Due to technological advancements and a more connected world, companies are increasingly acquiring, handling, and trading personal data. This, in turn, requires laws to regulate data privacy and provide customers with protection.

The General Data Protection Regulation (GDPR) of Europe came into force in May 2018. It is often dubbed the gold standard of data protection laws, as it has some of the most stringent data privacy requirements and a wide scope (covering all EU member states).

Singapore’s Personal Data Protection Act (PDPA) is comparable to the GDPR but differs in scope, jurisdiction, and some of its mandates. It was enacted in 2012 and then extended in February 2021 to keep pace with changes in technology and business models. Furthermore, from October 2022 its maximum fines will be higher than the GDPR’s.

Comparing GDPR & Singapore PDPA

While GDPR and PDPA have some similarities, there are key differences you should be aware of.

1. Applicability, Jurisdiction & Enforcement

GDPR is enforced by the data protection authorities (DPAs) of the 27 EU member states. It applies to any organization or entity that processes the personal data of EU residents, even if the organization is based outside the EU. However, it does not apply to “purely personal or household activity” or to organizations with fewer than 250 employees.

Meanwhile, Singapore’s PDPA broadly extends to all private organizations that collect, use, or disclose the personal data of individuals, with the following exceptions:

  • Individuals acting in a personal or household capacity
  • Employees acting within the scope of their employment with an organization
  • Public agencies
  • Any other organization or class of personal data that may be prescribed

The Personal Data Protection Commission (PDPC) administers and enforces the PDPA. The Act has a narrower scope than the GDPR in that it excludes the public sector and any entity acting as an agent for a public agency.

2. Individual & Data Protection

The following data protection principles are outlined in Article 5 of the GDPR:

  • Storage Limitation: Personal data must be kept in a form that permits identification of individuals for no longer than necessary. Longer storage is allowed only for public interest purposes, provided adequate safeguards are in place.
  • Integrity and Confidentiality: Personal data must be processed securely, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Article 6 of the GDPR states that processing is lawful only if at least one of the following applies:

  • The data subject has given explicit consent
  • The processing is necessary to fulfill a contract with the data subject
  • The processing is necessary for the data controller to comply with a legal obligation
  • The processing is necessary to protect someone’s life
  • The controller is performing a task carried out in the public interest or in the exercise of official authority
  • The processing is necessary for the legitimate interests of the data controller or a third party, unless those interests are overridden by the data subject’s rights and freedoms, particularly where the data subject is a minor

The main data protection obligations set out in the PDPA are as follows:

  • Care of Personal Data: Any personal data collected by or on behalf of an organization must be accurate and complete if it is likely to be used to make a decision affecting the individual or to be disclosed to another organization.
  • Protection: Reasonable security arrangements must be in place to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal of personal data.
  • Retention Limitation: When personal data is no longer needed for the purpose it was collected for, or for legal or business purposes, organizations must delete or anonymize it.
  • Transfer Limitation: Personal data may not be transferred outside Singapore unless the recipient is bound by requirements comparable to those of the Act and provides a similar standard of protection.

Singapore also maintains a national Do Not Call Registry listing the numbers of individuals who do not wish to receive unsolicited marketing messages.

3. Individual Rights

Individual rights are one area where the two differ significantly.

  • Right to Erasure: Under the GDPR, individuals can request the deletion of their personal data free of charge if they withdraw their consent, there is no other legal basis for processing, or the data is no longer needed for its original purpose. The PDPA only requires that data be deleted once its original purpose has been fulfilled.
  • Right to Be Informed: Both laws require data controllers to notify individuals of the purposes for which their data is collected and processed. They must also provide contact details in case the individual has any concerns.
  • Right to Object: Both laws allow individuals to withdraw consent to the processing of their personal data at any time. The GDPR additionally grants data subjects the right to object to processing in specific circumstances; the PDPA does not.
  • Right of Access: The GDPR requires a response within 1 month, without “undue delay”. This period can be extended by 2 months, but the individual must be notified. The PDPA requires organizations to reply within 30 days or to specify a timeframe. Under both laws, access can be refused if the request is unfounded, disproportionate to the individual’s interest, or frivolous.
  • Right to Data Portability: Only the GDPR grants the right to receive data processed on the basis of consent or a contract in a structured, machine-readable format and to transmit it to another controller without hindrance.

The PDPA prohibits organizations from processing a person’s personal data unless that person has given, or is “deemed” to have given, consent. An organization may treat a person as having consented if they do not opt out within a specified period. Under the GDPR, consent must be explicitly given or affirmed through an unambiguous statement, whether oral or written.

5. Monetary Penalties & Civil Remediation

From October 1, 2022, companies that breach the PDPA may be fined up to SGD 1 million or 10% of their annual turnover in Singapore, whichever is higher. Anyone who suffers loss or damage as a result of a PDPA violation can also bring a civil action. However, such an action can be brought only after all appeals against the PDPC’s infringement decision have been exhausted.

GDPR penalties can reach €20 million or 4% of global annual turnover. The GDPR also allows individuals to claim compensation if an organization breaches their data protection rights. This covers both “material damage” (e.g., financial loss) and “non-material damage” (e.g., distress and suffering).

Are GDPR and PDPA Enough?

Both the GDPR and Singapore’s PDPA recognize the importance of protecting personal data. The GDPR is more stringent in certain respects, such as individuals’ rights and enforcement measures, and it has a much wider scope. However, the PDPA’s amended penalties may be harsher than those under the GDPR.

Although both laws were developed to protect individuals’ data, the differences between them mean that businesses may need to adapt to the specific requirements of each jurisdiction. Be sure to take the necessary precautions to keep your customers’ data safe and to stay in compliance with these privacy regulations.

About the Author: Marc Parrish

Marc Parrish, Founder and CEO of PieEye INC., is a seasoned marketing expert with a rich history in the industry. Holding an MBA from UCLA and a background in Mechanical Engineering from the University of Michigan, Marc's expertise spans interactive marketing to product marketing. Based in San Francisco, his insights into the digital transformation of the U.S. retail sector are deeply informed by his vast experience and passion for various social causes.
