
Singapore’s Personal Data Protection Act 2012 & iubenda


No time to read? Scroll all the way down to the conclusion.


iubenda’s privacy policy has been created with the international situation in mind. We always intended it to be a framework that could help as many people as possible create a compliant privacy notice for their websites or apps. It’s built on European data protection rules, which are largely considered to be the strictest around.

Additional wording and clauses have been added for international use cases, such as compliance for the United States (mainly California law and the national children’s privacy regulation, COPPA).

That being said, does iubenda fit the Singapore Personal Data Protection Act 2012?

It’s important to understand that you will have to answer this question for yourself since I’m only going to outline the rules found in the regulation about the notice requirement, which iubenda helps create. 

There are other considerations you’ll have to make, such as consent, language, whether you actually fall under the act, and the validity of any potential transfer of personal data.

Singapore Personal Data Protection Act 2012 & iubenda

You can find the Data Protection Commission here for more information and contacts. The legislation itself can be read here. Make sure not to miss out on the helpful advisory guidelines.

The notification obligation 

An individual cannot give consent for something he hasn’t been properly informed about. An organisation may collect, use or disclose personal data about an individual only for purposes that are reasonable under the circumstances and only if that individual has been properly informed about these practices (which you will find codified in 14(1)(a) and 18(b) of the act). 

The notification requirements are found in section 20(1)(a), and they remain slightly vague, circling around the fact that the individual shall be informed about “the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before collecting the personal data;”.

More detailed information can be found in the advisory guideline about The Notification Obligation. The guide says the following about information to be included when stating purposes:

An organisation should state its purposes at an appropriate level of detail for the individual to determine the reasons for which the organisation will be collecting, using or disclosing his personal data. As explained earlier in the section on “Purposes”, an organisation need not specify every activity it will undertake in relation to collecting, using or disclosing personal data when notifying individuals of its purposes. This includes activities that are directly related to the collection, use or disclosure of personal data or activities that are integral to the proper functioning of the overall business operations related to the purpose. For example, if an organisation wishes to obtain consent to collect or use personal data for the purpose of providing a service to an individual, the organisation does not need to seek consent for: (a) every activity it will undertake to provide that service; and (b) internal corporate governance processes such as allowing auditors to access personal data as part of an audit.

How specific do the purposes have to be when stating them in a notice?

The following considerations are copied verbatim from the guide. 

In considering how specific to be when stating its purposes, organisations may have regard to the following:

  1. whether the purpose is stated clearly and concisely;

  2. whether the purpose is required for the provision of products or services (as distinct from optional purposes);

  3. if the personal data will be disclosed to other organisations, how the organisations should be made known to the individuals;

  4. whether stating the purpose to a greater degree of specificity would be a help or hindrance to the individual understanding the purpose(s) for which his personal data would be collected, used, or disclosed; and

  5. what degree of specificity would be appropriate in light of the organisation’s business processes.

How to notify individuals of the purposes?

The following considerations are – again – taken verbatim from the guide provided by the data protection agency.

In considering how to notify individuals of their purposes, organisations should consider:

  1. Drafting notices that are easy to understand and appropriate to the intended audience, providing headings or clear indication of where the individuals should look to determine the purposes for which their personal data would be collected, used or disclosed and avoiding legalistic language or terminology that would confuse or mislead individuals reading it;

  2. Using a ‘layered notice’ where appropriate, by providing the most important (e.g. summary of purposes) or basic information (e.g. contact details of the organisation’s Data Protection Officer) more prominently (e.g. on the first page of an agreement) and more detailed information elsewhere (e.g. on the organisation’s website). A layered approach is useful when individuals do not want to read all the information at the point of transaction, or when the medium of transaction is not suitable for conveying detailed information (e.g. telephone conversation);

  3. Considering if some purposes may be of special concern or be unexpected to the individual given the context of the transaction, and whether those purposes should be highlighted in an appropriate manner;

  4. Selecting the most appropriate medium(s) to provide the notification (e.g. in writing through a form, on a website, or orally in person); and

  5. Developing processes to regularly review the effectiveness of and relevance of the notification policies and practices.

Conclusion for iubenda as a privacy notice framework for Singapore based websites and apps

There aren’t too many rules to be found on the information and form of your Singapore privacy notice, and we think iubenda’s privacy policy generator fits the ones that exist very well:

  • iubenda’s privacy policy is written to be easily understandable;
  • iubenda’s layered approach (summary and full view) works well with the recommendations laid out in the above-quoted guide;
  • from an information architecture standpoint, all of the information is bundled into purposes like “email newsletter” or “analytics”.

Now, when you are generating your privacy policy, don’t forget to accompany it with some of the other rules you may have to follow. Here is one interesting example regarding business contact information:

As a best practice, the business contact information of the relevant person should be readily accessible from Singapore, operational during Singapore business hours and in the case of telephone numbers, be Singapore telephone numbers. This is especially important if the relevant person is not physically based in Singapore. This would facilitate the organisation’s ability to respond promptly to any complaint or query on its data protection policies and practices.
