Law and the regulatory authority
Legislative framework
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?
The main data protection legislation in Singapore is the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA).
The PDPA applies to all organisations that collect, use or disclose personal data in Singapore, regardless of whether they are formed or recognised under Singapore law or whether they are resident or have an office or place of business in Singapore unless one of the exceptions under section 4 of the PDPA applies.
On 2 January 2014, provisions relating to the Do-Not-Call (DNC) registry came into force; and the main data protection provisions under parts III to VI of the PDPA (Data Protection Provisions) came into effect on 2 July 2014. The Data Protection Provisions set out the obligations of organisations with respect to the collection, use, disclosure, access to, correction and care of personal data.
The PDPA also provides for the establishment of the Personal Data Protection Commission (PDPC), the data protection authority.
Various regulations and advisory guidelines issued under the PDPA deal with specific issues in greater detail. The Personal Data Protection Regulations 2014 (the PDP Regulations) were gazetted on 19 May 2014. The PDP Regulations supplement the PDPA in three key areas, as follows:
- the requirements for transfers of personal data out of Singapore;
- the form, manner and procedures for making and responding to requests for access to or correction of personal data; and
- persons who may exercise rights in relation to disclosure of personal data of deceased individuals.
The other regulations issued under the PDPA include:
- Personal Data Protection (Composition of Offences) Regulations 2013;
- Personal Data Protection (Do Not Call Registry) Regulations 2013;
- Personal Data Protection (Enforcement) Regulations 2014; and
- Personal Data Protection (Appeal) Regulations 2015.
In addition, the PDPC has issued a number of advisory guidelines and guides to provide greater clarity on the interpretation of the PDPA. The PDPC has also developed sector-specific advisory guidelines for the telecommunication sector, the real estate agency sector, the education sector, the healthcare sector and the social service sector, as well as for transport services for hire (specifically in relation to in-vehicle recordings) and for management corporations.
The formulation of the PDPA framework has taken into account international best practices on data protection. As indicated during the second reading of the PDPA in Parliament, the then Minister of Information, Communications and the Arts had referred to the data protection frameworks in key jurisdictions such as Canada, New Zealand, Hong Kong and the European Union, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the APEC Privacy Framework, in developing the PDPA framework.
The PDPA is currently undergoing its first comprehensive review since its enactment in 2012. On 14 May 2020, the Ministry of Communications and Information (MCI) and the PDPC launched a public consultation on the proposed amendments to the PDPA. This proposed Personal Data Protection (Amendment) Bill 2020 (PDP (Amendment) Bill) follows in the wake of three public consultations held between 2017 and 2019.
On 20 February 2018, Singapore became the sixth APEC economy to participate in the APEC Cross-Border Privacy Rules (CBPR) system, along with the United States, Mexico, Canada, Japan and the Republic of Korea. Singapore also became the second APEC economy to participate in the APEC Privacy Recognition for Processors (PRP) system. Collectively, the CBPR and PRP systems allow a smoother exchange of personal data among certified organisations in participating economies, and ensure that data protection standards are maintained for consumers in the Asia-Pacific region.
Data protection authority
Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.
The PDPA is administered and enforced by the PDPC. The PDPC was originally established as a statutory body under the PDPA on 2 January 2013 and was under the purview of the MCI. With effect from 1 October 2016, the PDPC has been subsumed as a department under the Info-communications Media Development Authority (IMDA).
The PDPC may initiate an investigation to determine whether an organisation is in compliance with the PDPA, upon receipt of a complaint or on its own motion. As set out in the Advisory Guidelines on Enforcement of Data Protection Provisions, the factors that the PDPC may consider in deciding whether to commence an investigation include:
- whether the organisation may have failed to comply with all or a significant part of its obligations under the PDPA;
- whether the organisation’s conduct indicates a systemic failure by the organisation to comply with the PDPA or to establish and maintain the necessary policies and procedures to ensure its compliance;
- the number of individuals who are, or may be, affected by the organisation’s conduct;
- the impact of the organisation’s conduct on the complainant or any individual who may be affected;
- whether the organisation had previously contravened the PDPA or may have failed to implement the necessary corrective measures to prevent the recurrence of a previous contravention; and
- public interest considerations.
