
ARRANGEMENT OF REGULATIONS

PART 1 PRELIMINARY
1. Citation and commencement

PART 1A BUSINESS CONTACT INFORMATION
1A. Business contact information of designated individuals

PART 2 REQUESTS FOR ACCESS TO AND CORRECTION OF PERSONAL DATA
2. Definitions of this Part
3. How to make request
4. Duty to respond to request under section 21(1) of Act
5. Notification of timeframe for response
6. Refusal to confirm or deny existence, use or disclosure of personal data
7. Fees
8. Preservation of copies of personal data

PART 3 TRANSFER OF PERSONAL DATA OUTSIDE SINGAPORE
9. Definitions of this Part
10. Requirements for transfer
11. Legally enforceable obligations
12. Recipients holding specified certifications

PART 4 DEEMED CONSENT BY NOTIFICATION AND LEGITIMATE INTERESTS
13. Excluded purposes under section 15A(3) of Act
14. Assessment of effect of proposed collection, use or disclosure of personal data for purposes of section 15A of Act
15. Assessment of effect of proposed collection, use or disclosure of personal data for purposes of Part 3 of First Schedule to Act

PART 4A DEFENCES TO OFFENCES UNDER PART IXB OF ACT
15A. Defence to offence under section 48D(1) of Act
15B. Defence to offence under section 48E(1) of Act

PART 5 MISCELLANEOUS
16. Exercise of rights under Act in respect of deceased individual
17. Symbol of Commission
18. Revocation
19. Saving and transitional provisions

The Schedules

In exercise of the powers conferred by section 65 of the Personal Data Protection Act 2012, the Personal Data Protection Commission, with the approval of the Minister for Communications and Information, makes the following Regulations:

PART 1 PRELIMINARY

Citation and commencement

1. These Regulations are the Personal Data Protection Regulations 2021 and come into operation on 1 February 2021.

PART 1A

BUSINESS CONTACT INFORMATION
[S 734/2021 wef 01/10/2021]

Business contact information of designated individuals

1A. —

(1)

For the purposes of section 11(5A) of the Act, an organisation is deemed to have satisfied section 11(5) of the Act if the organisation makes available the business contact information of any individual designated by the organisation under section 11(3) of the Act in any of the following manners: (a) where the organisation is registered under an applicable Act — in a record relating to the organisation that is made available on the Internet website of the Accounting and Corporate Regulatory Authority at https://www.bizfile.gov.sg; (b) in a readily accessible part of the organisation’s official website.

(2)

In paragraph (1) —

“applicable Act” means — (a) the Business Names Registration Act 2014 (Act 29 of 2014); (b) the Companies Act (Cap. 50); (c) the Limited Liability Partnerships Act (Cap. 163A); or (d) the Limited Partnerships Act (Cap. 163B);

“official website”, for an organisation, means a website that is accessible by the public and through which the organisation provides information about the organisation to the public.

[S 734/2021 wef 01/10/2021]

PART 2

REQUESTS FOR ACCESS TO AND CORRECTION OF PERSONAL DATA

Definitions of this Part

2. In this Part, unless the context otherwise requires —

“applicant” means an individual who makes a request;

“data protection officer”, in relation to an organisation, means an individual designated by the organisation under section 11(3) of the Act or an individual to whom the responsibility of the data protection officer has been delegated under section 11(4) of the Act;

“individual’s personal data” means personal data about an individual;

“request” means a request to an organisation made by an individual under section 21(1) or 22(1) of the Act;

“use and disclosure information” means the information specified in section 21(1)(b) of the Act.

How to make request

3.

(1)

A request to an organisation must be made in writing and must include sufficient detail to enable the organisation, with a reasonable effort, to identify — (a) the applicant making the request; (b) in relation to a request under section 21(1) of the Act, the personal data and use and disclosure information requested by the applicant; and (c) in relation to a request under section 22(1) of the Act, the correction requested by the applicant.

(2)

A request must be sent to the organisation — (a) in accordance with section 48A of the Interpretation Act (Cap. 1); (b) by sending the request to the organisation’s data protection officer in accordance with the business contact information provided under section 11(5) of the Act; or (c) in any other manner that is acceptable to the organisation.

