Singapore PDPA vs GDPR: How Do They Differ?
Singapore PDPA and the EU GDPR are two regulations that govern the data privacy of individuals and data processing.
Non-compliance with either of the laws can mean significant penalties, so it’s important to pay attention to both, especially if you’re an international business.
In this article, we’ll explore the main similarities and differences between Singapore PDPA vs GDPR to give you a better understanding of both laws.
- The biggest differences between the Singapore PDPA and the GDPR are in scope, jurisdiction, certain individual rights, and some legal grounds for processing
- Both laws require the appointment of a DPO, emphasize consent and accountability, and define data controllers and processors similarly
- Under the GDPR, unlike the PDPA, individuals have the right to have their data erased and to receive it in a transferable form (data portability)
What is Singapore PDPA?
The Singapore PDPA, or Personal Data Protection Act, is a data protection law that governs the collection, use, disclosure, and sharing of personal data of Singapore’s citizens by businesses.
The Singapore PDPA became effective on 2nd January 2013 and is enforced by the PDPC (Personal Data Protection Commission).
The law applies only to private-sector companies; it does not apply to the public sector, government agencies, national security, or law enforcement.
Two major provisions of this law include:
- An obligation to notify individuals before processing their data, and
- An obligation to obtain consent before processing their data
What is GDPR?
GDPR, or the General Data Protection Regulation, is a data protection regulation that governs the processing (including collection, storage, use, disclosure, or sale) of personal data of EU citizens by businesses.
The EU GDPR went into effect on 25th May 2018, and each EU member state has its own supervisory authority that enforces the law on its territory.
The regulation applies to any organization, including for-profit, non-profit, government agencies, etc., that collects, stores, uses, or otherwise processes personal information of EU residents.
GDPR also has many important provisions, including:
- The requirement to obtain explicit and informed consent from data subjects before processing data
- The requirement to notify individuals of the processing of their personal information, according to the principle of “lawfulness, fairness, and transparency”
- The right of individuals to correct inaccurate data or erase data (“right to be forgotten”)
Differences Between Singapore PDPA vs GDPR
While the PDPA and the GDPR have a lot in common, including their overall purpose and certain provisions, they still have a few notable differences.
1. Scope
One of the major differences between these two laws is that the PDPA applies only to private-sector bodies and excludes the public sector and organizations acting on its behalf. It applies to all businesses that process Singaporean personal information.
On the other hand, the GDPR applies equally to private and public entities processing the data of EU residents.
2. Jurisdiction
The PDPA applies to businesses that collect, use, or disclose the personal information of Singapore residents. This includes companies that don’t have a physical presence (office) in Singapore.
The GDPR applies to any organization, with or without a presence in EU territory, as long as it offers goods and services to, or monitors the behavior of, EU residents.
3. Data Subject Rights
The data subject rights under the PDPA include:
- To control how their data is collected, used, and disclosed
- To access the data held by a business
- To request correction of their data
- To opt out of unsolicited marketing via the Do Not Call (DNC) registry
The data subject rights under GDPR include:
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to object
- Right to data portability
As you can see, the GDPR grants more individual rights than the PDPA. In particular, the PDPA does not grant the right to request the erasure or deletion of one’s data, nor the right to data portability (receiving one’s data in a format that allows it to be transferred to another entity).
4. Children’s Data
With regard to children’s data, the PDPA requires that the child’s parent or legal guardian give consent on their behalf and that the organization take due care when collecting data on minors (people under 14).
The GDPR requires explicit consent by a parent or guardian if the person is under 16 years of age, but individual EU member states can lower the age limit to 13. Additionally, the EU GDPR considers children to be “vulnerable natural persons.”
5. Legal Basis
PDPA states that collecting, using, and disclosing personal data without the individual’s consent can only be done if it is required or authorized by the PDPA or another law.
The law considers the following as legal grounds for data processing:
- Protecting the vital interests of the person
- When the processing concerns national interests
- When the data is publicly available
- For legitimate interests of an organization processing data
- When carrying out business asset transactions
- And to improve the business
The GDPR considers these as the legal basis for data processing:
- If the processing is required for the contract
- To comply with the legal obligations of the data controller
- If the processing is in the public interest
- When there is a legitimate interest of the data controller that does not override the data subject’s fundamental rights
- And to protect the vital interests of the individual
In general, the GDPR places the fundamental rights of data subjects above business interests. The PDPA, by contrast, emphasizes the legitimate interests of the business as long as they outweigh any adverse effects on the data subject.
One of the key differences here is that the PDPA allows data processing if it serves to improve the business, while the GDPR does not consider this a “legal basis” for processing data.
6. Records of Processing Activities
Under the PDPA, companies don’t have to maintain a record of processing activities (RoPA). However, they do have to keep a record of access requests made by individuals for a certain period.
Article 30 of the GDPR, however, requires organizations to keep a record of processing activities in written or electronic form. This applies to any data controller or processor with 250 or more employees, and the record must include:
- Contact details of the data controller, data processor, and data protection officer (DPO)
- Categories of data subjects
- Data processing purpose
- Categories of data processed
- Data transfers outside the EU and EEA
- Data security measures
- Deletion time limits
- Data processing legal basis
7. Pseudonymized Data
The PDPA does not define the term “pseudonymized data.” However, in its Anonymization Guide (PDF), the PDPC describes “pseudonymization” as:
“The replacement of identifying data with made-up values.”
The GDPR defines “pseudonymization” in Article 4(5) as:
“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information…”
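Both definitions above describe the same technique: identifying values are swapped for made-up ones, and whatever is needed to reverse the swap is held apart from the data. The following Python script is an added illustration, not code from the article or from the PDPC or EU texts; it uses a constructed sample dataset, a keyed HMAC to generate the replacement tokens, and a separately held re-identification table standing in for the “additional information” of Article 4(5). It also shows the contrast with anonymization, where the identifying fields are simply dropped and no reversal is possible.

```python
"""Added example (not from the article): pseudonymization in the sense of
GDPR Article 4(5). Identifying values are replaced with made-up tokens, and
the "additional information" needed to reverse the replacement (a secret key
plus a re-identification table) is kept separately from the pseudonymized
dataset. Every record below is constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Fields that directly identify a person in this constructed dataset.
IDENTIFYING_FIELDS = ("name", "email", "national_id")

# Constructed sample records; the ID values are placeholders, not real numbers.
SAMPLE_RECORDS = [
    {"name": "Alice Tan", "email": "alice@example.com", "national_id": "PLACEHOLDER-1", "purchase": "laptop"},
    {"name": "Bob Lim",   "email": "bob@example.com",   "national_id": "PLACEHOLDER-2", "purchase": "phone"},
    {"name": "Alice Tan", "email": "alice@example.com", "national_id": "PLACEHOLDER-1", "purchase": "charger"},
]


def make_token(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic replacement value.

    HMAC-SHA256 under a secret key means the same input always yields the
    same token (one person's records stay linkable for analytics), but
    without the key a token cannot be turned back into the original value,
    and a guessed value cannot be checked against a token by plain hashing.
    The field name is mixed in so the same string in two fields gets two
    different tokens.
    """
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, Tuple[str, str]]]:
    """Return (pseudonymized copies, re-identification table).

    The table maps token -> (field, original value). It is the "additional
    information" of Art. 4(5): store it apart from the pseudonymized records,
    under its own access controls, together with the key.
    """
    reid_table: Dict[str, Tuple[str, str]] = {}
    output = []
    for rec in records:
        new_rec = dict(rec)
        for field in IDENTIFYING_FIELDS:
            if field in new_rec:
                token = make_token(key, field, new_rec[field])
                reid_table[token] = (field, new_rec[field])
                new_rec[field] = token
        output.append(new_rec)
    return output, reid_table


def reidentify(record: dict, reid_table: Dict[str, Tuple[str, str]]) -> dict:
    """Restore original values using the separately held table."""
    restored = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in restored and restored[field] in reid_table:
            restored[field] = reid_table[restored[field]][1]
    return restored


def anonymize(records: List[dict]) -> List[dict]:
    """Irreversible alternative: drop the identifying fields entirely.
    No key and no table exist, so nothing in the output can be re-identified."""
    return [{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS} for rec in records]


def demo() -> Dict[str, bool]:
    """Run the checks a reviewer would want to see and return their results."""
    key = secrets.token_bytes(32)  # lives with the re-identification table, not with the data
    pseudo, table = pseudonymize(SAMPLE_RECORDS, key)
    return {
        "no_plain_identifiers": all(r["email"] != s["email"] for r, s in zip(pseudo, SAMPLE_RECORDS)),
        "same_person_same_token": pseudo[0]["email"] == pseudo[2]["email"],
        "different_people_differ": pseudo[0]["email"] != pseudo[1]["email"],
        "non_identifying_fields_untouched": pseudo[0]["purchase"] == "laptop",
        "reversible_with_table": reidentify(pseudo[1], table) == SAMPLE_RECORDS[1],
        "anonymized_has_no_identifiers": all("email" not in r for r in anonymize(SAMPLE_RECORDS)),
        "other_key_other_tokens": make_token(key, "email", "x") != make_token(secrets.token_bytes(32), "email", "x"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The design point is the separation: the pseudonymized records can be shared with an analytics team and still support joins across one person’s records, while re-identification needs both the key and the table, which never travel with the data. Under the GDPR, pseudonymized data remains personal data because that reversal is possible; the anonymized output, with the fields dropped, is what the PDPC’s guide treats as the irreversible end of the spectrum.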
Similarities Between Singapore PDPA vs GDPR
All that said, the Singapore PDPA and the EU GDPR are not all that dissimilar. Both have a few things in common, including:
1. Material Scope
Both the PDPA and the GDPR define personal data as “data about an individual that can be identified” and apply to the processing of personal data (GDPR) and to the collection, use, and disclosure of personal data (PDPA).
Additionally, neither the Singapore nor the EU data privacy law applies to the processing of data for personal, domestic, or household purposes, or to law enforcement and national security; the PDPA additionally excludes organizations acting on behalf of public agencies.
Both also exclude processing for academic, research, artistic, or journalistic purposes.
2. Data Controllers and Data Processors
Although the PDPA uses the terms “organization” instead of “data controller” and “data intermediary” instead of “data processor,” the overall idea is the same as it is for the GDPR.
The PDPA defines “organizations” as any individual, company, association, or body of persons… a) formed under the law of Singapore or b) resident or having an office… in Singapore
The “data intermediary” is an organization that processes personal data on behalf of another organization.
Similarly, GDPR defines a data controller as a business, person, agency, or body that collects, manages, and is responsible for the consumer data it holds.
GDPR also defines a data processor as a natural or legal person, public authority, or other body that processes personal data on behalf of the controller.
3. Data Protection Officer
Another important similarity is that both the PDPA and the GDPR require the organization to appoint a data protection officer (DPO) if data is handled at a high volume or sensitive data is involved, and the DPO’s contact information must be made publicly available.
4. Data Processing Impact Assessment (DPIA)
Both the PDPA and the GDPR require data controllers and processors to conduct a data processing impact assessment (DPIA) in certain circumstances.
PDPA requires a DPIA when collecting, using, or disclosing personal data without express consent and instead relying on deemed consent or legitimate interest.
The GDPR has a slightly longer list of circumstances that require a DPIA:
- Using new technologies
- Tracking the behavior or location of individuals
- Systematically monitoring a publicly accessible place on a large scale
- Processing “special categories of data” (sensitive data)
- If the processing is used to make automated decisions
- Processing of children’s data
- If the processing can result in legal or other harm for the individual if data is leaked
5. Accountability
Accountability is one of the fundamental obligations and principles in both the PDPA and the GDPR.
PDPA, for instance, recognizes The Openness Obligation (PDF) and that “an organization must implement the necessary policies and procedures to meet its obligation under the PDPA and make information about its policies and procedures publicly available.”
In Article 5(2), GDPR states that the controller is responsible for demonstrating compliance… (accountability).
Although Singapore and the EU are almost 10,000 km apart geographically and 7 hours apart in time, protecting the data privacy of individuals is important in both.
As you can see, there are many similarities and differences between the Singapore PDPA and the GDPR that you need to consider.
Captain Compliance experts can help you with compliance with the PDPA and GDPR. Get in touch with us today to ensure and maintain data privacy compliance for your business.
Does GDPR apply in Singapore?
In general, the General Data Protection Regulation (GDPR) does not apply outside of the EU. However, if a business outside of the EU processes the data of EU residents, the GDPR applies to it, regardless of whether it is located in the European Union.
Is PDPA similar to GDPR?
The Singapore PDPA and the EU GDPR share a few similarities but are two distinct data privacy regulations.
For example, both the PDPA and the GDPR define data controllers and processors similarly, although the PDPA uses the terms “organization” and “data intermediary” instead.
Also, both the PDPA and the GDPR require the appointment of a DPO and the conducting of a DPIA.
The two laws are also similar in that both place great emphasis on consent as the legal basis for processing.
Want to know how similar GDPR is to CCPA and LGPD? Find out in this article.
Who enforces PDPA in Singapore?
The Personal Data Protection Act (PDPA) is enforced by the Personal Data Protection Commission (PDPC) of Singapore.
The PDPC is responsible for overseeing and ensuring the regulatory compliance of businesses processing personal information of Singapore citizens and exacting penalties and fines for non-compliance.