Jurisdiction - Singapore
Reports and Analysis
Singapore – Personal Data Protection (Enforcement) Regulations 2014 Issued.

18 July, 2014

 

 

With the Personal Data Protection Act 2012 (“PDPA”) fully in force, organisations will need to start dealing with access or correction requests, or complaints about the same. Accordingly, it is timely to look at its procedures for enforcement. These are dealt with in the Personal Data Protection (Enforcement) Regulations 2014 which came into operation on 2 July 2014, as well as the PDPA and the Rules of Court.

 

What May Be Complained About?

 

An individual (the “Individual”) may bring a complaint to the Personal Data Protection Commission (“PDPC”) about an organisation (the “Organisation”) in respect of any of the following:
 
  • A refusal to provide access to personal data requested by the Individual;
  • A failure to provide access to personal data requested by the Individual within a reasonable time;
  • A refusal to correct personal data in accordance with a request by the Individual;
  • A failure to correct personal data in accordance with a request by the Individual within a reasonable time; and
  • A fee required from the Individual by the Organisation in relation to a request to provide access or correct personal data by the Individual.
 

How May A Complaint Be Brought?

 

The Individual must first submit a review application to the PDPC. The application must set out the basic particulars of the complaint and may be made using the prescribed form.

 

The PDPC will first consider whether the application, on its face, discloses a case against the Organisation. If it does not, the review process will end there. The Individual may, however, apply to ask the PDPC to reconsider its decision (for more on this, please see below).

 

If the PDPC is of the view that the application discloses, on its face, a case against the Organisation, it will notify the Organisation of the application and provide it with a copy of the same (in addition to other specified documents). It will also give the Organisation a specified time period to submit a written response to the application. After receiving the respondent’s response, the PDPC may require the Individual to submit a reply.

 

Alternatively, instead of deciding on the matter itself, the PDPC may also require the Individual and the Organisation to refer the matter to mediation to resolve the complaint and to try to reach a settlement.

 

What Decisions May The PDPC Make?

 

After reviewing the review application, the response, and (if relevant) the reply, the PDPC may do any of the following:

 

  • Confirm the refusal to provide access to the personal data, or direct the Organisation to provide access to the personal data, within such time as the PDPC may specify;
  • Confirm, reduce, or disallow a fee, or direct the Organisation to make a refund to the Individual;
  • Confirm the refusal to correct the personal data, or direct the Organisation to correct the personal data, in such manner and within such time as the PDPC may specify; or
  • Require the Organisation to pay a financial penalty of such amount not exceeding SGD 1m as the PDPC thinks fit.
 

What May Be Done If The Individual Or Organisation Is Dissatisfied With The PDPC’s Decision?

 

If the Individual or Organisation is dissatisfied with the PDPC’s decision, he or it has 28 days after the issue of the decision to make a written application to the PDPC to reconsider the decision. As with the review application process, the application to reconsider must set out the particulars of the application. The PDPC will send a copy of the application to the counterparty who may file a response to the same. The applicant may be asked to file a reply to the response. The PDPC will then reconsider the decision, and affirm, revoke, or vary the decision as it thinks fit.

 

What Avenues Of Appeal Are There From The PDPC’s Decision?

 

Appeal process Any Organisation or Individual aggrieved by the PDPC’s decision may within 28 days after the issue of the decision concerned, appeal to the Chairman of the Data Protection Appeal Panel against that direction or decision. The matter will be heard by an Appeal Committee, which may confirm, vary, or set aside the decision.

 

The decision of the Appeal Committee may be appealed to the High Court but only on the following limited grounds:

  • On a point of law arising from a direction or decision of the Appeal Committee; or
  • From any direction of the Appeal Committee as to the amount of a financial penalty.
 

How May The PDPC Enforce Its Decision?

 

 If an Organisation does not comply with the PDPC’s decision, the PDPC may apply for the direction to be registered in the District Court. Once registered, the Organisation may seek to challenge the registration of the PDPC’s decision by applying to have the registration set aside. The Rules of Court do not state on what grounds a registration may be set aside, however, given the ability to appeal the decision to the High Court, it is unlikely that the court will allow a reconsideration of the merits of the PDPC’s decision at this stage.

 

What Is The Effect of Registration Of The PDPC’s Decision?

 

Upon registration, the PDPC’s decision will have the same force as an order of court. This may be enforced via any of the usual court orders for enforcement as may be relevant (for example, an order to pay a financial penalty could be enforced by garnishing the Organisation’s bank account or by writ of seizure and sale). In addition, any further refusal to comply with the decision may result in the Organisation or its officers facing contempt of court proceedings.

 

Can The PDPC Only Act If There Is a Complaint?

 

No, the PDPC may act on its own cognizance. It is empowered to conduct an investigation on its own motion if it believes that an Organisation is not complying with the requirements of the PDPA. It may, if it thinks fit in the circumstances to ensure compliance with the PDPA, give the Organisation all or any of the following directions:

 

  • To stop collecting, using, or disclosing personal data in contravention of the PDPA;
  • To destroy personal data collected in contravention of the PDPA;
  • To comply with any direction of the PDPA given pursuant to a complaint by an Individual; and
  • To pay a financial penalty of such amount not exceeding SGD 1m as the PDPC thinks fit.
 

An Organisation aggrieved by the PDPC’s directions may apply to it to reconsider its direction and also has the same avenues of appeal as those set out above in respect of decisions of the PDPC arising from complaints by Individuals.

 

wongpartnershiplogo

 

For further information, please contact:

 

Chung Nian Lam, Partner, WongPartnership

chungnian.lam @wongpartnership.com

 

Jeffrey Lim, Partner, WongPartnership

jeffrey.lim @wongpartnership.com

 

WongPartnership TMT Practice Profile in Singapore

 

Homegrown TMT Firms in Singapore

Comments are closed.