Duty to respond to request under section 21(1) of Act

4.

(1)

Subject to section 21(2), (3), (3A) and (4) of the Act and regulations 6 and 7(3), an organisation must respond to each request made to it under section 21(1) of the Act on or after 1 February 2021 as accurately and completely as necessary and reasonably possible.

(2)

The organisation must provide an applicant access to the applicant’s personal data requested under section 21(1) of the Act on or after 1 February 2021 — (a) by providing the applicant with a copy of the personal data and use and disclosure information in documentary form; (b) if sub-paragraph (a) is impracticable in any particular case, by allowing the applicant a reasonable opportunity to examine the personal data and use and disclosure information; or (c) in any other form requested by the applicant as is acceptable to the organisation.

Notification of timeframe for response

5. Subject to the requirement to comply with section 21(1) of the Act as soon as reasonably possible or section 22(2) of the Act as soon as practicable (as the case may be), if the organisation is unable to comply with that requirement within 30 days after receiving a request made in accordance with regulation 3, the organisation must within that time inform the applicant in writing of the time by which it will respond to the request.

Refusal to confirm or deny existence, use or disclosure of personal data

6. Subject to section 21(4) of the Act, an organisation, in a response to a request made to it under section 21(1) of the Act, may refuse to confirm or may deny any of the following:

(a) the existence of personal data mentioned in paragraph 1(h) of the Fifth Schedule to the Act as in force before, on or after 1 February 2021; (b) the use or disclosure of personal data without consent under the following provisions for any investigation or proceedings, if the investigation or proceedings and related appeals have not been completed: (i) paragraph 3 of Part 3 of the First Schedule to the Act as in force on or after 1 February 2021; (ii) paragraph 1(e) of the Third Schedule to the Act or paragraph 1(f) of the Fourth Schedule to the Act (as the case may be) as in force before 1 February 2021.

Fees

7.

(1)

Subject to section 28 of the Act as in force immediately before 1 February 2021 or section 48H of the Act (as the case may be), an organisation may charge an applicant who makes a request to it under section 21(1) of the Act a reasonable fee for services provided to the applicant to enable the organisation to respond to the applicant’s request.

(2)

An organisation must not charge a fee to respond to the applicant’s request under section 21(1) of the Act unless the organisation has — (a) provided the applicant with a written estimate of the fee; and (b) if the organisation wishes to charge a fee that is higher than the written estimate provided under sub-paragraph (a), notified the applicant in writing of the higher fee.

(3)

An organisation does not have to respond to an applicant’s request under section 21(1) of the Act unless the applicant agrees to pay the following fee: (a) where the organisation has notified the applicant of a higher fee under paragraph (2)(b) — (i) if the Commission — (A) has reviewed the higher fee under section 28(1) of the Act as in force immediately before 1 February 2021, the fee allowed by the Commission under section 28(2) of the Act as in force immediately before that date; or (B) has reviewed the higher fee under section 48H(1) of the Act, the fee allowed by the Commission under section 48H(2) of the Act; or (ii) if sub-paragraph (i) does not apply, the higher fee notified under paragraph (2)(b); (b) where sub-paragraph (a) does not apply and the organisation has provided the applicant with an estimated fee under paragraph (2)(a) — (i) if the Commission — (A) has reviewed the estimated fee under section 28(1) of the Act as in force immediately before 1 February 2021, the fee allowed by the Commission under section 28(2) of the Act as in force immediately before that date; or (B) has reviewed the estimated fee under section 48H(1) of the Act, the fee allowed by the Commission under section 48H(2) of the Act; or (ii) if sub-paragraph (i) does not apply, the estimated fee provided under paragraph (2)(a).

(4)

To avoid doubt, an organisation must not charge the applicant any fee to comply with its obligations under section 22(2) of the Act.

Preservation of copies of personal data

8.

(1)

For the purposes of section 22A(1) of the Act, the prescribed period for the preservation of a copy of the personal data that an organisation has refused to provide is the period beginning immediately after the date of the organisation’s refusal and ending immediately after the relevant date.

