FAQs
FAQs for Organisations

General

  1. What is 'personal data'?
  2. When will the Personal Data Protection Act (PDPA) come into force?
  3. What are the objectives of the PDPA?
  4. How does the PDPA benefit organisations?
  5. How will the PDPA impact business costs?
  6. How is the PDPA different from the Spam Control Act?
  7. What is 'deemed' consent?
  8. What constitutes 'acting in personal or domestic capacity'?
  9. What is 'business contact information'?
  10. What are data intermediaries and how are they different from other organisations?
  11. Can organisations use existing feedback or enquiries channels to handle data protection enquiries and requests?
  12. Must all organisations appoint a data protection officer?
  13. Must the data protection officer be an employee based in Singapore?

Collection, Use & Disclosure

  1. How much personal data can an organisation collect?
  2. What can an organisation do with respect to existing personal data collected before the effective date of the data protection rules on 2 July 2014?
  3. How can an organisation obtain an individual's consent for the collection, use or disclosure of his or her personal data?
  4. Is the failure to opt out a form of consent?
  5. Can an organisation selling databases containing personal data to other organisations continue to do so after the PDPA comes into effect?

Access & Correction

  1. Must an organisation always provide access to an individual's personal data when a request is made?
  2. What personal data must an organisation provide when an individual submits an access request?
  3. Can an organisation charge a fee for access requests?
  4. Must an organisation provide correction to an individual's personal data when a request is made?
  5. Can an organisation charge a fee for correction requests?

Care of Personal Data

  1. How long can an organisation retain its customers' personal data for?
  2. What must an organisation do to ensure the personal data collected is protected?
  3. What are the rules on cross-border transfer of personal data?

Do Not Call Registry

General

  1. What does an organisation need to do in order to send out marketing messages to Singapore telephone numbers?
  2. When will the DNC Registry be ready?
  3. What are the DNC Registers available?
  4. What telephone numbers can be registered with the DNC Registry?
  5. Will telephone numbers registered with the DNC Registry expire?
  6. For organisations that are currently using a list of contacts for the purpose of telemarketing, is clear and unambiguous consent from the individuals in that list still required to continue using that contact list for telemarketing when the DNC provisions come into effect on 2 January 2014?
  7. Do organisations have to check the DNC Registry for all telemarketing messages they intend to send out?
  8. Can an organisation rely on the Exemption Order to continue sending telemarketing messages to an individual that it has an ongoing relationship with?
  9. What is meant by an 'ongoing relationship'?
  10. Will the DNC Registry cover overseas telemarketers?
  11. Are business-to-business (B2B) marketing calls or messages covered under the DNC Registry?
  12. Are telemarketing messages sent through applications such as WhatsApp covered under the DNC provisions?
  13. Are emails and mail delivered by post covered under the DNC Registry?
  14. If an organisation has obtained consent from an individual who is registered with the DNC Registry, can the organisation send telemarketing messages to him or her?
  15. What are the payment modes available?
  16. What information will appear on my credit card statement?
  17. What is the PDPC's bank account information?

Account Creation

  1. How can an organisation create an account with or check the DNC Registry?
  2. How much will it cost organisations to create an account with and check the DNC Registry?
  3. What are the types of accounts available?
  4. How many sub accounts can be created?
  5. When will the account be activated?
  6. Can the sub-account be issued to a different business entity such as a subsidiary?
  7. Can we terminate our DNC Registry account and request for a refund of the account creation fee?

Checking the Registry

  1. When must an organisation check the DNC Registry?
  2. How can an organisation check the DNC Registry?
  3. Can an organisation directly upload its list of telephone numbers to the DNC Registry?
  4. If an organisation checks on behalf of another organisation, does the latter also need an account with the DNC Registry?
  5. What is the validity period of the telephone numbers that have been submitted to the DNC Registry for checking?
  6. Will organisations be required to develop IT systems in order to check the DNC Registry?
  7. Can an organisation link its own system with the DNC Registry to facilitate checks?
  8. Does the PDPC endorse any third-party aggregator that offers to check the DNC Registry on behalf of others?
  9. Can we request for a refund of the duplicate numbers or duplicate files that were submitted for checking?

Credits

  1. What is the difference between purchasing credits through Pre-paid and Pay-per-use?
  2. How soon can an organisation use the credits purchased?
  3. Are the credits separately tagged to each main or sub account?
  4. Can the credits be transferred between sub accounts?
  5. Will unused credits be refunded?
  6. Can we opt for offline payment for transactions less than $5,000?
  7. Can we get a refund of the pre-paid credits that we have purchased but not utilised?

Informal Guidance

  1. Will the PDPC respond to all informal guidance applications?
  2. How soon can an organisation expect a response from the PDPC?
  3. Will informal guidance still be available when the PDPA is fully enforced?
  4. If the PDPC has agreed to provide informal guidance on an organisation's practices, will its practices be considered in breach of the PDPA while awaiting PDPC’s informal guidance on these practices?
  5. Will the submissions in informal guidance be used against an organisation in any future investigations organised by the PDPC?
  6. If an organisation's application is selected, will it be published?
  7. What is the scope of the informal guidance?
  8. How can an organisation follow up on an Informal Guidance query sent?

Advisory Guidelines

  1. How can the Advisory Guidelines help organisations?
  2. Will an organisation be considered compliant with the PDPA so long as it adheres to the Guidelines?
  3. Are the Guidelines considered legal advice by the PDPC?
  4. Do I have to pay for the Guidelines?
  5. When will the PDPC issue the next set of Guidelines? What will the Guidelines cover?

