after
1 February 2021.
[40/2020]
(2) Subject to subsection (3), an individual is deemed to consent to
the collection, use or disclosure of personal data about the individual
by an organisation if —
(a) the organisation satisfies the requirements in
subsection (4); and
(b) the individual does not notify the organisation, before the
expiry of the period mentioned in subsection (4)(b)(iii),
that the individual does not consent to the proposed
collection, use or disclosure of the personal data by the
organisation.
[40/2020]
(3) Subsection (2) does not apply to the collection, use or disclosure
of personal data about the individual for any prescribed purpose.
[40/2020]
(4) For the purposes of subsection (2)(a), the organisation must,
before collecting, using or disclosing any personal data about the
individual —
(a) conduct an assessment to determine that the proposed
collection, use or disclosure of the personal data is not
likely to have an adverse effect on the individual;
(b) take reasonable steps to bring the following information to
the attention of the individual:
(i) the organisation’s intention to collect, use or disclose
the personal data;
(ii) the purpose for which the personal data will be
collected, used or disclosed;
(iii) a reasonable period within which, and a reasonable
manner by which, the individual may notify the
organisation that the individual does not consent to
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 24
the organisation’s proposed collection, use or
disclosure of the personal data; and
(c) satisfy any other prescribed requirements.
[40/2020]
(5) The organisation must, in respect of the assessment mentioned
in subsection (4)(a) —
(a) identify any adverse effect that the proposed collection, use
or disclosure of the personal data for the purpose
concerned is likely to have on the individual;
(b) identify and implement reasonable measures to —
(i) eliminate the adverse effect;
(ii) reduce the likelihood that the adverse effect will
occur; or
(iii) mitigate the adverse effect; and
(c) comply with any other prescribed requirements.
[40/2020]
Withdrawal of consent
16.—(1) On giving reasonable notice to the organisation, an
individual may at any time withdraw any consent given, or deemed
to have been given under this Act, in respect of the collection, use or
disclosure by that organisation of personal data about the individual
for any purpose.
(2) On receipt of the notice mentioned in subsection (1), the
organisation concerned must inform the individual of the likely
consequences of withdrawing his or her consent.
(3) An organisation must not prohibit an individual from
withdrawing his or her consent to the collection, use or disclosure
of personal data about the individual, but this section does not affect
any legal consequences arising from such withdrawal.
(4) Subject to section 25, if an individual withdraws consent to the
collection, use or disclosure of personal data about the individual by
an organisation for any purpose, the organisation must cease (and
cause its data intermediaries and agents to cease) collecting, using or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
25 Act 2012 2020 Ed.
disclosing the personal data (as the case may be) unless such
collection, use or disclosure (as the case may be) without the
individual’s consent is required or authorised under this Act or other
written law.
Collection, use and disclosure without consent
17.—(1) An organisation may —
(a) collect personal data about an individual, without the
individual’s consent or from a source other than the
individual, in the circumstances or for the purposes, and
subject to any condition, in the First Schedule or Part 1 of
the Second Schedule;
(b) use personal data about an individual without the
individual’s consent, in the circumstances or for the
purposes, and subject to any condition, in the
First Schedule or Part 2 of the Second Schedule; or
(c) disclose personal data about an individual without the
individual’s consent, in the circumstances or for the
purposes, and subject to any condition, in the
First Schedule or Part 3 of the Second Schedule.
[40/2020]
(2) Unless otherwise provided under this Act, an organisation
may —
(a) collect personal data about an individual that the
organisation receives by way of a disclosure to the
organisation —
(i) on or after 1 February 2021 in accordance with
subsection (1)(c); or
(ii) before 1 February 2021 in accordance with
section 17(3) as in force before that date,
for purposes consistent with the purpose of that disclosure,
or for any purpose permitted by subsection (1)(a); or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 26
(b) use or disclose personal data about an individual that —
(i) is collected by the organisation on or after 1 February
2021 in accordance with subsection (1)(a); or
(ii) was collected by the organisation before 1 February
2021 in accordance with section 17(1) as in force
before that date,
for purposes consistent with the purpose of that collection,
or for any purpose permitted by subsection (1)(b) or (c), as
the case may be.
[40/2020]
Division 2 — Purpose
Limitation of purpose and extent
18. An organisation may collect, use or disclose personal data about
an individual only for purposes —
(a) that a reasonable person would consider appropriate in the
circumstances; and
(b) that the individual has been informed of under section 20,
if applicable.
Personal data collected before 2 July 2014
19. Despite the other provisions in this Part, an organisation may
use personal data about an individual collected before 2 July 2014 for
the purposes for which the personal data was collected unless —
(a) consent for such use is withdrawn in accordance with
section 16; or
(b) the individual, whether before, on or after 2 July 2014, has
otherwise indicated to the organisation that he or she does
not consent to the use of the personal data.
Notification of purpose
20.—(1) For the purposes of sections 14(1)(a) and 18(b), an
organisation must inform the individual of —
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
27 Act 2012 2020 Ed.
(a) the purposes for the collection, use or disclosure of the
personal data (as the case may be) on or before collecting
the personal data;
(b) any other purpose of the use or disclosure of the personal
data of which the individual has not been informed under
paragraph (a), before the use or disclosure of the personal
data for that purpose; and
(c) on request by the individual, the business contact
information of a person who is able to answer on behalf
of the organisation the individual’s questions about the
collection, use or disclosure of the personal data.
(2) An organisation, on or before collecting personal data about an
individual from another organisation without the individual’s
consent, must provide the other organisation with sufficient
information regarding the purpose of the collection to allow that
other organisation to determine whether the disclosure would be in
accordance with this Act.
(3) Subsection (1) does not apply if —
(a) the individual is deemed to have consented to the
collection, use or disclosure (as the case may be) under
section 15 or 15A; or
(b) the organisation collects, uses or discloses the personal
data without the individual’s consent in accordance with
section 17.
[40/2020]
(4) Despite subsection (3), an organisation must comply with
subsection (5) on or before collecting, using or disclosing personal
data about an individual for the purpose of or in relation to the
organisation —
(a) entering into an employment relationship with the
individual or appointing the individual to any office; or
(b) managing or terminating the employment relationship with
or appointment of the individual.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 28
(5) For the purposes of subsection (4), the organisation must inform
the individual of the following:
(a) the purpose for which the organisation is collecting, using
or disclosing (as the case may be) the personal data about
the individual;
(b) on request by the individual, the business contact
information of a person who is able to answer the
individual’s questions about that collection, use or
disclosure (as the case may be) on behalf of the
organisation.
[40/2020]
PART 5
ACCESS TO AND CORRECTION OF
PERSONAL DATA
Access to personal data
21.—(1) Subject to subsections (2), (3) and (4), on request of an
individual, an organisation must, as soon as reasonably possible,
provide the individual with —
(a) personal data about the individual that is in the possession
or under the control of the organisation; and
(b) information about the ways in which the personal data
mentioned in paragraph (a) has been or may have been
used or disclosed by the organisation within a year before
the date of the request.
(2) An organisation is not required to provide an individual with the
individual’s personal data or other information under subsection (1)
in respect of the matters specified in the Fifth Schedule.
(3) Subject to subsection (3A), an organisation must not provide an
individual with the individual’s personal data or other information
under subsection (1) if the provision of that personal data or other
information (as the case may be) could reasonably be expected to —
(a) threaten the safety or physical or mental health of an
individual other than the individual who made the request;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
29 Act 2012 2020 Ed.
(b) cause immediate or grave harm to the safety or to the
physical or mental health of the individual who made the
request;
(c) reveal personal data about another individual;
(d) reveal the identity of an individual who has provided
personal data about another individual and the individual
providing the personal data does not consent to the
disclosure of his or her identity; or
(e) be contrary to the national interest.
[40/2020]
(3A) Subsection (3)(c) and (d) does not apply to any user activity
data about, or any user-provided data from, the individual who made
the request despite such data containing personal data about another
individual.
[40/2020]
(4) An organisation must not inform any individual under
subsection (1)(b) that the organisation has disclosed personal data
about the individual to a prescribed law enforcement agency if the
disclosure was made under this Act or any other written law without
the individual’s consent.
[40/2020]
(5) If an organisation is able to provide the individual with the
individual’s personal data and other information requested under
subsection (1) without the personal data or other information
excluded under subsections (2), (3) and (4), the organisation must
provide the individual with access to the personal data and other
information without the personal data or other information excluded
under subsections (2), (3) and (4).
(6) Where —
(a) an individual makes a request under subsection (1) to an
organisation on or after 1 February 2021; and
(b) the organisation, by reason of subsection (2) or (3), does
not provide an individual with the individual’s personal
data or other information requested under subsection (1),
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 30
the organisation must, within the prescribed time and in accordance
with the prescribed requirements, notify the individual of the
rejection.
[40/2020]
(7) Where —
(a) an individual makes a request under subsection (1) to an
organisation on or after 1 February 2021; and
(b) the organisation provides the individual, in accordance
with subsection (5), with the individual’s personal data or
other information requested under subsection (1),
the organisation must notify the individual of the exclusion, under
subsection (2) or (3), of any of the personal data or other information
so requested.
[40/2020]
Correction of personal data
22.—(1) An individual may request an organisation to correct an
error or omission in the personal data about the individual that is in
the possession or under the control of the organisation.
(2) Unless the organisation is satisfied on reasonable grounds that a
correction should not be made, the organisation must —
(a) correct the personal data as soon as practicable; and
(b) subject to subsection (3), send the corrected personal data
to every other organisation to which the personal data was
disclosed by the organisation within a year before the date
the correction was made, unless that other organisation
does not need the corrected personal data for any legal or
business purpose.
(3) An organisation (not being a credit bureau) may, if the
individual consents, send the corrected personal data only to
specific organisations to which the personal data was disclosed by
the organisation within a year before the date the correction was
made.
(4) When an organisation is notified under subsection (2)(b) or (3)
of a correction of personal data, the organisation must correct the
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
31 Act 2012 2020 Ed.
personal data in its possession or under its control unless the
organisation is satisfied on reasonable grounds that the correction
should not be made.
(5) If no correction is made under subsection (2)(a) or (4), the
organisation must annotate the personal data in its possession or
under its control with the correction that was requested but not made.
(6) Nothing in this section requires an organisation to correct or
otherwise alter an opinion, including a professional or an expert
opinion.
(7) An organisation is not required to comply with this section in
respect of the matters specified in the Sixth Schedule.
Preservation of copies of personal data
22A.—(1) Where —
(a) an individual, on or after 1 February 2021, makes a request
under section 21(1)(a) to an organisation to provide
personal data about the individual that is in the
possession or under the control of the organisation; and
(b) the organisation refuses to provide that personal data,
the organisation must preserve, for not less than the prescribed
period, a copy of the personal data concerned.
[40/2020]
(2) The organisation must ensure that the copy of the personal data
it preserves for the purposes of subsection (1) is a complete and
accurate copy of the personal data concerned.
[40/2020]
PART 6
CARE OF PERSONAL DATA
Accuracy of personal data
23. An organisation must make a reasonable effort to ensure that
personal data collected by or on behalf of the organisation is accurate
and complete, if the personal data —
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 32
(a) is likely to be used by the organisation to make a decision
that affects the individual to whom the personal data
relates; or
(b) is likely to be disclosed by the organisation to another
organisation.
Protection of personal data
24. An organisation must protect personal data in its possession or
under its control by making reasonable security arrangements to
prevent —
(a) unauthorised access, collection, use, disclosure, copying,
modification or disposal, or similar risks; and
(b) the loss of any storage medium or device on which
personal data is stored.
[40/2020]
Retention of personal data
25. An organisation must cease to retain its documents containing
personal data, or remove the means by which the personal data can be
associated with particular individuals, as soon as it is reasonable to
assume that —
(a) the purpose for which that personal data was collected is no
longer being served by retention of the personal data; and
(b) retention is no longer necessary for legal or business
purposes.
Transfer of personal data outside Singapore
26.—(1) An organisation must not transfer any personal data to a
country or territory outside Singapore except in accordance with
requirements prescribed under this Act to ensure that organisations
provide a standard of protection to personal data so transferred that is
comparable to the protection under this Act.
(2) The Commission may, on the application of any organisation,
by written notice exempt the organisation from any requirement
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
33 Act 2012 2020 Ed.
prescribed pursuant to subsection (1) in respect of any transfer of
personal data by that organisation.
(3) An exemption under subsection (2) —
(a) may be granted subject to such conditions as the
Commission may specify in writing; and
(b) need not be published in the Gazette and may be revoked at
any time by the Commission.
(4) The Commission may at any time add to, vary or revoke any
condition imposed under this section.
PART 6A
NOTIFICATION OF DATA BREACHES
Interpretation of this Part
26A. In this Part, unless the context otherwise requires —
“affected individual” means any individual to whom any
personal data affected by a data breach relates;
“data breach”, in relation to personal data, means —
(a) the unauthorised access, collection, use, disclosure,
copying, modification or disposal of personal data; or
(b) the loss of any storage medium or device on which
personal data is stored in circumstances where the
unauthorised access, collection, use, disclosure,
copying, modification or disposal of the personal
data is likely to occur.
[40/2020]
Notifiable data breaches
26B.—(1) A data breach is a notifiable data breach if the data
breach —
(a) results in, or is likely to result in, significant harm to an
affected individual; or
(b) is, or is likely to be, of a significant scale.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 34
(2) Without limiting subsection (1)(a), a data breach is deemed to
result in significant harm to an individual —
(a) if the data breach is in relation to any prescribed personal
data or class of personal data relating to the individual; or
(b) in other prescribed circumstances.
[40/2020]
(3) Without limiting subsection (1)(b), a data breach is deemed to
be of a significant scale —
(a) if the data breach affects not fewer than the prescribed
number of affected individuals; or
(b) in other prescribed circumstances.
[40/2020]
(4) Despite subsections (1), (2) and (3), a data breach that relates to
the unauthorised access, collection, use, disclosure, copying or
modification of personal data only within an organisation is deemed
not to be a notifiable data breach.
[40/2020]
Duty to conduct assessment of data breach
26C.—(1) This section applies to a data breach that occurs on or
after 1 February 2021.
[40/2020]
(2) Subject to subsection (3), where an organisation has reason to
believe that a data breach affecting personal data in its possession or
under its control has occurred, the organisation must conduct, in a
reasonable and expeditious manner, an assessment of whether the
data breach is a notifiable data breach.
[40/2020]
(3) Where a data intermediary (other than a data intermediary
mentioned in section 26E) has reason to believe that a data breach has
occurred in relation to personal data that the data intermediary is
processing on behalf of and for the purposes of another
organisation —
(a) the data intermediary must, without undue delay, notify
that other organisation of the occurrence of the data breach;
and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
35 Act 2012 2020 Ed.
(b) that other organisation must, upon notification by the data
intermediary, conduct an assessment of whether the data
breach is a notifiable data breach.
[40/2020]
(4) The organisation must carry out the assessment mentioned in
subsection (2) or (3)(b) in accordance with any prescribed
requirements.
[40/2020]
Duty to notify occurrence of notifiable data breach
26D.—(1) Where an organisation assesses, in accordance with
section 26C, that a data breach is a notifiable data breach, the
organisation must notify the Commission as soon as is practicable,
but in any case no later than 3 calendar days after the day the
organisation makes that assessment.
[40/2020]
(2) Subject to subsections (5), (6) and (7), on or after notifying the
Commission under subsection (1), the organisation must also notify
each affected individual affected by a notifiable data breach
mentioned in section 26B(1)(a) in any manner that is reasonable in
the circumstances.
[40/2020]
(3) The notification under subsection (1) or (2) must contain, to the
best of the knowledge and belief of the organisation at the time it
notifies the Commission or affected individual (as the case may be),
all the information that is prescribed for this purpose.
[40/2020]
(4) The notification under subsection (1) must be made in the form
and submitted in the manner required by the Commission.
[40/2020]
(5) Subsection (2) does not apply to an organisation in relation to an
affected individual if the organisation —
(a) on or after assessing that the data breach is a notifiable data
breach, takes any action, in accordance with any prescribed
requirements, that renders it unlikely that the notifiable
data breach will result in significant harm to the affected
individual; or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 36
(b) had implemented, prior to the occurrence of the notifiable
data breach, any technological measure that renders it
unlikely that the notifiable data breach will result in
significant harm to the affected individual.
[40/2020]
(6) An organisation must not notify any affected individual in
accordance with subsection (2) if —
(a) a prescribed law enforcement agency so instructs; or
(b) the Commission so directs.
[40/2020]
(7) The Commission may, on the written application of an
organisation, waive the requirement to notify an affected individual
under subsection (2) subject to any conditions that the Commission
thinks fit.
[40/2020]
(8) An organisation is not, by reason only of notifying the
Commission under subsection (1) or an affected individual under
subsection (2), to be regarded as being in breach of —
(a) any duty or obligation under any written law or rule of law,
or any contract, as to secrecy or other restriction on the
disclosure of information; or
(b) any rule of professional conduct applicable to the
organisation.
[40/2020]
(9) Subsections (1) and (2) apply concurrently with any obligation
of the organisation under any other written law to notify any other
person (including any public agency) of the occurrence of a data
breach, or to provide any information relating to a data breach.