(2)

In this regulation —

“date of refusal”, in relation to an organisation’s refusal, means the date on which the organisation notifies an individual of the organisation’s refusal;

“date of withdrawal” — (a) in relation to an application made by a complainant under section 48H(1) of the Act in relation to an organisation’s refusal, means the date on which the complainant withdraws the application or the Commission dismisses the application under the Personal Data Protection (Enforcement) Regulations 2021 (G.N. No. S 62/2021); (b) in relation to an application or appeal made by a complainant in relation to a decision or direction made by the Commission, means the date on which the complainant withdraws the application or appeal; or (c) in relation to an application or appeal made by an organisation in relation to a decision or direction made by the Commission, means the date of compliance by the organisation with the decision or direction;

“organisation’s refusal” means an organisation’s refusal to provide, pursuant to an individual’s request under section 21(1)(a) of the Act, the individual’s personal data in the possession or under the control of the organisation;

“relevant date”, in relation to an organisation’s refusal, means — (a) the 30th day after the date of refusal; or (b) where, on or before the day mentioned in paragraph (a) or while the personal data concerned in relation to the organisation’s refusal is in the possession or under the control of the organisation on or after that date, the organisation has notice of any of the following applications or appeals — the latest of the following dates applicable to those applications or appeals: (i) an application to the Commission under section 48H(1)(a) of the Act to review the organisation’s refusal — the date of withdrawal of the application or the 28th day after the Commission issues its decision or direction made under section 48H(2) of the Act in relation to the application; (ii) an application for reconsideration made to the Commission under section 48N(1) of the Act in relation to the organisation’s refusal — the date of withdrawal of the application or the 28th day after the date of issue of the Commission’s decision made under section 48N(6)(b) of the Act in relation to the application; (iii) an application under section 48N(5) of the Act to extend the prescribed period for an application for reconsideration in relation to the organisation’s refusal — the date of withdrawal or refusal of the application or the date of expiry of the extended period allowed for the application, if any; (iv) an appeal under section 48Q(1) of the Act against the Commission’s decision or direction made under section 48H(2) of the Act or decision made under section 48N(6)(b) of the Act (as the case may be) in relation to the organisation’s refusal — the date of withdrawal of the appeal or the 28th day after the Appeal Committee hearing the appeal issues its direction or decision; (v) an appeal against, or with respect to, a direction or decision of the Appeal Committee mentioned in sub-paragraph (iv) under section 48R of the Act — the date of withdrawal of the appeal or the date the General Division of the High Court or Court of Appeal (as the case may be) determines the appeal.

PART 3

TRANSFER OF PERSONAL DATA OUTSIDE SINGAPORE

Definitions of this Part

9. In this Part, unless the context otherwise requires —

“data in transit” means personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore, without the personal data being accessed or used by, or disclosed to, any organisation (other than the transferring organisation or an employee of the transferring organisation acting in the course of the employee’s employment with the transferring organisation) while the personal data is in Singapore, except for the purpose of such transportation;

“individual’s personal data” means personal data about an individual;

“recipient”, in relation to personal data transferred from Singapore to a country or territory outside Singapore, means any organisation that receives in a country or territory outside Singapore the personal data transferred to it by or on behalf of the transferring organisation, but does not include — (a) the transferring organisation; (b) any employee of the transferring organisation acting in the course of the employee’s employment with that organisation; (c) any organisation that receives the personal data solely as a network service provider or carrier; or (d) any organisation that receives the personal data from a recipient of that personal data;

“transferring organisation” — (a) in relation to any personal data transferred from Singapore to a country or territory outside Singapore, means the organisation that transfers the personal data from Singapore to the country or territory outside Singapore; or (b) in relation to data in transit, means the organisation that transfers the personal data through Singapore to the country or territory outside Singapore;

“transportation” includes transmission in electronic form.

Requirements for transfer

10.

(1)

For the purposes of section 26 of the Act, a transferring organisation must, before transferring an individual’s personal data to a country or territory outside Singapore on or after 1 February 2021, take appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data is bound by legally enforceable obligations (in accordance with regulation 11) to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Act.