Enforcement

  1. How will the PDPC conduct an investigation into a DNC offence?
  2. What are the penalties for DNC Registry related offences?
  3. Do organisations have to keep records of ‘clear and unambiguous consent’ by individuals and when do organisations need to show that such consent was obtained?
  4. Can an organisation carry on with business during an inspection by the PDPC?
  5. Will the PDPC take away any original documents during an on-site investigation?
  6. What can an organisation do if it does not have any of the documents or information which the PDPC has requested for it to produce during an investigation?
  7. Can the PDPC enter an organisation’s premises without a warrant?
  8. Can an organisation request for legal advice before the PDPC enters its premises?
  9. If an organisation has certain security policies such as the prohibition of entry to those with cameras or laptops, can the organisation stop the PDPC from bringing such items into its premises?

Outreach

  1. Where can an organisation seek help?
  2. Are the events organised by the PDPC chargeable?
  3. Who are the target audiences for the events?
  4. How many employees can an organisation send to attend the events?
  5. What is the maximum number of participants for each event?
  6. How often does the PDPC organise such events?
  7. Where can the details of each event be found?
  8. How can organisations be kept up to date about PDPC's outreach activities?
  9. Should organisations attend data protection courses offered by third parties and are these courses endorsed by PDPC?

General

1. What is 'personal data'?

Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.

This includes unique identifiers (e.g. NRIC number, passport number); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc), which when taken together would be able to identify the individual. For example, Jack Lim, 36 years old, civil servant, lives at Blk 123 Bishan St 23.

2. When will the Personal Data Protection Act (PDPA) come into force?

To allow time for organisations to adjust to the new law, the PDPA will be implemented in phases. The provisions relating to the Do Not Call (DNC) Registry came into effect on 2 January 2014 and the provisions relating to personal data protection will come into force on 2 July 2014.

3. What are the objectives of the PDPA?

Complementing sector-specific frameworks, the PDPA will safeguard individuals’ personal data against misuse by regulating the proper management of personal data. Generally, individuals have the right to be informed of the purposes for which organisations are collecting, using or disclosing their personal data, giving individuals more control over how their personal data is used.

The PDPA also aims to enhance Singapore’s competitive advantages as a location for data hosting and management activities by strengthening Singapore’s reputation as a secure location for data, and giving assurance to businesses looking for safeguards to protect sensitive data sets.

4. How does the PDPA benefit organisations?

The PDPA will strengthen Singapore’s overall economic competitiveness, and enhance Singapore’s status as a trusted hub and choice location for global data management and processing services. The law will provide greater clarity on the rules and liabilities for businesses hosting personal data in Singapore. This will complement Singapore’s existing strengths, such as geographical location, reliability and advanced telecommunications infrastructure, to create a conducive environment for the fast-growing global data management and data processing industries, such as cloud computing, to thrive in Singapore. Having safeguards to protect data sets will also help facilitate the smooth transfer of data to and from jurisdictions that have enacted data protection laws, many of which place obligations on organisations to ensure sufficient protections for transfer of data overseas. These safeguards serve as an attractive draw for cloud computing and business analytics activities to be located in Singapore. Compliance with the regime also sends a positive message and builds up trust and credibility with consumers. Organisations will be able to assure their customers that their personal data will be sufficiently protected.

5. How will the PDPA impact business costs?

There may be some costs associated with complying with the PDPA, especially for businesses that have not adopted any data protection practices. Those that already have in place adequate data protection measures should not incur high incremental costs to comply with the new law. The impact on Small and Medium Enterprises should also be minimal if they do not collect, process or hold on to large amounts of personal data.

The costs should be viewed against the benefits of having such a law. The lack of a data protection regime potentially hinders the flow of information across borders and disadvantages Singapore businesses in the global economy, as data protection legislation is increasingly seen as a basic feature in an economy’s legal framework. 

The provisions of the PDPA were formulated keeping in mind the need to keep compliance costs manageable for businesses. A transition period (during which the PDPA is enacted but will not come into force) has been provided to allow organisations sufficient time to phase in the necessary measures to comply with the data protection regime.

6. How is the PDPA different from the Spam Control Act?

The Spam Control Act (“SCA”) sets out a framework to manage unsolicited commercial electronic messages sent in bulk through electronic mail, text and multimedia messaging, otherwise known as "spam". The SCA requires organisations to, among other things, provide an unsubscribe facility within the spam message and include a header in the subject field of the message or, where there is no subject field, as the first words in the message.

While the SCA manages the sending of spam messages, the PDPA sets out rules governing the proper collection, use and disclosure of personal data, which would include contact information of an individual. Under the PDPA, organisations are required to obtain consent for a stated purpose to collect, use or disclose the contact information of an individual, and safeguard such information, unless exceptions apply.

In addition, the provisions relating to the DNC Registry in the PDPA allow individuals to opt out of marketing messages (voice calls, SMS/MMS or fax) delivered to a Singapore telephone number.

Organisations are prohibited from sending marketing messages to Singapore telephone numbers registered with the DNC Registry unless they have obtained clear and unambiguous consent, in writing or other accessible form, to the sending of the marketing message to the particular Singapore telephone number.

In relation to the sending of spam messages, the PDPA applies to the collection, use and disclosure of individuals’ contact information for such purposes, while the SCA governs the manner in which the spam message may be sent. These frameworks will operate concurrently.

7. What is 'deemed' consent?

An individual is deemed to consent to the collection, use or disclosure of personal data by an organisation for a purpose if the individual voluntarily provides the personal data to the organisation for that purpose; and it is reasonable that he or she would do so.

For example, an individual seeking medical treatment in a medical facility, such as a clinic or hospital, would voluntarily provide his or her personal data for the purpose of seeking medical treatment. He or she would also be deemed to have consented to the collection and use of his or her personal data by the medical facility for that purpose.

8. What constitutes ‘acting in personal or domestic capacity’?

These are purposes to do with an individual’s personal, family or household affairs. For example, when an individual keeps a database of his or her friends’ and relatives’ names, addresses, contact numbers and birthdates for his or her own personal use, he or she is considered to be acting in a personal or domestic capacity. His or her keeping of the database will not be covered under the PDPA.

9. What is 'business contact information'?

Business contact information refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by him or her solely for his or her personal purposes.