[40/2020]
Obligations of data intermediary of public agency
26E. Where an organisation —
(a) is a data intermediary processing personal data on behalf of
and for the purposes of a public agency; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
37 Act 2012 2020 Ed.
(b) has reason to believe that a data breach has occurred in
relation to that personal data,
the organisation must, without undue delay, notify the public agency
of the occurrence of the data breach.
[40/2020]
PART 7
27. to 32. [Repealed by Act 40 of 2020]
PART 8
33. [Repealed by Act 40 of 2020]
34. [Repealed by Act 40 of 2020]
35. [Repealed by Act 40 of 2020]
PART 9
DO NOT CALL REGISTRY
Division 1 — Preliminary
Interpretation of this Part
36.—(1) In this Part, unless the context otherwise requires —
“calling line identity” means the telephone number or
information identifying the sender;
“checker” means a person mentioned in section 43A(1);
“financial services” has the meaning given by section 2 of the
Consumer Protection (Fair Trading) Act 2003;
“goods” means any personal property, whether tangible or
intangible, and is deemed to include —
(a) chattels that are attached or intended to be attached to
real property on or after delivery;
(b) financial products and credit, including credit
extended solely on the security of land;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 38
(c) any residential property; and
(d) a voucher;
“message” means any message, whether in sound, text, visual or
other form;
“register” means any Do Not Call Register kept and maintained
under section 39;
“send”, in relation to a message, means —
(a) to send the message, cause the message to be sent, or
authorise the sending of the message; or
(b) to make a voice call containing the message, cause a
voice call containing the message to be made, or
authorise the making of a voice call containing the
message;
“sender”, in relation to a message, means a person —
(a) who sends the message, causes the message to be
sent, or authorises the sending of the message; or
(b) who makes a voice call containing the message,
causes a voice call containing the message to be
made, or authorises the making of a voice call
containing the message;
“services” includes —
(a) a service offered or provided that involves the
addition to or maintenance, repair or alteration of
goods or any residential property;
(b) a membership in any club or organisation if the club
or organisation is a business formed to make a profit
for its owners;
(c) the right to use time share accommodation under a
time share contract; and
(d) financial services;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
39 Act 2012 2020 Ed.
“Singapore telephone number” means —
(a) a telephone number, with 8 digits beginning with the
digit “3”, “6”, “8” or “9”, that is in accordance with
the National Numbering Plan mentioned in
regulation 12A of the Telecommunications (Class
Licences) Regulations; or
(b) any other telephone numbers as may be prescribed;
“subscriber”, in relation to a Singapore telephone number,
means the subscriber of the telecommunications service to
which the Singapore telephone number is allocated;
“time share accommodation” means any living accommodation,
in Singapore or elsewhere, used or intended to be used
(wholly or partly) for leisure purposes by a class of persons
all of whom have rights to use, or participate in arrangements
under which they may use, that accommodation or
accommodation within a pool of accommodation to which
that accommodation belongs;
“time share contract” means a contract which confers or
purports to confer on an individual time share rights that
are exercisable during a period of not less than 3 years;
“voice call” includes —
(a) a call that involves a recorded or synthetic voice; or
(b) in the case of a recipient with a disability (for
example, a hearing impairment), a call that is
equivalent to a voice call.
[40/2020]
(2) For the purposes of this Part, a telecommunications service
provider who merely provides a service that enables a specified
message to be sent is, unless the contrary is proved, presumed not to
have sent the message and not to have authorised the message to be
sent.
(3) For the purposes of this Part, if a specified message is sent and at
the relevant time the telecommunications device, service or network
from which it was sent was controlled by a person without the
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 40
knowledge of the owners or authorised users of the
telecommunications device, service or network, the owners or
authorised users are, unless the contrary is proved, presumed not to
have sent the message and not to have authorised the sending of the
message.
(4) In subsection (3), “control” means either physical control or
control through the use of software or other means.
Meaning of “specified message”
37.—(1) Subject to subsection (5), for the purposes of this Part, a
specified message is a message where, having regard to the
following, it would be concluded that the purpose, or one of the
purposes, of the message is an applicable purpose:
(a) the content of the message;
(b) the presentational aspects of the message;
(c) the content that can be obtained using the numbers, URLs
or contact information (if any) mentioned in the message;
(d) if the telephone number from which the message is made is
disclosed to the recipient (whether by calling line identity
or otherwise), the content (if any) that can be obtained by
calling that number.
[40/2020]
(2) For the purposes of subsection (1), where the applicable purpose
relates to offering, supplying, advertising or promoting any goods,
service, land, interest in land, business opportunity or investment
opportunity, it does not matter whether or not —
(a) the goods, service, land, interest or opportunity exists; or
(b) it is lawful to acquire the goods, service, land or interest or
take up the opportunity.
[40/2020]
(3) Subject to subsection (4), a person (A) who authorises another
person (B) to offer, advertise or promote A’s goods, services, land,
interest or opportunity is deemed to have authorised the sending of
any message sent by B that offers, advertises or promotes A’s goods,
services, land, interest or opportunity.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
41 Act 2012 2020 Ed.
(4) For the purposes of subsection (3), a person who takes
reasonable steps to stop the sending of a message mentioned in
that subsection is deemed not to have authorised the sending of the
message.
(5) For the purposes of this Part, a specified message does not
include any message mentioned in the Eighth Schedule.
(6) In this section, “applicable purpose” means a purpose specified
in the Tenth Schedule.
[40/2020]
Application of this Part
38. This Part applies to a specified message addressed to a
Singapore telephone number where —
(a) the sender of the specified message is present in Singapore
when the specified message is sent; or
(b) the recipient of the specified message is present in
Singapore when the specified message is accessed.
Division 2 — Administration
Register
39.—(1) The Commission must cause to be kept and maintained
one or more registers of Singapore telephone numbers, each known
as a Do Not Call Register, for the purposes of this Part.
(2) Each register must be kept in such form and must contain such
particulars as the Commission thinks fit.
(3) The Commission may authorise another person to maintain any
register, on its behalf, subject to such conditions or restrictions as the
Commission may think fit.
Applications
40.—(1) A subscriber may apply to the Commission, in the form
and manner prescribed —
(a) to add his or her Singapore telephone number to a register;
or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 42
(b) to remove his or her Singapore telephone number from a
register.
(2) Any person may apply to the Commission, in the form and
manner required by the Commission, to confirm whether any
Singapore telephone number is listed in a register.
Evidence
41. A certificate purporting to be signed by the Chief Executive of
the Authority or an authorised officer and stating that a Singapore
telephone number was or was not listed in a register at a date specified
in the certificate is admissible as evidence of its contents in any
proceedings.
[22/2016]
Information on terminated Singapore telephone number
42.—(1) Every telecommunications service provider must report to
the Commission, in the form and manner prescribed, all terminated
Singapore telephone numbers.
(2) A telecommunications service provider which contravenes
subsection (1) shall be guilty of an offence and shall be liable on
conviction to a fine not exceeding $10,000.
(3) In this section, “terminated Singapore telephone number”
means —
(a) a Singapore telephone number to which the following
apply:
(i) the Singapore telephone number has been allocated
to a subscriber;
(ii) the telecommunications service associated with the
Singapore telephone number has been terminated by
the subscriber or telecommunications service
provider; and
(iii) the Singapore telephone number has not been
allocated to a different subscriber; or
(b) any other telephone numbers and circumstances as may be
prescribed.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
43 Act 2012 2020 Ed.
(4) For the purpose of subsection (1), where —
(a) a Singapore telephone number has been allocated to a
subscriber by a telecommunications service provider
(called in this subsection the first provider);
(b) the telecommunications service associated with the
Singapore telephone number has been terminated by the
subscriber;
(c) the subscriber contracts for a telecommunications service
associated with the Singapore telephone number with
another telecommunications service provider (called in
this subsection the subsequent provider);
(d) the telecommunications service mentioned in
paragraph (c) has been terminated by the subscriber or
the subsequent provider; and
(e) the Singapore telephone number has not subsequently been
allocated to any subscriber,
it is the responsibility of the first provider to satisfy subsection (1).
(5) Without affecting the obligations of the telecommunications
service provider under subsections (1) to (4), the Commission must
pay the prescribed fees to the telecommunications service provider
for each terminated Singapore telephone number reported to the
Commission in accordance with this section.
Division 3 — Specified message to Singapore
telephone number
Duty to check register
43.—(1) Subject to section 48(2), a person must not send a
specified message addressed to a Singapore telephone number
unless the person has, at the time the person sends the specified
message, valid confirmation that the Singapore telephone number is
not listed in the relevant register.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 44
(2) For the purposes of subsection (1), the person has valid
confirmation that a Singapore telephone number is not listed in the
relevant register in either of the following circumstances:
(a) the person has, within the prescribed duration before
sending the specified message —
(i) made an application to the Commission under
section 40(2) to confirm whether the Singapore
telephone number is listed in the relevant register;
and
(ii) received confirmation from the Commission that the
Singapore telephone number is not listed in the
relevant register;
(b) the person has obtained from a checker information that the
Singapore telephone number is not listed in the relevant
register (called in this section the relevant information) and
has no reason to believe that, and is not reckless as to
whether —
(i) the prescribed period in relation to the relevant
information has expired; or
(ii) the relevant information is false or inaccurate.
[40/2020]
(3) In subsection (2)(b)(i), “prescribed period”, in relation to
relevant information, means the prescribed period beginning after
the date on which the checker received confirmation from the
Commission, in response to the checker’s application to the
Commission under section 40(2), that a Singapore telephone
number is not listed in the relevant register.
[40/2020]
(4) A person does not contravene subsection (1) if the subscriber or
user of the Singapore telephone number to which a specified message
is sent —
(a) gave clear and unambiguous consent to the sending of the
specified message to that Singapore telephone number; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
45 Act 2012 2020 Ed.
(b) the consent is evidenced in written or other form so as to be
accessible for subsequent reference.
[40/2020]
(5) For the purposes of this section and section 43A —
(a) where there is only one register kept or maintained under
section 39, the relevant register refers to that register; and
(b) where there are 2 or more registers kept or maintained
under section 39 for different types of specified messages,
the relevant register refers to the register relevant for the
particular type of specified message.
[40/2020]
Duty of checkers
43A.—(1) This section applies to a person (called the checker) that,
for reward, provides to another person (P) information on whether a
Singapore telephone number is listed in the relevant register (called in
this section the applicable information) for the purpose of P’s
compliance with section 43(1), other than —
(a) the Commission;
(b) an individual who is an employee of P; and
(c) an individual who is an employee or agent of a checker.
[40/2020]
(2) A checker must —
(a) ensure that the applicable information provided to P is
accurate; and
(b) provide the applicable information to P in accordance with
any prescribed requirements.
[40/2020]
(3) A checker is deemed to have complied with subsection (2)(a)
if —
(a) the applicable information that the checker provides to P is
in accordance with a reply from the Commission in
response to the checker’s application under section 40(2);
and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 46
(b) the checker provides the applicable information to P before
the expiry of the prescribed period mentioned in
section 43(2)(b)(i).
[40/2020]
Contact information
44. Subject to section 48(2), a person must not send a specified
message addressed to a Singapore telephone number unless —
(a) the specified message includes clear and accurate
information identifying the individual or organisation
that sent or authorised the sending of the specified
message;
(b) the specified message includes clear and accurate
information about how the recipient can readily contact
that individual or organisation;
(c) the specified message includes the information, and
complies with the conditions, specified in the
regulations, if any; and
(d) the information included in the specified message in
compliance with this section is reasonably likely to be
valid for at least 30 days after the message is sent.
[40/2020]
Calling line identity not to be concealed
45. Subject to section 48(3), a person that makes a voice call
containing a specified message or causes a voice call containing a
specified message to be made or authorises the making of a voice call
containing a specified message, addressed to a Singapore telephone
number, from a telephone number or fax number, must not do any of
the following:
(a) conceal or withhold from the recipient the calling line
identity of the sender;
(b) perform any operation or issue any instruction in
connection with the sending of the specified message for
the purpose of, or that has the effect of, concealing or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
47 Act 2012 2020 Ed.
withholding from the recipient the calling line identity of
the sender.
[40/2020]
Consent
46.—(1) A person must not, as a condition for supplying goods,
services, land, interest or opportunity, require a subscriber or user of a
Singapore telephone number to give consent for the sending of a
specified message to that Singapore telephone number or any other
Singapore telephone number beyond what is reasonable to provide
the goods, services, land, interest or opportunity to that subscriber or
user, and any consent given in such circumstance is not validly given.
(2) If a person obtains or attempts to obtain consent for sending a
specified message to a Singapore telephone number —
(a) by providing false or misleading information with respect
to the sending of the specified message; or
(b) by using deceptive or misleading practices,
any consent given in such circumstances is not validly given.
Withdrawal of consent
47.—(1) On giving notice, a subscriber or user of a Singapore
telephone number may at any time withdraw any consent given to a
person for the sending of any specified message to that Singapore
telephone number.
(2) A person must not prohibit a subscriber or user of a Singapore
telephone number from withdrawing the subscriber’s or user’s
consent to the sending of a specified message to that Singapore
telephone number, but this section does not affect any legal
consequences arising from such withdrawal.
(3) If a subscriber or user of a Singapore telephone number gives
notice withdrawing consent given to a person for the sending of any
specified message to that Singapore telephone number, the person
must cease (and cause its agent to cease) sending any specified
message to that Singapore telephone number after the expiry of the
prescribed period.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 48
(4) For the purposes of this Part, a subscriber or user of a Singapore
telephone number is deemed to have given his or her consent to a
person to send a specified message to that Singapore telephone
number if the subscriber or user —
(a) consents to the sending of the specified message before
2 January 2014; and
(b) that consent has not been withdrawn on or after 2 January
2014.
(5) For the purposes of this Part, where a subscriber or user of a
Singapore telephone number —
(a) consents to a person sending a specified message to that
Singapore telephone number before, on or after 2 January
2014; and
(b) subsequently applies to add or adds that Singapore
telephone number to the register on or after 2 January
2014,
the application to add or the addition of that Singapore telephone
number is not to be regarded as a withdrawal of the consent.
(6) To avoid doubt, a subscriber of a Singapore telephone number
may, at any time on or after 2 January 2014, withdraw any consent
given for the sending of a specified message to that Singapore
telephone number.
Defence for employee
48.—(1) In any proceedings for an offence under this Part brought
against any employee in respect of an act or conduct alleged to have
been done or engaged in (as the case may be) by the employee, it is a
defence for the employee to prove that he or she did the act or
engaged in the conduct in good faith —
(a) in the course of his or her employment; or
(b) in accordance with instructions given to him or her by or on
behalf of his or her employer in the course of his or her
employment.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
49 Act 2012 2020 Ed.
(2) Section 43(1) or 44 does not apply to an employee (X) who
sends a specified message addressed to a Singapore telephone
number in good faith —
(a) in the course of X’s employment; or
(b) in accordance with instructions given to X by or on behalf
of X’s employer in the course of X’s employment.
[40/2020]
(3) Section 45 does not apply to an employee (Y) who makes,
causes to be made or authorises the making of a voice call containing
a specified message, addressed to a Singapore telephone number,
from a telephone number or fax number, in good faith —
(a) in the course of Y’s employment; or
(b) in accordance with instructions given to Y by or on behalf
of Y’s employer in the course of Y’s employment.
[40/2020]
(4) Subsection (1), (2) or (3) does not apply to an employee (Z)
who, at the time the act was done or the conduct was engaged in, was
an officer or a partner of Z’s employer and it is proved that —
(a) Z knew or ought reasonably to have known that the
telephone number is a Singapore telephone number listed
in the relevant register; and
(b) the specified message was sent with Z’s consent or
connivance, or the sending of the specified message was
attributable to any neglect on Z’s part.
[40/2020]
(5) In this section —
“corporation” has the meaning given by section 52(7);
“officer” —
(a) in relation to a corporation, has the meaning given by
section 52(7); or
(b) in relation to an unincorporated association (other
than a partnership), has the meaning given by
section 52A(7);
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 50
“partner”, in relation to a partnership, has the meaning given by
section 52A(7).
[40/2020]
PART 9A
DICTIONARY ATTACKS AND
ADDRESS-HARVESTING SOFTWARE
Interpretation of this Part
48A.—(1) In this Part, unless the context otherwise requires —
“address-harvesting software” means software that is
specifically designed or marketed for use for —
(a) searching the Internet for telephone numbers; and
(b) collecting, compiling, capturing or otherwise
harvesting those telephone numbers;
“applicable message” means a message with a Singapore link
that is sent to any applicable telephone number;
“applicable telephone number” means a telephone number that
is generated or obtained through the use of —
(a) a dictionary attack; or
(b) address-harvesting software;
“dictionary attack” means the method by which the telephone
number of a recipient is obtained using an automated means
that generates possible telephone numbers by combining
numbers into numerous permutations;
“message”, “send”, “sender” and “Singapore telephone number”
have the meanings given by section 36(1).
