This publication is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying the information contained in this publication to specific issues or transactions.
T +65 6416 3348
M +65 8139 1521
28 June 2018
On 25 May 2018, the European Union's General Data Protection Regulation ("GDPR") came into force. Unlike most laws, the GDPR will have extra-territorial effect and will apply to Singapore companies and businesses ("Singapore Entities").
Singapore Entities are required to comply with the GDPR if they process1 personal data and the processing of personal data is related to:
Under the GDPR, processing of personal data is lawful in certain circumstances, such as where consent has been given by the individual for the processing of his or her personal data for one or more specific purposes, or where processing is necessary for the performance of a contract.
Pertinently, Singapore Entities should note that compliance with the Personal Data Protection Act 2012 ("PDPA") does not necessarily mean that they are in compliance with the GDPR.
For example, Singapore Entities that are regulated by the GDPR are under a positive obligation to notify the supervisory authority and the individuals concerned in the event of a data breach, and must appoint a data protection representative2 in the EU unless:
Further, Singapore Entities should be aware of certain rights provided to data subjects by the GDPR:
Depending on the particular provision breached, Singapore Entities may be subject to an administrative fine of up to:
In light of the hefty fines that may be imposed for breaches of the GDPR, it is crucial that Singapore Entities thoroughly review their data privacy policies to ensure compliance with the GDPR.
1* Defined in the GDPR as including collecting, recording, storing, adapting, using, etc..
2* This obligation is in addition to the appointment of a Data Protection Officer in Singapore pursuant to the PDPA
3* Such as data about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation, or data concerning criminal convictions and offences.
If you would like to have more information or know how the GDPR may affect your business in Singapore, please contact the following individuals:
T +65 6416 9518
M +65 9088 3810
T +65 6416 3358
M +65 8139 1527