In the course of its investigation, the PDPC is empowered to:
- by notice in writing, require any organisation to produce any specified document or to provide any specified information;
- by giving at least two working days’ advance notice of intended entry, enter an organisation’s premises without a warrant; and
- obtain a search warrant to enter an organisation’s premises, and search the premises or any person on the premises (the latter, if there are reasonable grounds for believing that he or she has in his or her possession any document, equipment or article relevant to the investigation), and take possession of, or remove, any document and equipment or article relevant to an investigation.
The PDPC is also empowered to review complaints in relation to access and correction requests.
The PDPA also establishes the Data Protection Advisory Committee, which advises the PDPC on matters relating to the review and administration of the personal data protection framework, such as key policy and enforcement issues.
The PDP (Amendment) Bill aims to strengthen the PDPC’s enforcement powers by providing additional recourse to compel the attendance of witnesses, the provision of information and the production of documents. Non-compliance with such provisions may constitute an offence. As at the time of writing, the PDP (Amendment) Bill has yet to be introduced in parliament and the proposed amendments have yet to take effect.
Cooperation with other data protection authorities
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
The PDPC may enter into a cooperation agreement with a foreign data protection authority for data protection matters such as cross-border cooperation. Cooperation may take the form of information exchange or any other assistance as necessary to assist in the enforcement or administration of data protection laws.
Specifically, section 10 of the PDPA provides that the cooperation agreement has to be entered into for the purposes of:
- facilitating co-operation between the PDPC and another foreign data protection authority in the performance of their respective functions insofar as those functions relate to data protection; and
- avoiding duplication of activities by the PDPC and another foreign data protection authority, being activities involving the enforcement of data protection laws.
In this regard, the cooperation agreement may include provisions to:
- enable the PDPC and the other foreign data protection authority to furnish to each other information in their respective possession if the information is required by the other for the purpose of performance by it of any of its functions;
- provide such other assistance to each other as will facilitate the performance by the other of any of its functions; and
- enable the PDPC and the other foreign data protection authority to forbear to perform any of their respective functions in relation to a matter in circumstances where it is satisfied that the other is performing functions in relation to that matter.
Under the PDPA, the PDPC may only furnish information to a foreign data protection authority pursuant to a cooperation agreement if it requires of and obtains from that authority an undertaking in writing by it that it will comply with terms specified in that agreement, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the PDPC.
Where the information requested contains personal data that is treated as confidential under the PDPA, the PDPC may only disclose the information to the foreign data protection authority if the following conditions are satisfied:
- the information or documents requested by the foreign data protection authority are in the possession of the PDPC;
- the foreign data protection authority undertakes to keep the information confidential at all times; and
- the disclosure of the information is not likely to be contrary to the public interest (section 59(5) of the PDPA).
The PDPC is also a participant in the Asia-Pacific Economic Cooperation Cross-border Privacy Enforcement Arrangement (APEC CPEA), which creates a framework for the voluntary sharing of information and provision of assistance for privacy enforcement-related activities.
Breaches of data protection
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Generally, the powers of the PDPC in the enforcement of any breach of data protection law include:
- powers relating to alternative dispute resolution (ADR);
- powers relating to review applications; and
- powers of investigation.
Any individual affected by an organisation’s non-compliance with any of the Data Protection Provisions may lodge a complaint with the PDPC. Upon receipt of a complaint, the PDPC may investigate or review the matter, or direct the parties as to the appropriate mode of dispute resolution.
With respect to ADR, under the proposed PDP (Amendment) Bill, the PDPC is given the power to establish or approve one or more mediation schemes, and to direct complainants to resolve disputes via mediation, without the need to secure the consent of both parties.
As to the type of enforcement action it may take, the PDPC may choose to do any one of the following.
Suspend or discontinue an investigation
The PDPC may discontinue investigations and simply issue an advisory notice where the impact is assessed to be low. Examples of circumstances where the PDPC may do so include where a complainant has not complied with a direction, the parties involved have mutually agreed to settle, or any party has commenced legal proceedings in respect of any contravention of the PDPA.
