{"id":142166,"date":"2026-05-18T11:16:17","date_gmt":"2026-05-18T11:16:17","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=142166"},"modified":"2026-05-18T11:16:17","modified_gmt":"2026-05-18T11:16:17","slug":"singapore-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/singapore-data-protection-cybersecurity\/","title":{"rendered":"Singapore: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-142166","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-singapore"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Drew &amp; Napier LLC<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/Drew-Napier.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Drew &amp; Napier LLC<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/Drew-Napier.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Singapore<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data protection, 
privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Personal Data Protection Act 2012 (2020 Revised Edition) (\u201c<strong>PDPA<\/strong>\u201d) is the principal data protection legislation in Singapore. The PDPA applies to all private sector organisations, whether or not (a) formed or recognised under the laws of Singapore, or (b) resident, or having an office or a place of business in Singapore.<\/p>\n<p>There are two main sets of provisions under the PDPA: Parts 3 to 6B of the PDPA set out obligations of organisations in respect of the collection, use, disclosure, access, correction, care, protection, retention, and cross-border transfer of personal data (collectively, \u201c<strong>Data Protection Provisions<\/strong>\u201d); while Parts 9 and 9A of the PDPA set out provisions pertaining to Singapore\u2019s national Do Not Call (\u201c<strong>DNC<\/strong>\u201d) Registry and the obligations of organisations in relation to sending marketing messages to Singapore telephone numbers (\u201c<strong>DNC Provisions<\/strong>\u201d).<\/p>\n<p>The PDPA and its subsidiary legislation, including the Personal Data Protection Regulations 2021 (\u201c<strong>PDP Regulations<\/strong>\u201d), are administered and enforced by the Personal Data Protection Commission (\u201c<strong>PDPC<\/strong>\u201d).<\/p>\n<p>Over the years, the PDPC has issued a number of advisory guidelines and guides which aim to provide greater clarity on the interpretation of the provisions of the PDPA.<\/p>\n<p>The Personal Data Protection (Amendment) Act 2020 was passed on 2 November 2020 (\u201c<strong>PDP Amendment Act<\/strong>\u201d). 
This introduced a number of changes to the PDPA, including an expansion of the concept of deemed consent (to include deemed consent by notification and deemed consent by contractual necessity), the introduction of new exceptions to consent (in particular, the legitimate interests exception and business improvement exception), the introduction of a mandatory data breach notification regime, an enhanced financial penalty regime, new offences for individuals, and provisions on data portability. Most of the changes under the PDP Amendment Act came into effect on 1 February 2021. On 1 October 2022, the PDP Amendment Act provisions relating to the enhanced financial penalty regime came into effect. The provisions relating to data portability will only come into force at a later date.<\/p>\n<p><u>Sectoral Laws<\/u><\/p>\n<p>The PDPA sets the baseline for data protection and operates concurrently with sector-specific laws and regulations, which impose additional data protection and cybersecurity requirements in relation to regulated entities.<\/p>\n<p>We set out some examples of sector-specific regulations below:<\/p>\n<p>a. the Healthcare Services Act 2020 (No. 3 of 2020) (\u201c<strong>HCSA<\/strong>\u201d), as well as the regulations and licensing conditions issued thereunder, address the confidentiality and retention of medical records;<\/p>\n<p>b. the Code of Practice for Competition in the Provision of Telecommunication Services 2012 (\u201c<strong>Telecom Competition Code<\/strong>\u201d, \u201c<strong>TCC<\/strong>\u201d) issued under the Telecommunications Act 1999 (2020 Revised Edition) governs the use of end-user service information by telecoms licensees; and<\/p>\n<p>c. 
the Banking Act 1970 (2020 Revised Edition) (\u201c<strong>Banking Act<\/strong>\u201d) contains a number of banking secrecy provisions which govern customer information obtained by banks.<\/p>\n<p>The above legislation is administered and enforced by the relevant sector regulators, namely, the Ministry of Health (\u201c<strong>MOH<\/strong>\u201d), the Info-communications Media Development Authority (\u201c<strong>IMDA<\/strong>\u201d), and the Monetary Authority of Singapore (\u201c<strong>MAS<\/strong>\u201d).<\/p>\n<p>Aside from the above sector-specific regulations, the Cybersecurity Act 2018 (No. 9 of 2018) (\u201c<strong>Cybersecurity Act<\/strong>\u201d) requires owners and operators of critical information infrastructure (\u201c<strong>CII<\/strong>\u201d) to comply with cybersecurity policies and standards, conduct audits and risk assessments, and implement incident reporting measures. The Cybersecurity Act also creates a framework for the licensing and regulation of certain types of cybersecurity services. The Chief Executive of the Cybersecurity Agency of Singapore (\u201c<strong>CSA<\/strong>\u201d) administers the Cybersecurity Act as the Commissioner of Cybersecurity.<\/p>\n<p>The Cybersecurity Act empowers the Commissioner of Cybersecurity to designate computer systems as CIIs if they are essential for the continuous delivery of services critical to national interests. The First Schedule to the Cybersecurity Act lists the essential services covered, spanning industries such as energy, information and communications, water, healthcare, banking and finance, emergency services, aviation, land and maritime transport, government services, and media. Sectors where CIIs are commonly designated include finance, healthcare, and government, where uninterrupted operations are vital.<\/p>\n<p>Under the Cybersecurity Act, the Commissioner may designate a computer or computer system as a CII if the Commissioner is satisfied that:<\/p>\n<p>a. 
the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and<\/p>\n<p>b. the computer or computer system is located wholly or partly in Singapore. (However, please see our response to Question 2 on the Cybersecurity Amendment Act.)<\/p>\n<p>CII owners are subject to a range of obligations, including the mandatory reporting of cybersecurity incidents (Section 14), regular cybersecurity audits and risk assessments (Section 15), and the provision of detailed information on the design, configuration, and security of their systems upon request (Section 10).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2026 - 2027 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>On 7 May 2024, the Cybersecurity (Amendment) Act 2024 (\u201cCybersecurity Amendment Act\u201d) was passed. Several key provisions of the Cybersecurity Amendment Act came into force on 31 October 2025.<\/p>\n<p>Pursuant to the Cybersecurity Amendment Act, existing provisions in the Cybersecurity Act would be updated to take into account new business models and changes in technology. In particular, the definitions of \u201ccomputer\u201d and \u201ccomputer system\u201d would be expanded to include \u201cvirtual computer\u201d and \u201cvirtual computer system\u201d respectively. 
Further, the Commissioner would be able to designate computers \/ computer systems located wholly outside Singapore as CIIs (if its owner is in Singapore, among other things).<\/p>\n<p>The Cybersecurity Amendment Act would also widen the CSA\u2019s oversight to cover the following new categories:<\/p>\n<p>(a) providers of essential services who do not own the CII used for the delivery of the essential services (i.e. providers of essential services who rely on third-party owned CII) (in effect as of 31 October 2025);<\/p>\n<p>(b) providers of major foundational digital infrastructure (\u201cFDI\u201d), namely cloud computing and data centre facility services (the covered services would be specified in the Third Schedule to the Cybersecurity Act), where the loss or impairment of their service would likely lead to disruption or deterioration of the operation of a large number of organisations (to come into effect at a later date to be notified);<\/p>\n<p>(c) owners of systems of temporary cybersecurity concern (\u201cSTCCs\u201d), which refers to systems that are at high risk of cyber-attacks for a time-limited period and would have a detrimental effect on Singapore\u2019s national interests if compromised (in effect as of 31 October 2025);<\/p>\n<p>(d) entities of special cybersecurity interest (\u201cESCI\u201d), where the disruption of a sensitive function that they perform, or the disclosure of sensitive information that they hold, will have a significant detrimental effect on Singapore\u2019s national interests (to come into effect at a later date to be notified).<\/p>\n<p>In the healthcare sector, the Health Information Bill was passed in Parliament on 12 January 2026 and the Health Information Act 2026 (\u201cHIA\u201d) is expected to come into effect in early 2027. The HIA establishes a dedicated framework governing the sharing, access and disclosure of health information in Singapore through the National Electronic Health Record (\u201cNEHR\u201d) system. 
The HIA restricts access to, and disclosure of, health information to authorised persons and for specified purposes only, and creates criminal offences for improper or unauthorised access, collection, or disclosure of health information (Sections 38 to 42 of the HIA). However, the HIA will not impede the sharing of NEHR information as required or permitted under other laws (e.g. where disclosure is required under the Criminal Procedure Code 2010 to facilitate criminal investigations by the Singapore Police Force).<\/p>\n<p>Separately, under the PDP Amendment Act, a new obligation concerning data portability has been introduced (\u201cData Portability Obligation\u201d). Although the relevant provisions (Part 6B of the PDPA) have already been passed, they will come into force at a later stage, once accompanying regulations are issued. These upcoming regulations are expected to specify key aspects such as the types of data covered by the data portability requirement, and the technical and procedural mechanisms for data transmission. At the time of writing, there is no indication as to when the accompanying regulations may be released.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As of April 2026, the PDPC has published a total of 268 grounds of decisions or summaries of grounds of decisions, with a significant majority of these cases relating to breaches of the Protection Obligation under Section 24 of the PDPA. 
Common types of breaches of the Protection Obligation include lack of data protection policies, poor password policies, poor vendor management, personal data inadvertently made publicly accessible, and lack of multi-factor authentication.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, there is currently no requirement for organisations to register with or obtain any licence from the PDPC. However, the PDPC does encourage organisations to inform the PDPC of their Data Protection Officer\u2019s (\u201cDPO\u201d) contact details as this will help DPOs keep abreast of any relevant personal data protection developments in Singapore.<\/p>\n<p>Sectoral laws and regulations apply to the relevant licensed or otherwise regulated organisations. Registration or licensing requirements and the exemptions available depend on the specific organisation.<\/p>\n<p>Under the Cybersecurity Act, cybersecurity service providers that provide managed security operations centre (\u201cSOC\u201d) monitoring services and penetration testing services must be licensed (under the Second Schedule to the Cybersecurity Act).<\/p>\n<p>The licensing requirements are set out in Section 26 of the Cybersecurity Act. Applications must be submitted to the licensing officer in the form and manner prescribed by the regulations. 
In practice, providers of licensable cybersecurity services must apply to the Cybersecurity Services Regulation Office (\u201cCSRO\u201d) for a licence and pay the applicable fee (S$2,500 for business entities and S$1,250 for individuals). Where applications are approved on or after 16 March 2026, this licence shall be valid for 5 years from the date of licence issuance. Additionally, the applicant must satisfy the \u201cfit and proper person\u201d criterion to be granted or to retain a licence. Under Section 26(8) of the Cybersecurity Act, the licensing officer may consider these factors when assessing this criterion:<\/p>\n<p>(a) In the case of an individual \u2014<\/p>\n<p>(i) that the individual has been convicted in Singapore or elsewhere of any offence involving fraud, dishonesty or moral turpitude;<\/p>\n<p>(ii) that the individual has had a judgment entered against the individual in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on the part of the individual;<\/p>\n<p>(iii) that the individual is or was suffering from a mental health condition (for example, psychotic disorder, psychosis, schizophrenia, schizoaffective disorder, delusional disorder, bipolar disorder, psychotic depression, or personality disorder, etc.);<\/p>\n<p>(iv) that the individual is an undischarged bankrupt or has entered into a composition with the creditors of the individual; or<\/p>\n<p>(v) that the individual has had a licence revoked by the licensing officer previously.<\/p>\n<p>(b) In the case of a business entity \u2014<\/p>\n<p>(i) that the business entity has been convicted in Singapore or elsewhere of any offence involving fraud, dishonesty or moral turpitude;<\/p>\n<p>(ii) that the business entity has had a judgment entered against the business entity in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on the part of the business entity;<\/p>\n<p>(iii) that any officer of the business 
entity is not a fit and proper person to be an officer of a business entity holding the licence;<\/p>\n<p>(iv) that the business entity is in liquidation or is the subject of a winding up order, or there is a receiver appointed in relation to the business entity, or the business entity has entered into a composition or scheme of arrangement with the creditors of the business entity; or<\/p>\n<p>(v) that the business entity has had a licence revoked by the licensing officer previously.<\/p>\n<p>Any person who provides any licensable cybersecurity service to other persons and fails to obtain a licence is guilty of an offence and shall be liable on conviction to a fine not exceeding S$50,000 or to imprisonment for a term not exceeding 2 years or to both.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, \u201cpersonal data\u201d is defined as data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which the organisation is likely to have access. 