Based on the above definition, business contact information will be excluded from the data protection requirements of the PDPA, except for the requirements relating to the DNC Registry.

10. What are data intermediaries and how are they different from other organisations?

An organisation shall be considered a data intermediary if it processes data on behalf of another organisation. Where the organisation processes personal data as a data intermediary pursuant to a contract which is evidenced or made in writing, the data intermediary will be subject to fewer obligations, namely those pertaining to protection and retention of personal data.

An example of a data intermediary could be an organisation which merely provides hosting or storage for personal data for another organisation.

Separately, the Electronic Transactions Act provides that a network service provider will not be subject to any liability under the PDPA, in respect of third-party material in the form of electronic records to which it merely provides access.

11. Can organisations use existing feedback or enquiries channels to handle data protection enquiries and requests?

Organisations may ride on existing infrastructure to handle data protection-related enquiries and requests.

12. Must all organisations appoint a data protection officer?

All organisations, including sole proprietorships, are required to designate at least one person (a “data protection officer”) to be responsible for ensuring that the organisation complies with the PDPA, such as developing personal data policies for the organisation’s compliance with the PDPA. This data protection officer (DPO) may be a person whose scope of work solely relates to data protection or a person in the organisation who takes on this role as one of his multiple responsibilities.

To be clear, compliance by the organisation with the PDPA remains the responsibility of the organisation notwithstanding the appointment of the data protection officer.

Organisations are also required to ensure that at least one data protection officer’s business contact information is made available to the public. The business contact information may be a general telephone number or email address of the organisation.

13. Must the data protection officer be an employee based in Singapore?

The DPO need not be an employee of the organisation. Organisations may outsource this function to a third party. The PDPA also does not prescribe where the DPO should be based. However, the DPO whose business contact information is provided has to be reachable whenever a member of the public in Singapore attempts to contact him, to be compliant with the PDPA requirements.

Collection, Use & Disclosure

1. How much personal data can an organisation collect, use or disclose?

Under the PDPA, an organisation may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that the organisation has notified to the individual unless an exception under the PDPA applies.

In addition, the organisation must obtain the consent of the individual to such collection, use or disclosure, unless any exception under the PDPA applies.

In this regard, organisations shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the product or service. For example, an organisation selling a consumer product to an individual should not require him or her to reveal his or her annual household income as a condition of selling him or her the product, although it may still ask him or her to provide such personal data as an optional field.

If the organisation wishes to collect any additional personal data, the organisation shall provide the individual the option of whether to consent to this.

2. What can an organisation do with respect to existing personal data collected before the effective date of the data protection rules on 2 July 2014?

Generally an organisation can continue to use the personal data that was collected prior to the effective date of the data protection rules, for the reasonable purposes for which the personal data was collected.

Consent will need to be obtained if the existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organisation or individual, unless any exception applies. The exceptions from the need to seek consent for collection, use or disclosure are set out in the Second, Third and Fourth Schedules of the PDPA respectively. These include exceptions catering to certain emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes.

As an example, if a company has been using its customer’s personal data to provide after-sales customer support prior to the PDPA, it can continue to do so after the PDPA comes into effect, even if it did not obtain consent previously. However, if it now intends to use the same personal data for direct marketing where it had not collected the personal data for this purpose, consent will need to be obtained for such a purpose.

3. How can an organisation obtain an individual’s consent for the collection, use or disclosure of his or her personal data?

Consent can be obtained in a number of different ways. As a best practice, an organisation should obtain consent that is in writing or recorded in a manner that is accessible for future reference, for example, if the organisation is required to prove that it had obtained consent.

An organisation may also obtain consent verbally although it may correspondingly be more difficult for an organisation to prove that it had obtained consent. For such situations, it would be prudent for the organisation to document the consent in some way.

4. Is the failure to opt out a form of consent?

Deeming that an individual has given his consent through inaction on his/her part will not be regarded as consent in all situations. Whether or not a failure to opt out can be regarded as consent will depend on the actual circumstances and facts of the case. Organisations are advised to obtain consent from an individual through a positive action of the individual to consent to the collection, use and disclosure of his personal data for the stated purposes.

5. Can an organisation selling databases containing personal data to other organisations continue to do so after the PDPA comes into effect?

An organisation may use personal data collected before 2 July 2014 for the purposes for which the personal data was collected, unless consent for such use is withdrawn or the individual has indicated to the organisation that he does not consent to the use of the personal data.

If an organisation intends to disclose the personal data on or after the appointed day (other than disclosure that is necessarily part of the organisation’s use of the personal data), the organisation must comply with the data protection provisions in relation to such disclosure. As the sale of databases containing personal data involves a disclosure of personal data, organisations must obtain valid consent from the relevant individuals before doing so.

Access & Correction

1. Must an organisation always provide access to an individual's personal data when a request is made?

An organisation is required to respond to an access request in respect of personal data in its possession as well as personal data that is under its control.

However, organisations are prohibited from providing an individual access if the provision of the data could reasonably be expected to:

  • cause immediate or grave harm to the individual’s safety or physical or mental health;
  • threaten the safety or physical or mental health of another individual;
  • reveal personal data about another individual;
  • reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
  • be contrary to national interest.

In addition, there are cases where organisations may deny access requests.

For example, organisations will not be required to provide access to personal data if it is subject to legal professional privilege, or if the disclosure of the information would reveal confidential commercial information that could harm the competitive position of the organisation. There are also exclusions for access to and correction in respect of any examination conducted by an education institution, examination scripts and examination results prior to their release. Organisations may also refuse access to or correction of opinion data kept solely for an evaluative purpose as defined in the PDPA.

The specific exceptions may be found in section 21 and the Fifth Schedule of the PDPA.

2. What personal data must an organisation provide when an individual submits an access request?

An organisation that receives an access request from an individual is required to provide the information requested by the individual. This may include:

  • some or all of the individual’s personal data (as specified in the request); and
  • information about the ways the personal data has been or may have been used or disclosed by the organisation (as specified in the request).