[40/2020]
(2) In this Part, an applicable message has a Singapore link in any of
the following circumstances:
(a) the message originates in Singapore;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
51 Act 2012 2020 Ed.
(b) the sender of the message —
(i) where the sender is an individual — is physically
present in Singapore when the message is sent; or
(ii) in any other case —
(A) is formed or recognised under the law of
Singapore; or
(B) has an office or a place of business in
Singapore;
(c) the telephone, mobile telephone or other device that is used
to access the message is located in Singapore;
(d) the recipient of the message —
(i) where the recipient is an individual — is physically
present in Singapore when the message is accessed;
or
(ii) in any other case — carries on business or activities
in Singapore when the message is accessed;
(e) if the message cannot be delivered because the telephone
number to which the message is sent has ceased to exist
(assuming that the telephone number existed), it is
reasonably likely that the message would have been
accessed using a telephone, mobile telephone or other
device located in Singapore.
[40/2020]
(3) For the purposes of the definition of “applicable message” in
subsection (1), it does not matter —
(a) whether the telephone number to which the message is sent
is a Singapore telephone number;
(b) whether that telephone number exists; or
(c) whether the message reaches its intended destination.
[40/2020]
(4) For the purposes of this Part, a telecommunications service
provider that merely provides a service that enables an applicable
message to be sent is, unless the contrary is proved, presumed not to
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 52
have sent, caused to be sent or authorised the sending of the
applicable message.
[40/2020]
(5) For the purposes of this Part, if, at the time an applicable
message is sent, the telecommunications device, service or network
from which it was sent was controlled by a person without the
knowledge of the owner or authorised user of the telecommunications
device, service or network (as the case may be), the owner or
authorised user (as the case may be) is, unless the contrary is proved,
presumed not to have sent, caused to be sent or authorised the sending
of the applicable message.
[40/2020]
(6) In subsection (5), “control” means —
(a) physical control; or
(b) control through the use of software or other means.
[40/2020]
Prohibition on use of dictionary attacks and
address-harvesting software
48B.—(1) Subject to subsections (2) and (3), a person must not
send, cause to be sent or authorise the sending of an applicable
message.
[40/2020]
(2) Subsection (1) does not apply to an employee (P) who sends,
causes to be sent or authorises the sending of an applicable message
in good faith —
(a) in the course of P’s employment; or
(b) in accordance with instructions given to P by or on behalf
of P’s employer in the course of P’s employment.
[40/2020]
(3) However, subsection (2) does not apply to a person (P) who, at
the time the applicable message was sent, was an officer or a partner
of the sender and it is proved that —
(a) P knew or ought reasonably to have known that the
telephone number is an applicable telephone number; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
53 Act 2012 2020 Ed.
(b) the applicable message was sent with P’s consent or
connivance, or the sending of the applicable message was
attributable to any neglect on P’s part.
[40/2020]
(4) In this section —
“corporation” has the meaning given by section 52(7);
“officer” —
(a) in relation to a corporation, has the meaning given by
section 52(7); or
(b) in relation to an unincorporated association (other
than a partnership), has the meaning given by
section 52A(7);
“partner”, in relation to a partnership, has the meaning given by
section 52A(7).
[40/2020]
PART 9B
OFFENCES AFFECTING PERSONAL DATA AND
ANONYMISED INFORMATION
Interpretation and application of this Part
48C.—(1) In this Part, unless the context otherwise requires —
“disclose”, in relation to personal data, includes providing
access to personal data;
“gain” means —
(a) a gain in property or a supply of services, whether
temporary or permanent; or
(b) an opportunity to earn remuneration or greater
remuneration or to gain a financial advantage
otherwise than by way of remuneration;
“harm”, in relation to an individual, means —
(a) any physical harm; or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 54
(b) harassment, alarm or distress caused to the
individual;
“loss” means —
(a) a loss in property or a supply of services, whether
temporary or permanent; or
(b) a loss of an opportunity to earn remuneration or
greater remuneration or to gain a financial advantage
otherwise than by way of remuneration,
but excludes, in relation to an individual, the loss of personal
data about the individual;
“Monetary Authority of Singapore” means the Monetary
Authority of Singapore established by section 3 of the
Monetary Authority of Singapore Act 1970;
“relevant public official” has the meaning given by section 7(7)
of the Public Sector (Governance) Act 2018;
“Singapore public sector agency” has the meaning given by
section 2(1) of the Public Sector (Governance) Act 2018.
[40/2020]
(2) This Part does not apply to an individual who —
(a) at the time of the commission of any offence under
section 48D(1), 48E(1) or 48F(1), is a relevant public
official in a Singapore public sector agency; or
(b) is or has been a director or an officer or employee of the
Monetary Authority of Singapore in respect of the
disclosure, use or re-identification of information
acquired in the performance of the individual’s duties or
the exercise of the individual’s functions.
[40/2020]
Unauthorised disclosure of personal data
48D.—(1) If —
(a) an individual discloses, or the individual’s conduct causes
disclosure of, personal data in the possession or under the
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
55 Act 2012 2020 Ed.
control of an organisation or a public agency to another
person;
(b) the disclosure is not authorised by the organisation or
public agency, as the case may be; and
(c) the individual does so —
(i) knowing that the disclosure is not authorised by the
organisation or public agency, as the case may be; or
(ii) reckless as to whether the disclosure is or is not
authorised by the organisation or public agency, as
the case may be,
the individual shall be guilty of an offence and shall be liable on
conviction to a fine not exceeding $5,000 or to imprisonment for a
term not exceeding 2 years or to both.
[40/2020]
(2) In proceedings for an offence under subsection (1), it is a
defence to the charge for the accused to prove, on a balance of
probabilities, any of the following:
(a) that —
(i) the personal data in the possession or under the
control of the organisation or public agency (as the
case may be) that was disclosed was, at the time of
the disclosure, publicly available; and
(ii) where the personal data was publicly available solely
because of an applicable contravention, the accused
did not know, and was not reckless as to whether, that
was the case;
(b) that the accused disclosed, or caused the disclosure of,
personal data in the possession or under the control of the
organisation or public agency, as the case may be —
(i) as permitted or required by or under an Act or other
law (apart from this Act);
(ii) as authorised or required by an order of court;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 56
(iii) in the reasonable belief that, and was not reckless as
to whether, the accused had the legal right to do so; or
(iv) in any other circumstances, or for any other purpose,
prescribed.
[40/2020]
(3) To avoid doubt, subsection (2) does not affect any obligation or
limitation imposed on, or prohibition of, the disclosure of personal
data in the possession or under the control of an organisation or a
public agency (as the case may be) by or under any other written law
or other law.
[40/2020]
(4) In this section, “applicable contravention” means a
contravention of any of the following:
(a) subsection (1);
(b) section 48F(1);
(c) section 7(1) or 8(1) of the Public Sector (Governance)
Act 2018;
(d) section 14A(1) or 14C(1) of the Monetary Authority of
Singapore Act 1970.
[40/2020]
Improper use of personal data
48E.—(1) If —
(a) an individual makes use of personal data in the possession
or under the control of an organisation or a public agency;
(b) the use is not authorised by the organisation or public
agency, as the case may be;
(c) the individual does so —
(i) knowing that the use is not authorised by the
organisation or public agency, as the case may be; or
(ii) reckless as to whether the use is or is not authorised
by the organisation or public agency, as the case may
be; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
57 Act 2012 2020 Ed.
(d) the individual, as a result of that use —
(i) obtains a gain for the individual or another person;
(ii) causes harm to another individual; or
(iii) causes a loss to another person,
the individual shall be guilty of an offence and shall be liable on
conviction to a fine not exceeding $5,000 or to imprisonment for a
term not exceeding 2 years or to both.
[40/2020]
(2) In proceedings for an offence under subsection (1), it is a
defence to the charge for the accused to prove, on a balance of
probabilities, any of the following:
(a) that —
(i) the personal data in the possession or under the
control of the organisation or public agency (as the
case may be) that was used was, at the time of the
use, publicly available; and
(ii) where the personal data was publicly available solely
because of an applicable contravention, the accused
did not know, and was not reckless as to whether, that
was the case;
(b) that the accused used the personal data in the possession or
under the control of the organisation or public agency, as
the case may be —
(i) as permitted or required by or under an Act or other
law (apart from this Act);
(ii) as authorised or required by an order of court;
(iii) in the reasonable belief that, and was not reckless as
to whether, the accused had the legal right to do so; or
(iv) in any other circumstances, or for any other purpose,
prescribed.
[40/2020]
(3) To avoid doubt, subsection (2) does not affect any obligation or
limitation imposed on, or prohibition of, the use of personal data in
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 58
the possession or under the control of an organisation or a public
agency (as the case may be) by or under any other written law or other
law.
[40/2020]
(4) In this section, “applicable contravention” means a
contravention of any of the following:
(a) section 48D(1) or 48F(1);
(b) section 7(1) or 8(1) of the Public Sector (Governance)
Act 2018;
(c) section 14A(1) or 14C(1) of the Monetary Authority of
Singapore Act 1970.
[40/2020]
Unauthorised re-identification of anonymised information
48F.—(1) If —
(a) an individual takes any action to re-identify or cause
re-identification of the person to whom anonymised
information in the possession or under the control of an
organisation or a public agency relates (called in this
section the affected person);
(b) the re-identification is not authorised by the organisation or
public agency, as the case may be; and
(c) the individual does so —
(i) knowing that the re-identification is not authorised
by the organisation or public agency, as the case may
be; or
(ii) reckless as to whether the re-identification is or is not
authorised by the organisation or public agency, as
the case may be,
the individual shall be guilty of an offence and shall be liable on
conviction to a fine not exceeding $5,000 or to imprisonment for a
term not exceeding 2 years or to both.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
59 Act 2012 2020 Ed.
(2) In proceedings for an offence under subsection (1), it is a
defence to the charge for the accused to prove, on a balance of
probabilities, any of the following:
(a) that —
(i) the information on the identity of the affected person
is publicly available; and
(ii) where that information was publicly available solely
because of an applicable contravention, the accused
did not know, and was not reckless as to whether, that
was the case;
(b) the action to re-identify or cause re-identification is —
(i) permitted or required by or under an Act or other law
(apart from this Act); or
(ii) authorised or required by an order of court;
(c) the accused —
(i) reasonably believed that the re-identification was for
a specified purpose; and
(ii) notified the Commission or the organisation or
public agency (as the case may be) of the
re-identification as soon as was practicable;
(d) the accused took the action to re-identify or cause
re-identification in the reasonable belief that, and was
not reckless as to whether, the accused had the legal right to
do so, other than for a specified purpose;
(e) in any other circumstances, or for any other purpose,
prescribed.
[40/2020]
(3) To avoid doubt, subsection (2) does not affect any obligation or
limitation imposed on, or prohibition of, the re-identification of the
affected person by or under any other written law or other law.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 60
(4) In this section —
“applicable contravention” means a contravention of any of the
following:
(a) subsection (1);
(b) section 8(1) of the Public Sector (Governance)
Act 2018;
(c) section 14C(1) of the Monetary Authority of
Singapore Act 1970;
“specified purpose” means any purpose specified in the
Eleventh Schedule.
[40/2020]
PART 9C
ENFORCEMENT
Alternative dispute resolution
48G.—(1) If the Commission is of the opinion that any complaint
by an individual (called in this section the complainant) against an
organisation may more appropriately be resolved by mediation, the
Commission may, without the consent of the complainant and the
organisation, refer the matter to mediation under a dispute resolution
scheme.
[40/2020]
(2) Subject to subsection (1), the Commission may, with or without
the consent of the complainant and the organisation, direct the
complainant or the organisation or both to attempt to resolve the
complaint of the complainant in the way directed by the Commission.
[40/2020]
(3) For the purposes of subsection (1), the Commission may
establish or approve one or more dispute resolution schemes for the
resolution of complaints by individuals against organisations.
[40/2020]
(4) The Commission may, with the approval of the Minister, make
regulations under section 65 to provide for matters relating to the
operation by an operator of a dispute resolution scheme, including —
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
61 Act 2012 2020 Ed.
(a) the standards or requirements of the services provided
under the dispute resolution scheme;
(b) the fees that the operator may charge for the services
provided under the dispute resolution scheme;
(c) the records that the operator must keep, and the period of
retention of those records;
(d) the reports that the operator must submit to the
Commission, and the manner and time for those
submissions;
(e) matters relating to the administration of the dispute
resolution scheme; and
(f) generally to give effect to or for carrying out the purposes
of subsections (1) and (3).
[40/2020]
Power to review
48H.—(1) On the application of a complainant, the Commission
may review —
(a) a refusal by an organisation to provide access to personal
data or other information requested by the complainant
under section 21, or the organisation’s failure to provide
that access within a reasonable time;
(b) a refusal by an organisation to correct personal data in
accordance with a request by the complainant under
section 22, or the organisation’s failure to make the
correction within a reasonable time;
(c) a refusal by a porting organisation to transmit any
applicable data pursuant to a data porting request under
section 26H, or the porting organisation’s failure to
transmit the applicable data within a reasonable time;
(d) a fee required from the complainant by an organisation in
relation to a request by the complainant under section 21 or
22; or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 62
(e) a fee required from the complainant or a receiving
organisation by a porting organisation in relation to a
data porting request by the complainant under section 26H.
[40/2020]
(2) Upon completion of its review under subsection (1), the
Commission may —
(a) confirm the refusal to provide access to the personal data or
other information, or direct the organisation to provide
access to the personal data or other information within the
time specified by the Commission;
(b) confirm the refusal to correct the personal data, or direct
the organisation to correct the personal data in the manner
and within the time specified by the Commission;
(c) confirm the refusal to transmit the applicable data, or direct
the porting organisation to transmit the applicable data in
the manner and within the time specified by the
Commission; or
(d) confirm, reduce or disallow a fee, or direct the organisation
or porting organisation (as the case may be) to make a
refund to the complainant or receiving organisation, as the
case may be.
[40/2020]
Directions for non-compliance
48I.—(1) The Commission may, if it is satisfied that —
(a) an organisation has not complied or is not complying with
any provision of Part 3, 4, 5, 6, 6A or 6B; or
(b) a person has not complied or is not complying with any
provision of Part 9 or section 48B(1),
give the organisation or person (as the case may be) any direction that
the Commission thinks fit in the circumstances to ensure compliance
with that provision.
[40/2020]
(2) Without limiting subsection (1), the Commission may, if it
thinks fit in the circumstances to ensure compliance with any
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
63 Act 2012 2020 Ed.
provision of Part 3, 4, 5, 6, 6A or 6B, give an organisation all or any of
the following directions:
(a) to stop collecting, using or disclosing personal data in
contravention of this Act;
(b) to destroy personal data collected in contravention of this
Act;
(c) to comply with any direction of the Commission under
section 48H(2).
[40/2020]
Financial penalties
48J.—(1) Subject to subsection (2), the Commission may, if it is
satisfied that —
(a) an organisation has intentionally or negligently
contravened any provision of Part 3, 4, 5, 6, 6A or 6B; or
(b) a person has intentionally or negligently contravened —
(i) any provision of Part 9; or
(ii) section 48B(1),
require, by written notice, the organisation or person (as the case may
be) to pay a financial penalty.
[40/2020]
(2) Subsection (1) does not apply in relation to any contravention of
a provision of this Act, the breach of which is an offence under this
Act.
[40/2020]
(3) A financial penalty imposed on an organisation under
subsection (1)(a) must not exceed the maximum amount to be
prescribed, which in no case may be more than the following:
(a) in the case of a contravention on or after the date of
commencement of section 24 of the Personal Data
Protection (Amendment) Act 2020 by an organisation
whose annual turnover in Singapore exceeds $10 million
— 10% of the annual turnover in Singapore of the
organisation;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 64
(b) in any other case — $1 million.
[Act 40 of 2020 wef 01/10/2022]
(4) A financial penalty imposed on a person under
subsection (1)(b)(i) must not exceed the maximum amount to be
prescribed, which in no case may be more than the following:
(a) in the case of an individual — $200,000;
(b) in any other case — $1 million.
[40/2020]
[Act 40 of 2020 wef 01/10/2022]
(4A) A financial penalty imposed on a person under
subsection (1)(b)(ii) must not exceed the maximum amount to be
prescribed, which in no case may be more than the following:
(a) in the case of an individual — $200,000;
(b) in the case of a contravention on or after the date of
commencement of section 24 of the Personal Data
Protection (Amendment) Act 2020 by a person whose
annual turnover in Singapore exceeds $20 million — 5% of
the annual turnover of the person in Singapore;
(c) in any other case — $1 million.
[Act 40 of 2020 wef 01/10/2022]
(5) For the purposes of subsections (3) and (4), different maximum
amounts may be prescribed in respect of contraventions of different
provisions of this Act.
[40/2020]
(5A) For the purposes of subsections (3)(a) and (4A)(b), the annual
turnover in Singapore of an organisation or a person (as the case may
be) is the amount ascertained from the most recent audited accounts
of the organisation or person available at the time the financial
penalty is imposed on that organisation or person.
