On July 2, 2014 Singapore’s new Personal Data Protection Act (the “PDPA” or the “Act”)) will go into force, requiring companies that have a physical presence in Singapore to comply with many new data protection obligations under the PDPA. Fortunately, in advance of the Act’s effective date, the Singapore Personal Data Commission has recently promulgated Personal Data Protection Regulations (2014) (the “Regulations”) to clarify companies’ obligations under the Act.
Under the PDPA, an individual may request from an organization that is subject to the Act access to, and correction of, the personal data that the organization holds about that individual. The Regulations clarify that the request must be made in writing and must include sufficient identifying information in order for the organization to process the request. The Regulations also specify that the request for access or correction should be made to the company’s Data Protection Officer (which companies are now required to appoint under the Act). Under the Regulations, an organization must respond to the request for access to personal data “as soon as practicable” but if it is anticipated that it will take longer than 30 days to do so, the organization must so inform the individual within that 30 day period.
The Regulations confirm that individuals under the Act are entitled to expansive access rights: a company must provide them with access to all personal data requested, as well as “use and disclosure information in documentary form”. If such is not possible however, the organization can provide the applicant with a “reasonable opportunity to examine the personal data and use and disclosure information.”
Perhaps in an effort to reduce the burden and expense to organizations complying with an access request by an individual, the Regulations provide that an organization may charge an individual a “reasonable fee” to respond to an individual’s request for access to the personal data the company holds related to the individual, provided it has previously communicated an estimate of the fee to the applicant.
The Regulations also contain a number of details regarding the transfer of personal data outside Singapore. Specifically, the Regulations clarify that before transferring personal data to another jurisdiction, the transferring organization in Singapore must ensure that the recipient is “legally bound by enforceable obligations… to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Act.”
“Enforceable obligations” under the PDPA are similar to that under the European Union, and include the existence of a comparable data protection law, a written contract that provides for sufficient protections, as well as “binding corporate rules.”
The Regulations (together with recently issued Advisory Guidelines On Key Concepts In The Personal Data Protection Act (revised on 16 May 2014)) now provide much needed guidance in helping companies comply with their new data protection obligations under the Act.