Undertaking
The PDPC may initiate an undertaking process, which includes a written agreement between the organisation and the PDPC in which the organisation voluntarily commits to remedy the breaches and take steps to prevent a recurrence. A key consideration is the effectiveness of the remediation plan and the organisation’s readiness to implement it forthwith. The organisation’s request to invoke the undertaking process must be made very soon after the incident is known. The PDPC will not accept an undertaking request in certain cases, eg, where the organisation refutes responsibility for the data breach incident, or where the organisation does not agree for the undertaking to be published.
The proposed PDP (Amendment) Bill will enhance the effectiveness of undertakings as an enforcement mechanism by empowering the PDPC to accept statutory undertakings from an organisation when the PDPC has reasonable grounds to believe that an organisation has not complied, is not complying or is likely not to comply with the PDPA, and provides a range of options for enforcing breaches of undertakings, such as issuing directions and applying for the directions to be registered by the District Court.
Expedited breach decision
The PDPC may issue an expedited breach decision at its discretion in certain circumstances where there is an upfront, voluntary admission of liability for breaching relevant obligations under the PDPA. The expedited breach decision will achieve the same enforcement outcome as a full investigation. Where financial penalties are involved, the organisation’s admission of its role in the incident will be taken as a strong mitigating factor. However, admissions might not be considered as a mitigating factor for repeated data breaches. The organisation must make a written request to the PDPC for an expedited decision when investigations commence.
Full investigation process
For incidents with high impact, and where facilitation or mediation is inappropriate in the circumstances (eg, where there is a disclosure of personal data on a large scale or where the personal data disclosed could cause significant harm), the PDPC may initiate a full investigation.
That said, where the PDPC is satisfied that an organisation has breached the Data Protection Provisions under the PDPA, it is empowered with wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:
- stop collecting, using or disclosing personal data in contravention of the PDPA;
- destroy personal data collected in contravention of the PDPA;
- provide access to or correct personal data, or reduce or make a refund of any fee charged for any access or correction request; or
- pay a financial penalty of up to S$1 million.
Under the proposed PDP (Amendment) Bill, the present financial penalty cap is raised to up to 10 per cent of an organisation’s annual gross turnover in Singapore or S$1 million, whichever is higher.
Financial penalties are intended to act as a form of sanction and deterrence against non-compliance when directions alone do not sufficiently reflect the seriousness of the breach. In assessing the seriousness of the breach, the PDPC considers a number of factors, including the following:
- impact of the organisation’s breach;
- whether the organisation had acted deliberately or wilfully;
- whether the organisation had known or ought to have known the risk of a serious contravention and failed to take reasonable steps to prevent it;
- extent of non-compliance in terms of the PDPA obligations that the organisation had failed to discharge;
- number of individuals whose personal data had been subjected to harm and risks as a result of the breach;
- whether the organisation had appointed a data protection officer or equivalent to ensure accountability with the PDPA;
- types of personal data that were compromised or put at risk as a result of the breach; and
- whether the organisation had previously been found to have similarly breached the PDPA.
To date, the PDPC has issued more than 100 published grounds of decisions, with a significant majority of these cases relating to breaches of the Protection Obligation. On 15 January 2019, the PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on SingHealth Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA. This unprecedented data breach, which arose from a cyberattack on SingHealth’s patient database system, caused the personal data of some 1.5 million patients to be compromised.
Any person who suffers loss or damage directly as a result of a contravention of any of the Data Protection Provisions may also commence a private civil action in respect of such loss or damage suffered.
Criminal penalties
The PDPA provides for the imposition of criminal penalties for certain offences, namely:
- a person found guilty of making requests to obtain access to or correct the personal data of another individual without authority from that individual may be liable on conviction to a fine not exceeding S$5,000 or to imprisonment for a term not exceeding 12 months, or both;
- a person found guilty of intentionally disposing of, altering, falsifying, concealing or destroying a record containing personal data or information about the collection, use or disclosure of personal data may be punishable upon conviction with, in the case of an individual, a fine of up to S$5,000, and in the case of an organisation, a fine of up to S$50,000; and
- the obstruction of PDPC officers (eg, in the course of their investigations) or provision of false statements to the PDPC may be punishable upon conviction with, in the case of an individual, a fine of up to S$10,000 or imprisonment for a term not exceeding 12 months; and in the case of an organisation, a fine of up to S$100,000.