3. Can an organisation charge a fee for access requests?

Organisations may charge an individual a minimal fee for access to personal data about the individual. The purpose of the fee is to allow organisations to recover the incremental costs of responding to the access request. There is no prescribed amount of fees imposed on organisations, to allow for greater flexibility; organisations should exercise their discretion in deriving the minimal fee they charge based on their incremental costs of providing access.

4. Must an organisation provide correction to an individual's personal data when a request is made?

Upon request, an organisation is generally required to correct an error or omission and send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the correction, unless the other organisation does not need the corrected personal data for any legal or business purpose. For example, the organisation may have disclosed a customer’s name and address to a delivery company it engaged on a once-off basis to deliver a product that the customer has purchased. Since the delivery has been completed, the organisation will not be required to send the corrected personal data to the delivery company.

The corrected data may be sent only to specific organisations to which the data was disclosed by the organisation, if the individual consents to it.

An organisation need not make a correction where it is satisfied on reasonable grounds that a correction should not be made. In this case, the organisation shall annotate the personal data in its possession or under its control with the correction that is requested but not made.

An organisation is also not required to alter an opinion, including a professional or expert opinion.

Exceptions from the correction requirement may be found in the Sixth Schedule of the PDPA.

5. Can an organisation charge a fee for correction requests?

Organisations are not entitled to impose a charge for the correction of personal data, as it is the organisation’s obligation under the Accuracy Obligation to obtain personal data that is accurate and complete.

Care of Personal Data

1. How long can an organisation retain its customers' personal data for?

The PDPA does not prescribe the retention period. However, an organisation shall cease to retain personal data as soon as the purpose of collection is no longer served by the retention; and retention is no longer necessary for business or legal purposes.

2. What must an organisation do to ensure the personal data collected is protected?

An organisation shall make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

3. What are the rules on cross-border transfer of personal data?

The PDPA will apply to all personal data collected, used or disclosed in Singapore. As such, organisations that collect personal data overseas and host and/or process it in Singapore will still be subject to relevant obligations under the PDPA from the point that such personal data is brought into Singapore.

For organisations that collect personal data here and transfer such data overseas, the PDPA requires that measures be put in place by the organisation here transferring the personal data, to provide a comparable standard of protection overseas. These measures include the use of contractual agreements among the organisations involved in the transfer and the conditions are documented in the Advisory Guidelines on Key Concepts in the Personal Data Protection Act.

Do Not Call Registry - General

1. What does an organisation need to do in order to send out marketing messages to Singapore telephone numbers?

Before an organisation starts to send any marketing message to a Singapore telephone number, it should check that:

  1. the number it is sending/calling to is not registered with the DNC Registry;
  2. the messages it is sending contain clear and accurate information identifying the organisation, as well as its contact details; and
  3. if making a phone call, the telephone number it is making the call from is not concealed.

The DNC Registry contains three separate Registers of Singapore telephone numbers for voice calls, text messages (SMS/MMS/text) and faxes, which the organisation can check against.

To check, the organisation shall submit a list of the telephone numbers that it is planning to send the messages to. The DNC Registry will then indicate on the list, whether each number is in any of the Registers. The organisation may then send its marketing messages to the numbers that are not in the relevant Registers.

The organisation may rely on the information given by the DNC Registry on whether any number is registered on any of the Registers for up to 30 days. If the organisation intends to send the marketing message after the 30 days have lapsed, it must submit its list of numbers to the DNC Registry again. To allow organisations to familiarise themselves with the requirements relating to the DNC Registry, the prescribed duration (i.e. the 30 days referred to above) will be 60 days instead of 30 days for the first six months of the DNC Registry's operations.

2. When will the DNC Registry be ready?

The DNC provisions came into effect on 2 January 2014 and organisations can now check their marketing lists against the DNC Registry.

3. What are the DNC Registers available?

There are three Registers on the DNC Registry:

  • No Voice Call Register - to opt out of receiving telemarketing calls
  • No Text Message Register - to opt out of receiving telemarketing text messages, e.g. SMS/MMS
  • No Fax Message Register - to opt out of receiving telemarketing faxes

4. What telephone numbers can be registered with the DNC Registry?

The DNC Registry accepts registration of only 8-digit Singapore telephone numbers, including mobile, home and office numbers. Any Singapore number that begins with 3, 6, 8 or 9 can be registered. Please note that access to the device (of the number that is being registered) is required.

5. Will telephone numbers registered with the DNC Registry expire?

Registrations of telephone numbers with the DNC Registry do not expire. The individual's registration with the DNC Registry will only be removed when he or she terminates the number or removes the number from the DNC Registry.

6. For organisations that are currently using a list of contacts for the purpose of telemarketing, is clear and unambiguous consent from the individuals in that list still required to continue using that contact list for telemarketing when the DNC provisions come into effect on 2 January 2014?

If an organisation intends to carry out telemarketing (i.e. send a specified message to a Singapore telephone number), the organisation must ensure that they also comply with the DNC provisions of the PDPA. That is, before sending a specified message to a Singapore telephone number, the organisation must check with the DNC Registry to confirm that the number is not listed on a DNC Register, unless it has obtained "clear and unambiguous consent" in evidential form from the user/subscriber to the sending of the message. This applies even if organisations are using Singapore telephone numbers they collected before the PDPA comes into effect, and have been sending telemarketing messages to these numbers so far.

The DNC provisions will continue to apply concurrently with the data protection provisions when those come into force on 2 July 2014. Thus, whilst under the data protection provisions, an organisation may continue to use personal data collected before 2 July 2014 for the purposes for which it was collected (unless the individual has indicated that he does not consent to the use of his personal data), an organisation may still have to obtain "clear and unambiguous consent" in evidential form from the user/subscriber of the telephone number if it wishes to send specified messages.

