Legal Bulletin October 2017


Published date: 31 Oct 2017

Application of European Union General Data Protection Regulation to Singapore organisations from 25 May 2018

On 4 October 2017, the Personal Data Protection Commission (“PDPC”) posted a factsheet on its website which highlights the key requirements of the European Union General Data Protection Regulation (“EU GDPR”) to organisations in Singapore. To read the factsheet from the PDPC website, please click here.
The EU GDPR replaces the EU Directive and will enter into force from 25 May 2018. For more information, please visit the EU GDPR website.
The following information is strictly based on the factsheet posted by PDPC.
How are Singapore organisations affected
The EU GDPR will apply to a Singapore organisation that processes personal data of individuals in the EU in relation to the offer of goods or services to individuals in the EU, or the monitoring of the behaviour of individuals in the EU.
The use of a language or currency that is generally used in one or more EU member states, with the possibility of ordering goods or services in that language, are factors which may determine whether the organisation is offering goods or services to individuals in the EU.
Where the EU GDPR applies, the Singapore organisation may be required to appoint a representative in an EU member state. An EU representative is not required to be appointed where the processing by the organisation is only occasional and does not include processing of special categories of personal data on a large scale.
Responsibilities of organisations include:
· Putting in place appropriate measures to ensure that, by default, only personal data that is necessary for the specific purpose is processed.
· Assessing the impact of processing on the protection of personal data in certain circumstances.
· Designating a data protection officer in certain cases.
Data breach notification
In the case of a personal data breach, the EU GDPR requires the organisation to notify the supervisory authority without undue delay, but not later than 72 hours where feasible. The organisation must also notify the individual without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of the individual.
A data processor must also notify the organisation without undue delay after becoming aware of a breach.
Rights of individuals and basis of processing
Under the EU GDPR, organisations must provide individuals with a number of rights, including the right to the erasure of personal data concerning the individual in certain circumstances, the right to restriction of processing in certain situations and the right to data portability by receiving personal data concerning the individual or data which he has provided the organisation, in a structured, commonly used and machine-readable format, and the right to transmit that data to another organisation.
The factsheet also sets out the factors which determine when the processing of personal data is lawful under the EU GDPR. For instance, under the EU GDPR, processing of personal data is lawful if consent is given by the individual for the processing for one or more specific purposes, or if it is necessary for the performance of a contract, or it is necessary to protect vital interests of the individual or another natural person.
Administrative fines
Depending on the provision infringed upon, the following administrative fines may be imposed:
· Up to 10 million EUR or 2% of worldwide annual turnover of preceding financial year (whichever is higher); or
· Up to 20 million EUR or 4% of worldwide annual turnover of preceding financial year (whichever is higher).
Reference materials
The factsheet is available from the PDPC website, or by clicking here.