Furthermore, any organisation that breaches the DNC Provisions in the PDPA is liable to a fine of up to S$10,000 per offence. In appropriate cases, the PDPC may compound the offence for a sum of up to S$1,000. Whether composition is offered and the amount of composition will be decided by the PDPC based on the facts of each case.
Scope
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The Personal Data Protection Act (PDPA) applies to all organisations in Singapore, regardless of their scale or size.
An ‘organisation’ is defined broadly under the PDPA as including any individual, company, association or body of persons, corporate or unincorporated, and whether or not formed or recognised under the law of Singapore, or resident or having an office or place of business in Singapore.
Certain categories of organisations are carved out of the application of the PDPA, such as:
- individuals acting in a personal or domestic capacity;
- employees acting in the course of their employment with an organisation; and
- public agencies, or organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data.
The proposed PDP (Amendment) Bill limits the application of the last two exemptions by removing the exclusion for organisations acting on behalf of public agencies in relation to the collection, use or disclosure of personal data, and by introducing new offences to hold individuals, including employees, accountable for egregious mishandling of personal data in the possession of or under the control of an organisation or a public agency.
The PDPA is intended to set a baseline standard for personal data protection across the private sector, and will operate alongside (and not override) existing laws and regulations. The PDPA provides that the general data protection framework does not affect any right or obligation under the law, and that in the event of any inconsistency, the provisions of other written laws will prevail.
The PDPC has also published a number of sector-specific advisory guidelines which provide greater clarity on the interpretation of the PDPA in various sectors.
Communications, marketing and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
To the extent that personal data is collected in the interception of communications and in the monitoring and surveillance of individuals, the PDPA applies to the organisation collecting such data. As such, the individual’s consent has to be sought before any such collection takes place unless such consent is not required.
For example, the Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised 9 October 2019) (Selected Topics Guidelines) indicate that an employer may not need to seek consent for any personal data collected from its monitoring of its employees’ use of company computer network resources as long as such collection is reasonable for the purpose of managing or terminating the employment relationship, although under section 20(4) of the PDPA, it is still required to notify its employees of this purpose for such collection of their personal data.
In relation to closed-circuit television (CCTV) surveillance, the Selected Topics Guidelines explicitly clarify that organisations that install a CCTV system on their premises are required to put up notices informing individuals that CCTV is in use on the premise, stating the use and purpose of such surveillance, and if both audio and video recordings are taking place, to state as such, in order to fulfil their obligation to obtain consent for the collection, use or disclosure of personal data from CCTV footage. This is unless such consent is not required, for example, if the CCTV surveillance is necessary for any investigation or proceedings, insofar as it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data.
In addition, where an organisation collecting such personal data via the interception of communications or the performance of surveillance or monitoring activities is a public agency (eg, the Singapore Police Force or the Info-communications Media Development Authority (IMDA)), it is excluded from the application of the PDPA under section 4(1)(c) of the PDPA. Thus, to the extent that the above exceptions apply, the organisation collecting personal data via interception of communications or monitoring and surveillance of individuals will not have to seek the individuals’ consent prior to such collection.
Apart from the PDPA, there are provisions in other laws or regulations that allow for the interception of communications and the monitoring and surveillance of individuals. Below is a non-exhaustive list of such provisions:
- Organisations providing telecommunications services and holding services-based operations licences may have to comply with interception requests by the IMDA and other authorities. Specifically, condition 16.2 of the IMDA’s standard Services-Based Operator (Individual) (SBO (I)) licence conditions expressly permits disclosure of subscriber information where such disclosure is deemed necessary by the IMDA or such other relevant law enforcement or security agencies in the exercise of their functions or duties. Condition 26.1 of the IMDA’s standard SBO (I) licence conditions also requires licensees to ‘provide the [IMDA] with any document and information within its knowledge, custody or control, which the [IMDA] may, by notice or direction require’.