(2)

A transferring organisation is taken to have satisfied the requirements of paragraph (1) in respect of an individual’s personal data which it transfers to a recipient in a country or territory outside Singapore if — (a) subject to paragraph (3), the individual consents to the transfer of the individual’s personal data to that recipient in that country or territory; (b) the individual is deemed to have consented to the disclosure by the transferring organisation of the individual’s personal data to that recipient under section 15(3), (4), (5), (6), (7) or (8) of the Act; (c) the transfer of the personal data to the recipient is necessary for the personal data to be used or disclosed under Part 1 or paragraph 2 of Part 2 of the First Schedule to the Act, and the transferring organisation has taken reasonable steps to ensure that the personal data so transferred will not be used or disclosed by the recipient for any other purpose; (d) the personal data is data in transit; or (e) the personal data is publicly available in Singapore.

(3)

For the purposes of paragraph (2)(a), an individual is not taken to have consented to the transfer of the individual’s personal data to a country or territory outside Singapore if — (a) the individual was not, before giving his or her consent, given a reasonable summary in writing of the extent to which the personal data to be transferred to that country or territory will be protected to a standard comparable to the protection under the Act; (b) the transferring organisation required the individual to consent to the transfer as a condition of providing a product or service, unless the transfer is reasonably necessary to provide the product or service to the individual; or (c) the transferring organisation obtained or attempted to obtain the individual’s consent for the transfer by providing false or misleading information about the transfer, or by using other deceptive or misleading practices.

(4)

This Part does not prevent an individual from withdrawing any consent given for the transfer of the personal data to a country or territory outside Singapore.

Legally enforceable obligations

11.

(1)

For the purposes of regulation 10(1), legally enforceable obligations include obligations imposed on a recipient of personal data under — (a) any law; (b) any contract in accordance with paragraph (2); (c) any binding corporate rules in accordance with paragraph (3); or (d) any other legally binding instrument.

(2)

A contract mentioned in paragraph (1)(b) must — (a) require the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the Act; and (b) specify the countries and territories to which the personal data may be transferred under the contract.

(3)

The binding corporate rules mentioned in paragraph (1)(c) — (a) must require every recipient of the transferred personal data that is related to the transferring organisation and does not already satisfy paragraph (1)(a), (b) or (d), to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the Act; (b) must specify — (i) the recipients of the transferred personal data to which the binding corporate rules apply; (ii) the countries and territories to which the personal data may be transferred under the binding corporate rules; and (iii) the rights and obligations provided by the binding corporate rules; and (c) may only be used for recipients that are related to the transferring organisation.

(4)

For the purposes of paragraph (3)(a) and (c), a recipient of personal data is related to the transferring organisation transferring that personal data if — (a) the recipient, directly or indirectly, controls the transferring organisation; (b) the recipient is, directly or indirectly, controlled by the transferring organisation; or (c) the recipient and the transferring organisation are, directly or indirectly, under the control of a common person.

Recipients holding specified certifications

12.

(1)

For the purposes of regulation 10(1), a recipient of an individual’s personal data in a country or territory outside Singapore is taken to be bound by legally enforceable obligations to provide a standard of protection for the transferred personal data that is at least comparable to the protection under the Act if the recipient holds a specified certification that is granted or recognised under the law of that country or territory to which the personal data is transferred.

(2)

In this regulation, “specified certification”, in relation to a recipient of an individual’s personal data, means a certification under — (a) where the recipient is a data intermediary — the Asia-Pacific Economic Cooperation Privacy Recognition for Processors System or the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System; or (b) in any other case — the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System.

PART 4

DEEMED CONSENT BY NOTIFICATION AND LEGITIMATE INTERESTS

Excluded purposes under section 15A(3) of Act

13. For the purposes of section 15A(3) of the Act, the prescribed purpose is the sending of a message to the individual for an applicable purpose specified in the Tenth Schedule to the Act.

Assessment of effect of proposed collection, use or disclosure of personal data for purposes of section 15A of Act

14.

(1)

This regulation applies where an organisation intends to collect, use or disclose personal data about an individual under section 15A(2) of the Act.

