A Member Firm of Andersen Global

Contact Us

GDPR Compliance in Singapore Organisations

The European Union General Data Protection Regulation (EU GDPR) was first published in April 2016 and then put into force on 25 May 2018.

Overseas business organisations either supplying goods and services to individual consumers in the EU or identifying and monitoring their behaviour, either directly or indirectly within the EU come under the ambit of this regulation. The organisations may or may not have any physical presence in the EU.

Singapore is the largest trading partner of the EU in ASEAN and many organisations in Singapore come under the jurisdiction of EU GDPR.

When does a Singaporean organisation come under the jurisdiction of EU GDPR?

GDPR is a European regulatory standard and its applicability extends far beyond its borders. Companies must opt for GDPR compliance in Singapore if they are involved in some of the following activities

  • Personal data processing of individuals in the EU in the context of offers and supplies of goods and services made to the individuals in the EU.
  • Identifying and monitoring the behaviour of the individuals in the EU.
  • Publishing the price of products or services in Euros or the currency of an EU Member State.
  • Using online identifiers including IP address, unique IDs, cookies, RFID tags, search & browser history and many more.
  • Making business websites in the vernacular language of an EU Member State

If a Singaporean organisation’s target audience includes individuals in the EU for business purposes, it needs to engage a European representative if

  • personal data processing is carried out on a large scale or
  • special categories of personal data as defined in Articles 9(1) and 10 of the GDPR are processed

There are sensitive data that can not be processed as per EU GDPR subject to certain exceptions and include

  • Racial or Ethnicity data
  • Data relating to sexual orientation
  • Data relating to trade union membership
  • Data relating to religious, political or philosophical beliefs
  • Genetic or biometric data

Does compliance with Singapore's Personal Data Protection Act (PDPA) mean EU GDPR compliance?

No, because the two regulatory regimes namely GDPR and PDPA spell out different sets of requirements, Singapore data protection compliance does not necessarily mean the organisation complies with the EU GDPR. While there are exemptions given to public agencies and their agents, employees, or individuals acting in a personal capacity in PDPA, there is no such waivers in GDPR and applies to everyone equally.

The revised and more detailed Singapore data protection compliance regulation enacted by the Singapore government on 1st February 2021 is however a more streamlined and converged approach towards the European regulation on data protection almost resembling the six legal bases for personal data processing specified in GDPR. The recent amendments incorporated in Singapore data protection compliance requirements include

Mandatory data breach notification

An exception to consent for legitimate interest

Increased financial penalties

Deemed consent by notification

The Personal Data Protection Commission (PDPC) Singapore illustrated through an infographic model the broad categorization highlighting differences between these two regulations with the exceptions to consent and legal bases of personal data processing as per GDPR

What is needed for Singaporean organisations to be compliant with the EU GDPR?

There are guidelines provided by the European regulators for being compliant with the EU GDPR with references to specific online resources on the regulatory requirements. Business organisations can use this link for necessary GDPR compliance in Singapore. Legal help and advice may also be sought whenever needed.

The key requirements for EU GDPR have been highlighted in the factsheet pdpc issued by the PDPC and can be used by businesses in Singapore as an organizational database.

For GDPR compliance in Singapore, business organisations need to do the following

Data processing as a Necessity

Establish data processing as a necessity

Data Retention and Deletion

Decide on data retention and deletion

Data Encryption

Ensure that all data are encrypted

GDPR Awareness

Spread GDPR awareness

Train Employees on Proper Data Handling Techniques

Train employees on proper data handling techniques

Transfer Data Governance Policies

Frame data governance policies for transferring EU specific data to other countries outside the EU

Procedures to GDPR

Ensure appropriate procedures and processes for all data subject to GDPR compliance

The Personal Data Protection Commission (PDPC) Singapore illustrated through an infographic model the broad categorization highlighting differences between these two regulations with the exceptions to consent and legal bases of personal data processing as per GDPR.

Are there penalties for non-compliance with GDPR?

Yes, non-compliance with GDPR can bring severe consequences for non-compliant organisations with hefty administrative fines imposed by GDPR supervisory authorities.

  • For minor infringements such as failure in notifying data breaches and implementing data protection by default, a fine up to 10 million Euros or 2% of the yearly global turnover of the preceding financial year and whichever is higher.
  • For major infringements such as violating the conditions for consent or failure to adhere to regulations while transferring personal data to a third country or an international organisation, a fine of up to 20 million Euros or 4% of the yearly global turnover of the preceding financial year and whichever is higher.

In contrast to Singapore data protection compliance the penalties for GDPR non-compliance apply equally to business organisations and individuals.

Besides huge penalties, any violation in GDPR compliance also damages the organizational reputation and adversely impacts the customer base and future growth prospects.

Conclusion

The EU with a population of 440 million is a huge market for Singapore which is only expected to grow over time. This will undoubtedly drive an increased number of businesses to go for GDPR compliance in Singapore.

GDPR is unmatched legislation for enhancing the rights and transparency of individuals over their data and is embraced by Singaporean businesses with spirit and enthusiasm.

We’ve been
helping customers globally.

Book a consultation appointment with our professionals now.

We’ve been
helping customers globally.

Book a consultation appointment with our professionals now.

What our customers are saying

Best Consultant to set up company in Singapore. Excellent team of People. Perfectly oriented and guided by team. Best in the country as well as business.

— Karan Patel

We have been taking IMC service more more than a year now. They have been completely professional in their approach and they give us an overall perspective for each query we have.

— Monisha Wadhwa

We approached IMC for our trademark applications and have been working closely with Mayuri from the IMC team in Singapore. We had an absolutely stress-free experience.

— Anjana Singhvi

IMC Singapore is one of the best Consultant to set up company in Singapore, they have an excellent team of People who guide you right from the begining to start up new company in Singapore .

— Saket Brijendra

Have any project
in mind?

Let's Talk
about your project

Book a consultation appointment with our professionals now.

Reach us at

+65-91269927

Get updated by Signup
to our Newsletter!

Get Started

About

Locations

© 2023 IMC Group. All Rights Reserved.

Get Started

About

Locations

© 2023 IMC Group. All Rights Reserved.

Get Started

About

Locations

© 2023 IMC Group. All Rights Reserved.

Let's Talk