Privacy Matters

DLA Piper's Global Privacy and Data Protection Resource

SINGAPORE: Increased financial penalties under the PDPA now in effect

11 January 2023 / , , ,

Authors: Carolyn Bigg, Yue Lin Lee

The provision setting out significantly higher financial penalties for Singapore’s Personal Data Protection Act 2012 (“PDPA”) is now in force.

There is now an increased risk for organisations contravening the PDPA in Singapore.

This means that in relation to any intentional or negligent contravention of:

  1. the data protection provisions, organisations may now have to pay a financial penalty of up to SGD 1 million or 10% of the organisation’s annual turnover in Singapore (where the organisation’s annual turnover in Singapore exceeds SGD 10 million), whichever is higher;
  2. the do-not-call provisions involving the use of dictionary attacks and address-harvesting software:
    • individuals may now have to pay a financial penalty of up to SGD 200,000; and
    • organisations, a financial penalty of up to SGD 1 million or 5% of the organisation’s annual turnover in Singapore (where the organisation’s annual turnover in Singapore exceeds SGD 20 million).

To recap, when the Personal Data Protection Commission is deciding whether a financial penalty is warranted, they will, among other things:

  1. assess the incident based on the principles of harm and culpability:
    • “Harm” includes the number of affected individuals, categories of affected personal data, duration of the incident etc.;
    • “Culpability” refers to the organisation’s conduct in the incident. The PDPC will consider the nature of the specific breach of the PDPA as well as the organisation’s overall compliance with the PDPA; and
  2. consider other relevant factors such as whether the organisation or person took any action to mitigate the effects and consequences of the non-compliance.

Key takeaways

Given the higher financial penalties, organisations must:

  • review their policies and practices for compliance with new provision;
  • update employees about the increased penalties and the accompanying increased risk for the organisation.

You may access the revised financial penalties here, and the Advisory Guidelines on Enforcement of the Data Protection Provisions here.

You may access our previous alert regarding the increased financial penalties here.

Please contact Carolyn Bigg (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.

DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.

Resources:

Linkedin-in Twitter Facebook-f Instagram Youtube Weixin
© 2023 DLA Piper. DLA Piper is a global law firm operating through various separate and distinct legal entities. For further information about these entities and DLA Piper’s structure, please refer to the Legal Notices page. All rights reserved. Attorney advertising.​