7. Do organisations have to check the DNC Registry for all telemarketing messages they intend to send out?

Generally, organisations are required to check the DNC Registry before sending telemarketing messages to a Singapore telephone number. Some exceptions to this requirement are:

  1. If the subscriber or user of the number has given the organisation clear and unambiguous consent in written or other evidential form for the organisation to send telemarketing messages to the number;
  2. If the message falls within an exclusion in the Eighth Schedule to the PDPA (for example, if it is solely for the purpose of conducting market research, or for business-to-business marketing); or
  3. If the organisation is able to rely on the Personal Data Protection (Exemption from Section 43) Order 2013 to send the message.

8. Can an organisation rely on the Exemption Order to continue sending telemarketing messages to an individual that it has an ongoing relationship with?

An organisation that relies on the Personal Data Protection (Exemption from Section 43) Order 2013 to send promotional messages without checking the DNC Registry has to fulfil the following conditions:

  • it must have an ongoing relationship with the subscriber or user; or
  • it must send a text or fax message (but not voice call) that is related to the subject of their ongoing relationship with the subscriber or user; and
  • it must provide an opt-out facility within the body of the message. The opt-out facility may be provided via a Singapore telephone number or short code (in the case of a specified text message), or a fax number (in the case of a specified fax message). When the subscriber or user opts out, the organisation can no longer rely on the exemption and must stop sending such messages to that individual 30 days after the individual has opted out.

An organisation will not be able to rely on this exemption if the subscriber or user has withdrawn consent (and the prescribed period has lapsed) or indicated that he does not consent to the sending of any telemarketing message.

9. What is meant by an 'ongoing relationship'?

‘Ongoing relationship’ means a relationship, which is on an ongoing basis, between a sender and a subscriber or user of a Singapore telephone number, arising from the carrying on or conduct of a business or activity (commercial or otherwise) by the sender. An ongoing relationship may include, for example, a subscription, membership, account, loan or comparable relationships involving the ongoing purchase or use of goods and services supplied by the sender to the individual. A series of one-off transactions or a past relationship is not sufficient to constitute an ongoing relationship.

10. Will the DNC Registry cover overseas telemarketers?

The PDPA shall apply to a marketing message addressed to a Singapore telephone number where:

  • the sender is present in Singapore when the message is sent; or
  • the recipient of the message is present in Singapore when the message is accessed.

If a Singapore organisation outsources the telemarketing function overseas, the Singapore organisation that authorised the sending of the message will need to comply with the DNC provisions and will be responsible for the sending of the message.

If both the telemarketing organisation and the organisation which outsourced its telemarketing function are overseas organisations, and the recipient is overseas, the DNC provisions will not apply. For example, an overseas telecom service operator sending messages promoting their cheaper IDD service to Singapore subscribers roaming on the overseas telecom network will not need to check the DNC Registry.

11. Are business-to-business (B2B) marketing calls or messages covered under the DNC Registry?

B2B marketing calls, SMS/MMS and fax messages are not within the scope of the DNC Registry. The PDPC recognises that B2B marketing calls or messages may be essential to the day-to-day operations between businesses and notes that consumers will not be affected by the exclusion of B2B marketing calls or messages as they are targeted at organisations.

However, organisations may register their Singapore telephone numbers with the DNC Registry, and telemarketers that call or send a message to these registered numbers may not market to the individual. In general, only the account-holder or subscriber of the telephone line should register the telephone number with the DNC Registry. Where the account-holder or subscriber of the telephone line is the organisation and not the employee, employees should seek permission of the organisation if they wish to register their business numbers.

12. Are telemarketing messages sent through applications such as WhatsApp covered under the DNC provisions?

Under the PDPA, organisations are prohibited from sending specified messages addressed to Singapore telephone numbers registered with the DNC Registry. In situations where specified messages are sent through smartphone applications that use a telephone number as an identifier, such as WhatsApp, such messages will be covered by the DNC provisions. Specified messages sent via other technologies such as those using a mobile data connection will be treated similarly, as long as the specified message is addressed to a Singapore telephone number. However, some data-based phone applications do not use phone numbers as identifiers, and may use other identifiers such as email addresses instead. In the situations where the message is sent to those applications where the message is not addressed to a telephone number, such messages will not be covered by the DNC provisions.

13. Are emails and mail delivered by post covered under the DNC Registry?

The DNC Registry covers marketing messages sent to Singapore telephone numbers. Emails and mail delivered by post are not included within the scope of the DNC Registry.

Emails are not included within the scope of the DNC Registry as unsolicited emails can be blocked through email filters. They also cause less of a nuisance to delete when received, as compared to telephone calls, SMS and fax messages, which are more difficult for the individual to filter. Furthermore, the Spam Control Act also helps to complete the framework by setting out requirements in relation to the sending of unsolicited commercial electronic messages in bulk.

As for junk mail, there are existing ways for individuals to reduce the volume of such mail, such as through the use of letterboxes with anti-junk mail features. Junk mail may also be less of a nuisance than telephone calls, SMS or MMS messages, or faxes, which are more likely to inconvenience an individual or interrupt his activities.

14. If an organisation has obtained consent from an individual who is registered with the DNC Registry, can the organisation send telemarketing messages to him or her?

An organisation that has been given clear and unambiguous consent by the individual, in written or other accessible form, to send him or her marketing messages, may do so regardless of when he or she registers with the DNC Registry.

The individual, however, shall be allowed to withdraw the consent given but this shall not affect the legal consequences arising from the withdrawal.

15. What are the payment modes available?

Organisations can pay online using credit card (MasterCard, Visa and AMEX) or internet direct debit for consumers with DBS/POSB, OCBC, UOB or Citibank Internet Banking accounts. For the purchase of pre-paid credits, an offline payment option via telegraphic or bank transfer is available for amounts of $5,000 and above.

16. What information will appear on my credit card statement?

The transaction will appear on your credit card statement as PDPC DNC.

17. What is the PDPC's bank account information?

Bank: DBS Bank Ltd
Bank Code: 7171
Branch Code: 003
Account name: PDPC
Account number: 003-920724-7
SWIFT Code: DBSSSGSG

Once the transfer has been made, please email info@pdpc.gov.sg with your organisation name and the DNC transaction reference number in the subject line. Please also include the following details in the body of the email:

  • Date and time of the transfer
  • Amount transferred
  • Contact details of the person who made the transfer

Please allow up to 5 working days after the receipt of payment for processing your request.

Do Not Call Registry - Account Creation

1. How can an organisation create an account with or check the DNC Registry?

From 2 December 2013, organisations can create an account with the DNC Registry by logging on to www.dnc.gov.sg. Similarly, organisations can begin to check the DNC Registry at the same website from 2 January 2014.

2. How much will it cost organisations to create an account with and check the DNC Registry?

There will be a one-time fee of $30 to create each account with the DNC Registry ($60 for organisations based overseas). To cater for organisations which may only need to check a few telephone numbers, the DNC Registry will enable organisations to check 500 telephone numbers for free each year. Fees for the checking of additional numbers can be found on the DNC Registry Business Rules page. One credit is required for each number checked.

3. What are the types of accounts available?

There are three types of accounts, for:

  1. Organisations registered in Singapore - UEN (Unique Entity Number) and SingPass required
  2. Overseas organisations not registered or present in Singapore - authentication documents required, e.g. utility bill
  3. Any individual who conducts telemarketing activities, e.g. freelancers, agents

Each organisation or individual can only create one main account.

4. How many sub accounts can be created?

Main account holders can create as many sub accounts as required. The one-time fee for each sub-account is $30.

5. When will the account be activated?

After the account has been created and payment made, an email notification will be sent to the account holder’s email address with the instructions to activate the account.

6. Can the sub-account be issued to a different business entity such as a subsidiary?

The main account holder will be held responsible for all the sub accounts, hence organisations should only issue sub-accounts to business entities that they can account for.

7. Can we terminate our DNC Registry account and request for a refund of the account creation fee?

Requests for a refund of the account creation fee are subject to review and approval by PDPC on a case-by-case basis. You may request a refund of the account creation fee by sending an email to info@pdpc.gov.sg after you have submitted an account termination request by logging into your account in the DNC Registry. General guidelines that the PDPC will consider when a request for refund is received are as follows:

  1. the termination request should be submitted within 14 calendar days from the date of account creation;
  2. the free credits are not utilised; and
  3. a valid reason is given for the refund request.

Do Not Call Registry - Checking the Registry

1. When must an organisation check the DNC Registry?

Organisations need to check the DNC Registry before sending marketing messages to a Singapore telephone number. Organisations may rely on the information given by the DNC Registry on whether any number is registered on any of the Registers for up to 30 days. If the organisation intends to send the marketing message after the 30 days have lapsed, it must check the DNC Registry again. To allow organisations to familiarise themselves with the requirements relating to the DNC Registry, the prescribed duration (i.e. the 30 days referred to above) will be 60 days instead of 30 days for the first six months of the DNC Registry’s operations.

2. How can an organisation check the DNC Registry?

On the DNC Registry website, there are two methods by which an organisation can check its list of numbers against the Registry:

  1. Small Number Lookup - for up to 10 numbers at a time. Results will be displayed immediately.
  2. Bulk Filtering - for upload of as many numbers as required in a CSV file. Results will be returned within 24 hours. An email notification will be sent once the results are ready.

3. Can an organisation directly upload its list of telephone numbers to the DNC Registry?

Yes, please use the Bulk Filtering method. The list of numbers has to be in CSV format.

4. If an organisation checks on behalf of another organisation, does the latter also need an account with the DNC Registry?

No, the latter organisation does not need to create an account. Only the organisation that is doing the checking will need an account.

5. What is the validity period of the telephone numbers that have been submitted to the DNC Registry for checking?

Results received from the DNC Registry between 2 January and 31 May 2014 (both dates inclusive) are valid for 60 days.

Results received between 1 June and 1 July 2014 (both dates inclusive) are valid until 31 July 2014. This is the transition period.

From 2 July 2014, results received are valid for 30 days.

6. Will organisations be required to develop IT systems in order to check the DNC Registry?

No development of an IT system is necessary. Organisations will simply have to create an account with the DNC Registry and submit their list of Singapore telephone numbers online for checking.

7. Can an organisation link its own system with the DNC Registry to facilitate checks?

No, the current design of the DNC Registry does not allow direct API (Application Programming Interface) connection to an external system for security reasons.

8. Does the PDPC endorse any third-party aggregator that offers to check the DNC Registry on behalf of others?

No, the PDPC neither endorses nor recommends any third-party service provider to help organisations check the DNC Registry on their behalf. Organisations that engage such services should ensure that they have a contractual agreement with the third-party service provider that clearly indicates the roles and responsibilities with regard to checking the DNC Registry.

9. Can we request for a refund of the duplicate numbers or duplicate files that were submitted for checking?

The DNC Registry will automatically filter out telephone numbers in an invalid format and will not check them. No credits will be charged for these invalid numbers. However, the onus is on the organisation to ensure that the list of telephone numbers it submits does not contain duplicate telephone numbers, as duplicates are considered valid telephone numbers. Once the DNC Registry has processed your submission, credits will be deducted for every valid telephone number checked against the DNC Registry. You may write in to info@pdpc.gov.sg to request a refund for checks made on duplicate files or duplicate telephone numbers that you have submitted, but this is subject to PDPC’s approval.

Do Not Call Registry - Credits

1. What is the difference between purchasing credits through Pre-paid and Pay-per-use?

Pre-paid refers to purchasing credits in advance, or when there are insufficient remaining credits at the point of checking the Registry. Purchased credits are valid for up to 3 years from the date of purchase.

Pay-per-use refers to paying a fee each time to submit telephone numbers for checking. The minimum purchase value is $10. Prices will be rounded to the nearest cent.

