Singapore’s Personal Data Protection Commission (PDPC) is on a drive to urge companies to register their Data Protection Officers (DPOs). The PDPC has actively reached out to organizations, reminding them to file their DPO information through ACRA BizFile+. In this post, we’ll address the key questions surrounding Singapore’s DPO requirements and offer guidance on how your organization can stay compliant.
What law regulates data protection in Singapore?
Singapore’s Personal Data Protection Act 2012 (PDPA) governs the collection, use, and disclosure of personal data. The law, which came into effect on July 2, 2014, was later amended by the Personal Data Protection (Amendment) Act 2020 to strengthen the protection of personal data and bolster individuals’ rights.
Who does Singapore’s PDPA apply to?
While the PDPA lacks explicit territorial scope provisions, it is understood that the law applies to any organization—whether based in Singapore or abroad—that handles personal data in Singapore. This means that if your organization collects, uses, or discloses personal data in Singapore, you are subject to the PDPA. Even foreign companies that gather data from individuals in Singapore, such as through an online form, may arguably fall within the PDPA’s scope.
Who must appoint a DPO in Singapore?
Under Section 11(3) of the PDPA, every organization subject to the PDPA must designate at least one individual as its DPO. Unlike other regulations, such as the EU’s GDPR, there is no minimum threshold that triggers the need to appoint a DPO. All organizations handling personal data in Singapore, regardless of size or industry, must comply.
The PDPC further clarifies that even holding companies—whether they have employees or not—must appoint a DPO. This requirement also applies to dormant companies, those in liquidation, or organizations that are ceasing operations, provided they are handling personal data.
Who can serve as a DPO for Singapore?
An organization has the flexibility to appoint either an internal employee or an external provider as its DPO. Many organizations choose to appoint an external DPO because they lack the internal skills or resources for the role. However, the organization remains accountable for fulfilling its data protection obligations, regardless of who serves as DPO.
The DPO does not need to be a Singaporean national or even based in Singapore, but they must be accessible to individuals in Singapore in case they would like to reach out about the processing of their personal data. Whether an internal team member or an external consultant, the DPO must have a direct line of communication with senior management to ensure the organization’s data protection practices are robust and compliant.
What qualifications must a DPO have?
According to the PDPC, a DPO must have the appropriate skills and knowledge to fulfill their responsibilities effectively. Although not explicitly required by law, training and certification are highly recommended to ensure the DPO can properly oversee the organization’s compliance with the PDPA.
Is it mandatory to register a DPO in Singapore?
Although appointing a DPO is mandatory under the PDPA, there is no legal requirement to register the DPO’s details or notify the PDPC of the appointment. However, the PDPC strongly encourages organizations to register their DPO via BizFile+, the platform operated by Singapore’s Accounting and Corporate Regulatory Authority (ACRA). Note that only ACRA-registered entities in Singapore can use BizFile+. Organizations that are not registered with ACRA but have a Unique Entity Number (UEN) can submit an online form to the PDPC. Foreign organizations that do not have a UEN cannot register their DPO on BizFile+ or through the PDPC’s online form. However, they must still publish their DPO’s contact details, for example, in their privacy notice.
DPOs who register with the PDPC automatically become part of a DPO community and gain access to free workshops and resources, the latest updates on the PDPA and best practices, exclusive networking events, and insights on key trends in data breach prevention.
How should a DPO’s contact information be published?
The PDPA requires that organizations make their DPO’s contact details publicly accessible. While the law doesn’t specify how this should be done, Singaporean companies can register their DPO details on BizFile+ or by submitting a registration form to the PDPC. The requirement can also be met by including the information in an organization’s online privacy notice, which might be the best option for foreign organizations that are not registered in Singapore. The DPO contact details may include a general company email or phone number, meaning the specific DPO’s direct contact information need not be shared. The PDPC has clarified that it is not mandatory to use a Singapore telephone number.
If there is a change in the appointed DPO, the organization must promptly update and publish the new DPO’s contact information.
What are the penalties for non-compliance?
Failure to appoint a DPO can lead to an investigation by the PDPC. The commission has the authority to issue warnings, directions, and even financial penalties for breaches of the PDPA. While the PDPC cannot impose fines for failing to register a DPO’s details with BizFile+, failure to appoint a DPO or comply with other PDPA obligations can result in penalties.
Takeaways
If your organization is subject to Singapore’s PDPA, it must appoint a Data Protection Officer (DPO), regardless of its size, the volume of personal data it processes, or its current operational status. If your organization handles personal data, this requirement applies even if it:
- is dormant;
- is undergoing liquidation or will cease operations soon;
- has no employees, as in the case of a holding company.
The DPO can be either an internal employee or an external service provider and must have direct access to senior management. Organizations must make the DPO’s contact information publicly accessible. While registering the DPO via BizFile+ is not mandatory, the PDPC strongly encourages ACRA-registered companies to do so. The PDPA does not prescribe the nationality of a DPO or where they should be based. Failure to appoint a DPO can lead to investigations, warnings, and financial penalties of up to SGD 1 million or 10% of annual turnover, whichever is higher.
Do you need assistance appointing a DPO or ensuring your organization’s compliance with the PDPA? Our team is here to help. We offer tailored solutions, including acting as your external DPO and offering guidance on all aspects of PDPA compliance. Contact us today for more information.