No time to read? Scroll all the way down to the conclusion.
Additional wording and clauses have been added and provided for international use cases, like compliance for the United States (mainly being compliance with California law and the national children’s privacy regulation, COPPA).
That being said, does iubenda fit the Singapore Personal Data Protection Act 2012?
It’s important to understand that you will have to answer this question for yourself since I’m only going to outline the rules found in the regulation about the notice requirement, which iubenda helps create.
There are other considerations you’ll have to make, such as consent, language, whether you actually fall under the act, and the validity of any transfer of personal data.
An individual cannot give consent for something he hasn’t been properly informed about. An organisation may collect, use or disclose personal data about an individual only for purposes that are reasonable under the circumstances and only if that individual has been properly informed about these practices (which you will find codified in sections 14(1)(a) and 18(b) of the act).
The notification requirements are to be found in section 20(1)(a), and they remain slightly vague, circling around the fact that the individual shall be informed about “the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before collecting the personal data”.
More detailed information can be found in the advisory guideline about The Notification Obligation. The guide says the following about information to be included when stating purposes:
An organisation should state its purposes at an appropriate level of detail for the individual to determine the reasons for which the organisation will be collecting, using or disclosing his personal data. As explained earlier in the section on “Purposes”, an organisation need not specify every activity it will undertake in relation to collecting, using or disclosing personal data when notifying individuals of its purposes. This includes activities that are directly related to the collection, use or disclosure of personal data or activities that are integral to the proper functioning of the overall business operations related to the purpose. For example, if an organisation wishes to obtain consent to collect or use personal data for the purpose of providing a service to an individual, the organisation does not need to seek consent for: (a) every activity it will undertake to provide that service; and (b) internal corporate governance processes such as allowing auditors to access personal data as part of an audit.
The following considerations are copied verbatim from the guide.
In considering how specific to be when stating its purposes, organisations may have regard to the following:
whether the purpose is stated clearly and concisely;
whether the purpose is required for the provision of products or services (as distinct from optional purposes);
if the personal data will be disclosed to other organisations, how the organisations should be made known to the individuals;
whether stating the purpose to a greater degree of specificity would be a help or hindrance to the individual understanding the purpose(s) for which his personal data would be collected, used, or disclosed; and
what degree of specificity would be appropriate in light of the organisation’s business processes.
The following considerations are – again – taken verbatim from the guide provided by the data protection agency.
In considering how to notify individuals of their purposes, organisations should consider:
Drafting notices that are easy to understand and appropriate to the intended audience, providing headings or clear indication of where the individuals should look to determine the purposes for which their personal data would be collected, used or disclosed and avoiding legalistic language or terminology that would confuse or mislead individuals reading it;
Using a ‘layered notice’ where appropriate, by providing the most important (e.g. summary of purposes) or basic information (e.g. contact details of the organisation’s Data Protection Officer) more prominently (e.g. on the first page of an agreement) and more detailed information elsewhere (e.g. on the organisation’s website). A layered approach is useful when individuals do not want to read all the information at the point of transaction, or when the medium of transaction is not suitable for conveying detailed information (e.g. telephone conversation);
Considering if some purposes may be of special concern or be unexpected to the individual given the context of the transaction, and whether those purposes should be highlighted in an appropriate manner;
Selecting the most appropriate medium(s) to provide the notification (e.g. in writing through a form, on a website, or orally in person); and
Developing processes to regularly review the effectiveness of and relevance of the notification policies and practices.
As a best practice, the business contact information of the relevant person should be readily accessible from Singapore, operational during Singapore business hours and in the case of telephone numbers, be Singapore telephone numbers. This is especially important if the relevant person is not physically based in Singapore. This would facilitate the organisation’s ability to respond promptly to any complaint or query on its data protection policies and practices.
Also these guides may be interesting for you: