No time to read? Scroll all the way down to the conclusion.
Based on European data protection rules, which are considered to be the strictest, iubenda’s privacy policies are designed to be compliant with international laws and regulations, so that they can serve as a useful framework for the many people who require a compliant privacy notice for their website or app.
Additional wording and clauses have been added for international use cases, such as compliance with United States laws (mainly Californian law as well as the national children’s privacy regulation, COPPA).
Does iubenda comply with the Singapore Personal Data Protection Act 2012?
You will have to make this determination yourself based on regulations concerning notice requirements, which we will outline below.
There are other considerations such as consent, language, whether you are subject to the act and the validity of potential transfers of personal data.
It is not possible for one to give consent to something they have not been properly informed of. An organisation may collect, use or disclose personal data about an individual only for purposes that are reasonable under the circumstances and only if that individual has been properly informed about these practices (which you will find codified in 14(1)(a) and 18(b) of the act).
The notification requirements are to be found in section 20(1)(a). They remain somewhat vague, stating that the individual shall be informed about “the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before collecting the personal data;”.
More detailed information can be found in the advisory guideline concerning The Notification Obligation. The guide states the following regarding information to be included when stating the purposes of the data processing:
An organisation should state its purposes at an appropriate level of detail for the individual to determine the reasons for which the organisation will be collecting, using or disclosing his personal data. As explained earlier in the section on “Purposes”, an organisation need not specify every activity it will undertake in relation to collecting, using or disclosing personal data when notifying individuals of its purposes. This includes activities that are directly related to the collection, use or disclosure of personal data or activities that are integral to the proper functioning of the overall business operations related to the purpose. For example, if an organisation wishes to obtain consent to collect or use personal data for the purpose of providing a service to an individual, the organisation does not need to seek consent for: (a) every activity it will undertake to provide that service; and (b) internal corporate governance processes such as allowing auditors to access personal data as part of an audit.
The following considerations are copied verbatim from the guide.
In considering how specific to be when stating its purposes, organisations may have regard to the following:
The following considerations are – again – taken verbatim from the guide provided by the data protection agency.
In considering how to notify individuals of their purposes, organisations should consider:
As a best practice, the business contact information of the relevant person should be readily accessible from Singapore, operational during Singapore business hours and in the case of telephone numbers, be Singapore telephone numbers. This is especially important if the relevant person is not physically based in Singapore. This would facilitate the organisation’s ability to respond promptly to any complaint or query on its data protection policies and practices.