[Act 40 of 2020 wef 01/10/2022]
(6) The Commission must, in determining the amount of a financial
penalty imposed under subsection (1), have regard to, and give such
weight as the Commission considers appropriate to, all of the
following matters:
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
65 Act 2012 2020 Ed.
(a) the nature, gravity and duration of the non-compliance by
the organisation or person, as the case may be;
(b) the type and nature of the personal data affected by the
non-compliance by the organisation or person, as the case
may be;
(c) whether the organisation or person (as the case may be), as
a result of the non-compliance, gained any financial benefit
or avoided any financial loss;
(d) whether the organisation or person (as the case may be)
took any action to mitigate the effects and consequences of
the non-compliance, and the timeliness and effectiveness
of that action;
(e) whether the organisation or person (as the case may be)
had, despite the non-compliance, implemented adequate
and appropriate measures for compliance with the
requirements under this Act;
(f) whether the organisation or person (as the case may be)
had previously failed to comply with this Act;
(g) the compliance of the organisation or person (as the case
may be) with any direction given under section 48I or
48L(4) in relation to remedying or mitigating the effect of
the non-compliance;
(h) whether the financial penalty to be imposed is
proportionate and effective, having regard to achieving
compliance and deterring non-compliance with this Act;
(i) the likely impact of the imposition of the financial penalty
on the organisation or person (as the case may be),
including the ability of the organisation or person to
continue the usual activities of the organisation or person;
(j) any other matter that may be relevant.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 66
Procedure for giving of directions and imposing of financial
penalty
48K.—(1) Before giving any direction under section 48I or
imposing a financial penalty under section 48J(1), the Commission
must give written notice to the organisation or person concerned —
(a) stating that the Commission intends to take action against
the organisation or person under section 48I or 48J(1), as
the case may be;
(b) where the Commission intends to give any direction under
section 48I, specifying the direction the Commission
proposes to give;
(c) specifying each instance of non-compliance that is the
subject of the proposed action, or the reason or reasons for
the proposed action; and
(d) subject to subsections (2) and (3), specifying the time
within which written representations may be made to the
Commission with respect to the proposed action.
[40/2020]
(2) Where the Commission intends to impose a financial penalty
under section 48J(1) on an organisation or a person, the time specified
in the notice within which written representations may be made to the
Commission must be at least 14 days after the date the notice is served
on that organisation or person.
[40/2020]
(3) The Commission may, on written application by the
organisation or person concerned (whether before, on or after the
expiry of the time specified in the notice), extend the time for the
organisation or person to make written representations to the
Commission if the Commission is satisfied that the extension
should be granted by reason of exceptional circumstances in the
particular case.
[40/2020]
(4) The Commission may decide to give the direction under
section 48I or impose the financial penalty under section 48J(1), as
the case may be —
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
67 Act 2012 2020 Ed.
(a) after considering any written representation made to the
Commission pursuant to the notice mentioned in
subsection (1); or
(b) upon the expiry of the time specified in the notice under
subsection (1)(d), or as extended by the Commission under
subsection (3), where no representation is so made or any
written representation made is subsequently withdrawn.
[40/2020]
(5) Subsection (1) does not apply where the organisation or person
(as the case may be) has died, is adjudged bankrupt, has been
dissolved or wound up or has otherwise ceased to exist.
[40/2020]
(6) Where the Commission decides to give the direction under
section 48I or impose the financial penalty under section 48J(1) (as
the case may be), the Commission must serve a notice of the decision
on the following persons:
(a) the organisation or person concerned;
(b) the complainant whose complaint against the organisation
or person concerned resulted in the giving of the direction
or the imposition of the financial penalty (as the case may
be), if any.
[40/2020]
(7) A direction given under section 48I or the imposition of a
financial penalty under section 48J(1) takes effect only when the
Commission serves the notice in subsection (6)(a) on the organisation
or person concerned.
[40/2020]
(8) Where the Commission imposes a financial penalty under
section 48J(1) on an organisation or a person, the written notice
issued by the Commission to the organisation or person must specify
the date before which the financial penalty is to be paid, being a date
not earlier than 28 days after the notice is issued.
[40/2020]
(9) The Commission may, on written application by an organisation
or a person on whom a financial penalty under section 48J(1) is
imposed —
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 68
(a) extend the time for the organisation or person to pay the
financial penalty; or
(b) allow the financial penalty to be paid by instalments.
[40/2020]
(10) The interest payable —
(a) on the outstanding amount of any financial penalty
imposed under section 48J(1); and
(b) for payment by instalments (as the Commission may
allow) of any financial penalty imposed under
section 48J(1),
must be at such rate as the Commission may direct, which must not
exceed the rate prescribed in the Rules of Court in respect of
judgment debts.
[40/2020]
Voluntary undertakings
48L.—(1) Without affecting sections 48I, 48J(1) and 50(1), where
the Commission has reasonable grounds to believe that —
(a) an organisation has not complied, is not complying or is
likely not to comply with any provision of Part 3, 4, 5, 6,
6A or 6B; or
(b) a person has not complied, is not complying or is likely not
to comply with any provision of Part 9 or section 48B(1),
the organisation or person concerned may give, and the Commission
may accept, a written voluntary undertaking.
[40/2020]
(2) Without limiting the matters to which the voluntary undertaking
may relate, the voluntary undertaking may include any of the
following undertakings by the organisation or person concerned:
(a) an undertaking to take specified action within a specified
time;
(b) an undertaking to refrain from taking specified action;
(c) an undertaking to publicise the voluntary undertaking.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
69 Act 2012 2020 Ed.
(3) Subject to subsection (4), the Commission may, after accepting
the voluntary undertaking and with the agreement of the organisation
or person who gave the voluntary undertaking —
(a) vary the terms of any undertaking included in the voluntary
undertaking; or
(b) include, in the voluntary undertaking, any additional
undertaking mentioned in subsection (2).
[40/2020]
(4) Where an organisation or a person fails to comply with any
undertaking in a voluntary undertaking —
(a) the Commission may give the organisation or person
concerned any direction that the Commission thinks fit in
the circumstances to ensure the compliance of the
organisation or person with that undertaking; and
(b) section 48K(1), (3), (4), (5), (6) and (7) applies to the
direction given under paragraph (a) as if the direction were
given under section 48I.
[40/2020]
(5) In addition, where an organisation or a person fails to comply
with an undertaking mentioned in subsection (2)(c), the Commission
may publicise the voluntary undertaking in accordance with the
undertaking, and recover the costs and expenses so incurred from the
organisation or person as a debt due to the Commission.
[40/2020]
Enforcement of directions of or written notices by Commission
in District Court
48M.—(1) For the purposes of enforcing a direction or written
notice mentioned in subsection (2) —
(a) the Commission may apply for the direction or written
notice (as the case may be) to be registered in a District
Court in accordance with the Rules of Court; and
(b) the District Court is to register the direction or written
notice in accordance with the Rules of Court.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 70
(2) Subsection (1) applies to any of the following:
(a) a direction made by the Commission under section 48H(2),
48I or 48L(4);
(b) a written notice by the Commission for the payment of any
sum comprising —
(i) a financial penalty imposed under section 48J(1);
and
(ii) any interest payable under section 48K(10) on that
financial penalty.
[40/2020]
(3) From the date of registration of a direction or written notice
under subsection (1), the direction or written notice (as the case may
be) has the same force and effect, and all proceedings may be taken
on the direction or written notice (as the case may be), for the
purposes of enforcement, as if it had been an order originally obtained
in the District Court which has power to enforce it accordingly.
[40/2020]
(4) A District Court may, for the purpose of enforcing a direction in
accordance with subsection (3), make any order —
(a) to secure compliance with the direction; or
(b) to require any person to do anything to remedy, mitigate or
eliminate any effects arising from —
(i) anything done which ought not, under the direction,
to have been done; or
(ii) anything not done which ought, under the direction,
to have been done,
which would not have occurred had the direction been
complied with.
[40/2020]
(5) A District Court has jurisdiction to enforce a written notice in
accordance with subsection (3) regardless of the amount of the sum
mentioned in subsection (2)(b).
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
71 Act 2012 2020 Ed.
Reconsideration of directions or decisions
48N.—(1) An organisation or a person (including any individual
who is a complainant) aggrieved by —
(a) any direction made by the Commission under
section 48G(2), 48I(1) or (2) or 48L(4); or
(b) any direction or decision made under section 48H(2),
may make a written application to the Commission to reconsider the
direction or decision in accordance with this section.
[40/2020]
(2) An organisation or a person aggrieved by a financial penalty
imposed by the Commission under section 48J(1) on the organisation
or person may make a written application to the Commission to
reconsider the decision to impose the financial penalty or the amount
of the financial penalty so imposed in accordance with this section.
[40/2020]
(3) Unless the Commission decides otherwise in any particular
case, an application for reconsideration does not suspend the effect of
the direction or decision to be reconsidered except in the case of an
application for reconsideration under subsection (2).
[40/2020]
(4) The application for reconsideration —
(a) subject to subsection (5), must be submitted to the
Commission within the prescribed period;
(b) must be made in the form and manner required by the
Commission; and
(c) must set out the grounds on which the applicant is
requesting the reconsideration.
[40/2020]
(5) The Commission may, on written application by the
organisation or person concerned (whether before, on or after the
expiry of the prescribed period mentioned in subsection (4)(a)),
extend the time for the organisation or person to make the application
for reconsideration if the Commission is satisfied that the extension
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 72
should be granted by reason of exceptional circumstances in the
particular case.
[40/2020]
(6) If an application for reconsideration is made in accordance with
this section, the Commission must —
(a) reconsider the direction or decision;
(b) take any of the following actions as the Commission thinks
fit:
(i) affirm, revoke or vary the direction or decision;
(ii) affirm or revoke, or vary the amount of, the financial
penalty; and
(c) notify the applicant in writing of the result of the
reconsideration.
[40/2020]
(7) There is to be no application for reconsideration of a decision
made under subsection (6)(b).
[40/2020]
Right of private action
48O.—(1) A person who suffers loss or damage directly as a result
of a contravention —
(a) by an organisation of any provision of Part 4, 5, 6, 6A or
6B; or
(b) by a person of any provision of Division 3 of Part 9 or
section 48B(1),
has a right of action for relief in civil proceedings in a court.
[40/2020]
(2) If the Commission has made a decision under this Act in respect
of a contravention specified in subsection (1), an action accruing
under subsection (1) may not be brought in respect of that
contravention until after the decision has become final as a result
of there being no further right of appeal.
[40/2020]
(3) The court may grant to the claimant in an action under
subsection (1) all or any of the following:
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
73 Act 2012 2020 Ed.
(a) relief by way of injunction or declaration;
(b) damages;
(c) any other relief as the court thinks fit.
[40/2020]
[Act 25 of 2021 wef 01/04/2022]
PART 9D
APPEALS
Data Protection Appeal Panel and Data Protection Appeal
Committees
48P.—(1) There is established a Data Protection Appeal Panel.
[40/2020]
(2) The Minister must appoint the members of the Appeal Panel.
[40/2020]
(3) The Chairperson of the Appeal Panel must be appointed by the
Minister from among the members of the Appeal Panel.
[40/2020]
(4) For the purpose of hearing any appeal under section 48Q, the
Chairperson of the Appeal Panel may nominate a Data Protection
Appeal Committee comprising 3 or more members of the Appeal
Panel.
[40/2020]
(5) The Seventh Schedule has effect with respect to the Appeal
Panel, Appeal Committees and their members and the proceedings of
Appeal Committees, as the case may be.
[40/2020]
Appeal from direction or decision of Commission
48Q.—(1) An organisation or a person (including an individual
who is a complainant) aggrieved by —
(a) any direction made by the Commission under
section 48G(2), 48I(1) or (2) or 48L(4);
(b) any direction or decision made by the Commission under
section 48H(2); or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 74
(c) any decision made by the Commission under
section 48N(6)(b),
may, within the prescribed period, appeal to the Chairperson of the
Appeal Panel against that direction or decision.
[40/2020]
(2) An organisation or a person aggrieved by a financial penalty
imposed by the Commission under section 48J(1) on the organisation
or person may, within the prescribed period, appeal to the
Chairperson of the Appeal Panel against the decision to impose the
financial penalty or the amount of the financial penalty so imposed.
[40/2020]
(3) Where an application for reconsideration has been made under
section 48N, every appeal in respect of the same direction or decision
which is the subject of the application for reconsideration is deemed
to be withdrawn.
[40/2020]
(4) Unless the Appeal Committee decides otherwise in any
particular case, the making of an appeal under this section does not
suspend the effect of the direction or decision to which the appeal
relates except in the case of an appeal under subsection (2).
[40/2020]
(5) An Appeal Committee hearing an appeal may confirm, vary or
set aside the direction or decision which is the subject of the appeal
and, in particular, may —
(a) remit the matter to the Commission;
(b) impose or revoke, or vary the amount of, a financial
penalty;
(c) give any direction, or take any other step, that the
Commission could itself have given or taken; or
(d) make any other direction or decision that the Commission
could itself have made.
[40/2020]
(6) A direction or decision of an Appeal Committee on an appeal
has the same effect, and may be enforced in the same manner, as a
direction or decision of the Commission, except that there is to be no
application for further reconsideration under section 48N and no
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
75 Act 2012 2020 Ed.
further appeal under this section from the direction or decision of the
Appeal Committee.
[40/2020]
(7) If an Appeal Committee confirms the direction or decision
which is the subject of the appeal, it may nevertheless set aside any
finding of fact on which the direction or decision was based.
[40/2020]
Appeals to General Division of High Court, etc.
48R.—(1) An appeal against, or with respect to, a direction or
decision of an Appeal Committee lies to the General Division of the
High Court —
(a) on a point of law arising from the direction or decision of
the Appeal Committee; or
(b) from any direction of the Appeal Committee as to the
amount of a financial penalty.
[40/2020]
(2) An appeal under this section may be made within the prescribed
time only at the instance of —
(a) the organisation or person aggrieved by the direction or
decision of the Appeal Committee;
(b) if the decision relates to a complaint, the complainant; or
(c) the Commission.
[40/2020]
(3) The General Division of the High Court is to hear and determine
any appeal under this section and may —
(a) confirm, modify or reverse the direction or decision of the
Appeal Committee; and
(b) make any further or other order on the appeal, whether as
to costs or otherwise, as the General Division of the High
Court thinks fit.
[40/2020]
(4) There is such further right of appeal from decisions of the
General Division of the High Court under this section as exists in the
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 76
case of decisions made by the General Division of the High Court in
the exercise of its original civil jurisdiction.
[40/2020]
PART 10
GENERAL
Advisory guidelines
49.—(1) The Commission may issue written advisory guidelines
indicating the manner in which the Commission will interpret the
provisions of this Act.
(2) Guidelines issued under this section may be varied, amended or
revoked by the Commission.
(3) The Commission must publish the guidelines in any way the
Commission thinks fit, but failure to comply with this subsection in
respect of any guidelines does not invalidate the guidelines.
Powers of investigation
50.—(1) The Commission may, upon complaint or of its own
motion, conduct an investigation under this section to determine
whether or not an organisation or a person is complying with this Act,
including a voluntary undertaking given by the organisation or person
under section 48L(1).
[40/2020]
(2) The powers of investigation under this section of the
Commission and the inspectors are set out in the Ninth Schedule.
(3) The Commission may suspend, discontinue or refuse to conduct
an investigation under this section if it thinks fit, including but not
limited to any of the following circumstances:
(a) the complainant has not complied with a direction under
section 48G(2);
(b) the parties involved in the matter have mutually agreed to
settle the matter;
(c) any party involved in the matter has commenced legal
proceedings against another party in respect of any
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
77 Act 2012 2020 Ed.
contravention or alleged contravention of this Act by the
other party;
(ca) the Commission accepts a voluntary undertaking given by
an organisation or a person under section 48L(1) in relation
to the matter;
(d) the Commission is of the opinion that the matter may be
more appropriately investigated by another regulatory
authority and has referred the matter to that authority;
(e) the Commission is of the opinion that —
(i) a complaint is frivolous or vexatious or is not made
in good faith; or
(ii) any other circumstances warrant refusing to conduct,
suspending or discontinuing the investigation.
[40/2020]
(3A) To avoid doubt, despite subsection (3)(ca), the Commission
may conduct or resume an investigation under this section at any time
if an organisation or a person fails to comply with a voluntary
undertaking given by the organisation or person under section 48L(1)
in relation to any matter.
[40/2020]
(4) An organisation must retain records relating to an investigation
under this section for one year after the conclusion of the
investigation or any longer period specified in writing by the
Commission.
Offences and penalties
51.—(1) A person shall be guilty of an offence if the person —
(a) makes a request under section 21(1) to obtain access to
personal data about another individual without the
authority of that other individual;
(b) makes a request under section 22(1) to change personal
data about another individual without the authority of that
other individual; or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 78
(c) subject to subsection (1A), gives a porting organisation a
data porting request under section 26H(1) to transmit
personal data about another individual to a receiving
organisation without the authority of that other individual.
[40/2020]
(1A) Subsection (1)(c) does not apply to an individual who gives a
data porting request under section 26H(1), in the individual’s
personal or domestic capacity, to transmit any user activity data or
user-provided data about the individual even though the user activity
data or user-provided data (as the case may be) includes personal data
about another individual.
[40/2020]
(2) A person guilty of an offence under subsection (1) shall be liable
on conviction to a fine not exceeding $5,000 or to imprisonment for a
term not exceeding 12 months or to both.