This definition is broad and covers information relating to all identifiable individuals.<\/p>\n<p>However, organisations are not required to obtain consent before collecting, using or disclosing any business contact information, or to comply with any other obligation in the Data Protection Provisions in relation to business contact information, unless expressly stated in the PDPA. \u201cBusiness contact information\u201d is defined as \u201c<em>an individual\u2019s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes<\/em>\u201d.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction? Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not distinguish between specific categories of personal data, and the term \u201csensitive personal data\u201d is not defined within the PDPA. However, there is an element of \u201creasonableness\u201d embedded in various obligations. For example, Section 24 of the PDPA requires that organisations protect personal data \u201cby making reasonable security arrangements\u201d. 
In this regard, the PDPC has made clear that a higher standard of protection is required for more sensitive personal data, which includes insurance, medical and financial data (see <em>Re Aviva Ltd<\/em> [2017] SGPDPC 14).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>All organisations that collect, use or disclose personal data are required to comply with the Data Protection Provisions under the PDPA.<br \/>\nThe data protection obligations that are presently in force comprise the following:<\/p>\n<p>(a) Consent Obligation (Sections 13 to 17 of the PDPA): Subject to certain exceptions, an individual\u2019s consent is required before an organisation is allowed to collect, use or disclose his\/her personal data for a specific purpose.<\/p>\n<p>(b) Purpose Limitation Obligation (Section 18 of the PDPA): An organisation may only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances, and provide notification to the individual concerned.<\/p>\n<p>(c) Notification Obligation (Section 20 of the PDPA): An organisation is required to notify the individual of the purpose(s) for which it intends to collect, use or disclose his\/her personal data on or before such collection, use or disclosure.<\/p>\n<p>(d) Access and Correction Obligations (Sections 21 and 22 of the PDPA): Subject to certain exceptions 
as specified in the PDPA, an organisation must allow an individual to access and correct his\/her personal data in its possession or under its control upon request in accordance with the requirements in Part 2 of the PDP Regulations. In addition, it must provide the individual with information about the ways in which the personal data may have been used or disclosed during the past year.<\/p>\n<p>(e) Accuracy Obligation (Section 23 of the PDPA): An organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned, or disclose such personal data to another organisation.<\/p>\n<p>(f) Protection Obligation (Section 24 of the PDPA): An organisation will be required to protect personal data in its possession or under its control by making reasonable security arrangements to prevent (a) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, and (b) the loss of any storage medium or device on which personal data is stored.<\/p>\n<p>(g) Retention Limitation Obligation (Section 25 of the PDPA): An organisation is required to cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which it was collected, and is no longer necessary for legal or business purposes.<\/p>\n<p>(h) Transfer Limitation Obligation (Section 26 of the PDPA): An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA and Part 3 of the PDP Regulations to ensure that the overseas recipient provides a standard of protection to the transferred personal data that is comparable to that under the PDPA.<\/p>\n<p>(i) 
Accountability Obligation (Sections 11 and 12 of the PDPA): An organisation must develop and implement policies and practices that are necessary for it to meet its obligations under the PDPA, and to make information about such policies and practices publicly available.<\/p>\n<p>The organisation is also required to communicate to its staff information about its personal data protection policies and practices.<\/p>\n<p>The organisation is also required to designate one or more individuals (i.e., the DPO) to be responsible for ensuring that it complies with the PDPA.<\/p>\n<p>(j) Data Breach Notification Obligation (Sections 26A to 26E of the PDPA): An organisation must assess a data breach that affects personal data in its possession or under its control, and is required to notify the PDPC if the data breach results in, or is likely to result in, significant harm to individuals or if the data breach is of a significant scale. Further, if the data breach results in, or is likely to result in, significant harm, an organisation is required to notify the affected individuals (subject to certain exceptions).<\/p>\n<p>There is another data protection obligation that was introduced in the PDP Amendment Act, namely, the Data Portability Obligation. Under the Data Portability Obligation, an organisation, upon receiving a data porting request from an individual, must transmit the applicable data specified in the data porting request to the organisation specified in the request in accordance with any prescribed requirements relating to technical, user experience, and consumer protection matters, amongst others. 
As mentioned above, the Data Portability Obligation will only come into effect at a later date, which has yet to be announced.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Consent Obligation (Sections 13 to 17 of the PDPA) requires that an organisation obtain the consent (either express or deemed) from an individual before collecting, using, or disclosing his personal data for any purpose, unless an exception in the First or Second Schedules to the PDPA applies, or it is otherwise authorised under other written law. Therefore, in Singapore, consent is often relied on by organisations for processing personal data, especially of their consumers.<\/p>\n<p>Under the PDPA, organisations that are relying on consent to collect, use and disclose personal data are required to notify the individuals of the purposes for such collection, use and disclosure in accordance with the Notification Obligation (Section 20 of the PDPA).<\/p>\n<p>Furthermore, under the PDPA, consent would be invalid where:<\/p>\n<p>a. the organisation, as a condition of providing the product or service, requires the individual to consent to the collection, use or disclosure of his personal data beyond what is reasonable to provide the product or service; or<\/p>\n<p>b. 
the organisation obtains consent by providing false or misleading information or using misleading and deceptive practices.<\/p>\n<p>In this regard, the PDPA does not expressly prescribe any specific means by which the organisation is to obtain consent, or the specific manner or form in which an organisation is to inform an individual of the purposes.<\/p>\n<p>The Advisory Guidelines on Key Concepts in the PDPA (revised 16 May 2022) (\u201c<strong>Key Concept Guidelines<\/strong>\u201d) state that organisations should determine the best way of notifying individuals such that they are provided with sufficient information to understand the purposes for which their personal data will be collected, used or disclosed.<\/p>\n<p>While the PDPA does not set out rules specifically regarding the issue of obtaining consent through incorporation into a broader document such as a terms of use \/ service or obtaining consent for multiple matters, an organisation must ensure that it provides reasonable notice of its purposes. In particular, the PDPA contains a general obligation that an organisation must consider what a reasonable person would consider appropriate when complying with the other obligations in the PDPA such as the Notification and Consent Obligations.<\/p>\n<p>Consent should be in writing or recorded in a manner that is accessible for future reference (except where consent is deemed as described below). The PDPC recommends that organisations obtain consent from an individual through a positive action of the individual (i.e. \u201copt-in\u201d consent). 
In the event that an organisation intends to adopt the \u201copt-out\u201d approach in seeking consent, there may be a risk that the organisation may not have satisfied the Notification and Consent Obligations.<\/p>\n<p><u>Deemed Consent<\/u><\/p>\n<p>Sections 15 and 15A of the PDPA provide for three specific types of circumstances where consent may be deemed: (a) deemed consent by conduct; (b) deemed consent by contractual necessity; and (c) deemed consent by notification.<\/p>\n<p>a. Deemed consent by conduct<\/p>\n<p>Deemed consent by conduct is where the individual voluntarily provides their personal data to the organisation and it is reasonable for them to do so (Section 15(1) of the PDPA). However, the purposes of collection, use or disclosure are limited to those that are objectively obvious and reasonably appropriate from the surrounding circumstances. Consent is deemed to be given to the extent that the individual intended to provide his\/her personal data and took the action required for the data to be collected by the organisation (Key Concept Guidelines).<\/p>\n<p>b. Deemed consent by contractual necessity<\/p>\n<p>Where an individual provides his\/her personal data to one organisation A with a view to entering into a contract with A or in relation to a contract he\/she has entered into with A, deemed consent by contractual necessity covers the situation where it is reasonably necessary for A to disclose the personal data to another organisation B for the conclusion or performance of the contract between the individual and A respectively (Sections 15(3) and 15(6) of the PDPA). This extends to subsequent downstream disclosures by B to other organisations, where such disclosure and collection are reasonably necessary to fulfil the contract between the individual and A.<\/p>\n<p>c. 
Deemed consent by notification<\/p>\n<p>An individual may be deemed to have consented to the collection, use or disclosure of personal data for a purpose of which he\/she had been notified, where he\/she has not taken any action to opt out (Section 15A of the PDPA).<\/p>\n<p>An organisation must satisfy the following requirements in order to rely on deemed consent by notification:<\/p>\n<p>(a) conduct an assessment to determine that the proposed collection, use or disclosure of personal data is not likely to have an adverse effect on the individual;<\/p>\n<p>(b) take reasonable steps to ensure that the following information is brought to the individual\u2019s attention \u2013<\/p>\n<p>(i) the organisation\u2019s intention to collect, use or disclose the personal data;<\/p>\n<p>(ii) the purpose of such collection, use or disclosure; and<\/p>\n<p>(iii) a reasonable period within which, and a reasonable manner by which, an individual can opt out; and<\/p>\n<p>(c) retain a copy of the assessment during the period that the organisation is relying on this Section 15A and provide a reasonable opt-out period.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? 
Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><u>Sensitive Personal Data<\/u><\/p>\n<p>The PDPA does not expressly define \u201csensitive personal data\u201d, nor does it prescribe any special requirements for the processing of \u201csensitive personal data\u201d.<\/p>\n<p>Nonetheless, a number of the Data Protection Provisions adopt a standard of reasonableness, and thus, the sensitivity of the personal data in question could, in practice, affect the position which PDPC takes with respect to whether there is a contravention and the directions issued for such a contravention (for instance, the quantum of the financial penalty imposed).<\/p>\n<p>Specifically, in relation to the Protection Obligation (Section 24 of the PDPA), the PDPC has taken the position in several enforcement decisions that an organisation has to implement reasonable security arrangements that are commensurate with the sensitivity (and volume) of the data in question. Therefore, a higher standard of protection is required for personal data that is more sensitive in nature, such as financial or medical information, personal data of minors, and national identification numbers (see\u00a0<em>Re Aviva Ltd<\/em>\u00a0[2017] SGPDPC 14).<\/p>\n<p>We further highlight that the Personal Data Protection (Notification of Data Breaches) Regulations 2021 provide for certain prescribed categories or classes of personal data that would be deemed to cause significant harm to an individual in the event of a data breach.<\/p>\n<p><u>National Registration Identity Card (\u201c<strong>NRIC<\/strong>\u201d) and Other National Identification Numbers<\/u><\/p>\n<p>The PDPA also does not outright prohibit the collection of any type of personal data. 
However, the PDPC\u2019s Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers (issued 31 August 2018) (\u201c<strong>NRIC Guidelines<\/strong>\u201d) states that organisations are generally not allowed to collect, use or disclose NRIC numbers (or copies of NRIC), unless such collection, use or disclosure:<\/p>\n<p>a. is required under the law (or an exception under the PDPA applies); or<\/p>\n<p>b. is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity.<\/p>\n<p>Generally, the requirements in the NRIC Guidelines apply to other national identification numbers such as birth certificate numbers, Foreign Identification Numbers, work permit numbers, passport numbers.<\/p>\n<p>In February 2026, the PDPC announced that private organisations must cease the use of NRIC numbers for authentication purposes by 31 December 2026. Organisations that continue to use full or partial NRIC numbers as authentication credentials may be considered in breach of Section 24 of the PDPA for failing to implement reasonable security measures, with stricter enforcement expected from 1 January 2027.<\/p>\n<p>This position builds on a joint advisory issued in June 2025 by the PDPC and the CSA, which clarified that NRIC numbers should not be used for authentication. Organisations should not use NRIC numbers as default passwords, or pair full or partial NRIC numbers with other easily obtainable information (e.g. 
names or dates of birth). The Ministry of Health has also issued related guidelines for the healthcare sector, which set out scenarios where authentication (rather than identification) may be required and possible authentication methods.<\/p>\n<p>Specifically with regard to children\u2019s data, the PDPC issued its Advisory Guidelines on the PDPA for Children\u2019s Personal Data in the Digital Environment on 28 March 2024, which apply to organisations whose online products or services are likely to be accessed by children (i.e. individuals who are 18 years of age and below). The PDPC has also dealt with the topic of minors\u2019 (i.e. individuals below the age of 21) personal data in its Guidelines on the PDPA for Selected Topics (revised 23 May 2024) (\u201c<strong>Selected Topics Guidelines<\/strong>\u201d). These advisory guidelines set out the PDPC\u2019s interpretation of how the PDPA applies in the context of minors\u2019 personal data. See Question 10 below for further details on both advisory guidelines.<\/p>\n<p><u>Sectoral Laws<\/u><\/p>\n<p>As mentioned above, sector-specific laws also apply in conjunction with the PDPA. For example, information relating to customers of financial institutions would be governed by financial sector laws (e.g. Banking Act); and health \/ medical information may fall under the scope of healthcare sector laws (e.g. 
the Healthcare Services Act 2020, Health Products Act 2007 and the Medicines Act 1975).<\/p>\n<p>In the event of any inconsistency between the PDPA and the provisions of other legislation, such other legislation will prevail to the extent of the inconsistency.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restriction, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors?  If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The provisions in the PDPA do not provide for special requirements or restrictions concerning the processing of personal data from or about children or minors. However, the PDPC has released advisory guidelines that set out the PDPC\u2019s interpretation of how the Data Protection Provisions under PDPA apply to the processing of personal data in different contexts.<\/p>\n<p><u>Children\u2019s and Minors\u2019 Personal Data<\/u><\/p>\n<p>The PDPC has also published its Advisory Guidelines on the PDPA for Children\u2019s Personal Data in the Digital Environment, which apply to organisations whose online products or services are likely to be accessed by children (i.e. individuals who are 18 years of age and below) (e.g. social media services, technology-aided learning, online games and smart toys and devices). Children\u2019s personal data are generally regarded as sensitive personal data and must be afforded a higher standard of protection under the PDPA. 
Notably, the PDPC considers it unreasonable to use a child\u2019s personal data or profile to target harmful or inappropriate content at him or her.<\/p>\n<p>The advisory guidelines also state that children between 13 and 17 years of age may provide valid consent when the policies on the collection, use and disclosure of the child\u2019s personal data, as well as the withdrawal of consent, are readily understandable to them. This includes ensuring that the child understands the consequences of providing and withdrawing his consent. If an organisation has reason to believe that a child lacks sufficient understanding of the nature and consequences of giving consent, it should obtain consent from the child\u2019s parent or guardian.<\/p>\n<p>The abovementioned guidelines supplement the PDPC\u2019s Selected Topics Guidelines, which provide general guidance for data activities in relation to minors. With respect to consent, the Selected Topics Guidelines state that a minor who is at least 13 years old would typically have sufficient understanding to be able to consent on his own behalf for the purposes of the PDPA. However, if an organisation has reason to believe, or it can be shown, that a minor does not have sufficient understanding, the organisation should obtain consent from someone who can legally provide consent on the minor\u2019s behalf (e.g. parent or legal guardian). The Selected Topics Guidelines also encourage organisations to put in place additional security measures with respect to the collection, use and disclosure of personal data of minors. 
For example, organisations should take extra steps to verify the accuracy of personal data about a minor, especially where such inaccuracy may have severe consequences for the minor.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><u>General Exceptions under the PDPA<\/u><\/p>\n<p>Broadly, with respect to the application of the Data Protection Provisions, certain categories of \u201corganisations\u201d are excluded from the application of the PDPA, specifically:<\/p>\n<p>a. individuals acting in a personal or domestic capacity;<\/p>\n<p>b. employees acting in the course of their employment with an organisation;<\/p>\n<p>c. public agencies; and<\/p>\n<p>d. any other organisations or personal data, or classes of organisations or personal data, prescribed under the PDPA or its subsidiary legislation.<\/p>\n<p>The PDPA does not apply to, or applies in a limited extent to, certain types of personal data. For example, the Data Protection Provisions do not apply to business contact information; or to personal data that has been contained in a record that has been in existence for at least 100 years.<\/p>\n<p>In relation to personal data pertaining to deceased individuals, organisations will be subject to a limited scope of obligations, i.e. 
organisations need to comply only with the Protection Obligation (Section 24 of the PDPA) and the requirements relating to disclosure of personal data, and only for 10 years from the deceased\u2019s date of death.<\/p>\n<p><u>Exceptions to Specific Provisions<\/u><\/p>\n<p>There are also exceptions with respect to specific Data Protection Provisions. For instance, as stated above, an organisation does not need to obtain consent for the collection, use or disclosure of personal data if an exception under the First or Second Schedules to the PDPA applies.<\/p>\n<p>Some of these exceptions in the First or Second Schedules to the PDPA include where the collection, use or disclosure of personal data is necessary in the national interest; is necessary to respond to an emergency that threatens the life, health or safety of the individual; is publicly available; is necessary for evaluative purposes; is necessary for any investigation or proceedings; is reasonable for the purpose of managing or terminating an employment relationship, etc.<\/p>\n<p>In relation to the Access Obligation, an organisation is not required to provide an individual with his personal data or other information, in respect of the matters specified under the Fifth Schedule to the PDPA. There are also further exceptions under Section 21(3) of the PDPA.<\/p>\n<p>Similarly, in relation to the Correction Obligation, Section 22(7) of the PDPA provides that an organisation is not required to comply with the Correction Obligation in respect of the matters specified in the Sixth Schedule to the PDPA. 
In addition, Section 22(6) of the PDPA clarifies that an organisation is not required to correct or otherwise alter an opinion.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>If an organisation seeks to rely on deemed consent by notification under Section 15A of the PDPA, it must first conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual. This assessment must specify all of the following information:<\/p>\n<p>a. the types and volume of personal data to be collected, used or disclosed;<\/p>\n<p>b. the purpose or purposes for which the personal data will be collected, used or disclosed;<\/p>\n<p>c. the method or methods by which the personal data will be collected, used or disclosed;<\/p>\n<p>d. the mode by which the individual will be notified of the organisation\u2019s proposed collection, use or disclosure of the individual\u2019s personal data;<\/p>\n<p>e. the period within which, and the mode by which, the individual may notify the organisation that the individual does not consent to the organisation\u2019s proposed collection, use or disclosure of the individual\u2019s personal data;<\/p>\n<p>f. 
the rationale for the period and mode mentioned in sub\u2011paragraph (e).<\/p>\n<p>Likewise, if an organisation seeks to rely on the legitimate interests exception under Part 3 of the First Schedule to the PDPA, the organisation is required to conduct an assessment to determine whether the collection, use or disclosure of personal data about the individual is in the legitimate interests of the organisation or another person; and whether the legitimate interests of the organisation or other person outweigh any adverse effect on the individual. This assessment must:<\/p>\n<p>a. specify \u2014<\/p>\n<p>(i) the types and volume of personal data to be collected, used or disclosed;<\/p>\n<p>(ii) the purpose or purposes for which the personal data will be collected, used or disclosed; and<\/p>\n<p>(iii) the method or methods by which the personal data will be collected, used or disclosed;<\/p>\n<p>b. identify any residual adverse effect on any individual after implementing any reasonable measures to eliminate the adverse effect, reduce the likelihood that the adverse effect will occur, or mitigate the adverse effect;<\/p>\n<p>c. identify the legitimate interests that justify the collection, use or disclosure by the organisation of personal data about the individual;<\/p>\n<p>d. where the legitimate interests identified under sub\u2011paragraph (c) relate to a person other than the organisation, identify that other person by name or description; and<\/p>\n<p>e. 
set out the reasons for the organisation\u2019s conclusion that the legitimate interests identified under sub\u2011paragraph (c) outweigh any adverse effect on the individual.<\/p>\n<p>Additionally, to assist organisations in complying with the PDPA, the PDPC has issued its Guide to Data Protection Impact Assessments (published 14 September 2021) (\u201c<strong>DPIA Guide<\/strong>\u201d), which provides guidance to organisations when conducting a DPIA to identify, assess and address personal data protection risks based on the organisation\u2019s functions, needs and processes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><u>Children\u2019s and Minors\u2019 Personal Data<\/u><\/p>\n<p>As noted in response to Question 10, the PDPC has issued advisory guidelines setting out its interpretation of how the obligations under the PDPA apply to the processing of personal data in different contexts.<\/p>\n<p><u>Health Data<\/u><\/p>\n<p>Regarding the collection, use and disclosure of personal data by healthcare institutions, the PDPC has published its Advisory Guidelines for the Healthcare Sector (updated 20 September 2023) (\u201c<strong>Healthcare Guidelines<\/strong>\u201d). The Healthcare Guidelines address the application of some data protection provisions of the PDPA in various scenarios in the healthcare sector (e.g. how consent may apply in common healthcare scenarios, how exceptions to consent may apply, how to handle access and correction requests). 
For completeness, it ought to be noted that sectoral laws have specific requirements in relation to health data. In particular, the Healthcare Services Act 2020, the Healthcare Services (General) Regulations 2021, as well as the licensing conditions thereunder contain provisions which address the confidentiality and retention of medical records. The Human Biomedical Research Act 2015 also sets out specific requirements in respect of biomedical research and tissue banking activities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><u>Internal Processes or Written Documentation<\/u><\/p>\n<p>As part of the Accountability Obligation, Section 12 of the PDPA requires the development and implementation of policies and practices that are necessary for the organisation to comply with the PDPA. PDPC considers this to include internal data protection policies and processes. Generally, these policies and practices would need to be in writing (see\u00a0<em>Re Cricket Association and others<\/em>\u00a0[2018] SGPDPC 19).<\/p>\n<p>These \u201cinternal policies and processes\u201d are intended to ensure that all employees of the organisation are aware of the specific practices they must adhere to when handling personal data. 