2. How soon can an organisation use the credits purchased?

Credits purchased through online payment options will be available immediately. For offline payments, the credits will be credited only after the PDPC has received the payment. This can take up to 7 working days.

3. Are the credits separately tagged to each main or sub account?

Yes, the credits for each account are independent of one another. This means that each sub-account may purchase and use their own credits.

4. Can the credits be transferred between sub accounts?

No, only the main account may transfer its credits to the sub accounts.

5. Will unused credits be refunded?

Organisations can get a refund of their pre-paid credits when their main account is terminated or when their credits have expired three years from the date of purchase.

When sub-accounts are terminated by the main account, the pre-paid credit balance will be returned to the main account.

6. Can we opt for offline payment for transactions less than $5,000?

The offline payment methods offered are via telegraphic or bank transfer and a minimum $5,000 transaction is required.

7. Can we get a refund of the pre-paid credits that we have purchased but not utilised?

Generally, unused pre-paid credits will be refunded to the main account holder when the main account is terminated or when the pre-paid credits have expired after 3 years. However, you may write in to the PDPC at info@pdpc.gov.sg to request a refund of your unused pre-paid credits at any point, subject to the approval of PDPC.

Informal Guidance

1. Will the PDPC respond to all informal guidance applications?

The PDPC will assess each application and seeks to review genuinely complex cases that are not covered in the published FAQs or guidelines on the PDPC website. The PDPC may refer applicants to existing guidelines if the scenarios are already covered therein.

2. How soon can an organisation expect a response from the PDPC?

In the event that the informal guidance application is accepted and depending on the level of complexity or uniqueness of the issues involved, the PDPC aims to provide its response within 60 days. A longer period may be required for more complex or novel cases.

3. Will informal guidance still be available when the PDPA is fully enforced?

The goal of informal guidance is to provide organisations greater clarity on compliance with the PDPA. Thus, the informal guidance process will continue to be available even after the PDPA comes into full effect on 2 July 2014.

4. If the PDPC has agreed to provide informal guidance on an organisation's practices, will its practices be considered in breach of the PDPA while awaiting PDPC's informal guidance on these practices?

During the transition period, these obligations are not yet in force and hence an organisation will not be found to be in breach of these obligations before 2 January 2014 for DNC obligations and 2 July 2014 for the other data protection obligations. Please note that once the obligations under the PDPA come into force, the PDPC's powers to investigate and enforce the PDPA are not fettered by the informal guidance process, and the PDPC may use information provided by the applicant in an investigation or commence an investigation based on it.

5. Will the submissions in informal guidance be used against an organisation in any future investigations organised by the PDPC?

The informal guidance is not legal advice or an opinion of the PDPC. The intention for the informal guidance is to highlight the requirements of the PDPA and aid organisations in reviewing their current personal data protection processes. The PDPC is unlikely to rely on the information provided in previous informal guidance submissions for subsequent investigation cases.

6. If an organisation's application is selected, will it be published?

The PDPC may publish all or parts of the informal guidance provided to allow similarly-situated organisations to also benefit from the clarity provided in informal guidance issued by the PDPC. However, if the organisation considers any part of the information submitted as confidential, it can set out that part of the information separately and provide an explanation as to why the information is confidential. The PDPC will take such request into consideration and will notify the organisation in advance if it intends to publish the informal guidance provided.

7. What is the scope of the informal guidance?

The informal guidance is not legal advice or an opinion of the PDPC on the organisation’s legal position. The intention for the informal guidance is to highlight the requirements of the PDPA and aid organisations in their review of their current personal data protection processes. An organisation should consider the matters noted by the PDPC in the informal guidance and decide on its preferred course of action, if necessary, with further advice from its legal advisors and other consultants.

8. How can an organisation follow up on an Informal Guidance query sent?

Please call our general enquiries hotline at 6377 3131 or email corporate@pdpc.gov.sg to enquire on the status.

Advisory Guidelines

1. How can the Advisory Guidelines help organisations?

The Advisory Guidelines (Guidelines) are sets of guidance on the manner in which the Commission will interpret provisions of the PDPA. These Guidelines aim to give organisations and individuals greater clarity by elaborating on specific requirements and obligations under the PDPA. The Guidelines also illustrate some good practices which organisations can consider adopting.

2. Will an organisation be considered compliant with the PDPA so long as it adheres to the Guidelines?

The PDPC will take reference from the Guidelines when conducting an investigation but they will not be binding on the PDPC. The PDPC will make an assessment based on the specific circumstances of the case.

3. Are the Guidelines considered legal advice by the PDPC?

The Guidelines do not constitute legal advice. They are advisory in nature and are not legally binding on the PDPC or any other party.

4. Do I have to pay for the Guidelines?

The Guidelines are available for download free-of-charge.

5. When will the PDPC issue the next set of Guidelines? What will the Guidelines cover?

The PDPC will continually assess the need to issue guidelines to facilitate understanding of the Commission’s interpretation of the PDPA obligations. Organisations and consumers responding to the consultation are welcome to highlight to the PDPC the areas in which they would like more clarity.

Enforcement

1. How will the PDPC conduct an investigation into a DNC offence?

After a complaint is received, the PDPC may carry out preliminary investigations and make enquiries to the organisation to clarify the situation or obtain more information.

If the PDPC has reasonable grounds to suspect that the PDPA has been infringed, then PDPC may issue a notice requiring the organisation to provide evidence of clear and unambiguous consent.

In certain circumstances, the PDPC has the power to enter premises to obtain the evidence in the form of documents, equipment or information.

Any person who obstructs or impedes the Commission or an authorised officer in the exercise of their powers under the PDPA will be guilty of an offence and may be liable:

  1. in the case of an individual, to a fine of up to $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
  2. in any other case, to a fine not exceeding $100,000.

2. What are the penalties for DNC Registry related offences?

Any person who contravenes section 43(1), 44(1) or 45(1) of the PDPA, which relate to the sending of specified messages, shall be guilty of an offence and shall be liable on conviction by the courts to a fine of up to $10,000. However, PDPC may compound such an offence for a sum not exceeding $1,000 per offence.