(3) An organisation or person commits an offence if the
organisation or person —
(a) with an intent to evade a request under section 21 or 22,
disposes of, alters, falsifies, conceals or destroys, or directs
another person to dispose of, alter, falsify, conceal or
destroy, a record containing —
(i) personal data; or
(ii) information about the collection, use or disclosure of
personal data;
(b) obstructs or hinders the Commission, an inspector or an
authorised officer in the performance of any function or
duty, or the exercise of any power, under this Act;
(ba) without reasonable excuse, neglects or refuses to provide
any information or produce any document which the
organisation or person is required by or under this Act to
provide or produce to the Commission or an inspector;
(bb) without reasonable excuse, neglects or refuses to attend
before the Commission or an inspector as required by or
under this Act; or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
79 Act 2012 2020 Ed.
(c) makes a statement, or provides any information or
document, to the Commission, an inspector or an
authorised officer under this Act, which the organisation
or person knows, or ought reasonably to know, to be false
or misleading in any material particular.
[22/2016; 40/2020]
(4) An organisation or person that commits an offence under
subsection (3)(a) is liable —
(a) in the case of an individual, to a fine not exceeding $5,000
or to imprisonment for a term not exceeding 12 months or
to both; and
(b) in any other case, to a fine not exceeding $50,000.
[40/2020]
(5) An organisation or person that commits an offence under
subsection (3)(b) or (c) is liable —
(a) in the case of an individual, to a fine not exceeding $10,000
or to imprisonment for a term not exceeding 12 months or
to both; and
(b) in any other case, to a fine not exceeding $100,000.
(6) An organisation or a person that commits an offence under
subsection (3)(ba) or (bb) is liable —
(a) in the case of an individual — to a fine not exceeding
$5,000 or to imprisonment for a term not exceeding
6 months or to both; and
(b) in any other case — to a fine not exceeding $10,000.
[40/2020]
Offences by corporations
52.—(1) Where, in a proceeding for an offence under this Act, it is
necessary to prove the state of mind of a corporation in relation to a
particular conduct, evidence that —
(a) an officer, employee or agent of the corporation engaged in
that conduct within the scope of the actual or apparent
authority of the officer, employee or agent, as the case may
be; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 80
(b) the officer, employee or agent had that state of mind,
is evidence that the corporation had that state of mind.
[40/2020]
(2) Where a corporation commits an offence under this Act, a
person —
(a) who is —
(i) an officer of the corporation; or
(ii) an individual involved in the management of the
corporation and in a position to influence the conduct
of the corporation in relation to the commission of
the offence; and
(b) who —
(i) consented or connived, or conspired with others, to
effect the commission of the offence;
(ii) is in any other way, whether by act or omission,
knowingly concerned in, or is party to, the
commission of the offence by the corporation; or
(iii) knew or ought reasonably to have known that the
offence by the corporation (or an offence of the same
type) would be or is being committed, and failed to
take all reasonable steps to prevent or stop the
commission of that offence,
shall be guilty of that same offence as is the corporation, and shall be
liable on conviction to be punished accordingly.
[40/2020]
(3) A person mentioned in subsection (2) may rely on a defence that
would be available to the corporation if it were charged with the
offence with which the person is charged and, in doing so, the person
bears the same burden of proof that the corporation would bear.
[40/2020]
(4) To avoid doubt, this section does not affect the application of —
(a) Chapters 5 and 5A of the Penal Code 1871; or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
81 Act 2012 2020 Ed.
(b) the Evidence Act 1893 or any other law or practice
regarding the admissibility of evidence.
[40/2020]
(5) To avoid doubt, subsection (2) also does not affect the liability
of the corporation for an offence under this Act, and applies whether
or not the corporation is convicted of the offence.
[40/2020]
(6) The Minister may make regulations to provide for the
application of any provision of this section, with such
modifications as the Minister considers appropriate, to any
corporation formed or recognised under the law of a territory
outside Singapore.
[40/2020]
(7) In this section —
“corporation” includes a limited liability partnership within the
meaning of section 2(1) of the Limited Liability Partnerships
Act 2005;
“officer”, in relation to a corporation, means any director,
partner, chief executive, manager, secretary or other similar
officer of the corporation, and includes —
(a) any person purporting to act in any such capacity; and
(b) for a corporation whose affairs are managed by its
members, any of those members as if the member
were a director of the corporation;
“state of mind” of a person includes —
(a) the knowledge, intention, opinion, belief or purpose
of the person; and
(b) the person’s reasons for the intention, opinion, belief
or purpose.
[40/2020]
Offences by unincorporated associations or partnerships
52A.—(1) Where, in a proceeding for an offence under this Act, it
is necessary to prove the state of mind of an unincorporated
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 82
association or a partnership in relation to a particular conduct,
evidence that —
(a) an employee or agent of the unincorporated association or
partnership engaged in that conduct within the scope of the
actual or apparent authority of the employee or agent, as
the case may be; and
(b) the employee or agent had that state of mind,
is evidence that the unincorporated association or partnership had that
state of mind.
[40/2020]
(2) Where an unincorporated association or a partnership commits
an offence under this Act, a person —
(a) who is —
(i) an officer of the unincorporated association or a
member of its governing body;
(ii) a partner in the partnership; or
(iii) an individual involved in the management of the
unincorporated association or partnership and in a
position to influence the conduct of the
unincorporated association or partnership (as the
case may be) in relation to the commission of the
offence; and
(b) who —
(i) consented or connived, or conspired with others, to
effect the commission of the offence;
(ii) is in any other way, whether by act or omission,
knowingly concerned in, or is party to, the
commission of the offence by the unincorporated
association or partnership; or
(iii) knew or ought reasonably to have known that the
offence by the unincorporated association or
partnership (or an offence of the same type) would
be or is being committed, and failed to take all
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
83 Act 2012 2020 Ed.
reasonable steps to prevent or stop the commission of
that offence,
shall be guilty of the same offence as is the unincorporated
association or partnership (as the case may be), and shall be liable
on conviction to be punished accordingly.
[40/2020]
(3) A person mentioned in subsection (2) may rely on a defence that
would be available to the unincorporated association or partnership if
it were charged with the offence with which the person is charged
and, in doing so, the person bears the same burden of proof that the
unincorporated association or partnership would bear.
[40/2020]
(4) To avoid doubt, this section does not affect the application of —
(a) Chapters 5 and 5A of the Penal Code 1871; or
(b) the Evidence Act 1893 or any other law or practice
regarding the admissibility of evidence.
[40/2020]
(5) To avoid doubt, subsection (2) also does not affect the liability
of an unincorporated association or a partnership for an offence under
this Act, and applies whether or not the unincorporated association or
partnership is convicted of the offence.
[40/2020]
(6) The Minister may make regulations to provide for the
application of any provision of this section, with such
modifications as the Minister considers appropriate, to any
unincorporated association or partnership formed or recognised
under the law of a territory outside Singapore.
[40/2020]
(7) In this section —
“officer”, in relation to an unincorporated association (other than
a partnership), means the president, the secretary or any
member of the committee of the unincorporated association,
and includes —
(a) any person holding a position analogous to that of
president, secretary or member of the committee of
the unincorporated association; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 84
(b) any person purporting to act in any such capacity;
“partner” includes a person purporting to act as a partner;
“state of mind” of a person includes —
(a) the knowledge, intention, opinion, belief or purpose
of the person; and
(b) the person’s reasons for the intention, opinion, belief
or purpose.
[40/2020]
Liability of employers for acts of employees
53.—(1) Any act done or conduct engaged in by a person in the
course of his or her employment (called in this section the employee)
is treated for the purposes of this Act as done or engaged in by his or
her employer as well as by the employee, whether or not it was done
or engaged in with the employer’s knowledge or approval.
(2) In any proceedings for an offence under this Act brought against
any person in respect of an act or conduct alleged to have been done
or engaged in (as the case may be) by an employee of that person, it is
a defence for that person to prove that the person took such steps as
were practicable to prevent the employee from doing the act or
engaging in the conduct, or from doing or engaging in, in the course
of his or her employment, acts or conduct (as the case may be) of that
description.
Jurisdiction of court
54. Despite any provision to the contrary in the Criminal Procedure
Code 2010, a District Court has jurisdiction to try any offence under
this Act and has power to impose the full penalty or punishment in
respect of the offence.
Composition of offences
55.—(1) The Commission may compound any offence under this
Act (except Part 9) that is prescribed as a compoundable offence by
collecting from a person reasonably suspected of having committed
the offence a sum not exceeding the lower of the following:
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
85 Act 2012 2020 Ed.
(a) one half of the amount of the maximum fine that is
prescribed for the offence;
(b) a sum of $5,000.
(2) The Commission may compound any offence under Part 9 that
is prescribed as a compoundable offence by collecting from a person
reasonably suspected of having committed the offence a sum not
exceeding $1,000.
(3) On payment of the sum of money, no further proceedings are to
be taken against that person in respect of the offence.
(4) The Commission may, with the approval of the Minister, make
regulations prescribing the offences that may be compounded.
[22/2016]
General penalties
56. A person guilty of an offence under this Act for which no
penalty is expressly provided shall be liable on conviction to a fine
not exceeding $10,000 or to imprisonment for a term not exceeding
3 years or to both and, in the case of a continuing offence, to a further
fine not exceeding $1,000 for every day or part of a day during which
the offence continues after conviction.
Public servants and public officers
57.—(1) All individuals appointed under section 8(1) —
(a) are deemed to be public servants for the purposes of the
Penal Code 1871; and
(b) are, in relation to their administration, assessment,
collection or enforcement of payment of composition
sums under this Act, deemed to be public officers for the
purposes of the Financial Procedure Act 1966; and
section 20 of that Act applies to these individuals even
though they are not or were not in the employment of the
Government.
[22/2016]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 86
(2) All members of the Appeal Panel, and all members of an
advisory committee, are deemed to be public servants for the
purposes of the Penal Code 1871.
[22/2016]
Evidence in proceedings
58.—(1) The Commission, the Appeal Panel, an Appeal
Committee, their members and anyone acting for or under the
direction of the Commission must not give or be compelled to give
evidence in a court or in any other proceedings in respect of any
information obtained in performing their duties or exercising their
powers or functions under this Act, except —
(a) in a prosecution for perjury or for the provision of false
information;
(b) in a prosecution for an offence under this Act; or
(c) in an application for judicial review or an appeal from a
decision with respect to such an application.
(2) Subsection (1) applies also in respect of evidence of the
existence of proceedings conducted before the Commission.
Preservation of secrecy
59.—(1) Subject to subsection (5), every specified person must
preserve, and aid in the preservation of, secrecy with regard to —
(a) any personal data an organisation would be required or
authorised to refuse to disclose if it were contained in
personal data requested under section 21;
(b) whether information exists, if an organisation in refusing to
provide access under section 21 does not indicate whether
the information exists;
(c) all matters that have been identified as confidential under
subsection (3); and
(d) all matters relating to the identity of persons providing
information to the Commission,
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
87 Act 2012 2020 Ed.
that may come to the specified person’s knowledge in the
performance of the specified person’s functions and discharge of
the specified person’s duties under this Act and must not
communicate any such matter to any person, except insofar as such
communication —
(e) is necessary for the performance of any such function or
discharge of any such duty; or
(f) is lawfully required by any court, or lawfully required or
permitted under this Act or any other written law.
(2) A person who fails to comply with subsection (1) shall be guilty
of an offence.
(3) A person, when providing any information to the Commission,
may identify information that the person claims to be confidential
information.
(4) Every claim made under subsection (3) must be supported by a
written statement giving reasons why the information is confidential.
(5) Despite subsection (1), the Commission may disclose, or
authorise any specified person to disclose, any information relating
to any matter referred to in subsection (1) in any of the following
circumstances:
(a) where the consent of the person to whom the information
relates has been obtained;
(b) if the Commission considers there is evidence of an
offence, disclose information relating to the commission of
an offence to the Public Prosecutor, any police officer and
other law enforcement authorities;
(c) to give effect to any provision of this Act;
(d) for the purposes of a prosecution, an application or an
appeal mentioned in section 58(1)(a), (b) or (c);
(e) to comply with any provision of a cooperation agreement
entered into under section 10, where the conditions
specified in subsection (6) are satisfied; or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 88
(f) to a public body in such circumstances as the Minister may
prescribe.
(6) The conditions mentioned in subsection (5)(e) are —
(a) that the information or documents requested by the foreign
country are in the possession of the Commission;
(b) that unless the Government otherwise allows, the foreign
country undertakes to keep the information given
confidential at all times; and
(c) that the disclosure of the information is not likely to be
contrary to the public interest.
(7) In this section, “specified person” means a person who is or has
been —
(a) a member or an officer of a relevant body;
(aa) a person authorised or appointed by a relevant body to
perform the relevant body’s functions or duties, or exercise
the relevant body’s powers, under this Act or any other
written law;
(b) a member of a committee of a relevant body or any person
authorised, appointed or employed to assist the relevant
body; or
(c) an inspector or a person authorised, appointed or employed
to assist an inspector.
[22/2016]
Protection from personal liability
60. No liability shall be incurred by —
(a) any member or officer of a relevant body;
(b) any person authorised, appointed or employed to assist a
relevant body;
(c) any person who is on secondment or attachment to a
relevant body;
(d) any person authorised or appointed by a relevant body to
exercise the relevant body’s powers, perform the relevant
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
89 Act 2012 2020 Ed.
body’s functions or discharge the relevant body’s duties or
to assist the relevant body in the exercise of its powers, the
performance of its functions or the discharge of its duties
under this Act or any other written law; or
(e) any inspector or any person authorised, appointed or
employed to assist an inspector in connection with any
function or duty of the inspector under this Act,
as a result of anything done (including any statement made) or
omitted to be done with reasonable care and in good faith in the
course of or in connection with —
(f) the exercise or purported exercise of any power under this
Act or any other written law;
(g) the performance or purported performance of any function
or the discharge or purported discharge of any duty under
this Act or any other written law; or
(h) the compliance or purported compliance with this Act or
any other written law.
Symbol of Commission
61.—(1) The Commission has the exclusive right to the use of such
symbol or representation as may be prescribed in connection with its
activities or affairs.
(2) A person who, without the authority of the Commission, uses a
symbol or representation identical with that of the Commission, or
which so resembles the symbol or representation of the Commission
as to deceive or cause confusion, or to be likely to deceive or to cause
confusion, shall be guilty of an offence and shall be liable on
conviction to a fine not exceeding $2,000 or to imprisonment for a
term not exceeding 6 months or to both.
Power to exempt
62. The Commission may, with the approval of the Minister, by
order in the Gazette, exempt any person or organisation or any class
of persons or organisations from all or any of the provisions of this
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 90
Act, subject to such terms or conditions as may be specified in the
order.
Certificate as to national interest
63. For the purposes of this Act, if any doubt arises as to whether
anything is necessary for the purpose of, or could be contrary to, the
national interest, a certificate signed by the Minister charged with
responsibility for that matter is conclusive evidence of the matters
stated in the certificate.
Amendment of Schedules
64.—(1) The Minister may, by order in the Gazette, amend any of
the Schedules, except the Ninth Schedule.
(2) An order under this section must be presented to Parliament as
soon as possible after publication in the Gazette.
Power to make regulations
65.—(1) The Commission may, with the approval of the Minister,
make such regulations as may be necessary or expedient for carrying
out the purposes and provisions of this Act and for prescribing
anything that may be required or authorised to be prescribed by this
Act.
[22/2016]
(2) Without limiting subsection (1), the Commission may, with the
approval of the Minister, make regulations for or with respect to all or
any of the following matters:
(a) [Deleted by Act 22 of 2016]
(b) the form, manner and procedures, relating to the making
and responding to requests under section 21 or 22,
including the content of responses to such requests, the
period for such responses, the circumstances in which an
organisation may refuse to provide a response or refuse to
confirm or deny the existence of any matter and the fees
that an organisation may charge in respect of such requests;
(ba) the assessment and notification of notifiable data breaches,
including —
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
91 Act 2012 2020 Ed.
(i) the steps and measures that an organisation must take
in relation to the investigation and assessment of data
breaches; and
(ii) the form and manner in which the Commission and
affected individuals must be notified of notifiable
data breaches;
(bb) the form, manner and procedures relating to data porting
requests, including —
(i) the information and particulars that must be provided
for such requests;
(ii) the time for and content of a porting organisation’s
responses to such requests;
(iii) the steps that a receiving organisation must take to
confirm the accessibility and completeness of any
applicable data transmitted by a porting organisation;
and
(iv) the fees that a porting organisation may charge in
respect of such requests;
(c) the classes of persons who may act under this Act for
minors, deceased persons or any other individuals who
lack capacity to act under this Act and regulating the
manner in which, and the extent to which, any rights or
powers of individuals under this Act may be exercised on
their behalf;
(d) the form, manner and procedures relating to applications
and complaints under this Act;
(e) the conduct of reviews by the Commission under
section 48H;
(f) the form, manner and procedures for applications for
reconsideration by the Commission under section 48N,
including the fees to be paid in respect of such
applications;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 92
(g) the form, manner and procedures for appeals to an Appeal
Committee, including the fees to be paid in respect of such
appeals;
(h) the award of costs of or incidental to any proceedings
before the Commission or Appeal Committee, and the
award of expenses, including any allowances payable to
persons in connection with their attendance before the
Commission or Appeal Committee;
(i) the criteria for determining whether a Singapore telephone
number is eligible to be listed in a register;
(j) the manner in which entries in the register are to be made,
corrected or removed;
(k) the manner and form of giving or withdrawing consent for
the sending of a specified message;
(l) any other matter relating to the establishment, operation or
administration of the register;
(m) the fees to be paid in respect of applications, and services
provided by or on behalf of the Commission, under this
Act, including applications made under section 40(2);
(n) the requirements that checkers must comply with for the
purposes of this Act.