- Section 20 of the Criminal Procedure Code (Cap. 68) empowers the police to require the production of a ‘document or other thing’ (which is necessary or desirable for any investigation, inquiry, trial or another proceeding under the Code) by issuing a written order to ‘the person in whose possession or power the document or thing is believed to be’.
- Section 10 of the Kidnapping Act (Cap. 151) states that the Public Prosecutor may authorise any police officer to, among others, ‘intercept any message transmitted or received by telecommunication’ or ‘intercept or listen to any conversation by telephone’.
- Section 19 of the Cybersecurity Act 2018 (No. 9 of 2018) (Cybersecurity Act) states that where information regarding a cybersecurity threat or incident has been received by the Commissioner, he may exercise certain powers as are necessary to investigate the cybersecurity threat or incident, including the power to require the provision of any document in a person’s possession or information considered to be related to the matter.
Electronic marketing
Generally, where the personal data of an individual is collected, used and disclosed for marketing purposes, the consent of the individual concerned must be obtained and such consent must not have been obtained as a condition for the provision of a product or service where it would not be reasonably required to provide that product or service. The PDPC has noted in its Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 9 October 2019) (Key Concepts Guidelines) that a failure to opt out will not be regarded as consent in all situations, and recommended that organisations obtain consent from an individual through a positive action of the individual (eg, opt-in consent).
In relation to the sending of marketing communications by telephone call or text messaging (or fax) to a Singapore telephone number, Part IX of the PDPA (ie, the Do-Not-Call (DNC) Provisions) requires an organisation to:
- verify against the relevant DNC Register to confirm that the telephone number is not listed before sending the message or calling, unless clear and unambiguous consent to the sending of the specified message to that number is obtained in evidential form;
- ensure that the message is identified as a marketing message and includes information identifying the sender and details of how the sender can be readily contacted, with such details and contact information being reasonably likely to remain valid for at least 30 days after the sending of the message; and
- for voice calls, not conceal or withhold the calling line identity from the recipient.
A limited exception exists with respect to sending messages to individuals with whom the organisation has an ongoing relationship.
Under the proposed PDP (Amendment) Bill, the DNC Provisions will be amended to prohibit the sending of specified messages to telephone numbers obtained through the use of dictionary attacks and address harvesting software. Furthermore, the bill imposes an obligation on third-party checkers to communicate accurate DNC Register query results to organisations that they are checking the DNC Register on behalf of. Liability will be imposed on such service providers for infringements resulting from erroneous information provided by them.
Currently, breaches of the DNC Provisions are enforced as criminal offences. The PDP (Amendment) Bill intends for PDPC to enforce these requirements under the same administrative regime as the Data Protection Provisions, which will empower PDPC to issue directions (eg, imposing financial penalties) for infringement.
Section 11 read with the Second Schedule of the Spam Control Act (Cap. 331) (Spam Control Act) requires any person who ‘sends, causes to be sent or authorises the sending of unsolicited commercial electronic messages (which include both emails and SMS/MMS) in bulk’ to comply with certain obligations. These include, among others, requirements that unsolicited commercial electronic messages must contain an unsubscribe facility; the label ‘<ADV>’ to indicate that the message is an advertisement; and the message must not contain header information that is false or misleading. Section 9 of the Spam Control Act also prohibits electronic messages from being sent to electronic addresses generated or obtained through the use of a dictionary attack or address-harvesting software. The Spam Control Act provides for civil liability (including the grant of an injunction or the award of damages) against parties in breach of these requirements. Statutory damages of up to S$25 per message may be awarded, up to an aggregate of S$1 million (unless the plaintiff proves that his or her actual loss is higher).
Under the proposed PDP (Amendment) Bill, the Spam Control Act will be amended to cover messages sent to instant messaging (IM) accounts via IM platforms, including platforms such as Telegram and WeChat.
Other laws
Identify any further laws or regulations that provide specific data protection rules for related areas.
Prior to the enactment of the PDPA, Singapore did not have an overarching law governing the protection of personally identifiable information (PII). The collection, use, disclosure and care of personal data in Singapore were regulated to a certain extent by a patchwork of laws including common law, sector-specific legislation and various self-regulatory or co-regulatory codes. These existing sector-specific data protection frameworks continue to operate alongside the PDPA.
Various other laws and regulations in Singapore set out specific data protection rules, some of which are sector-specific. For instance:
- the Banking Act proscribes the disclosure of customer information by a bank or its officers;
- the Computer Misuse Act (Cap. 50A) deals with computer system hackers and other similar forms of unauthorised access or modification to computer systems;
- the Cybersecurity Act establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore to ensure that computers, systems and data are better protected;
- the Electronic Transactions Act (Cap. 88) provides for the security and use of electronic transactions by criminalising any disclosure of electronic data obtained pursuant to the Act, unless the disclosure is expressly allowed under the Act, required by any written law, or mandated by an order of court;
- the Private Hospitals and Medical Clinics Act (Cap. 248) contains provisions relating to the confidentiality of information held by private hospitals, medical clinics, clinical laboratories and healthcare establishments licensed under the Act;
- the Official Secrets Act (Cap. 213) contains provisions relating to the prevention of disclosure of official documents and information;
- the Statutory Bodies and Government Companies (Protection of Secrecy) Act (Cap. 319) details provisions protecting the secrecy of information of statutory bodies and government companies; and
- the Telecom Competition Code issued under the Telecommunications Act (Cap. 323) contains certain provisions pertaining to the safeguarding of end-user service information.
With regard to the financial sector, the Monetary Authority of Singapore (MAS) is empowered under the Monetary Authority of Singapore Act (Cap. 186) and other sectoral legislation to issue directives and notices. Examples of MAS-issued regulatory instruments which are relevant to data protection include the Notices on Cyber Hygiene, Notices and Guidelines on Technology Risk Management, Notices and Guidelines on Prevention of Money Laundering and Countering the Financing of Terrorism, and the Guidelines on Outsourcing. These regulations operate alongside the PDPA and prevail to the extent of any inconsistency.
PII formats
What forms of PII are covered by the law?
All formats of ‘personal data’ are covered under the PDPA, whether electronic or non-electronic, and regardless of the degree of sensitivity. ‘Personal data’ is broadly defined under the PDPA as data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
Nonetheless, the PDPA provides for certain exceptions and limitations for the applicability of the Data Protection Provisions for certain types of personal data, such as personal data that is contained in a record that has been in existence for at least 100 years, or ‘business contact information’ as defined under the PDPA.
Extraterritoriality
Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?
The Data Protection Provisions apply to all organisations that collect, use or disclose personal data in Singapore, regardless of whether they are formed or recognised under Singapore law or whether they are resident or have an office or place of business in Singapore. As such, organisations that are located overseas are still subject to the Data Protection Provisions as long as they collect, use or disclose personal data in Singapore. In addition, organisations that collect personal data overseas and host or process it in Singapore will also be subject to the relevant obligations under the PDPA from the point that such data is brought into Singapore.
Covered uses of PII
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?
Yes, the PDPA regulates the collection, use and disclosure of personal data by an organisation. An organisation that collects, uses or discloses personal data is accordingly required to comply with the Data Protection Provisions under the PDPA.
A ‘data intermediary’, however, is exempt from the majority of the Data Protection Provisions under the PDPA. A data intermediary refers to an organisation that processes personal data on behalf of and for the purposes of another organisation (the principal organisation) pursuant to a written contract. A data intermediary is only required to comply with the rules relating to the protection and retention of personal data, while the principal organisation is subject to the full suite of Data Protection Provisions under the PDPA as if it were processing the personal data itself.
A data intermediary that processes personal data in a manner that goes beyond the processing required under the written contract would not be considered a data intermediary, and is subject to the full suite of Data Protection Provisions under the PDPA in respect of that processing.
Law stated date
Correct on
Give the date on which the information above is accurate.
26 May 2020