They include, for example, the notifications to be given to individuals when their personal data is collected, how access and correction requests should be handled, how personal data must be kept and secured, how personal data must be disposed of when no longer required by the organisation and password policies.<\/p>\n<p>The specific internal policies and practices which may be required for a particular organisation would depend on factors such as the types and amount of personal data collected by the organisation.<\/p>\n<p><u>Internal Records of Data Processing Activities<\/u><\/p>\n<p>There is no express requirement under the PDPA for organisations to maintain internal records of their data processing activities.<\/p>\n<p>However, the PDPC has stated in its Guide to Developing a Data Protection Management Programme that known risks should be managed through a good understanding of the life cycle of personal data in your organisation, e.g., through data inventory maps or data flow diagrams. In this regard, the PDPC recommends that the data inventory also include information on the business purposes for collection, use and disclosure of personal data, how and where the data was collected, whether and how consent was obtained, the individuals and third parties who handle the personal data, as well as the classification of the data to manage user access. The data inventory should also deal with when and how the organisation should dispose of or anonymise the personal data for long-term archival.<\/p>\n<p>In <em>Eatigo International Pte. Ltd<\/em>. 
[2022] SGPDPC 9, the PDPC reiterated that for an organisation to effectively safeguard personal data, it must first know what its personal data assets are, and that the surest way to ensure such visibility is to maintain a comprehensive personal data asset inventory.<\/p>\n<p>Separately, where an organisation refuses to provide personal data pursuant to an individual\u2019s request for access under Section 21 of the PDPA, the organisation must preserve a complete and accurate copy of such data for the prescribed period, i.e., for a period of at least 30 calendar days after rejecting the access request to allow time for the individual to seek the PDPC\u2019s review and, if the individual submits an application for review to the PDPC, until the review by the PDPC is concluded and any right of the individual to apply for a reconsideration and appeal is exhausted (Section 22A of the PDPA, read with Regulation 8 of the PDP Regulations).<\/p>\n<p>Further, Section 50(4) of the PDPA imposes an obligation on organisations to retain records relating to an investigation, for one year or such longer period as directed, after completion of such investigation. In <em>Re NTUC Income Insurance Co-operative Ltd<\/em>\u00a0[2018] SGPDPC 10, the PDPC stated that all organisations have the duty to preserve evidence and that the PDPC does not look favourably on the destruction or deletion of potentially relevant documents and records. Depending on the circumstances, the PDPC may impose sanctions on the relevant organisation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? 
If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA requires that organisations cease to retain their documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and such retention is no longer necessary for any legal or business purposes (Section 25 of the PDPA).<\/p>\n<p>With respect to data retention periods, the duration of time whereby an organisation can retain personal data is assessed on a standard of reasonableness, having regard to the purposes for which the personal data was collected and retained, and legal or business purposes for which retention of the personal data is necessary. As such, legal or specific industry-standard requirements for retention may apply.<\/p>\n<p>The PDPC, in considering whether an organisation has ceased to retain personal data, will consider factors such as whether the organisation has any intention to use or access the personal data, how much effort and resources the organisation would need to expend in order to use or access the personal data again, whether any third parties have been given access to the personal data, and whether the organisation has made a reasonable attempt to destroy, dispose of or delete the personal data in a permanent and complete manner (Key Concept Guidelines).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button 
id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no requirement under the PDPC for organisations to consult the PDPC. However, where an organisation is required to notify affected individuals of a data breach, it should notify the affected individuals at the same time or after it notifies the PDPC. Further, the PDPC\u2019s\u00a0<a href=\"https:\/\/www.pdpc.gov.sg\/-\/media\/files\/pdpc\/pdf-files\/other-guides\/guide-on-managing-and-notifying-data-breaches-under-the-pdpa-15-mar-2021.pdf\">Guide on Managing and Notifying Data Breaches<\/a>\u00a0(revised 15 March 2021)\u00a0explains that \u201c<u>for data breaches which are likely to attract widespread public attention and\/or interest, or those which organisations require guidance on notifying the affected individuals, organisations are strongly encouraged to notify and seek advice from the PDPC first before notifying the affected individuals.<\/u>\u201d<\/p>\n<p>In particular, where a data breach involves information related to adoption matters or the identification of vulnerable individuals, organisations should first notify the PDPC for guidance on notifying affected individuals.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The appointment of a DPO is mandatory under the PDPA.<\/p>\n<p>Section 11(3) of the PDPA requires an organisation to designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA (i.e. a DPO).<\/p>\n<p>Some of the main responsibilities of a DPO include:<\/p>\n<p>a. ensuring compliance with the PDPA including developing and implementing policies and processes for handling personal data;<\/p>\n<p>b. fostering a data protection culture among employees and communicating personal data protection policies to stakeholders;<\/p>\n<p>c. managing personal data protection related queries and complaints;<\/p>\n<p>d. alerting management to any risks that might arise with regard to personal data; and<\/p>\n<p>e. liaising with the PDPC on data protection matters, if necessary.<\/p>\n<p>The business contact information of at least one such DPO must be made available to the public, such that the DPO is able to answer questions relating to the collection, use or disclosure of personal data on behalf of the organisation. Under the PDP Regulations, this requirement is satisfied if the organisation makes available their DPO\u2019s contact information in any of the following manners:<\/p>\n<p>a. where the organisation is registered under an applicable Act \u2013 in a record relating to the organisation that is made available on the Internet website of the Accounting and Corporate Regulatory Authority at <a href=\"https:\/\/www.bizfile.gov.sg\">https:\/\/www.bizfile.gov.sg<\/a> (at the time of writing, this is unavailable); or<\/p>\n<p>b. 
in a readily accessible part of the organisation\u2019s official website.<\/p>\n<p>However, since 1 December 2024, DPO registration on the Accounting and Corporate Regulatory Authority\u2019s (\u201c<strong>ACRA<\/strong>\u201d) BizFile+ has been unavailable until further notice. Organisations seeking to register a new DPO or update DPO information can do so through an online form available on the Personal Data Protection Commission (PDPC) website at\u00a0<a href=\"https:\/\/www.pdpc.gov.sg\/dpo\">pdpc.gov.sg\/dpo<\/a>.<\/p>\n<p>As best practice, the business contact information of the DPO should be readily accessible from Singapore, operational during Singapore business hours and in the case of telephone numbers, be Singapore telephone numbers. This would facilitate the organisation\u2019s ability to respond promptly to any complaint or query on its data protection policies and practices.<\/p>\n<p>To be clear, the legal responsibility for complying with the PDPA remains with the organisation and is not transferred to such designated individual(s).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Section 12(c) of the PDPA requires organisations to communicate information to their staff about the policies and practices that are necessary for the organisation to meet its obligations under the PDPA. 
Such communication could be incorporated into organisations\u2019 employee training programmes.<\/p>\n<p>Employee training is also an example of an administrative measure which an organisation should implement to fulfil its obligation to make reasonable security arrangements in accordance with the Protection Obligation (Section 24 of the PDPA; Key Concepts Guidelines).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>An organisation is required to develop and implement policies and procedures that are necessary for the organisation to meet its obligations under the PDPA, and a process to receive and respond to complaints, and to make information relating to the foregoing available on request (Section 12 of the PDPA).<\/p>\n<p>A data protection notice is the most common way to make available information about the organisation\u2019s policies and procedures.<\/p>\n<p>In practice, a data protection notice would usually contain the following information:<\/p>\n<p>(a) the type of personal data the organisation collects, uses and discloses;<\/p>\n<p>(b) the purposes for which the organisation collects, uses and discloses personal data;<\/p>\n<p>(c) details on how the organisation processes personal data (including transfers to third parties or data intermediaries (if any));<\/p>\n<p>(d) details on how the organisation will keep the personal data accurate and up-to-date;<\/p>\n<p>(e) the duration of time for which the organisation will keep the personal 
data;<\/p>\n<p>(f) procedures for individuals to make access and correction requests;<\/p>\n<p>(g) procedures for individuals to withdraw their consent;<\/p>\n<p>(h) details regarding the transfer of personal data to an entity located in another country and the safeguards taken to protect the transferred personal data; and<\/p>\n<p>(i) business contact information of the DPO and any complaint\/feedback channels.<\/p>\n<p>Additionally, under the Notification Obligation (Section 20 of the PDPA), organisations are required to inform individuals of the purposes for the collection, use or disclosure of personal data, prior to such collection, use or disclosure of such personal data. Generally, organisations must also notify individuals of the purposes for which they collect, use and disclose personal data through their data protection notices.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no definition of \u201cdata controller\u201d or \u201cdata processor\u201d under the PDPA. However, an equivalent concept is that of the \u201corganisation\u201d and \u201cdata intermediary\u201d.<\/p>\n<p>An \u201corganisation\u201d is subject to all the Data Protection Provisions under the PDPA. 
Where an organisation engages a data intermediary to process personal data on its behalf, Section 4(3) provides that the organisation remains responsible for such processing as if it had carried it out itself.<\/p>\n<p>A \u201cdata intermediary\u201d is an entity that processes personal data on behalf of and for the purposes of an organisation. Where such processing is carried out pursuant to a contract evidenced or made in writing, the data intermediary is subject only to limited obligations pursuant to Section 4(2) of the PDPA, namely, the Protection Obligation (Section 24 of the PDPA), the Retention Limitation Obligation (Section 25 of the PDPA), and the Data Breach Notification Obligation (Sections 26C(3) and 26E of the PDPA).<\/p>\n<p>In this regard, the PDPC\u2019s Guide to Managing Data Intermediaries states that the primary means by which an organisation may ensure appropriate protection of the personal data processed by its data intermediary is through a contract, and that it would be a breach of the PDPA if there is no contractual agreement or document setting out the key obligations and responsibilities of the data intermediary.<\/p>\n<p>The PDPC\u2019s Key Concepts Guidelines additionally state that it is important that an organisation is clear as to its rights and obligations when dealing with its vendor and, where appropriate, should include provisions in its written contracts that clearly set out each party\u2019s responsibilities and liabilities in relation to the personal data in question, including whether one party is to process personal data on behalf of and for the purposes of the other organisation. Without such clarity, the risk arising from any omission will likely fall on the organisation. 
If there is no contract evidenced or made in writing with the organisation, the data intermediary may also be held directly responsible for compliance with the Data Protection Provisions in respect of the personal data that it processes on behalf of the organisation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><u>Monitoring and Profiling<\/u><\/p>\n<p>The PDPA does not place any direct restrictions on monitoring or profiling <em>per se<\/em> (including through the use of tracking technologies such as cookies). Nonetheless, the PDPC has provided guidance on the use of cookies.<\/p>\n<p>According to the Selected Topic Guidelines, if the data collected from monitoring or profiling activities constitutes personal data, the organisation would be required to comply with the obligations under the PDPA, such as the Consent Obligation (Sections 13 to 17 of the PDPA).<\/p>\n<p>In addition, the Purpose Limitation Obligation (Section 18 of the PDPA) limits any collection, use or disclosure of personal data about an individual to purposes that, <em>inter alia<\/em>, a reasonable person would consider appropriate in the circumstances. 