[22/2016; 40/2020]
(3) Regulations made under this section may provide differently for
different organisations, individuals, classes of organisations or
classes of individuals.
Rules of Court
66. Rules of Court may be made to provide for the practice and
procedure relating to actions under section 48O and appeals under
section 48R, including the requirement that the claimant notify the
Commission upon commencing any such action or appeal, and for
matters related thereto.
[40/2020]
[Act 25 of 2021 wef 01/04/2022]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
93 Act 2012 2020 Ed.
Saving and transitional provisions
67.—(1) Every act done by or on behalf of the Former Commission
before 1 October 2016 remains valid and has effect as though it has
been done by or on behalf of the Commission, until such time as the
Commission invalidates, revokes, cancels or otherwise determines
that act.
[22/2016]
(2) Where any thing has been started by or on behalf of the Former
Commission before 1 October 2016, the Commission may carry on
and complete that thing on or after that date.
[22/2016]
(3) Any approval, authorisation, decision, direction, exemption,
guideline or notice (or other document) given or made by the Former
Commission under this Act before 1 October 2016 remains valid and
is deemed to have been given or made by the Commission under this
Act, to the extent that it is not inconsistent with this Act as amended
by the Info-communications Media Development Authority
Act 2016.
[22/2016]
(4) Any application that is made to the Former Commission under
this Act and is pending on 1 October 2016 is deemed to be an
application made to the Commission under this Act, to the extent that
it is not inconsistent with this Act as amended by the
Info-communications Media Development Authority Act 2016.
[22/2016]
(5) Any appeal made before 1 October 2016 under Part 8 in respect
of any direction or decision of the Former Commission is deemed to
be an appeal in respect of the direction or decision of the
Commission.
[22/2016]
(6) Any authorisation made by, or any certificate or other document
signed by, the Chairman of the Former Commission under this Act
before 1 October 2016 remains valid and is deemed to have been
made or signed by the Chief Executive of the Authority under this
Act.
[22/2016]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 94
(7) [Omitted as spent]
[22/2016]
(8) This section does not affect the operation of section 16 of the
Interpretation Act 1965.
[22/2016]
(9) In this section, “Former Commission” means the Personal Data
Protection Commission established by section 5(1) as in force
immediately before 1 October 2016.
[22/2016]
Dissolution
68.—(1) The Former Commission is dissolved.
[22/2016]
(2) In this section, “Former Commission” has the meaning given by
section 67(9).
[22/2016]
FIRST SCHEDULE
Section 17(1) and Fifth and
Twelfth Schedules
COLLECTION, USE AND DISCLOSURE OF
PERSONAL DATA WITHOUT CONSENT
PART 1
VITAL INTERESTS OF INDIVIDUALS
1.—(1) Subject to sub-paragraph (2), the collection, use or disclosure (as the
case may be) of personal data about an individual is necessary for any purpose
which is clearly in the individual’s interests, and —
(a) consent for the collection, use or disclosure (as the case may be) cannot
be obtained in a timely way; or
(b) the individual would not reasonably be expected to withhold consent.
(2) Where the organisation collects, uses or discloses (as the case may be)
personal data about the individual under sub-paragraph (1), the organisation must,
as soon as is practicable, notify the individual of the collection, use or disclosure
(as the case may be) and the purpose for the collection, use or disclosure, as the
case may be.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
95 Act 2012 2020 Ed.
FIRST SCHEDULE — continued
2. The collection, use or disclosure (as the case may be) of personal data about
an individual is necessary to respond to an emergency that threatens the life, health
or safety of the individual or another individual.
3. The collection, use or disclosure (as the case may be) of personal data about
an individual, where —
(a) consent for the collection, use or disclosure (as the case may be) cannot
be obtained in a timely way; and
(b) there are reasonable grounds to believe that the health or safety of the
individual or another individual will be seriously affected.
4. The collection, use or disclosure of personal data is for the purpose of
contacting the next-of-kin or a friend of any injured, ill or deceased individual.
PART 2
MATTERS AFFECTING PUBLIC
1. The collection, use or disclosure (as the case may be) of personal data about
an individual that is publicly available.
2. The collection, use or disclosure (as the case may be) of personal data about
an individual is in the national interest.
3. The collection, use or disclosure (as the case may be) of personal data about
an individual is solely for artistic or literary purposes.
4. The collection, use or disclosure (as the case may be) of personal data about
an individual is solely for archival or historical purposes, if a reasonable person
would not consider the personal data to be too sensitive to the individual to be
collected, used or disclosed (as the case may be) at the proposed time.
5. The personal data about an individual is collected, used or disclosed (as the
case may be) by a news organisation solely for its news activity.
6. In this Part —
“broadcasting service” has the meaning given by section 2(1) of the
Broadcasting Act 1994;
“news activity” means —
(a) the gathering of news, or the preparation or compilation of
articles or programmes of or concerning news, observations on
news, or current affairs, for the purposes of dissemination to the
public or any section of the public; or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 96
FIRST SCHEDULE — continued
(b) the dissemination, to the public or any section of the public, of
any article or programme of or concerning —
(i) news;
(ii) observations on news; or
(iii) current affairs;
“news organisation” means —
(a) any organisation —
(i) the business of which consists, in whole or in part, of
news activity carried out in relation to a relevant
broadcasting service, a newswire service or the
publication of a newspaper; and
(ii) which, if the organisation publishes a newspaper in
Singapore which is not exempted from the provisions
of Part 3 of the Newspaper and Printing Presses
Act 1974, is a newspaper company defined in
section 2(1) of that Act; or
(b) any organisation which provides a broadcasting service in or
from Singapore and holds a broadcasting licence granted under
section 8 of the Broadcasting Act 1994;
“newspaper” has the meaning given by section 2(1) of the Newspaper and
Printing Presses Act 1974;
“relevant broadcasting service” means any of the following licensable
broadcasting services within the meaning of the Broadcasting Act 1994:
(a) free-to-air nationwide television services;
(b) free-to-air localised television services;
(c) free-to-air international television services;
(d) subscription nationwide television services;
(e) subscription localised television services;
(f) subscription international television services;
(g) special interest television services;
(h) free-to-air nationwide radio services;
(i) free-to-air localised radio services;
(j) free-to-air international radio services;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
97 Act 2012 2020 Ed.
FIRST SCHEDULE — continued
(k) subscription nationwide radio services;
(l) subscription localised radio services;
(m) subscription international radio services;
(n) special interest radio services.
PART 3
LEGITIMATE INTERESTS
1.—(1) Subject to sub-paragraphs (2), (3) and (4) —
(a) the collection, use or disclosure (as the case may be) of personal data
about an individual is in the legitimate interests of the organisation or
another person; and
(b) the legitimate interests of the organisation or other person outweigh
any adverse effect on the individual.
(2) For the purposes of sub-paragraph (1), the organisation must —
(a) conduct an assessment, before collecting, using or disclosing the
personal data (as the case may be), to determine whether
sub-paragraph (1) is satisfied; and
(b) provide the individual with reasonable access to information about the
organisation’s collection, use or disclosure of personal data (as the case
may be) in accordance with sub-paragraph (1).
(3) The organisation must, in respect of the assessment mentioned in
sub-paragraph (2)(a) —
(a) identify any adverse effect that the proposed collection, use or
disclosure (as the case may be) of personal data about an individual is
likely to have on the individual;
(b) identify and implement reasonable measures —
(i) to eliminate the adverse effect;
(ii) to reduce the likelihood that the adverse effect will occur; or
(iii) to mitigate the adverse effect; and
(c) comply with any other prescribed requirements.
(4) Sub-paragraph (1) does not apply to the collection, use or disclosure of
personal data about an individual for the purpose of sending to that individual or
any other individual a message for an applicable purpose within the meaning
given by section 37(6).
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 98
FIRST SCHEDULE — continued
2. The collection, use or disclosure (as the case may be) of personal data about
an individual is necessary for evaluative purposes.
3. The collection, use or disclosure (as the case may be) of personal data about
an individual is necessary for any investigation or proceedings.
4. The collection, use or disclosure (as the case may be) of personal data about
an individual is necessary for the organisation —
(a) to recover a debt owed by the individual to the organisation; or
(b) to pay to the individual a debt owed by the organisation.
5. The collection, use or disclosure (as the case may be) of personal data about
an individual is necessary for the provision of legal services by the organisation to
another person, or for the organisation to obtain legal services.
6.—(1) Subject to sub-paragraph (2), the collection, use or disclosure (as the
case may be) of personal data about an individual —
(a) is for the purpose of the preparation by a credit bureau of a credit
report; or
(b) relates to a credit report provided by a credit bureau to a member of the
credit bureau in relation to a transaction between the member and the
individual.
(2) Sub-paragraph (1) does not apply to a credit bureau that, being required to
obtain a licence under any other written law, does not hold such a licence.
7. The collection, use or disclosure (as the case may be) of personal data about
an individual is to —
(a) confer an interest or a benefit on the individual under a private trust or
benefit plan; and
(b) administer that trust or benefit plan, at the request of the settlor or the
person establishing the benefit plan, as the case may be.
8. The personal data about an individual —
(a) is provided to the organisation by another individual to enable the
organisation to provide a service for the personal or domestic purposes
of that other individual; and
(b) is collected, used or disclosed (as the case may be) by the organisation
solely for the purpose in sub-paragraph (a).
9. The personal data about an individual —
(a) is included in a document produced in the course, and for the purposes,
of the individual’s employment, business or profession; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
99 Act 2012 2020 Ed.
FIRST SCHEDULE — continued
(b) is collected, used or disclosed (as the case may be) for purposes
consistent with the purpose for which the document was produced.
10. The personal data about an individual is collected, used or disclosed (as the
case may be) by the organisation, and the collection, use or disclosure (as the case
may be) of the personal data is reasonable for the purpose of or in relation to the
organisation —
(a) entering into an employment relationship with the individual or
appointing the individual to any office; or
(b) managing or terminating the employment relationship with or
appointment of the individual.
PART 4
BUSINESS ASSET TRANSACTIONS
1.—(1) Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where
an organisation (X) is a party or a prospective party to a business asset transaction
with another organisation (Y), personal data about an applicable individual of Y —
(a) is collected from Y by X for the purposes of the business asset
transaction;
(b) is used or disclosed by X in relation to the business asset transaction; or
(c) is disclosed by Y to X for the purposes of the business transaction.
(2) Where the business asset transaction concerns any part of Y or Y’s business
assets, the personal data mentioned in sub-paragraph (1) must relate directly to
that part of Y or Y’s business assets, as the case may be.
(3) If X is a prospective party to the business asset transaction, the following
conditions apply:
(a) X may collect, and Y may disclose, only personal data that is necessary
for X to determine whether to proceed with the business asset
transaction;
(b) X and Y must have entered into an agreement that requires X to use or
disclose the personal data solely for purposes related to the business
asset transaction.
(4) If X enters into the business asset transaction, the following conditions apply:
(a) X may use or disclose the personal data X collected from Y only for the
same purposes for which Y would have been permitted to use or
disclose the personal data;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 100
FIRST SCHEDULE — continued
(b) if any personal data X collects from Y does not relate directly to the part
of Y or Y’s business assets with which the business asset transaction
entered into is concerned, X must destroy, or return to Y, that personal
data;
(c) X or Y must notify the applicable individuals of Y whose personal data
is disclosed that —
(i) the business asset transaction has taken place; and
(ii) the personal data about them has been disclosed to X.
(5) If the business asset transaction does not proceed or is not completed, X must
destroy, or return to Y, all personal data collected.
2.—(1) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an
organisation (X) is a party or a prospective party to a business asset transaction
with another organisation (Y) in respect of Y’s interest in a third organisation (Z)
(called in this paragraph the relevant transaction), personal data about an
applicable individual of Z —
(a) is collected from Y or Z by X, or from Z by Y, for the purposes of the
relevant transaction;
(b) is used or disclosed by X or Y in relation to the relevant transaction; or
(c) is disclosed by Y or Z (as the case may be) to X, or by Z to Y, for the
purposes of the relevant transaction.
(2) If X is a prospective party to the relevant transaction, the following
conditions apply:
(a) where X collects the personal data mentioned in sub-paragraph (1)
from Y or Z —
(i) X may collect, and Y or Z (as the case may be) may disclose,
only personal data that is necessary for X to determine whether
to proceed with the relevant transaction; and
(ii) X and Y or Z (as the case may be) must have entered into an
agreement that requires X to use or disclose the personal data
solely for purposes related to the relevant transaction;
(b) where Y collects the personal data mentioned in sub-paragraph (1)
from Z —
(i) Y may collect, and Z may disclose, only personal data that is
necessary for X or Y (as the case may be) to determine whether
to proceed with the relevant transaction; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
101 Act 2012 2020 Ed.
FIRST SCHEDULE — continued
(ii) Y and Z must have entered into an agreement that requires Y to
use or disclose the personal data solely for purposes related to
the relevant transaction.
(3) If X enters into the relevant transaction, the following conditions apply:
(a) X may use or disclose the personal data collected from Y or Z (as the
case may be) only for the same purposes for which Y or Z (as the case
may be) would have been permitted to use or disclose the personal
data;
(b) Y may use or disclose the personal data collected from Z only for the
same purposes for which Z would have been permitted to use or
disclose the personal data;
(c) X, Y or Z must notify the applicable individuals of Z whose personal
data is disclosed that —
(i) the relevant transaction has taken place; and
(ii) the personal data about them has been disclosed to X.
(4) If the relevant transaction does not proceed or is not completed —
(a) X must destroy, or return to Y or Z (as the case may be), all personal
data collected; and
(b) Y must destroy, or return to Z, all personal data collected.
3. In this Part —
“applicable individual”, in relation to an organisation, includes a contractor, a
customer, a director, an employee, an officer or a shareholder of the
organisation;
“business asset transaction” —
(a) means the purchase, sale, lease, merger or amalgamation or any
other acquisition, disposal or financing of —
(i) an organisation or a portion of an organisation;
(ii) an interest in an organisation; or
(iii) any of the business or assets of an organisation, other
than any personal data to be disclosed under
paragraph 1(1) or 2(1), as the case may be; and
(b) includes —
(i) the amalgamation of a corporation with one or more
related corporations; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 102
FIRST SCHEDULE — continued
(ii) the transfer or disposal of any of the business or assets
of a corporation to a related corporation;
“business trust” has the meaning given by section 2 of the Business Trusts
Act 2004;
“corporation” and “related corporation” have the meanings given by
section 4(1) of the Companies Act 1967;
“interest” means —
(a) in relation to a corporation — a share in that corporation;
(b) in relation to an entity other than a corporation — any right or
interest (whether legal or equitable) in that entity, by whatever
name called;
(c) in relation to a business trust — a unit in that business trust; and
(d) in relation to a trust other than a business trust — any right or
interest (whether legal or equitable) in that trust, by whatever
name called.
PART 5
BUSINESS IMPROVEMENT PURPOSES
1.—(1) Subject to the conditions in sub-paragraphs (3), (4) and (5), personal
data about an individual (P) —
(a) is collected by an organisation (X) that is a corporation from a related
corporation (Y) for a purpose specified in sub-paragraph (2) (called the
relevant purpose);
(b) is used by X for a relevant purpose; or
(c) is disclosed by Y to X for a relevant purpose.
(2) The relevant purposes mentioned in sub-paragraph (1) are the following:
(a) improving or enhancing any goods or services provided, or developing
new goods or services to be provided, by X or Y;
(b) improving or enhancing the methods or processes, or developing new
methods or processes, for the operations of X or Y;
(c) learning about and understanding the behaviour and preferences of P
or another individual in relation to the goods or services provided by X
or Y;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
103 Act 2012 2020 Ed.
FIRST SCHEDULE — continued
(d) identifying any goods or services provided by X or Y that may be
suitable for P or another individual, or personalising or customising
any such goods or services for P or another individual.
(3) Sub-paragraph (1)(a) and (c) applies only if —
(a) the relevant purpose for which X collects, or Y discloses, personal data
about P cannot reasonably be achieved without the collection, use or
disclosure (as the case may be) of the personal data in an individually
identifiable form;
(b) a reasonable person would consider the collection or disclosure of
personal data about P for the relevant purpose to be appropriate in the
circumstances; and
(c) X and Y are bound by any contract or other agreement or binding
corporate rules requiring the recipient of personal data about P to
implement and maintain appropriate safeguards for the personal data.
(4) Sub-paragraph (1)(b) applies only if —
(a) the relevant purpose for which X uses personal data about P cannot
reasonably be achieved without the use of the personal data in an
individually identifiable form; and
(b) a reasonable person would consider the use of personal data about P
for the relevant purpose to be appropriate in the circumstances.
(5) Where X collects from Y, and Y discloses to X, personal data about P for a
purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the
collection or disclosure, as the case may be —
(a) an existing customer of Y; and
(b) an existing customer or a prospective customer of X.
(6) To avoid doubt, sub-paragraph (1) does not apply to the collection, use or
disclosure of personal data about P for the purpose of sending to P or another
individual a message for an applicable purpose within the meaning given by
section 37(6).