(2)

An assessment mentioned in section 15A(4)(a) of the Act to determine that a proposed collection, use or disclosure of personal data by an organisation is not likely to have an adverse effect on an individual must specify all of the following information: (a) the types and volume of personal data to be collected, used or disclosed, as the case may be; (b) the purpose or purposes for which the personal data will be collected, used or disclosed, as the case may be; (c) the method or methods by which the personal data will be collected, used or disclosed, as the case may be; (d) the mode by which the individual will be notified of the organisation’s proposed collection, use or disclosure (as the case may be) of the individual’s personal data; (e) the period within which, and the mode by which, the individual may notify the organisation that the individual does not consent to the organisation’s proposed collection, use or disclosure (as the case may be) of the individual’s personal data; (f) the rationale for the period and mode mentioned in sub-paragraph (e).

(3)

The organisation must retain a copy of its assessment mentioned in section 15A(4)(a) of the Act relating to the collection, use or disclosure of personal data about an individual throughout the period that the organisation collects, uses or discloses personal data about the individual under section 15A(2) of the Act.

Assessment of effect of proposed collection, use or disclosure of personal data for purposes of Part 3 of First Schedule to Act

15.

(1)

This regulation applies where an organisation intends to collect, use or disclose personal data about an individual under paragraph 1(1) of Part 3 of the First Schedule to the Act.

(2)

An assessment mentioned in paragraph 1(2)(a) of Part 3 of the First Schedule to the Act in respect of the intended collection, use or disclosure of personal data must — (a) specify — (i) the types and volume of personal data to be collected, used or disclosed, as the case may be; (ii) the purpose or purposes for which the personal data will be collected, used or disclosed, as the case may be; and (iii) the method or methods by which the personal data will be collected, used or disclosed, as the case may be; (b) identify any residual adverse effect on any individual after implementing any reasonable measures mentioned in paragraph 1(3)(b) of Part 3 of the First Schedule to the Act; (c) identify the legitimate interests that justify the collection, use or disclosure (as the case may be) by the organisation of personal data about the individual; (d) where the legitimate interests identified under sub-paragraph (c) relate to a person other than the organisation, identify that other person by name or description; and (e) set out the reasons for the organisation’s conclusion that the legitimate interests identified under sub-paragraph (c) outweigh any adverse effect on the individual.

(3)

The organisation must retain a copy of the assessment it conducted in accordance with paragraph 1(2)(a) of Part 3 of the First Schedule to the Act relating to the collection, use or disclosure of personal data about an individual throughout the period that the organisation collects, uses or discloses personal data about the individual under paragraph 1(1) of Part 3 of the First Schedule to the Act.

PART 4A

DEFENCES TO OFFENCES UNDER PART IXB OF ACT
[S 734/2021 wef 01/10/2021]

Defence to offence under section 48D(1) of Act

15A. In proceedings for an offence under section 48D(1) of the Act, it is a defence to the charge for the accused to prove, on a balance of probabilities, that where the charge relates to personal data in the possession or under the control of an organisation, the accused disclosed, or caused the disclosure of, that personal data with the prior consent of the individual to whom that personal data relates.
[S 734/2021 wef 01/10/2021]

Defence to offence under section 48E(1) of Act

15B. In proceedings for an offence under section 48E(1) of the Act, it is a defence to the charge for the accused to prove, on a balance of probabilities, that where the charge relates to personal data in the possession or under the control of an organisation, the accused used that personal data with the prior consent of the individual to whom the personal data used relates.
[S 734/2021 wef 01/10/2021]

PART 5 MISCELLANEOUS

Exercise of rights under Act in respect of deceased individual

16.

(1)

The persons specified in paragraph (2) may exercise all or any of the following rights in relation to section 24 of the Act or any provision of the Act relating to the disclosure of personal data, in respect of a deceased individual who has been dead for 10 years or fewer: (a) the right to give or withdraw any consent for the purposes of the Act; (b) the right to bring an action — (i) under section 32 of the Act as in force immediately before 1 February 2021 in respect of a contravention, before 1 February 2021, by an organisation of section 24 of the Act or other provision of the Act relating to the disclosure of personal data (as the case may be) as in force before that date; or (ii) under section 48O of the Act in respect of a contravention, on or after 1 February 2021, by an organisation or a person of section 24 of the Act or other provision of the Act relating to the disclosure of personal data (as the case may be) as in force on or after that date; (c) the right to bring a complaint under the Act.