Therefore, where an organisation collects personal data through monitoring or profiling activities, it must ensure that the purposes for which that personal data is collected, used and\/or disclosed are ones that a reasonable person would consider appropriate in the circumstances.<\/p>\n<p>Ultimately, whether the PDPA applies to a given cookie depends on whether that cookie involves the processing of personal data. The PDPA will not apply if the cookie does not store or collect personal data. For example, if a session cookie only collects and stores technical data needed for video playback on a website, consent would not be needed.<\/p>\n<p><u>Automated Decision-making<\/u><\/p>\n<p>The PDPA does not provide individuals with a right not to be subject to a decision based solely on automated decision-making.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not define or use the terms \u201ccookies\u201d, \u201cpixels\u201d, \u201conline tracking\u201d and \u201ctargeted advertising\u201d.<\/p>\n<p>As discussed in Question 21, to the extent cookies or similar tracking technologies involve the collection of personal data, organisations must comply with the applicable obligations under the PDPA. 
For further discussion on cookies, please refer to our response to Question 21 above.<\/p>\n<p>Insofar as targeted and behavioural advertising involves the collection or use of personal data, the individual\u2019s consent under the PDPA should be obtained. The PDPC also recommends that organisations provide individuals with the ability to set their cookie preferences within the website, so as to enable or disable the use of such cookies for personalised advertisement targeting.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate  the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The sale and purchase of personal data are activities that fall within the scope of the PDPA: for the purposes of the PDPA, the sale of personal data constitutes disclosure, and the purchase of personal data constitutes collection. As such, organisations engaging in the sale of personal data have a duty to comply with the data protection obligations under the PDPA, specifically the Consent and Notification Obligations (see <em>Re Amicus Solutions Pte. Ltd.<\/em> [2019] SGPDPC 33). 
Individuals whose personal data is sold must be notified of, and consent to, the sale of their personal data before such data is collected, used or disclosed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. In Singapore, marketing and electronic communications are specifically regulated under (a) the Data Protection Provisions of the PDPA, (b) the DNC Provisions of the PDPA, and (c) the Spam Control Act 2007 (2020 Revised Edition) (\u201c<strong>Spam Control Act<\/strong>\u201d).<\/p>\n<p>Under the PDPA, organisations must comply with the Data Protection Provisions when using personal data for marketing purposes. In particular, organisations are required to obtain the individual\u2019s consent before collecting, using or disclosing personal data for direct marketing. Under the Key Concepts Guidelines, such consent should generally be obtained on an opt-in basis (for example, by requiring an individual to check an unchecked box). The use of opt-out mechanisms (such as pre-ticked boxes) is not considered appropriate for obtaining consent for direct marketing.<\/p>\n<p>In addition, the DNC Provisions under the PDPA regulate, inter alia, marketing messages and calls (i.e. \u201cspecified messages\u201d as defined under Section 37 of the PDPA) to Singapore telephone numbers. 
Under the DNC Provisions, no person shall send a specified message addressed to a Singapore telephone number unless the sender:<\/p>\n<p>a. prior to the sending of the specified message, has done one of the following:<\/p>\n<p>(i) checked the relevant DNC register to confirm that the telephone number is not listed;<\/p>\n<p>(ii) obtained from a checker information that the telephone number is not listed in the relevant DNC register (i.e., the \u201crelevant information\u201d), and has no reason to believe that, and is not reckless as to whether \u2014<\/p>\n<p>i. the prescribed period in relation to the relevant information has expired; or<\/p>\n<p>ii. the relevant information is false or inaccurate; or<\/p>\n<p>(iii) obtained, in evidential form, clear and unambiguous consent to the sending of the specified message to that number;<\/p>\n<p>b. includes in the message information identifying the sender and details on how the sender can be readily contacted, which must be reasonably likely to remain valid for at least 30 days after the message is sent; and<\/p>\n<p>c. 
for voice calls, does not conceal or withhold the calling line identity from the recipient.<\/p>\n<p>The DNC Provisions also provide that no person shall send, cause to be sent, or authorise the sending of, messages to Singapore telephone numbers generated or obtained through the use of (a) a dictionary attack; or (b) address-harvesting software.<\/p>\n<p>Separately, the Spam Control Act provides for the control of spam, i.e., unsolicited commercial communications sent in bulk by electronic mail or by text or multi-media messaging to mobile telephone numbers or instant messaging accounts.<\/p>\n<p>Section 2 of the Spam Control Act defines an \u201celectronic address\u201d as an email address, an instant messaging account or a mobile telephone number to which an electronic message can be sent, and an \u201celectronic message\u201d as a message sent to an electronic address, whether or not the electronic address exists or the message reaches its intended destination. However, an \u201celectronic message\u201d does not include a voice call made using a telephone service.<\/p>\n<p>Under the Spam Control Act, no person shall send, cause to be sent, or authorise the sending of, an electronic message to electronic addresses generated or obtained through the use of (a) a dictionary attack; or (b) address-harvesting software. Additionally, any person sending unsolicited commercial electronic messages in bulk must comply with the requirements in the Second Schedule of the Spam Control Act, including:<\/p>\n<p>a. information on the sender;<\/p>\n<p>b. a clear and conspicuous statement in English setting out the procedure to submit an unsubscribe request;<\/p>\n<p>c. a title in its subject field that is reflective of the message\u2019s content;<\/p>\n<p>d. 
the label \u201c&lt;ADV&gt;\u201d followed by a space, placed before the title in the subject field or, where there is no title, before the first word of the message;<\/p>\n<p>e. header information that is not false or misleading; and<\/p>\n<p>f. an accurate and functional email address or telephone number by which the sender is readily contactable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition. If so, how are the relevant terms defined?  Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements) ?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not specifically regulate the processing of biometric data, such as through facial recognition technology. However, the PDPC in its Guide on the Responsible Use of Biometric Data in Security Applications (\u201c<strong>Biometrics Guide<\/strong>\u201d) defines \u201cbiometric data\u201d as biometric samples (i.e. data relating to the physiological, biological or behavioural characteristics of an individual) or biometric templates created through technical processing of biometric samples. Biometric data, when associated with other information about an individual, will form part of the personal data of that individual.<\/p>\n<p>Where that is the case, the organisation employing the biometrics solution would be subject to the data protection obligations under the PDPA, such as the Consent Obligation. The PDPC issued the Biometrics Guide to help organisations (e.g. 
Management Corporations Strata Title, building or premises owners and security services companies) to use security cameras and biometric recognition systems responsibly and to safeguard individuals\u2019 biometric data where it is collected, used or disclosed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d).  If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Not specifically. While there are no data protection laws in Singapore that are specifically dedicated to AI or machine learning, the PDPA governs any processing of personal data, including in the development and deployment of AI systems. The PDPA applies broadly to all private organisations that collect, use and disclose personal data, and does not contain AI-specific obligations.<\/p>\n<p>On 21 January 2020, the IMDA and the PDPC published the voluntary Model Artificial Intelligence Governance Framework (Second Edition) (\u201c<strong>Model Framework<\/strong>\u201d). The Model Framework states that decisions made by AI should be explainable, transparent and fair, and that AI solutions should be human-centric.<\/p>\n<p>In relation to personal data, on 1 March 2024 the PDPC published its Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems (\u201c<strong>AI Guidelines<\/strong>\u201d). 
The AI Guidelines provide guidance on how the PDPA applies when organisations use personal data to develop and train AI systems and on the information that the PDPC expects to be provided to consumers, and also set out best practices for service providers (e.g. systems integrators) who support organisations implementing bespoke or fully customisable AI systems.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction?  In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Singapore does not impose data localisation requirements under the PDPA. There is no specific legislation that expressly requires personal data to be stored locally, nor are there prohibitions on personal data being transferred to or stored in particular jurisdictions.<\/p>\n<p>However, transfers of personal data out of Singapore must comply with the Transfer Limitation Obligation under Section 26 of the PDPA (see Question 28 below).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? 
If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The transfer of personal data outside of Singapore is subject to organisations meeting the requirements under the Transfer Limitation Obligation (Section 26 of the PDPA).<\/p>\n<p>The Transfer Limitation Obligation under the PDPA requires organisations transferring personal data abroad to do so only in accordance with the requirements prescribed under the PDPA and the PDP Regulations, to ensure that the recipients of the personal data provide a standard of protection to the transferred personal data that is comparable to the PDPA.<\/p>\n<p>Under Part 3 of the PDP Regulations, the transferring organisation must, prior to the transfer of personal data outside of Singapore, take appropriate steps to ascertain whether, and ensure that, the recipient of the personal data in that country or territory outside Singapore is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection afforded under the PDPA.<\/p>\n<p>In Part 3 of the PDP Regulations, legally enforceable obligations include obligations imposed on a data recipient under:<\/p>\n<p>a. any law;<\/p>\n<p>b. any contract which (i) requires the recipient to provide a standard of protection to the transferred personal data that is at least comparable to the PDPA, and (ii) specifies the countries and territories to which the personal data may be transferred under the contract; and<\/p>\n<p>c. 
any binding corporate rules, which (i) may only be used for recipients that are related to the transferring organisation, (ii) must require every recipient of the transferred personal data that is related to the transferring organisation and does not already have another legally enforceable obligation to provide a standard of protection for the personal data transferred to it that is at least comparable to the protection under the PDPA, and (iii) must specify the recipients of the transferred personal data to which the binding corporate rules apply, the countries and territories to which the personal data may be transferred under the binding corporate rules, and the rights and obligations provided by the binding corporate rules.<\/p>\n<p>Under the PDP Regulations, a recipient of personal data is related to the transferring organisation if (a) the recipient, directly or indirectly, controls the transferring organisation; (b) the recipient is, directly or indirectly, controlled by the transferring organisation; or (c) the recipient and the transferring organisation are, directly or indirectly, under the control of a common person.<\/p>\n<p>Alternatively, the requirements of the Transfer Limitation Obligation (Section 26 of the PDPA) are taken to be satisfied in respect of a recipient if (a) it receives the personal data as an organisation and holds a valid Asia Pacific Economic Cooperation Cross Border Privacy Rules (\u201c<strong>APEC CBPR<\/strong>\u201d) certification; or (b) it receives the personal data as a data intermediary and holds a valid APEC CBPR certification, a valid Asia Pacific Economic Cooperation Privacy Recognition for Processors (\u201c<strong>APEC PRP<\/strong>\u201d) certification, or both. 
The Transfer Limitation Obligation may also be taken to be satisfied in other prescribed circumstances.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Protection Obligation under Section 24 of the PDPA requires each organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent (a) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (b) the loss of any storage medium or device on which personal data is stored.<\/p>\n<p>No specific security arrangements are prescribed, given that there is no one-size-fits-all solution. 
To this end, the PDPC has recommended, in its Key Concepts Guidelines, that each organisation should:<\/p>\n<p>(a) design and organise its security arrangements to fit the nature of the personal data held by the organisation, taking into account the possible harm that might result from a security breach;<\/p>\n<p>(b) identify reliable and well-trained personnel responsible for ensuring information security;<\/p>\n<p>(c) implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity; and<\/p>\n<p>(d) be prepared and able to respond to information security breaches promptly and effectively.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not prescribe additional security obligations for specific categories of personal data. However, as noted in our response to Question 9, under the Protection Obligation (Section 24 of the PDPA), an organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored. These \u201creasonable security arrangements\u201d must be commensurate with the sensitivity and volume of the personal data in question. 