2. In this Part —
“corporation” and “related corporation” have the meanings given by
section 4(1) of the Companies Act 1967;
“existing customer”, in relation to a corporation, means an individual who
purchases, hires or uses, or has purchased, hired or used, any goods or
services provided by the corporation;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 104
FIRST SCHEDULE — continued
“prospective customer of X” means an individual who, at the time mentioned
in paragraph 1(5) —
(a) has informed X of the individual’s interest in purchasing, hiring
or using any goods or services provided by X; or
(b) is conducting negotiations with X that lead or may lead to an
agreement between the individual and X for the purchase, hire
or use of any goods or services provided by X.
[40/2020]
SECOND SCHEDULE
Sections 2(1) and 17(1)
ADDITIONAL BASES FOR COLLECTION, USE AND
DISCLOSURE OF PERSONAL DATA WITHOUT CONSENT
PART 1
COLLECTION OF PERSONAL DATA
1. The collection of personal data about an individual, if —
(a) the personal data was disclosed by a public agency; and
(b) the collection of the personal data by the organisation is consistent with
the purpose of the disclosure by the public agency.
PART 2
USE OF PERSONAL DATA
Division 1 — Public interest
1. The use of personal data about an individual, if —
(a) the personal data was disclosed by a public agency; and
(b) the use of the personal data by the organisation is consistent with the
purpose of the disclosure by the public agency.
Division 2 — Business improvement purpose
1.—(1) Subject to the conditions in sub-paragraph (2), personal data about an
individual (P) is used by the organisation for any of the following purposes:
(a) improving or enhancing any goods or services provided, or developing
new goods or services to be provided, by the organisation;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
105 Act 2012 2020 Ed.
SECOND SCHEDULE — continued
(b) improving or enhancing the methods or processes, or developing new
methods or processes, for the operations of the organisation;
(c) learning about and understanding the behaviour and preferences of P
or another individual in relation to the goods or services provided by
the organisation;
(d) identifying any goods or services provided by the organisation that
may be suitable for P or another individual, or personalising or
customising any such goods or services for P or another individual.
(2) Sub-paragraph (1) applies only if —
(a) the purpose for which the organisation uses personal data about P
cannot reasonably be achieved without the use of the personal data in
an individually identifiable form; and
(b) a reasonable person would consider the use of personal data about P
for that purpose to be appropriate in the circumstances.
(3) To avoid doubt, sub-paragraph (1) does not apply to the use of personal data
about P for the purpose of sending to P or another individual a message for an
applicable purpose within the meaning given by section 37(6).
(4) In this paragraph, “organisation” excludes a corporation within the meaning
given by section 4(1) of the Companies Act 1967.
Division 3 — Research
1. The use of personal data about an individual for a research purpose (including
historical or statistical research), if —
(a) the research purpose cannot reasonably be accomplished unless the
personal data is used in an individually identifiable form;
(b) there is a clear public benefit to using the personal data for the research
purpose;
(c) the results of the research will not be used to make any decision that
affects the individual; and
(d) in the event that the results of the research are published, the
organisation publishes the results in a form that does not identify the
individual.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 106
SECOND SCHEDULE — continued
PART 3
DISCLOSURE OF PERSONAL DATA WITHOUT CONSENT
Division 1 — Public interest
1. The disclosure of personal data about an individual to a public agency, where
the disclosure is necessary in the public interest.
2. The disclosure of personal data about an individual who is a current or former
student of an educational institution to a public agency for the purposes of policy
formulation or review.
3. The disclosure of personal data about an individual who is a current or former
patient of any of the following to a public agency for the purposes of policy
formulation or review:
(a) a healthcare institution licensed under the Private Hospitals and
Medical Clinics Act 1980;
(b) a licensee under the Healthcare Services Act 2020;
(c) a prescribed healthcare body.
4. The disclosure of personal data about any individual to any officer of a
prescribed law enforcement agency, upon production of written authorisation
signed by the head or director of that prescribed law enforcement agency or a
person of a similar rank, certifying that the personal data is necessary for the
purposes of the functions or duties of the officer.
Division 2 — Research
1. The disclosure of personal data about an individual for a research purpose
(including historical or statistical research), if —
(a) the research purpose cannot reasonably be accomplished unless the
personal data is disclosed in an individually identifiable form;
(b) it is impracticable for the organisation to seek the individual’s consent
for the disclosure;
(c) there is a clear public benefit to disclosing the personal data for the
research purpose;
(d) the results of the research will not be used to make a decision that
affects the individual; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
107 Act 2012 2020 Ed.
SECOND SCHEDULE — continued
(e) in the event that the results of the research are published, the
organisation publishes the results in a form that does not identify the
individual.
[40/2020]
THIRD SCHEDULE
[Repealed by Act 40 of 2020]
FOURTH SCHEDULE
[Repealed by Act 40 of 2020]
FIFTH SCHEDULE
Section 21(2)
EXCEPTIONS FROM ACCESS REQUIREMENT
1. An organisation is not required to provide information under section 21(1) in
respect of —
(a) opinion data kept solely for an evaluative purpose;
(b) any examination conducted by an education institution, examination
scripts and, prior to the release of examination results, examination
results;
(c) the personal data of the beneficiaries of a private trust kept solely for
the purpose of administering the trust;
(d) personal data kept by an arbitral institution or a mediation centre solely
for the purposes of arbitration or mediation proceedings administered
by the arbitral institution or mediation centre;
(e) a document related to a prosecution if all proceedings related to the
prosecution have not been completed;
(f) personal data which is subject to legal privilege;
(g) personal data which, if disclosed, would reveal confidential
commercial information that could, in the opinion of a reasonable
person, harm the competitive position of the organisation;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 108
FIFTH SCHEDULE — continued
(h) personal data collected, used or disclosed without consent, under
paragraph 3 of Part 3 of the First Schedule, for the purposes of an
investigation if the investigation and associated proceedings and
appeals have not been completed;
(i) personal data collected or created by a mediator or arbitrator in the
conduct of a mediation or arbitration for which he or she was appointed
to act —
(i) under a collective agreement under the Industrial Relations
Act 1960 or by agreement between the parties to the mediation
or arbitration;
(ii) under any written law; or
(iii) by a court, arbitral institution or mediation centre; or
(j) any request —
(i) that would unreasonably interfere with the operations of the
organisation because of the repetitious or systematic nature of
the requests;
(ii) if the burden or expense of providing access would be
unreasonable to the organisation or disproportionate to the
individual’s interests;
(iii) for information that does not exist or cannot be found;
(iv) for information that is trivial; or
(v) that is otherwise frivolous or vexatious.
2. For the purposes of paragraph 1(j)(i), the organisation may have regard to the
number and frequency of requests received.
[40/2020]
SIXTH SCHEDULE
Section 22(7)
EXCEPTIONS FROM CORRECTION REQUIREMENT
1. Section 22 does not apply in respect of —
(a) opinion data kept solely for an evaluative purpose;
(b) any examination conducted by an education institution, examination
scripts and, prior to the release of examination results, examination
results;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
109 Act 2012 2020 Ed.
SIXTH SCHEDULE — continued
(c) the personal data of the beneficiaries of a private trust kept solely for
the purpose of administering the trust;
(d) personal data kept by an arbitral institution or a mediation centre solely
for the purposes of arbitration or mediation proceedings administered
by the arbitral institution or mediation centre;
(e) a document related to a prosecution if all proceedings related to the
prosecution have not been completed; or
(f) derived personal data.
[40/2020]
SEVENTH SCHEDULE
Section 48P(5)
CONSTITUTION AND PROCEEDINGS OF DATA PROTECTION APPEAL
PANEL AND DATA PROTECTION APPEAL COMMITTEES
Data Protection Appeal Panel
1.—(1) The Data Protection Appeal Panel consists of not more than 30 members
appointed by the Minister on the basis of their ability and experience in industry,
commerce or administration or their professional qualifications or their suitability
otherwise for appointment.
(2) Members of the Appeal Panel are appointed for such period as the Minister
may determine and are eligible for re-appointment.
(3) The Minister may at any time revoke the appointment of any member of the
Appeal Panel without giving any reason.
(4) A member of the Appeal Panel may resign by giving written notice to the
Minister.
Chairperson of Appeal Panel or temporary Chairperson of Appeal Panel
2.—(1) The Chairperson of the Appeal Panel, unless his or her appointment is
revoked by the Minister or unless he or she resigns during his or her term of office,
holds office for such period as the Minister may determine and is eligible for
re-appointment.
(2) The Minister may appoint any member to be a temporary Chairperson of the
Appeal Panel during the temporary incapacity from illness or otherwise or during
the temporary absence from Singapore of the Chairperson of the Appeal Panel.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 110
SEVENTH SCHEDULE — continued
Secretary to Appeal Panel
2A.—(1) The Secretary to the Appeal Panel is to be appointed by the Minister.
(2) The Secretary is to provide administrative and secretarial support to the
Chairperson of the Appeal Panel, the Appeal Panel and every Appeal Committee,
in the discharge of their functions, duties and powers under this Act.
(3) The Secretary is to act in accordance with the instructions of the Chairperson
and, in particular, be responsible for —
(a) the acceptance, transmission, service and custody of documents
relating to the Appeal Panel, Appeal Committees and proceedings
relating to appeals; and
(b) keeping the records of proceedings relating to appeals in such form as
the Chairperson may direct.
(4) The Secretary and any person authorised under sub-paragraph (5) may attend
any meeting of an Appeal Committee to carry out their functions under this Act.
(5) The Secretary may be assisted in carrying out the Secretary’s functions under
this Act by persons authorised by the Secretary.
Constitution of Appeal Committee
2B.—(1) Where an appeal is made, the Chairperson of the Appeal Panel is to
nominate 3 or more members of the Appeal Panel (which may include the
Chairperson) to constitute an Appeal Committee to hear the appeal.
(2) For the proper functioning of any Appeal Committee, the Chairperson of the
Appeal Panel may at any time —
(a) terminate the nomination of any member of the Appeal Committee;
and
(b) reconstitute the Appeal Committee upon the termination of the
nomination, the expiry of the term of appointment or the withdrawal
of any member of the Appeal Committee.
(3) The reconstitution of an Appeal Committee under sub-paragraph (2)(b) does
not affect the validity of anything done by the Appeal Committee under this Act
before, on or after the reconstitution of the Appeal Committee.
Proceedings of Appeal Committees
3.—(1) The presiding member of an Appeal Committee is —
(a) the Chairperson of the Appeal Panel, if the Chairperson nominates
himself or herself as a member of the Appeal Committee; or
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
111 Act 2012 2020 Ed.
SEVENTH SCHEDULE — continued
(b) the member of the Appeal Panel appointed by the Chairperson of the
Appeal Panel as the presiding member of that Appeal Committee.
(2) However, in the absence at any meeting of the presiding member of an
Appeal Committee mentioned in sub-paragraph (1), another member of the
Appeal Committee chosen by the members of that Appeal Committee present is to
preside at that meeting.
(3) All matters coming before an Appeal Committee are to be decided by a
majority of votes of those members present and, in the event of an equality of
votes, the presiding member has a second or casting vote.
(4) Any member of the Appeal Panel whose term of appointment expires in the
course of proceedings by an Appeal Committee to which the member is appointed
continues as a member of that Appeal Committee until the Appeal Committee —
(a) completes its work on the appeal; or
(b) is earlier reconstituted under paragraph 2B(2)(b) without that member.
(5) An Appeal Committee is to meet for any purpose under this Act at such times
and places as determined by the presiding member before the meeting.
Powers of Appeal Committees
4.—(1) An Appeal Committee has all the powers and duties of the Commission
that are necessary to perform its functions and discharge its duties under this Act.
(2) An Appeal Committee has the powers, rights and privileges vested in a
District Court on the hearing of an action, including —
(a) the enforcement of the attendance of witnesses and their examination
on oath or otherwise;
(b) the compelling of the production of documents; and
(c) the award of such costs or expenses as may be prescribed under
section 65.
(3) A summons signed by such member of an Appeal Committee as may be
authorised by the Appeal Committee is equivalent to any formal procedure
capable of being issued in an action for enforcing the attendance of witnesses and
compelling the production of documents.
(4) Where any person being duly summoned to attend before an Appeal
Committee does not so attend, that person shall be guilty of an offence and shall be
liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term
not exceeding 6 months or to both.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 112
SEVENTH SCHEDULE — continued
(5) A witness before an Appeal Committee is entitled to the same immunities
and privileges as if he or she were a witness before a District Court.
(6) All appeals must be determined, having regard to the nature and complexity
of the appeal, as soon as reasonably practicable.
(7) An Appeal Committee must inform the Commission and the parties to the
appeal of the date on and the place at which the appeal is to be heard.
(8) An Appeal Committee must inform the Commission and the parties to the
appeal of its decision in respect of the appeal and the reasons for its decision.
(9) Subject to other provisions of this Act and regulations made under this Act,
an Appeal Committee may regulate its own procedure.
Allowances
5. Members of the Appeal Committee may receive such remuneration and such
travelling and subsistence allowances as the Minister may determine.
Validity of act or proceeding
6. No proceedings relating to any appeal before an Appeal Committee, and no
act of the Chairperson of the Appeal Panel or of the presiding member of an
Appeal Committee, is to be nullified only because of —
(a) in the case of an appeal or proceeding before or act of an Appeal
Committee, any vacancy in, or defect in the constitution of, the Appeal
Committee; or
(b) any defect in the appointment of the Chairperson of the Appeal Panel,
or any member (or presiding member) of an Appeal Committee, as the
case may be.
Definition
7. In this Schedule, “appeal” means an appeal under —
(a) section 34 as in force immediately before 1 February 2021; or
(b) section 48Q.
[40/2020; S 19/2015]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
113 Act 2012 2020 Ed.
EIGHTH SCHEDULE
Section 37(5)
EXCLUSION FROM MEANING OF “SPECIFIED MESSAGE”
1.—(1) For the purposes of Part 9, a specified message does not include any of
the following:
(a) any message sent by a public agency under, or to promote, any
programme carried out by any public agency which is not for a
commercial purpose;
(b) any message sent by an individual acting in a personal or domestic
capacity;
(c) any message which is necessary to respond to an emergency that
threatens the life, health or safety of any individual;
(d) any message the sole purpose of which is —
(i) to facilitate, complete or confirm a transaction that the recipient
of the message has previously agreed to enter into with the
sender;
(ii) to provide warranty information, product recall information or
safety or security information with respect to a product or
service purchased or used by the recipient of the message; or
(iii) to deliver goods or services, including product updates or
upgrades, that the recipient of the message is entitled to receive
under the terms of a transaction that the recipient has
previously agreed to enter into with the sender;
(e) any message, other than a message mentioned in sub-paragraph (d) —
(i) that is sent while the sender is in an ongoing relationship with
the recipient of the message; and
(ii) the sole purpose of which relates to the subject matter of the
ongoing relationship;
(f) any message the sole purpose of which is to conduct market research or
market survey;
(g) any message sent to an organisation other than an individual acting in a
personal or domestic capacity, for any purpose of the receiving
organisation.
(2) In sub-paragraph (1)(e), “ongoing relationship” means a relationship, on an
ongoing basis, between the sender and the recipient of the message, arising from
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 114
EIGHTH SCHEDULE — continued
the carrying on or conduct of a business or an activity (commercial or otherwise)
by the sender.
[22/2016; 40/2020]
NINTH SCHEDULE
Section 50(2)
POWERS OF INVESTIGATION OF COMMISSION AND INSPECTORS
Power to require documents or information
1.—(1) For the purposes of an investigation under section 50, the Commission
or an inspector may, by written notice to any organisation, require the organisation
to produce to the Commission or the inspector a specified document or specified
information, which the Commission or inspector considers relates to any matter
relevant to such investigation.
(2) A notice under sub-paragraph (1) must indicate the purpose for which the
specified document or specified information is required by the Commission.
(3) The Commission may specify in the notice —
(a) the time and place at which any document is to be produced or any
information is to be provided; and
(b) the manner and form in which it is to be produced or provided.
(4) The power under this paragraph to require an organisation to produce a
document includes the power —
(a) if the document is produced —
(i) to take copies of it or extracts from it; and
(ii) to require the organisation, or any person who is a present or
past officer of the organisation, or is or was at any time
employed by the organisation, to provide an explanation of the
document; or
(b) if the document is not produced, to require the organisation or person
to state, to the best of the organisation’s or person’s knowledge and
belief, where it is.
(5) In sub-paragraphs (1) and (2), “specified” means —
(a) specified or described in the notice; or
(b) falling within a category which is specified or described in the notice.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
115 Act 2012 2020 Ed.
NINTH SCHEDULE — continued
Power to require provision of information, etc.
1A.—(1) For the purposes of an investigation under section 50, the Commission
or an inspector may do all or any of the following:
(a) require, by written notice, any person whom the Commission or
inspector reasonably believes has any information, or any document in
the person’s custody or control, that is relevant to the investigation, to
provide that information or produce that document, within the time and
in the manner specified in the written notice;
(b) require, by written notice, any person within the limits of Singapore,
who appears to be acquainted with the facts or circumstances of the
matter, to attend before the Commission or inspector;
(c) examine orally any person who appears to be acquainted with the facts
or circumstances of the matter.
