The Personal Data Protection Act

The Personal Data Protection Act (PDPA) requires businesses to obtain clients’ consent before obtaining and using their personal data. This article aims to help companies comply with the PDPA requirements when obtaining and using clients’ personal data. Personal data refers to information that can identify the client. This data includes but is not limited to the client’s name, contact number, email and home addresses.

Before obtaining a client’s personal data, you will need the client’s consent. This can be in the form of a notice which the client has to sign to acknowledge that the data is being obtained. On the notice, it should also state the ways in which the data will be used.

Do note that the ways in which the client’s personal data can be used will only be restricted to what is indicated and agreed upon in the notice. You also cannot insist that the client provides you with the personal data for your use for any other purpose other than as needed to provide them with the product or service that they are purchasing or subscribing to. For example, if you are a pest control company, the client will need to provide you with the address to which he or she needs the pest control to be done. You cannot use this address for marketing purposes if the client does not agree. For example, if this is an online store, you can instead put an option stating that the client agrees to receive marketing and promotional information at the service address at the point of check out.

You cannot insist that they must agree that they provide you with their email address and telephone number or insist that they agree to be contacted with marketing and promotional information as a precursor for selling them that particular good or service. i.e. if they do not agree you will not provide them with the good or service. This is not right.


Withdrawal of consent

Consent given by a customer is revocable. You cannot obtain an irrevocable consent. The customer can write to you to withdraw the consent he previously gave to you. If you receive a request, you should write back to explain what steps will be taken to accede to his request.

If he confirms his request, you should delete his personal data and ensure that other affiliated companies who were using his data also do the same.


Non-compliance with the PDPA consent requirements

The fine for non-compliance with the PDPA consent requirements is up to SGD$1 million.


If you need assistance with appointing a data protection officer you may contact us at [email protected].


When in doubt, seek legal advice or consult an experienced ACRA Filing Agent.

Yours Sincerely,
The editorial team at Singapore Secretary Services

For more useful articles and videos, visit the Singapore Secretary Services resource page.


Related articles:

What is a Data Protection Officer?

Key proposed changes to the Personal Data Protection Act (PDPA)

Registering your company’s Data Protection Officer information with ACRA via BizFile+