Accordingly, a higher standard of protection is expected for more sensitive data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, there is a mandatory data breach notification regime under Part 6A of the PDPA. Under the Data Breach Notification Obligation (Sections 26A to 26E of the PDPA), in the event of a data breach, an organisation is required to assess whether the data breach is a notifiable data breach, i.e., whether the data breach (a) results in, or is likely to result in, significant harm to an affected individual; or (b) is, or is likely to be, of a significant scale. If so, the organisation must notify the PDPC within 3 calendar days after making that assessment, and must also notify affected individuals in any manner that is reasonable in the circumstances, unless an exception applies. 
See Question 31 below.<\/p>\n<p>A \u201cdata breach\u201d in relation to personal data is defined in the PDPA as (a) the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or (b) the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.<\/p>\n<p>Under the Data Breach Notification Obligation, an organisation must assess a data breach, in a reasonable and expeditious manner, to determine whether it is a \u201cnotifiable data breach\u201d (Section 26C of the PDPA).<\/p>\n<p>A notifiable data breach is defined as a data breach that (a) results in, or is likely to result in, significant harm to any individual to whom any personal data affected by the data breach relates; or (b) is, or is likely to be, of a significant scale (i.e. affecting 500 or more individuals).<\/p>\n<p>Upon assessing that the data breach is a \u201cnotifiable data breach\u201d, the organisation must notify the PDPC as soon as practicable, but no later than 3 calendar days, after it makes the assessment (Section 26D of the PDPA). This notification must contain all relevant information about the data breach, to the best of the organisation\u2019s knowledge and belief.<\/p>\n<p>According to the Personal Data Protection (Notification of Data Breaches) Regulations 2021, a data breach is deemed to result in significant harm to an individual if the data breach relates to:<\/p>\n<p>a. the individual\u2019s full name or alias or identification number, and any of the personal data or classes of personal data relating to the individual set out in Part 1 of the Schedule, subject to Part 2 of the Schedule; or<\/p>\n<p>b. 
all of the following personal data relating to an individual\u2019s account with an organisation:<\/p>\n<p>(i) the individual\u2019s account identifier, such as an account name or number; and<\/p>\n<p>(ii) any password, security code, access code, response to a security question, biometric data or other data that is used or required to allow access to or use of the individual\u2019s account.<\/p>\n<p>The categories under Part 1 of the Schedule to the Personal Data Protection (Notification of Data Breaches) Regulations 2021 broadly include personal data in the following categories (non-exhaustive list):<\/p>\n<p>a. financial information which is not publicly disclosed;<\/p>\n<p>b. personal data which would lead to the identification of vulnerable individuals (e.g., leading to the identification of a minor who has been arrested for an offence);<\/p>\n<p>c. life, accident and health insurance information which is not publicly disclosed;<\/p>\n<p>d. specified medical information, including the assessment and diagnosis of HIV infections;<\/p>\n<p>e. information related to adoption matters; or<\/p>\n<p>f. a private key used to authenticate or digitally sign an electronic record or transaction.<\/p>\n<p>Upon notifying the PDPC, the organisation must also notify each individual affected by the data breach in a reasonable manner, unless an exception applies. An organisation does not need to notify affected individuals in two circumstances:<\/p>\n<p>a. if, on or after assessing that the data breach is a \u201cnotifiable data breach\u201d, the organisation takes any action that renders it unlikely that the data breach will result in significant harm to the affected individual; or<\/p>\n<p>b. 
if the organisation had implemented, prior to the occurrence of the data breach, any technological measure that renders it unlikely that the data breach will result in significant harm to the affected individual.<\/p>\n<p>One notable exception to the duty to notify is where a data breach takes place within an organisation. A data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data only within an organisation is deemed not to be a notifiable data breach (Section 26B(4) of the PDPA).<\/p>\n<p>When a data intermediary has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation, the data intermediary is required to, without undue delay, notify the other organisation of the occurrence of the data breach. As a good practice, organisations should establish clear procedures for complying with the Data Breach Notification Obligation when entering into contractual arrangements with their data intermediaries.<\/p>\n<p>Apart from the requirements under the PDPA, organisations may also be subject to reporting requirements under sectoral laws and regulations, and would need to report data breaches or other cybersecurity incidents fulfilling certain threshold requirements to regulatory authorities such as CSA or MAS.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA imposes obligations on organisations to safeguard the personal data of individuals. Some \u201crights\u201d that individuals have include the right to withdraw consent, the right to request access to their personal data, and the right to request a correction to their personal data.<\/p>\n<p><u>Withdrawal of consent<\/u>: Individuals are allowed to withdraw consent upon giving reasonable notice, and the organisation is required to cease collecting, using or disclosing the personal data, subject to certain exceptions (Section 16 of the PDPA).<\/p>\n<p><u>Access and correction requests<\/u>: Pursuant to the Access and Correction Obligations (Sections 21 and 22 of the PDPA), individuals may request an organisation for access to their personal data, or to correct an error or omission in their personal data, subject to certain exceptions. The individual may also make an application to the PDPC for a review of an organisation\u2019s refusal to provide access to their personal data.<\/p>\n<p>To be clear, an individual\u2019s right to make an access or correction request is not an unfettered one. The Access Obligation is subject to exceptions in Section 21 and the Fifth Schedule, while the Correction Obligation is subject to the exceptions in Section 22 and the Sixth Schedule. 
For example, one exception to providing an individual with access to his personal data is where the personal data, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation (Paragraph 1(g) of the Fifth Schedule).<\/p>\n<p>While there is no right to deletion of personal data, organisations are subject to the Retention Limitation Obligation (Section 25 of the PDPA).<\/p>\n<p>Apart from the PDPA, there exists a framework of common law and statutory torts that collectively protect an individual\u2019s privacy, and individuals may be able to pursue their claims for invasions into their privacy under these torts.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action applies and\/or a class action may be brought, and whether types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, the PDPA provides for a right of private action for individuals. 
Under Section 48O of the PDPA, any person who suffers loss or damage directly as a result of a contravention of any provision in Parts 4, 5, 6, 6A or 6B (Part 6B \u2013 which relates to data portability \u2013 is not yet in force) by an organisation shall have a right of action for relief in civil proceedings in a court, and the court may grant to the applicant relief by way of (a) injunction or declaration; (b) damages; and\/or (c) such other relief as the court thinks fit. However, if the PDPC has made a decision under the PDPA in respect of a contravention, a private action cannot be brought in respect of that contravention until the PDPC\u2019s decision has become final as a result of there being no further right of appeal.<\/p>\n<p>Singapore does not have a formal class action regime akin to that in jurisdictions such as the United States or Australia. However, Order 4 Rule 6(1) of the Rules of Court 2021 permits representative proceedings where \u201cnumerous persons\u201d have a \u201ccommon interest\u201d in the proceedings. In such cases, one or more persons may commence proceedings on behalf of others with a common interest, and any judgment will be binding on those represented.<\/p>\n<p>In practice, representative actions are uncommon in Singapore. The courts adopt a strict approach to the \u201ccommon interest\u201d requirement and will also consider whether the circumstances justify proceeding on a representative basis.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? 
Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, individuals may be entitled to, amongst others, monetary damages or compensation if they are affected by a breach of the PDPA. A civil proceeding brought under Section 48O of the PDPA requires the claimant to show that he has suffered loss or damage directly as a result of a contravention of any provision in Parts 4, 5, 6, 6A or 6B of the PDPA.<\/p>\n<p>In the Court of Appeal decision of <em>Reed, Michael v Bellingham, Alex (Attorney-General, intervener)<\/em> [2022] SGCA 60, it was held that \u201closs or damage\u201d for an actionable claim under the previous Section 32 (now Section 48O) of the PDPA includes emotional distress, but does not include loss of control over personal data. However, in this specific case, the Court of Appeal upheld the District Judge\u2019s grant of an injunction and undertaking order, while noting that monetary damages would have been inadequate in light of the risk of further misuse of the personal data and the concomitant need to prevent additional emotional distress.<\/p>\n<p>In the more recent decision of <em>Piper, Martin v Singapore Kindness Movement<\/em> [2025] SGHC 173, the Court held that a &#8220;strict causal link&#8221; is required to establish actionable loss. Specifically, any &#8220;loss or damage&#8221;, including emotional distress, must have been suffered &#8220;directly as a result of&#8221; a PDPA contravention. On the facts, the Court found that the defendant, Singapore Kindness Movement, was not the direct cause of the alleged emotional distress of the appellant, Mr Piper. 
Instead, the subsequent conduct of a third party, Ms Loi, constituted an intervening act that broke the chain of causation, as she filed a Protection from Harassment Act claim and publicised it. Mr Piper&#8217;s claim for emotional distress therefore failed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPC is in charge of enforcing the PDPA. In its Guide to Active Enforcement (revised on 1 October 2022), the PDPC sets out the approach it takes in enforcing the provisions under the PDPA.<\/p>\n<p>When considering whether to take enforcement action, the PDPC is guided by three key objectives:<\/p>\n<p>(a) to respond effectively to breaches of the PDPA, where the focus is on those that adversely affect large groups of individuals and where the data involved are likely to cause harm or loss to the affected individuals;<\/p>\n<p>(b) to be proportionate and consistent in the application of enforcement action on organisations that are found in breach of the PDPA, where penalties imposed serve as an effective deterrent to those that risk non-compliance with the PDPA; and<\/p>\n<p>(c) to ensure that organisations that are found in breach take proper steps to correct gaps in the protection of personal data.<\/p>\n<p>When a potential personal data incident is surfaced to the PDPC (via complaint, self-notification or otherwise), the PDPC will first consider whether it should open an investigation into the matter. 
The Commissioner may not conduct an investigation into the matter if he is of the view that:<\/p>\n<p>(a) the case is better referred to facilitation and\/or mediation for resolution;<\/p>\n<p>(b) there does not appear to be a breach of the data protection obligations on the facts of the case; or<\/p>\n<p>(c) the organisation allegedly in breach is regulated by a sectoral regulator, and the matter would be best handled by the other regulator.<\/p>\n<p>If the PDPC is of the view, however, that an investigation should be conducted, the PDPC will officially open a detailed investigation into the matter, and the investigation process will include the PDPC:<\/p>\n<p>(a) issuing notices to produce documents and information to the relevant organisations;<\/p>\n<p>(b) conducting interviews and taking statements from the relevant organisations and individuals; and<\/p>\n<p>(c) potentially conducting site visits to glean a full view of the facts.<\/p>\n<p>The organisation allegedly in breach will also be given the opportunity to make representations to the PDPC.<\/p>\n<p>After having considered the facts of the case as well as the representations made, the PDPC will then issue its decision on whether the organisation has breached any of the data protection obligations under the PDPA, as well as directions (if appropriate), which may include a financial penalty of up to a maximum of 10% of the organisation\u2019s annual turnover in Singapore, or S$1 million, whichever is higher.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction? 
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to Section 48J(6) of the PDPA, the PDPC must have regard to, and give such weight as it considers appropriate to, all the following factors:<\/p>\n<p>(a) the nature, gravity and duration of the non-compliance by the organisation;<\/p>\n<p>(b) the type and nature of the personal data affected by the organisation\u2019s non-compliance;<\/p>\n<p>(c) whether the organisation, as a result of the non-compliance, gained any financial benefit or avoided any financial loss;<\/p>\n<p>(d) whether the organisation took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action;<\/p>\n<p>(e) whether the organisation, despite the non-compliance, implemented adequate and appropriate measures for compliance with the PDPA;<\/p>\n<p>(f) whether the organisation had previously failed to comply with the PDPA;<\/p>\n<p>(g) the compliance of the organisation with any previous direction issued by the PDPC;<\/p>\n<p>(h) whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non-compliance with the PDPA;<\/p>\n<p>(i) the likely impact of the imposition of the financial penalty on the organisation, including the organisation\u2019s ability to continue its usual activities; or<\/p>\n<p>(j) any other matter that may be relevant (e.g., voluntary notification of the data breach).<\/p>\n<p>Recently, the PDPC also clarified the PDPA\u2019s penalty framework in the case of Re Marina Bay Sands Pte. Ltd. [2025] SGPDPC, to promote clarity and consistency in the determination of penalties. 