(2)

The following persons are specified for the purposes of paragraph (1): (a) a person appointed under the deceased individual’s will to exercise the right mentioned in paragraph (1) which is to be exercised or a personal representative of the deceased individual, unless the person or personal representative (as the case may be) has renounced the grant of such right; (b) if no person or personal representative mentioned in sub-paragraph (a) is able to exercise such right or power, the deceased individual’s nearest relative determined in accordance with the First Schedule.

(3)

Subject to Part II of the Probate and Administration Act (Cap. 251) (if applicable), the renunciation of the grant of any right under paragraph (1) must be made expressly in writing.

(4)

Any notice or other communication to be given under the Act concerning any consent, action or complaint mentioned in paragraph (1) may be given to the person who may exercise the right related to that consent, action or complaint under that paragraph.

(5)

This regulation does not — (a) enable any person to exercise any right under paragraph (1) if that person is legally incapable of exercising such a right on that person’s own behalf; or (b) affect the authority of any person under any other law to exercise any right mentioned in paragraph (1).

(6)

A person does not cease to be a personal representative for the purposes of this regulation merely because that person has completed the administration of the deceased individual’s estate.

Symbol of Commission

17. For the purposes of section 61 of the Act, the symbol for use in connection with the activities and affairs of the Commission is as set out in the Second Schedule.

Revocation

18. The Personal Data Protection Regulations 2014 (G.N. No. S 362/2014) are revoked.

Saving and transitional provisions

19.

(1)

Despite regulation 18 — (a) regulation 4(1) of the revoked Regulations continues to apply to a request made to an organisation before 1 February 2021 under section 21(1) of the Act as in force immediately before that date; and (b) regulations 8, 9, 10 and 10A of the revoked Regulations continue to apply to a transferring organisation in relation to the transfer, before 1 February 2021, of an individual’s personal data to a country or territory outside Singapore.

(2)

In this regulation, “revoked Regulations” means the Personal Data Protection Regulations 2014 revoked by regulation 18.

FIRST SCHEDULE
Regulation 16(2)(b)

DETERMINATION OF NEAREST RELATIVE

1. Subject to paragraphs 2 and 3, the nearest relative of a deceased individual is the individual first listed in the following sub-paragraphs, the elder or eldest of 2 or more such individuals described in any sub-paragraph being preferred:

(a) the deceased individual’s spouse at the time of death; (b) the deceased individual’s child; (c) the deceased individual’s parent; (d) the deceased individual’s brother or sister; (e) any other relative of the deceased individual.

2. For the purposes of paragraph 1 — (a) a reference to a deceased individual’s child means a legitimate, legitimated or adopted child of the deceased individual; (b) a reference to a deceased individual’s brother, sister or relative includes, respectively, a brother, sister or relative of the deceased individual by adoption; and (c) there is to be no distinction between those who are related to a deceased individual through the father or the mother of the deceased individual.

3. If the individual (P) who is determined in accordance with this Schedule to be the nearest relative of the deceased individual — (a) dies; (b) is legally incapable of exercising the right mentioned in regulation 16(1); or (c) is unable or refuses to make a decision concerning the exercise of the right mentioned in regulation 16(1), the individual who is next in priority to P is regarded as the next nearest relative of the deceased individual.

4. For the purposes of this Schedule, an individual is not considered to be unable or to have refused to make a decision mentioned in paragraph 3(c) merely due to a temporary inability or temporary unavailability to make such a decision.

SECOND SCHEDULE
Regulation 17

SYMBOL OF COMMISSION

Made on 28 January 2021.

CHAN YENG KIT
Chairman,
Info-communications Media Development Authority,
Singapore.

[AG/LEGIS/SL/227A/2020/3 Vol. 1]