Your Organisation's 11 PDPA Obligations

Your organisation should demonstrate responsibility through proper management and protection of personal data, and should make information about its data protection practices, policies and complaints processes upon request.  Contact information of your Data Protection Officer should also be made readily available.

Your organisation may collect, use and/or disclose only the personal data of individuals who have consented to such collection, use and/or disclosure.

These individuals must also be given the option to withdraw their consent, subject to them giving reasonable notice. Upon the withdrawal of consent, your organisation must cease collecting, using and/or disclosing the personal data of these individuals.

Your organisation may only collect, use or disclose personal data of individuals for the purpose(s) for which consent has been given. 

These individuals should also not be required to consent to the collection, use and/or disclosure of their personal data beyond what is considered reasonable for the organisation to provide a particular product or service.

Your organisation should notify individuals of the purpose(s) for which their personal data is being collected, used and/or disclosed.

Your organisation should take reasonable effort to ensure that the personal data collected is accurate and complete.

Your organisation should put in place reasonable security measures to protect the personal data in its possession or control, this includes both physical data and electronic data, in order to prevent unauthorised access, collection, use and/or disclosure of such data.

Examples would include storage of physical data in locked cabinets and implementation of robust network security systems. 

Your organisation should retain the personal data only for as long as is necessary for business or legal purposes.  This includes the proper disposal of personal data when no longer required. 

If your organisation is transferring the personal data to another country, e.g. storing the data on the “cloud”, on networks which may be based overseas, ensure that the country to which the data is being transferred offers a comparable level of data protection as is provided by the PDPA.

Upon request, your organisation is obliged to provide individuals with access to their personal data, as well as information on how their data was collected/used/disclosed in the past 1 year before the request. 

An individual can also request that your organisation rectify any error or omission in his or her personal data. Your organisation must accede to the request (unless it falls under one of the exceptions under the Act), and send the corrected data to other organisations to which the data was disclosed, as soon as practicable. 

In the event of a data breach, your organisation will have to determine if it is notifiable.  In general, a breach is notifiable if it has caused (or is likely to cause) significant harm to affected individuals, or if it has affected at least 500 individuals.  In cases of a notifiable breach, the Personal Data Protection Commission (PDPC) and affected individuals must be informed of the breach.

At the individual’s request, your organisation is required to transmit the individual’s data that is in your possession or under its control, to another organisation in a commonly used machine-readable format.