The following summarises selected key issues related to how PDPC may exercise its enforcement powers in cases of PDPA breaches.
Organizations Covered by the PDPA
The Personal Data Protection Act 2012 (PDPA) applies to organizations, including:
“…any individual, company, association or body of persons, corporate or unincorporated, whether or
(a) formed or recognized under the law of Singapore; or
(b) resident, or having an office or a place of business, in Singapore;”
The data protection obligations in the PDPA do not impose any obligations on:
- any individual acting in a personal or domestic capacity;
- any employee acting in the course of his employment with an organization;
- any public agency or an organization in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data; or
- any other organizations or personal data, or classes of organizations or personal data, prescribed for the purposes of this provision.
Personal Data Protection Complaint Handling
The PDPC expects organizations to take individuals’ concerns about their personal data seriously and to work actively with individuals to sort out their concerns.
When a complaint is received by the PDPC, the PDPC may assess if it can help to address the individual’s concerns by facilitating communications between the individual and organization. If an individual and an organization are unable to resolve the matter directly and require additional assistance, the PDPC may refer the matter for mediation by a qualified mediator. The PDPC will only do so if both the individual and the organization agree that the matter is referred to mediation. If the matter is resolved amicably, the PDPC will generally not proceed with further investigations. Where applicable, the PDPC may direct the parties to resolve the matter through alternative dispute resolution.
General Offenses and Penalties
It is an offense under section 51(3)(b) and (c) of the PDPA Breach Guidelines to:
- obstruct or impede the PDPC, its inspectors or other authorized officers in the exercise of their powers or performance of their duties under the PDPA; or
- knowingly or recklessly make a false statement to the PDPC, or knowingly misleads or attempts to mislead the PDPC, in the course of the performance of the duties or powers of the PDPC under the PDPA.
An organization or person that commits an offense under section 51(3)(b) or (c) of the PDPA is liable to:
in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
in any other case, to a fine not exceeding $100,000.
Access to Legal Advice
If the PDPC exercises its powers to effect entry into the occupier’s premises, the occupier of the premises may request to consult its legal advisor. The investigating officer, authorized person, inspector or person required by the inspector may allow this request if he thinks that it is reasonable and the time taken occupier’s legal adviser to arrive at the premises is reasonable. The exercise of the right to consult a legal advisor must not delay or impede the inspection. The investigating officer authorized person, inspector or person required by the inspector may not wait for an external legal adviser to arrive, if the occupier has an in-house legal advisor present on the premises, or if the occupier was given prior notice of the intended entry.
Directions to Secure Compliance
Section 29(1) of the PDPA provides that the PDPC may if it is satisfied that an organization is not complying with any of the Data Protection Provisions, give the organization such directions as the PDPC thinks fit in the circumstances to ensure the organization’s compliance with that provision.
Section 29(2) of the PDPA further provides that the PDPC may (without prejudice to section 29(1) of the PDPA) give an organization that is not complying with any of the Data Protection Provisions any or all of the following directions:
- to stop collecting, using or disclosing personal data in contravention of the PDPA;
- to destroy personal data collected in contravention of the PDPA;
- to comply with any direction of the PDPC under section 28(2) of the PDPA;
- to pay a financial penalty of such amount not exceeding $1 million as the PDPC thinks fit.