(2) A person examined under sub-paragraph (1)(c) is bound to state truly the
facts and circumstances with which the person is acquainted concerning the matter
except that the person need not say anything that might expose the person to a
criminal charge, penalty or forfeiture.
(3) A statement made by a person examined under sub-paragraph (1)(c) must —
(a) be reduced to writing;
(b) be read over to the person;
(c) if the person does not understand English, be interpreted in a language
that the person understands; and
(d) after correction (if necessary), be signed by the person.
Power to enter premises without warrant
2.—(1) In connection with an investigation under section 50, an inspector, and
such other persons as the inspector may require to assist him or her, may enter any
premises.
(2) An inspector or a person assisting the inspector must not enter any premises
in exercise of the powers under this paragraph unless the inspector has given the
occupier of the premises a written notice which —
(a) gives at least 2 working days’ notice of the intended entry; and
(b) indicates the subject matter and purpose of the investigation.
(3) Sub-paragraph (2) does not apply if the inspector has reasonable grounds for
suspecting that the premises are, or have been, occupied by an organisation which
is being investigated in relation to a contravention of this Act and if the inspector
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 116
NINTH SCHEDULE — continued
has taken all such steps as are reasonably practicable to give written notice under
that sub-paragraph but has not been able to do so.
(4) Where sub-paragraph (3) applies, the power of entry conferred by
sub-paragraph (1) shall be exercised upon production of —
(a) evidence of the inspector’s appointment; and
(b) a document containing the information referred to in
sub-paragraph (2)(b).
(5) An inspector or a person assisting the inspector entering any premises under
this paragraph may —
(a) take with him or her such equipment as appears to him or her to be
necessary;
(b) require any person on the premises —
(i) to produce any document which he or she considers relates to
any matter relevant to the investigation; and
(ii) if the document is produced, to provide an explanation of it;
(c) require any person to state, to the best of the person’s knowledge and
belief, where any such document is to be found;
(d) take copies of, or extracts from, any document which is produced;
(e) require any information which is stored in any electronic form and is
accessible from the premises and which he or she considers relates to
any matter relevant to the investigation, to be produced in a form —
(i) in which it can be taken away; and
(ii) in which it is visible and legible; and
(f) take any step which appears to be necessary for the purpose of
preserving or preventing interference with any document which he or
she considers relates to any matter relevant to the investigation.
Power to enter premises under warrant
3.—(1) The Commission or any inspector may apply to a court for a warrant and
the court may issue such a warrant if it is satisfied that —
(a) there are reasonable grounds for suspecting that there are, on any
premises, documents —
(i) the production of which has been required under paragraph 1
or 2; and
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
117 Act 2012 2020 Ed.
NINTH SCHEDULE — continued
(ii) which have not been produced as required;
(b) there are reasonable grounds for suspecting that —
(i) there are, on any premises, documents which the Commission
or the inspector has power under paragraph 1 to require to be
produced; and
(ii) if the documents were required to be produced, they would not
be produced but would be concealed, removed, tampered with
or destroyed; or
(c) an inspector or a person assisting the inspector has attempted to enter
the premises in the exercise of his or her powers under paragraph 2 but
has been unable to do so and that there are reasonable grounds for
suspecting that there are, on the premises, documents the production of
which could have been required under that paragraph.
(2) A warrant under this paragraph authorises a named officer, and such other
persons as the inspector may require to assist him or her, to do all or any of the
following:
(a) to enter the premises specified in the warrant, using such force as is
reasonably necessary for the purpose;
(b) to search any person on those premises if there are reasonable grounds
for believing that that person has in his or her possession any
document, equipment or article which has a bearing on the
investigation;
(c) to search the premises and take copies of, or extracts from, any
document appearing to be of a kind in respect of which the application
under sub-paragraph (1) was granted (the relevant kind);
(d) to take possession of any document appearing to be of the relevant kind
if —
(i) such action appears to be necessary for preserving the
document or preventing interference with it; or
(ii) it is not reasonably practicable to take copies of the document
on the premises;
(e) to take any other step which appears to be necessary for the purpose
mentioned in sub-paragraph (d)(i);
(f) to require any person to provide an explanation of any document
appearing to be of the relevant kind or to state, to the best of the
person’s knowledge and belief, where it may be found;
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 118
NINTH SCHEDULE — continued
(g) to require any information which is stored in any electronic form and is
accessible from the premises and which he or she considers relates to
any matter relevant to the investigation, to be produced in a form —
(i) in which it can be taken away; or
(ii) in which it is visible and legible; and
(h) to remove from those premises for examination any equipment or
article which relates to any matter relevant to the investigation.
(3) If, in the case of a warrant under sub-paragraph (1)(b), the court is satisfied
that it is reasonable to suspect that there are also on the premises other documents
relating to the investigation concerned, the warrant also authorises the actions
mentioned in sub-paragraph (2) to be taken in relation to any such document.
(4) Where possession of any document is taken under sub-paragraph (2)(d) or
(3), the named officer may, at the request of the person from whom possession of
the document was taken, provide such person with a copy of the document.
(5) A named officer may allow any equipment or article which has a bearing on
an investigation and which may be removed from any premises for examination
under sub-paragraph (2)(h) to be retained on those premises subject to such
conditions as the named officer may require.
(6) A warrant issued under this paragraph —
(a) must indicate the subject matter and purpose of the investigation; and
(b) continues in force until the end of one month beginning from the day
on which it is issued.
(7) The powers conferred by this paragraph must not be exercised except upon
production of a warrant issued under this paragraph.
(8) A person entering any premises by virtue of a warrant under this
paragraph may take with the person such equipment as appears to the person to
be necessary.
(9) If there is no one at the premises when the named officer proposes to execute
such a warrant, the named officer must, before executing it —
(a) take such steps as are reasonable in all the circumstances to inform the
occupier of the intended entry; and
(b) if the occupier is informed, give the occupier or the occupier’s legal or
other representative a reasonable opportunity to be present when the
warrant is executed.
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
119 Act 2012 2020 Ed.
NINTH SCHEDULE — continued
(10) If the named officer is unable to inform the occupier of the intended entry,
the named officer must, when executing the warrant, leave a copy of the warrant in
a prominent place on the premises.
(11) On leaving any premises which the named officer has entered by virtue of a
warrant under this paragraph, the named officer must, if the premises are
unoccupied or the occupier is temporarily absent, leave them as effectively
secured as the named officer found them.
(12) Any document of which possession is taken under sub-paragraph (2)(d) or
(3) may be retained for a period of not more than 3 months.
(13) In this paragraph —
“named officer” means an inspector named in the warrant;
“occupier”, in relation to any premises, means a person whom the inspector
reasonably believes is the occupier of those premises.
[40/2020]
TENTH SCHEDULE
Section 37(6)
APPLICABLE PURPOSES
1. Offering to supply goods or services.
2. Advertising or promoting goods or services.
3. Advertising or promoting a supplier, or prospective supplier, of goods or
services.
4. Offering to supply land or an interest in land.
5. Advertising or promoting land or an interest in land.
6. Advertising or promoting a supplier, or prospective supplier, of land or an
interest in land.
7. Offering to provide a business opportunity or an investment opportunity.
8. Advertising or promoting a business opportunity or an investment
opportunity.
9. Advertising or promoting a provider, or prospective provider, of a business
opportunity or an investment opportunity.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
Personal Data Protection
2020 Ed. Act 2012 120
ELEVENTH SCHEDULE
Section 48F(4)
SPECIFIED PURPOSES
1. Testing the effectiveness of the anonymisation of personal data in the
possession or under the control of an organisation or a public agency, as the case
may be.
2. Testing the integrity and confidentiality of anonymised information in the
possession or under the control of an organisation or a public agency, as the case
may be.
3. Assessing, testing or evaluating the systems and processes of an organisation
or a public agency for ensuring or safeguarding the integrity and confidentiality of
anonymised information —
(a) in the possession or under the control of the organisation or public
agency; or
(b) transmitted or received by the organisation or public agency.
[40/2020]
Informal Consolidation – version in force from 1/10/2022
LEGISLATIVE HISTORY
PERSONAL DATA PROTECTION
ACT 2012
This Legislative History is a service provided by the Law Revision Commission
on a best-efforts basis. It is not part of the Act.
1. Act 26 of 2012 — Personal Data Protection Act 2012
Bill : 24/2012
First Reading : 10 September 2012
Second Reading : 15 October 2012
Notice of Amendments : 15 October 2012
Third Reading : 15 October 2012
Commencement : 2 January 2013 (Parts I, II, VIII, IX
(except sections 36 to 38, 41 and 43 to
48) and X (except section 67(1)), and
the First, Seventh and Ninth
Schedules)
2 December 2013 (sections 36, 37, 38
and 41)
2 January 2014 (sections 43 to 48 and
67(1) and the Eighth Schedule)
2 July 2014 (Parts III to VII, and the
Second to Sixth Schedules)
2. G.N. No. S 19/2015 — Personal Data Protection Act (Amendment of
Seventh Schedule) Order 2015
Commencement : 23 January 2015
3. Act 29 of 2014 — Business Names Registration Act 2014
(Amendments made by section 47 read with item 14 of the Schedule to the
above Act)
Bill : 26/2014
First Reading : 8 September 2014
Second and Third Readings : 8 October 2014
Commencement : 3 January 2016 (section 47 read with
item 14 of the Schedule)
Informal Consolidation – version in force from 1/10/2022
ii
4. Act 22 of 2016 — Info-communications Media Development Authority
Act 2016
(Amendments made by section 96 of the above Act)
Bill : 21/2016
First Reading : 11 July 2016
Second and Third Readings : 16 August 2016
Commencement : 1 October 2016 (section 96 except
section 96(v))
2 October 2016 (section 96(v))
5. Act 40 of 2019 — Supreme Court of Judicature (Amendment) Act 2019
(Amendments made by section 28(1) read with item 115 of the Schedule to the
above Act)
Bill : 32/2019
First Reading : 7 October 2019
Second Reading : 5 November 2019
Notice of Amendments : 5 November 2019
Third Reading : 5 November 2019
Commencement : 2 January 2021 (section 28(1) read
with item 115 of the Schedule)
6. 2020 Revised Edition — Personal Data Protection
Act 2012
Operation : 31 December 2021
7. Act 25 of 2021 — Courts (Civil and Criminal Justice) Reform Act 2021
Date of First Reading : 26 July 2021
(Bill No. 18/2021)
Date of Second and Third : 14 September 2021
Readings
Date of commencement : 1 April 2022
8. Act 40 of 2020 — Personal Data Protection (Amendment) Act 2020
Date of First Reading : 5 October 2020
(Bill No. 37/2020)
Date of Second and Third : 2 November 2020
Readings
Informal Consolidation – version in force from 1/10/2022
iii
Date of commencement : 1 February 2021 (except sections 14,
24, 39, 42, 44 and 45)
1 October 2022
Abbreviations
. (updated on 29 August 2022)
G.N. Gazette Notification
G.N. Sp. Gazette Notification (Special Supplement)
L.A. Legislative Assembly
L.N. Legal Notification (Federal/Malaysian)
M. Malaya/Malaysia (including Federated Malay States,
Malayan Union, Federation of Malaya and Federation of
Malaysia)
Parl. Parliament
S Subsidiary Legislation
S.I. Statutory Instrument (United Kingdom)
S (N.S.) Subsidiary Legislation (New Series)
S.S.G.G. Straits Settlements Government Gazette
S.S.G.G. (E) Straits Settlements Government Gazette (Extraordinary)
Informal Consolidation – version in force from 1/10/2022
You might also like
- Data Protection and Privacy Regulations, 2020No ratings yetData Protection and Privacy Regulations, 202036 pages
- Act No. 11 Sheria Ya Ulinzi Wa Taarifa Binafsi, 2022No ratings yetAct No. 11 Sheria Ya Ulinzi Wa Taarifa Binafsi, 202237 pages
- Digital Personal Data Protection Bill, 2022No ratings yetDigital Personal Data Protection Bill, 202225 pages
- Cyber & Data Protection Act Cap1207 No 5 of 2021 Gaz 2022-03-11No ratings yetCyber & Data Protection Act Cap1207 No 5 of 2021 Gaz 2022-03-1138 pages
- Data Protection and Privacy Regulations-2021No ratings yetData Protection and Privacy Regulations-202152 pages
- Cyber & Data Protection Act Cap1207 No 5 of 2021 Gaz 2022-03-11No ratings yetCyber & Data Protection Act Cap1207 No 5 of 2021 Gaz 2022-03-1138 pages
- Digital Personal Data Protection Act 2023 PresidentNo ratings yetDigital Personal Data Protection Act 2023 President21 pages
- Digital Personal Data Protection Act, 2023No ratings yetDigital Personal Data Protection Act, 202321 pages
- Personal Data Protection Bill 2020 UpdatedNo ratings yetPersonal Data Protection Bill 2020 Updated32 pages
- Data Protection Act Law 3020 W0rksheet 4 Week 7-2No ratings yetData Protection Act Law 3020 W0rksheet 4 Week 7-230 pages
- Digital Personal Data Protection Act 2023No ratings yetDigital Personal Data Protection Act 202321 pages
- Act 5 of 2021 Data Protection Act - WatermarkedNo ratings yetAct 5 of 2021 Data Protection Act - Watermarked38 pages
- Data Protection Singapore Vs United KingdomNo ratings yetData Protection Singapore Vs United Kingdom25 pages
- Republic Act 10173 - Data Privacy Act of 2012 National Privacy CommissionNo ratings yetRepublic Act 10173 - Data Privacy Act of 2012 National Privacy Commission15 pages
- The Uganda Data Protection and Privacy ACT100% (1)The Uganda Data Protection and Privacy ACT32 pages
- Personal Data Protection Act 2010 - 230609 - 174550No ratings yetPersonal Data Protection Act 2010 - 230609 - 17455053 pages
- IRR of RA 10173 Data Privacy Act of 2012No ratings yetIRR of RA 10173 Data Privacy Act of 201235 pages
- Translation - The Data Protection Act 2023 - 27marchNo ratings yetTranslation - The Data Protection Act 2023 - 27march26 pages
- Part I. The Personal Data Protection Act (The PDPA) - An IntroductionNo ratings yetPart I. The Personal Data Protection Act (The PDPA) - An Introduction1 page
- J 2015 10 SCC 213 2016 1 SCC Civ 102 2015 SCC OnLi Harshmanohar Jgueduin 20241110 210652 1 22No ratings yetJ 2015 10 SCC 213 2016 1 SCC Civ 102 2015 SCC OnLi Harshmanohar Jgueduin 20241110 210652 1 2222 pages
- J 2011 5 SCC 532 2011 2 SCC Civ 781 2011 SCC OnLin Harshmanohar Jgueduin 20241110 211258 1 19No ratings yetJ 2011 5 SCC 532 2011 2 SCC Civ 781 2011 SCC OnLin Harshmanohar Jgueduin 20241110 211258 1 1919 pages
- Group 3 - Sunil Sharma - Franchise AgreementNo ratings yetGroup 3 - Sunil Sharma - Franchise Agreement16 pages
- J 1957 SCR 77 AIR 1957 SC 255 22jglsabakrewal Jgueduin 20230916 130647 1 15No ratings yetJ 1957 SCR 77 AIR 1957 SC 255 22jglsabakrewal Jgueduin 20230916 130647 1 1515 pages
- Evans HumanitarianInterventionResponsibility 2013 2No ratings yetEvans HumanitarianInterventionResponsibility 2013 217 pages
- 1988 Cede Co V Technicolor Inc 542 A2d 1182No ratings yet1988 Cede Co V Technicolor Inc 542 A2d 118217 pages
- Union of India UOI and Ors Vs Deoki Nandan Aggarwa0428s920433COM524056No ratings yetUnion of India UOI and Ors Vs Deoki Nandan Aggarwa0428s920433COM5240568 pages
- Hand Tools - Metal: Marking Out, Measurement, Fitting & Assembly100% (2)Hand Tools - Metal: Marking Out, Measurement, Fitting & Assembly16 pages
- Central Civil Services (Conduct) Rules MCQNo ratings yetCentral Civil Services (Conduct) Rules MCQ11 pages
- Meo Class I Assessment Process MMD Kochi-1No ratings yetMeo Class I Assessment Process MMD Kochi-110 pages
- Carrier VRF Catalogue 2021 Tcm173-142860-Output-OutputNo ratings yetCarrier VRF Catalogue 2021 Tcm173-142860-Output-Output2 pages
- History Compass - 2022 - Milne Smith - Gender and Madness in Nineteenth Century BritainNo ratings yetHistory Compass - 2022 - Milne Smith - Gender and Madness in Nineteenth Century Britain10 pages
- Memorandum: Rivergate Place, Murrarie, QLD Hope Harbour Marina, QLD +1300 052 081No ratings yetMemorandum: Rivergate Place, Murrarie, QLD Hope Harbour Marina, QLD +1300 052 0813 pages
- PH Formative Assessment Training - Final Report - FINALNo ratings yetPH Formative Assessment Training - Final Report - FINAL50 pages
- Cambridge University Press American AntiquityNo ratings yetCambridge University Press American Antiquity4 pages
- Transportation Engineering Ii: Classification and Axle Loading of Commercial VehiclesNo ratings yetTransportation Engineering Ii: Classification and Axle Loading of Commercial Vehicles13 pages