The framework is guided by the overarching principles of ensuring effective deterrence, maintaining proportionality to the seriousness of the breach, and achieving consistent treatment across organisations, which takes into account differences in annual turnover. Further details are provided in Question 46 below.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, enforcement decisions of the PDPC are open to appeal in Singapore.<\/p>\n<p><u>Reconsideration<\/u><\/p>\n<p>An organisation or an individual aggrieved by a decision or direction may apply to the PDPC for the PDPC to reconsider its decision or direction within 28 days of the issuance of the decision or direction. The PDPC may affirm, revoke or vary the contested decision as it thinks fit, and there shall be no further application for reconsideration.<\/p>\n<p><u>Appeal to Data Protection Appeal Panel<\/u><\/p>\n<p>Any organisation or individual aggrieved by, amongst others, any direction, decision, or any reconsideration may, within 28 days after the issue of the direction concerned, appeal to the Chairman of the Data Protection Appeal Panel. The Chairman of the Data Protection Appeal Panel shall appoint a Data Protection Appeal Committee to hear the appeal.<\/p>\n<p>An Appeal Committee hearing an appeal may confirm, vary or set aside the direction or decision which is the subject of the appeal, and, in particular, may:<\/p>\n<p>a. remit the matter to the PDPC;<\/p>\n<p>b. impose or revoke, or vary the amount of, a financial penalty;<\/p>\n<p>c. 
give such direction, or take such other step, as the PDPC could itself have given or taken; or<\/p>\n<p>d. make any other direction or decision which the PDPC could itself have made.<\/p>\n<p>If the Appeal Committee confirms the direction or decision which is the subject of the appeal, it may nevertheless set aside any finding of fact on which the direction or decision was based.<\/p>\n<p><u>Appeal to High Court and Court of Appeal<\/u><\/p>\n<p>An appeal against, or with respect to, a direction or decision of an Appeal Committee shall lie to the High Court: (a) on a point of law arising from a direction or decision of the Appeal Committee; or (b) from any direction of the Appeal Committee as to the amount of a financial penalty.<\/p>\n<p>The appeal to the High Court may be made only at the instance of:<\/p>\n<p>a. the organisation aggrieved by the direction or decision of the Appeal Committee;<\/p>\n<p>b. if the decision relates to a complaint, the complainant; or<\/p>\n<p>c. the PDPC.<\/p>\n<p>The High Court shall hear and determine the appeal, and may (a) confirm, modify or reverse the direction or decision of the Appeal Committee; and (b) make such further or other order on such appeal, whether as to costs or otherwise, as the Court may think fit.<\/p>\n<p>An appeal to the High Court may be further appealed to the Court of Appeal, as if the appeal heard by the High Court was heard in exercise of its original civil jurisdiction.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability.  
For example, are all organizations subject to the requirement or only to certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)?  Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, Singapore\u2019s cybersecurity framework requires organisations, such as owners of CII, to implement specific cybersecurity risk management measures. Under the Cybersecurity Act, and pursuant to Section 11(6), CII owners must comply with the Cybersecurity Code of Practice for Critical Information Infrastructure (the &#8220;<strong>Cybersecurity Code<\/strong>&#8221;), effective from 4 July 2022.<\/p>\n<p>The Cybersecurity Code sets out minimum protection standards that CII owners must establish to safeguard their infrastructure. These obligations include developing and maintaining a written cybersecurity risk management framework, a cybersecurity incident response plan, and a crisis communication plan. 
In addition, CII owners are required to prepare a Business Continuity Plan (\u201c<strong>BCP<\/strong>\u201d) and a Disaster Recovery Plan (\u201c<strong>DRP<\/strong>\u201d) to ensure the continued delivery of essential services in the event of disruptions caused by cybersecurity incidents.<\/p>\n<p>Similarly, the designated provider responsible for a third-party-owned CII must obtain a legally binding commitment from the owner of the third-party-owned CII that the owner will ensure that any applicable prescribed technical or other standards relating to cybersecurity are maintained in respect of that third-party-owned CII.<\/p>\n<p>The Commissioner is also empowered to issue written directions to ensure the cybersecurity of CIIs (Section 12), and the Cybersecurity Amendment Act will allow such directions to mandate compliance with prescribed technical and cybersecurity standards.<\/p>\n<p>Apart from the above, there are also sector-specific requirements that apply to industries such as finance and healthcare.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? 
If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, under Section 15 of the Cybersecurity Act, an owner of a CII must (a) at least once every 2 years (or at such higher frequency as may be directed by the Commissioner in any particular case), starting from the date of the notice designating the owner of a computer or computer system as a CII (issued under Section 7), cause an audit of the compliance of the CII with the Cybersecurity Act and the applicable codes of practice and standards of performance, to be carried out by an auditor approved or appointed by the Commissioner; and (b) at least once a year, starting from the date of the notice designating the owner of a computer or computer system as a CII (issued under Section 7), conduct a cybersecurity risk assessment of the CII in the prescribed form and manner.<\/p>\n<p>The audit itself must follow two main principles: (a) to verify the compliance of the CII against the requirements provided for in Part 3 of the Cybersecurity Act, including the subsidiary legislation, applicable written directions, Codes of Practice (\u201c<strong>CoPs<\/strong>\u201d) and Standards of Performance (\u201c<strong>SoPs<\/strong>\u201d); and (b) to assess the adequacy and effectiveness of controls or measures put in place to meet the requirements provided for in Part 3 of the Cybersecurity Act, including any subsidiary legislation, applicable written directions, CoPs and SoPs.<\/p>\n<p>Under the 2024 amendments, providers responsible for third-party-owned CIIs are now expected to ensure that the owners conduct regular audits and cybersecurity risk assessments (Section 16J of the Cybersecurity Act). 
The designated provider of a third-party-owned CII must obtain a legally binding commitment from the third-party CII owner to cause a Commissioner-approved audit at least once every two years and a cybersecurity risk assessment of the third-party-owned CII at least once a year. Audit and risk assessment reports must be furnished to the designated provider within 30 days of completion, and the provider must, in turn, submit them to the Commissioner within 14 days of receipt. The Commissioner retains powers to direct repeat or additional audits where prior audits are found unsatisfactory, where the CII appears non-compliant with prescribed standards, or following a material change made to the design, configuration, security or operation of the third-party-owned CII.<\/p>\n<p>A designated provider that fails to obtain the requisite audit and risk assessment reports, fails to comply with a Commissioner&#8217;s direction to conduct a repeat or additional audit, or obstructs or impedes an audit or risk assessment, commits an offence punishable by a fine of up to S$100,000, imprisonment of up to two years, or both, with a continuing fine of up to S$5,000 per day. Where the designated provider fails to obtain the requisite legally binding commitment from the third-party owner altogether, the Commissioner may also order it to cease using that CII entirely; non-compliance with such an order would carry the same maximum penalties as the above. Failure to furnish reports to the Commissioner within the prescribed 14-day period carries a fine of up to S$25,000, imprisonment of up to 12 months, or both, with a continuing daily fine of up to S$2,500.<\/p>\n<p>A significant development was announced in March 2026, which made the previously voluntary Cyber Trust Mark (\u201c<strong>CTM<\/strong>\u201d) mandatory for certain entities. 
CSA will require CII owners, CII auditors, and licensed cybersecurity service providers offering penetration testing and managed SOC monitoring services to attain the CTM, with the aim of raising baseline national cybersecurity standards and addressing supply chain risks. The CTM operates across five preparedness levels covering up to 22 domains. CII owners must attain Level 5 by end-2027; CII auditors must attain Level 5 by end-2026; and licensed cybersecurity service providers must attain Level 3 by end-2026. The CTM is valid for three years with an annual audit conducted by CSA-appointed certification bodies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The CSA has recognised the increasing complexity and risks in digital supply chains. Therefore, in 2022, the CSA launched the CII Supply Chain Management Programme.<\/p>\n<p>This national strategy aims to enhance the cybersecurity resilience of Singapore\u2019s CIIs against growing cyber supply chain threats. The programme proposes a multi-pronged approach with five foundational initiatives: (a) a Cyber Supply Chain Assessment Toolkit to inventory and assess vendor risks; (b) a Cyber Contractual Handbook to standardise cybersecurity terms in vendor contracts; (c) a Vendor Certification Programme to incentivise better cybersecurity practices; (d) a Learning Hub to raise awareness and share best practices; and (e) an International Cooperation platform to collaborate globally on cyber supply chain security. 
The strategy emphasises transparency, standardisation, continuous risk management, and cross-sector collaboration to protect essential services against sophisticated cyber threats.<\/p>\n<p>This programme serves as a policy guide and a set of recommended measures rather than a binding requirement regarding supply chain management.<\/p>\n<p>Further, the Cybersecurity Amendment Act introduces regulatory oversight of CIIs that are outsourced to third parties (&#8220;<strong>third-party-owned CIIs<\/strong>&#8221;). Under the new Part 3A, owners of these systems must meet obligations such as furnishing information on the third-party-owned CII (new Section 16E), adhering to codes of practice, standards of performance, and written directions (new Sections 16G and 35A), conducting regular audits and risk assessments (new Section 16J), and participating in cybersecurity exercises (new Section 16L). They must also secure legally binding commitments from third-party service providers to ensure compliance with the Act (new Sections 16E, 16F, 16G, 16H, 16I, and 16J). Reporting obligations under Part 3A are further detailed in our response to Question 42 below.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? 
If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybersecurity Act does not expressly require the appointment of chief information security officers, regulatory points of contact, or other persons responsible for cybersecurity within organisations. However, the Commissioner may require the owner of provider-owned CIIs to provide the name and contact of every individual having overall responsibility for the cybersecurity of the particular CII.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents?  
If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the Cybersecurity Act, a CII owner must, within 2 hours of becoming aware of the occurrence, notify the Commissioner of the following occurrences: (a) a prescribed cybersecurity incident in respect of the CII; (b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner\u2019s control that is interconnected with or that communicates with the CII; and (c) any other type of cybersecurity incident in respect of the CII that the Commissioner has specified by written direction to the owner (Section 14 of the Cybersecurity Act; Regulation 5(1) of the CII Regulations).<\/p>\n<p>A \u201cprescribed cybersecurity incident\u201d refers to any of the following: (a) any unauthorised hacking of the CII or the interconnected computer or computer system to gain unauthorised access to or control of the CII or interconnected computer or computer system; (b) any installation or execution of unauthorised software, or computer code, of a malicious nature on the CII or the interconnected computer or computer system; (c) any man-in-the-middle attack, session hijack or other unauthorised interception by means of a computer or computer system of communication between the CII or the interconnected computer or computer system, and an authorised user of the CII or the interconnected computer or computer system; (d) any denial of service attack or other unauthorised act or acts carried out through a computer or computer system that adversely affects the availability or operability of the CII or the 
interconnected computer or computer system (Regulation 5(3) of the CII Regulations).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances a private right of action and\/or a class action may be brought.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Where a cybersecurity incident gives rise to a private right of action, the affected individual may seek recourse against the organisation responsible for that incident.<\/p>\n<p>The Cybersecurity Act defines a &#8220;cybersecurity incident&#8221; as &#8220;an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system.&#8221;<\/p>\n<p>The Cybersecurity Act does not, in and of itself, confer on individuals a private right of action in respect of cybersecurity incidents or contraventions of its provisions. That said, a cybersecurity incident may well result in a data breach or involve unauthorised hacking and other offences under Part 2 of the Computer Misuse Act 1993 (\u201c<strong>CMA<\/strong>\u201d), either of which may engage the private rights of action available under the PDPA and the CMA respectively.<\/p>\n<p>Section 48O of the PDPA expressly provides for a right of private action. 
