The European Union General Data Protection Regulation (EU GDPR) entered into force on 25 May 2018. The EU GDPR will apply to an organisation established outside of the EU, so long as the organisation offers goods or services to individuals in the EU, or monitors their behavior within the EU.
The PDPC has developed a factsheet on the EU GDPR which highlights the key requirements of the EU GDPR.
Frequently Asked Questions
1. When does an organisation based in Singapore have to comply with the EU GDPR?
The EU GDPR may apply to organisations in Singapore if they offer goods or services (whether or not payment is required) to individuals in the EU or monitor the behavior of individuals in the EU.
For example, presenting a version of your organisation's website in the vernacular language of a EU Member State, publishing the price of products or services in Euros or the currency of a EU Member State (e.g. Swedish krona or Danish krone), and offering to ship goods to the EU Member State, may amount to offering goods to individuals in the EU.
If an organisation is targeting individuals in the EU in this sense, it may be required to designate a European representative if it processes data on a large scale (i.e. not just occasional processing) or if it processes special categories of personal data as defined in Articles 9(1) and 10 of the GDPR.
2. Does compliance with Singapore's Personal Data Protection Act (PDPA) equate to compliance with the EU GDPR?
Compliance with the PDPA does not necessarily mean the organisation is in compliance with the EU GDPR as there are differing requirements under the two regimes. However, with the amendments introduced in the enhanced PDPA that came into effect on 1 February 2021, the exceptions to consent under the PDPA have been streamlined and categorised broadly in ways that are similar to the EU GDPR’s six legal bases for processing of personal data.
The PDPC has developed an infographic to illustrate the broad comparison between the PDPA’s exceptions to consent and the EU GDPR’s legal bases for processing of personal data.
3. What do organisations need to do to comply with the EU GDPR?
The European regulators have provided guidance on how to comply with the EU GDPR. Organisations may refer to the resources issued by the European regulators on the EU GDPR requirements (eg. https://ec.europa.eu/info/law/law-topic/data-protection_en), or seek professional legal advice on compliance with the EU GDPR where necessary.
PDPC's factsheet on the EU GDPR, which highlights the key requirements of the EU GDPR, may be useful for organisations' information. The factsheet is available here.
The following scenarios illustrate when EU GDPR is likely or unlikely to apply to the processing of personal data:
|Examples where EU GDPR is likely to apply|
|Examples where EU GDPR is unlikely to apply|
The contents herein are not intended to be an authoritative statement of the law or substitute for legal or other professional advice. The scenarios are intended to illustrate how organisations in Singapore may be impacted by the EU GDPR. It does not provide an interpretation of the EU GDPR. Please refer to the EU GDPR text and the resources issued by the European regulators on the interpretation of the EU GDPR. Where further assistance is required, organisations may wish to seek professional legal advice to ensure compliance with the EU GDPR.