SINGAPORE'S PDPC Flashcards
What is the role of the Personal Data Protection Commission (PDPC)?
The PDPC is the regulatory body that administers and enforces the Personal Data Protection Act 2012 (PDPA). It issues guidelines, oversees compliance, investigates complaints and takes enforcement action against organizations that contravene the Act.
How many members can the PDPC have and who appoints them?
The PDPC can have up to 17 members, appointed by the Minister.
What authority does the PDPC have regarding organizations’ data practices?
The PDPC can direct an organization to stop collecting, using or disclosing personal data in contravention of the PDPA, require it to destroy personal data, conduct investigations, enforce remedial actions, publicize non-compliance and impose financial penalties (capped at SGD 1 million under the PDPA as enacted in 2012).
What can individuals do if they believe their data protection rights have been infringed?
Individuals can lodge a complaint with the PDPC, which may investigate and take enforcement action where it finds a contravention.
What is the complaint-based approach used by the PDPC?
An individual or organization files a complaint with the PDPC, which carries out a preliminary assessment and, if the complaint has merit, a full investigation. The PDPC then issues a decision, which may include directions to take corrective action, financial penalties or other enforcement measures. Parties can appeal to the Data Protection Appeal Committee (DPAC) and from there to the Singapore courts.
What is the audit-based approach used by the PDPC?
The PDPC selects organizations for audit on criteria such as industry sector, previous compliance history or random selection. It conducts the audit, prepares a report of findings and recommendations, and may carry out follow-up audits to confirm that the recommendations have been implemented.
What guidance and positions does the PDPC provide?
The PDPC publishes advisory guidelines and position statements that explain how it interprets the PDPA and help organizations meet their data protection obligations. Topics include obtaining consent, handling access and correction requests, notifying data breaches and building data protection into business processes.
What are the PDPC guidelines on research activities?
Research activities remain subject to the PDPA. Personal data may be used or disclosed for research purposes without consent only where the conditions set out in the PDPA's Schedules are met, for example that the research purpose cannot reasonably be accomplished unless the data is in individually identifiable form.
What are the PDPC guidelines regarding CCTV surveillance?
Organizations should post notices indicating that CCTV surveillance is in operation, and individuals may request access to footage of themselves unless an exception in the PDPA's Schedules applies. Organizations may charge a reasonable fee for providing access, which can reflect the cost of masking other individuals who appear in the footage.
What are the PDPC guidelines regarding photography?
An image of an identifiable individual is personal data, so consent is required to collect, use or disclose it unless an exception applies. Photographs taken by an individual acting in a personal or domestic capacity fall outside the PDPA, and an image that is publicly available (for example, of a person observed in a place open to the public) may be collected without consent. Photographs taken solely for artistic or literary purposes are also an exception, but it must be relied on with caution.
What must organizations do if they intend to use personal data for a new purpose?
They must obtain fresh consent from the individual, clearly explaining the new purpose and giving enough information for the individual to make an informed decision, unless an exception under the PDPA applies.
What records must organizations maintain regarding consent?
Organizations must keep records of each consent obtained, covering what was consented to, the date, time and manner in which consent was given, and the specific purposes, together with records of any withdrawal of consent and the actions taken in response.
What authority does the PDPC have in enforcing the PDPA?
The PDPC can investigate complaints, require the production of documents and information, enter premises, and issue directions including stop (cease and desist) orders, correction directions, orders to implement data protection measures, data breach notifications, temporary suspension of data processing and erasure of data. It can impose financial penalties of up to SGD 1 million; the 2020 amendments to the PDPA, in force since 1 October 2022, raised the cap to the higher of SGD 1 million or 10% of the organization's annual turnover in Singapore where that turnover exceeds SGD 10 million.
What factors does the PDPC consider when determining penalty amounts?
Factors include the nature and severity of the breach, the organization's level of cooperation during the investigation and its previous compliance history.
What are the possibilities for appeal against PDPC decisions?
Organizations can appeal to the Data Protection Appeal Committee (DPAC) within 28 days of the PDPC's decision. A further appeal from the DPAC lies to the High Court, but only on a point of law or against the amount of a financial penalty, and from there to the Court of Appeal.