Where any person suffers &#8220;loss or damage&#8221; as a direct result of an organisation&#8217;s contravention of the Data Protection Provisions, that person shall have a right of action for relief in civil proceedings in a court. This includes any breach of Section 24 of the PDPA, which imposes on organisations an obligation to make &#8220;reasonable security arrangements to protect personal data&#8221; in their possession or under their control (see Question 33 above).<\/p>\n<p>Under the CMA, the court may order the offender to pay compensation to any person for damage caused to that person&#8217;s computer, program or data. Any such compensation order does not affect the victim&#8217;s right to pursue a separate civil remedy for damages beyond the amount already compensated.<\/p>\n<p>Depending on the circumstances of an incident, one or more tortious causes of action may also be available. Notably, where an organisation has failed to put in place adequate measures to prevent an incident and that failure constitutes a breach of a duty of care owed to the affected individual, liability in the tort of negligence may arise.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Commissioner of Cybersecurity, in collaboration with the team at the CSA, oversees the enforcement of the provisions set out in the Cybersecurity Act. 
At the time of writing, there are no published enforcement actions that have been taken against owners of CII under the Cybersecurity Act.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the Cybersecurity Act, the Commissioner of Cybersecurity is granted authority under Sections 19 and 20 to investigate and respond to cybersecurity incidents. These powers include the ability to issue a written notice requiring any individual to produce physical or electronic records or documents to an incident response officer appointed by the Commissioner.<\/p>\n<p>Additionally, the new Section 29A of the Cybersecurity Amendment Act provides licensing officers, who oversee licensable cybersecurity service providers, with monitoring powers. These powers encompass the authority to enter premises, conduct inspections, and require the production of records, accounts, and documents from licensed providers. 
Non-compliance with such requirements constitutes a criminal offence.<\/p>\n<p>Under the Cybersecurity Amendment Act, the CSA will also be authorised to inspect the facilities of CII owners if the Commissioner of Cybersecurity has reason to believe that a CII owner has failed to meet its statutory obligations, or has provided false, misleading, inaccurate, or incomplete information, as stipulated under the new Section 15(4) of the Cybersecurity Act.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the Cybersecurity Act, a CII owner who, without reasonable excuse, fails to report a cybersecurity incident involving a CII commits an offence. Upon conviction, the owner may be subject to a fine of up to S$100,000, imprisonment for up to two years, or both.<\/p>\n<p>Following the Cybersecurity Amendment Act, stricter penalties will apply to offences involving ECSI and FDI service providers. These offences will carry a fine of up to the greater of S$200,000 or 10% of the organisation\u2019s annual turnover in Singapore. In cases of continuing offences, an additional fine of up to S$5,000 may be imposed for each day the offence persists after conviction.<\/p>\n<p>The amendments also introduce a new civil penalty framework. 
Under the new Section 37A of the Cybersecurity Act, the CSA is empowered to impose civil penalties instead of pursuing prosecution for breaches of any provision under Parts 3, 3A, 3B, 3C, or 3D. The civil penalty may be as high as 10% of the business\u2019s annual turnover in Singapore or S$500,000, whichever amount is greater.<\/p>\n<p>As of the date of this publication, there are no published enforcement actions that have been taken against owners of CIIs under the Cybersecurity Act.<\/p>\n<p>In relation to a breach of the Data Protection Provisions, the organisation may find itself liable to pay a financial penalty of up to S$1 million or 10% of the organisation\u2019s annual turnover in Singapore, whichever amount is greater.<\/p>\n<p>In Re Marina Bay Sands Pte. Ltd. [2025] SGPDPC 6, the PDPC fined Marina Bay Sands Pte. Ltd. (&#8220;MBS&#8221;) S$315,000 for violating the Protection Obligation (Section 24 of the PDPA). This penalty is the second largest individual fine issued under the PDPA to date, and the largest since the 2021 PDPA amendments raised the penalty cap from S$1 million to up to 10% of an organisation&#8217;s annual Singapore turnover (with a minimum cap of S$1 million).<\/p>\n<p>The decision also provided the PDPC an opportunity to set out its framework for calculating financial penalties for breaches under the PDPA following the 2021 amendments (the &#8220;Penalty Framework&#8221;).<\/p>\n<p>The PDPC highlighted that the framework is only a guide and does not constrain its statutory powers. 
The Penalty Framework rests on four guiding principles: (a) penalties must deter non-compliance effectively while remaining proportionate to its seriousness; (b) when balancing deterrence against proportionality, regard must be had to the PDPA&#8217;s overarching aim of reconciling individuals&#8217; right to protect their personal data with organisations&#8217; legitimate need to process it; (c) the two-tier penalty regime, covering organisations with annual turnover of S$10 million or below, and those above that threshold, must be applied consistently and equitably, with annual turnover carrying greater weight for larger organisations and other relevant factors being weighted similarly across comparable cases; and (d) the framework must be applied in a fact-sensitive manner.<\/p>\n<p>The Penalty Framework comprises the following steps:<\/p>\n<p>(a) Preliminary Step: The PDPC first identifies the statutory maximum penalty under section 48J(3) of the PDPA, then applies a percentage rate or quantum cap \u2014 not exceeding that maximum \u2014 based on the nature of the breach. Intentional breaches attract higher rates than negligent ones. The result is the ceiling or maximum penalty applicable in the specific case.<\/p>\n<p>(b) A five-step methodology then follows:<\/p>\n<p>Step 1 &#8211; Culpability and Harm: The PDPC assesses all relevant factors to classify the organisation&#8217;s culpability as &#8220;low&#8221;, &#8220;medium&#8221; or &#8220;high&#8221;. Relevant considerations include the nature, gravity and duration of the non-compliance. 
Harm is then classified as &#8220;slight&#8221;, &#8220;moderate&#8221; or &#8220;severe&#8221;, having regard to factors such as the type, nature and sensitivity of the affected data, the number of individuals affected, and the extent of harm or prejudice suffered.<\/p>\n<p>Step 2 &#8211; Starting Penalty: Drawing on the culpability and harm levels identified in Step 1, the PDPC determines an indicative range and derives an approximate starting penalty figure within that range.<\/p>\n<p>Step 3 &#8211; Aggravating and Mitigating Factors: The starting figure from Step 2 is then adjusted upward or downward to account for any relevant aggravating or mitigating factors. Mitigating factors include, but are not limited to: (a) voluntarily taking timely and effective action to mitigate the effects and consequences of non-compliance; (b) cooperation with the PDPC\u2019s investigations; (c) voluntarily admitting to non-compliance; (d) implementation of otherwise adequate and appropriate measures for compliance with the PDPA; and (e) compliance with any direction given by the PDPC under Section 48I or 48L(4) of the PDPA in relation to remedying or mitigating the effect of the non\u2011compliance. Aggravating factors include, but are not limited to: (a) previous failures to comply with the PDPA; (b) any financial benefit gained or financial loss avoided as a result of the non-compliance; (c) acting in a dilatory or uncooperative manner during the PDPC\u2019s investigations; and (d) failing to comply with any direction issued by the PDPC under section 48I or 48L(4) in relation to remedying or mitigating the effect of the non-compliance.<\/p>\n<p>Step 4 &#8211; Financial Impact on the Organisation: The PDPC considers whether the penalty would affect the organisation&#8217;s ability to continue its normal operations. 
The organisation bears the responsibility of making representations to the PDPC regarding the likely effect of the financial penalty on its financial health, supported by evidence. Where it is found that the organisation\u2019s ability to carry on its usual activities would be adversely affected, the PDPC may grant additional time to pay, permit instalment payments, or reduce the penalty amount.<\/p>\n<p>Step 5 &#8211; Final Adjustments: The PDPC makes any final calibrations to ensure the outcome is both effective and proportionate, striking an appropriate balance between deterrence and proportionality.<\/p>\n<p>Applying this framework to MBS, the PDPC determined that the applicable maximum penalty was 10% of MBS&#8217;s annual turnover, and that the breach was negligent rather than intentional. MBS&#8217;s culpability was assessed as low, though the harm was rated moderate given the large number of individuals affected. The starting penalty was accordingly placed in the low-moderate band. On mitigating factors, the PDPC treated MBS&#8217;s clean prior PDPA record as a neutral factor, but gave mitigatory weight to its voluntary notification of affected individuals. Greater mitigatory weight was also accorded to the prompt, voluntary remedial steps it had taken. These factors collectively brought the final penalty down to S$315,000.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>For CII owners, the Cybersecurity Act provides mechanisms to appeal to the Minister under Section 17. 
A CII owner who is aggrieved by:<\/p>\n<p>(a) the decision of the Commissioner to issue the notice under Section 7(1) designating the CII as such;<\/p>\n<p>(b) a written direction of the Commissioner under Sections 12 or 16(2); or<\/p>\n<p>(c) any provision in any code of practice or standard of performance issued or approved by the Commissioner that applies to the owner, or any amendment made to it,<br \/>\nmay file an appeal to the Minister against the decision, direction, provision or amendment.<\/p>\n<p>Appeals must be filed within 30 days after the date of the notice or direction, or the issue, approval or amendment (as the case may be) of the code of practice or standard of performance, unless the Minister extends the period. The appeal must clearly state the circumstances under which the appeal arises and the issues and grounds for the appeal, and must submit to the Minister all relevant facts, evidence and arguments for the appeal.<\/p>\n<p>The Minister may confirm, vary, or reverse decisions, or order reconsideration by the Commissioner of any decision, notice, direction, provision of a code of practice or standard of performance, or an amendment to such code or standard.<\/p>\n<p>Before determining an appeal, the Minister may consult any Appeals Advisory Panel established for the purpose of advising the Minister in respect of the appeal. For technically complex cases, the Minister may also establish an Appeals Advisory Panel under Section 18 of the Cybersecurity Act comprising experts to provide advice to the Minister in respect of the appeal. 
The Minister is not bound by the advice of the Panel.<\/p>\n<p>Crucially, unless otherwise directed, the original decision remains enforceable during the appeal process, and the Minister\u2019s final determination cannot be further appealed.<\/p>\n<p>For Cybersecurity Service Providers, under Section 35 of the Cybersecurity Act, any person whose application for a licence or for the renewal of a licence has been refused by the licensing officer may, within the relevant period after being notified of such refusal, appeal against the refusal in the prescribed manner to the Minister. The \u201crelevant period\u201d is 14 days or such longer period as the Minister allows. The Minister\u2019s determination under this section is final.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">18999<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/142166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=142166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}