The PDPA provides safeguards against the misuse of individuals’ personal data by regulating the management of personal data.
Individuals have the right to be informed of the purposes for which businesses are collecting, using or disclosing your personal data, giving you more control over how your personal data is used.
How the PDPA Applies to Individuals
Collection, Use and Disclosure of Your Personal Data
- Organisations generally have to obtain your consent and inform you of the purpose(s) for the collection, use and disclosure of your personal data. If you have any questions, you may contact the organisation’s data protection officer (DPO).
- Organisations should not, as a condition of supplying a product or service, require you to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide that product or service to you.
- You are deemed to have given consent if you voluntarily provide your personal data to the organisation for a purpose. Deemed consent also applies when your personal data is disclosed by one organisation to another as part of its contractual obligations, or when you are notified about the collection, use and disclosure of your data and did not take any action to opt out.
- You may withdraw your consent at any time with reasonable notice. Organisations should inform you of the likely consequences of the withdrawal, and cease collecting, using or disclosing your personal data.
Accessing and Correcting Your Personal Data
- You can request an organisation to grant you access to your personal data that is in its possession or control, or for information about how the data was used or disclosed in the preceding 12 months. However, exceptions apply if access to the personal data or other information could
- threaten your safety, physical or mental health or that of another individual,
- reveal personal data about another individual,
- reveal the identity of another individual who has not consented to the disclosure of his or/ identity, or
- be contrary to national interest.
- You can request an organisation to correct or rectify any error or omission related to your personal data in its possession. Organisations should correct your personal data as soon as practicable. They should also send the corrected data to other organisations which the data has been shared with (or only to specific organisations that you have consented to) within a year of making the correction.
How Organisations Manage Your Personal Data
Organisations have to ensure that
- reasonable security arrangements are in place to protect your personal data,
- your personal data is accurate and complete,
- your personal data is disposed of when it is no longer necessary for it to be retained for legal or business purposes,
- your personal data is transferred outside of Singapore only if the receiving organisation has put in place measures that are comparable to the protection under the PDPA, unless exemption has been granted by the PDPC, and
- you are notified when a data breach occurs and is likely to result in significant harm or impact to you.
However, there are exceptions to these rules, for example, in emergency situations, investigations, the use of publicly-available data, or where the personal data is used for evaluative purposes.
If you have concerns over how an organisation has handled your personal data, approach the organisation first for clarification. Please refer to this page for more information.
For more tips and resources for individuals, click here.