Singapore’s Personal Data Protection Act 2012 & iubenda

No time to read? Scroll all the way down to the conclusion.


Based on European data protection rules, which are considered to be the strictest, Iubenda’s privacy policies are designed to be compliant with international laws and regulations so as to be a framework that can be useful to a great number of people who require a compliant privacy notice for their website or app.

Additional wording and clauses have been added for international use cases, such as compliance with United States laws, (mainly Californian law as well as the national children’s privacy regulation, COPPA). 

Does iubenda comply with the Singapore Personal Data Protection Act 2012?

You will have to make this determination yourself based on regulations concerning notice requirements, which we will ouline below.

There are other considerations such as consent, language, whether you are subject to the act and the validity of potential transfers of personal data.

Singapore Personal Data Protection Act 2012 & iubenda

You can find the Data Protection Commission here for more information and contacts. The legislation itself can be read here. These helpful advisory guidelines are also available.

The notification obligation

It is not possible for one to give consent to something they have not been properly informed of. An organisation may collect, use or disclose personal data about an individual only for purposes that are reasonable under the circumstances and only if that individual has been properly informed about these practices (which you will find codified in 14(1)(a) and 18(b) of the act).

The notification requirements are to be found in section 20(1)(a).  They remain somewhat vague, stating that the individual shall be informed about “the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before collecting the personal data;“.

More detailed information can be found in the advisory guideline concerning The Notification Obligation. The guide states the following regarding information to be included when stating the purposes of the data processing:

An organisation should state its purposes at an appropriate level of detail for the individual to determine the reasons for which the organisation will be collecting, using or disclosing his personal data. As explained earlier in the section on “Purposes”, an organisation need not specify every activity it will undertake in relation to collecting, using or disclosing personal data when notifying individuals of its purposes. This includes activities that are directly related to the collection, use or disclosure of personal data or activities that are integral to the proper functioning of the overall business operations related to the purpose. For example, if an organisation wishes to obtain consent to collect or use personal data for the purpose of providing a service to an individual, the organisation does not need to seek consent for: (a) every activity it will undertake to provide that service; and (b) internal corporate governance processes such as allowing auditors to access personal data as part of an audit.

How specific do the purposes have to be when stating them in a notice?

The following considerations are copied verbatim from the guide.

In considering how specific to be when stating its purposes, organisations may have regard to the following:

  1. whether the purpose is stated clearly and concisely;
  2. whether the purpose is required for the provision of products or services (as distinct from optional purposes);
  3. if the personal data will be disclosed to other organisations, how the organisations should be made known to the individuals;
  4. whether stating the purpose to a greater degree of specificity would be a help or hindrance to the individual understanding the purpose(s) for which his personal data would be collected, used, or disclosed; and
  5. what degree of specificity would be appropriate in light of the organisation’s business processes.

How to notify individuals of the purposes?

The following considerations are – again – taken verbatim from the guide provided by the data protection agency.

In considering how to notify individuals of their purposes, organisations should consider:

  1. Drafting notices that are easy to understand and appropriate to the intended audience, providing headings or clear indication of where the individuals should look to determine the purposes for which their personal data would be collected, used or disclosed and avoiding legalistic language or terminology that would confuse or mislead individuals reading it;
  2. Using a ‘layered notice’ where appropriate, by providing the most important (e.g. summary of purposes) or basic information (e.g. contact details of the organisation’s Data Protection Officer) more prominently (e.g. on the first page of an agreement) and more detailed information elsewhere (e.g. on the organisation’s website). A layered approach is useful when individuals do not want to read all the information at the point of transaction, or when the medium of transaction is not suitable for conveying detailed information (e.g. telephone conversation);
  3. Considering if some purposes may be of special concern or be unexpected to the individual given the context of the transaction, and whether those purposes should be highlighted in an appropriate manner;
  4. Selecting the most appropriate medium(s) to provide the notification (e.g. in writing through a form, on a website, or orally in person); and
  5. Developing processes to regularly review the effectiveness of and relevance of the notification policies and practices.

Conclusion for iubenda as a privacy notice framework for Singapore based websites and apps

Given the above, there are limited rules for the content and form of your Singapore privacy notice. We believe iubenda’s privacy policy generator is adequate for the following reasons:

  • iubenda’s privacy policy is written to be easily understandable;
  • iubenda’s layered approach (summary and full view) works well with the recommendations laid out in the above-quoted guide;
  • all of the information is bundled in purposes like “email newsletter” or “analytics” from an information architecture standpoint;

When you generate your privacy policy don’t forget that there are other regulations that you may have to comply with. Here is one example regarding business contact information:

As a best practice, the business contact information of the relevant person should be readily accessible from Singapore, operational during Singapore business hours and in the case of telephone numbers, be Singapore telephone numbers. This is especially important if the relevant person is not physically based in Singapore. This would facilitate the organisation’s ability to respond promptly to any complaint or query on its data protection policies and practices.

These guides may also be interesting to you:

Generate your privacy policy here

Still have questions?

Visit our support forum Email us