3. Do organisations have to keep records of ‘clear and unambiguous consent’ by individuals and when do organisations need to show that such consent was obtained?

The PDPC adopts a complaint-based approach for the enforcement of the DNC provisions. An individual who has registered his/her telephone number with the DNC Registry but still continues to receive marketing messages from an organisation can report the matter to the PDPC for investigation. The PDPC encourages individuals who are unsure as to why they have received the message from the organisation, or whether they have provided clear and unambiguous consent, to contact the organisation to confirm this. However, in the event of a dispute, or an investigation by the PDPC, the onus will be on the organisation to prove that it has obtained ‘clear and unambiguous’ consent from the individual to be contacted for marketing messages.

4. Can an organisation carry on with business during an inspection by the PDPC?

It will depend on the circumstances of the case. The PDPC may require the business or part thereof to cease when the inspection is carried out if it feels that the continuation of business or part thereof is likely to obstruct, hinder or delay the investigations. The PDPC may also cordon off part of the premises or seal cabinets, etc, to prevent tampering of the documents stored within.

5. Will the PDPC take away any original documents during an on-site investigation?

When entry into an organisation’s premises is done with a warrant, the PDPC is entitled to take away original documents if it appears necessary to preserve or prevent interference with the documents or when it is not reasonably practicable to take copies of the document on the premises. However, the organisation may request for a copy of the document and such a copy will be provided as soon as practicable.

6. What can an organisation do if it does not have any of the documents or information which the PDPC has requested for it to produce during an investigation?

The organisation should immediately inform the PDPC if it is unable to produce any documents or information, and state to the best of its knowledge and belief, where such documents or information may be found. The organisation must also inform the PDPC of the reasons for not being able to produce any documents or information, where appropriate.

7. Can the PDPC enter an organisation’s premises without a warrant?

The PDPC may effect entry into the organisation’s premises upon serving a written notice which gives at least 2 working days’ notice of the intended entry and indicates the subject matter and purpose of the investigation.

The PDPC may also effect entry into any premises without a warrant and without notice, if a PDPC inspector has reasonable grounds for suspecting that the premises are, or have been, occupied by an organisation which is being investigated in relation to a contravention of the PDPA (and the inspector has taken reasonably practicable steps to give notice but has not been able to).

An inspector of the PDPC or person assisting the inspector entering the premises may:

  1. take with him such equipment as appears to him to be necessary;
  2. require any person on the premises —
    1. to produce any document which he considers relates to any matter relevant to the investigation; and
    2. if the document is produced, to provide an explanation of it;
  3. require any person to state, to the best of the person’s knowledge and belief, where any such document is to be found;
  4. take copies of, or extracts from, any document which is produced;
  5. require any information which is stored in any electronic form and is accessible from the premises and which he considers relates to any matter relevant to the investigation, to be produced in a form in which it can be taken away and in which it is visible and legible; and
  6. take any step which appears to be necessary for the purpose of preserving or preventing interference with any document which he considers relates to any matter relevant to the investigation.

8. Can an organisation request for legal advice before the PDPC enters its premises?

If the PDPC enters into an organisation's premises, the organisation may request for its legal advisor to be present. The PDPC will allow a reasonable time for the organisation's legal advisor to arrive before entering the premises, provided that it is reasonable in the circumstances and does not cause undue delay or impede investigations. The request may also be subject to the organisation’s compliance with certain conditions as may be considered appropriate, which may include (without limitation) sealing of cabinets, keeping business records in the same state and place as when entry into the premises was effected, suspending external email and allowing the inspector to remain in occupation of selected offices.

The PDPC may immediately effect entry into an organisation’s premises if the organisation’s internal legal advisor is on site or if prior written notice had been given to the organisation.

9. If an organisation has certain security policies such as the prohibition of entry to those with cameras or laptops, can the organisation stop the PDPC from bringing such items into its premises?

When entering into premises under a warrant, the PDPC may take such equipment as appears to be necessary for the investigations. The PDPC would, however, consider the occupant's reasons and representations behind such security policies and may bear them in mind, as far as practicable in the circumstances, when using such equipment.

Outreach

1. Where can an organisation seek help?

The PDPC provides various resources to help organisations in their data protection journey, including introductory briefing sessions, the PDP Workshop and informal guidance. SMEs may also look to SME Centres for further assistance. Generally, the PDPC does not conduct customised briefings and workshops for specific organisations, as each organisation will have to determine its own data protection policies to meet its own business needs and to communicate these policies to its officers who handle personal data within the organisation.

2. Are the events organised by the PDPC chargeable?

In general, the briefings and seminars are free-of-charge, unless otherwise stated. Registration is on a first-come-first-served basis.

For the PDP Workshop, there will be a fee of S$107 (inclusive of GST) for each participant. The participant fee is for the purpose of covering administrative charges.

3. Who are the target audiences for the events?

C-level Management, Heads of Corporate Governance or appointed Data Protection Officers, and decision makers and key influencers of organisations' data management from all industries are encouraged to attend.

4. How many employees can an organisation send to attend the events?

We are flexible in this aspect, as long as participants are in a data protection-related field.

5. What is the maximum number of participants for each event?

Please refer to the relevant event for details.

6. How often does the PDPC organise such events?

Aside from the annual seminar, briefings and workshops are organised based on demand. Please refer to the Events page for details.

7. Where can the details of each event be found?

The sessions and details of the events are updated on our Events page.

8. How can organisations be kept up to date about PDPC's outreach activities?

Organisations may sign up for our RSS feeds for updates on our news and events.

9. Should organisations attend data protection courses offered by third parties and are these courses endorsed by PDPC?

The PDPC is unable to comment on courses conducted by third parties. You should assess whether the curriculum offered by third parties meets your requirements before signing up for such a course. For a list of events organised by the PDPC, please visit the Events page of our website.
