This publication is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying the information contained in this publication to specific issues or transactions.

Adriel Chia 
Senior Associate

T +65 6416 3348
M +65 8139 1521

28 June 2018

The European Union's General Data Protection Regulation and Singapore Companies and Businesses

On 25 May 2018, the European Union's General Data Protection Regulation ("GDPR") came into force. Unlike most laws, the GDPR will have extra-territorial effect and will apply to Singapore companies and businesses ("Singapore Entities").

Singapore Entities are required to comply with the GDPR if they process1 personal data and the processing of personal data is related to:

  • the offering of goods and/or services to individuals in the European Union ("EU") irrespective of whether or not any payment is made for those goods and/or services; or
  • the monitoring of those individuals' behaviour in the EU.

Under the GDPR, processing of personal data is lawful in certain circumstances, such as where consent has been given by the individual for the processing of his or her personal data for one or more specific purposes, or where processing is necessary for the performance of a contract.

Pertinently, Singapore Entities should note that compliance with the Personal Data Protection Act 2012 ("PDPA") does not necessarily mean that they are in compliance with the GDPR. 

For example, Singapore Entities that are regulated by the GDPR are under a positive obligation to notify the supervisory authority and the individuals concerned in the event of a data breach, and must appoint a data protection representative2 in the EU unless:

  • the processing of personal data is merely occasional;

  • does not include, on a large scale, processing of sensitive personal data3; and

  • is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.

Further, Singapore Entities should be aware of certain rights provided to data subjects by the GDPR:

  • Right to access personal data and information including the purposes for which their personal data is processed, and to whom their personal data has been disclosed or will be disclosed.

  • Right to rectify inaccuracies in their personal data.

  • Right to erasure of their personal data in certain circumstances, e.g., when the personal data is no longer necessary for the purposes for which it was collected or processed, or when consent is withdrawn.

  • Right to restrict the use of personal data in certain circumstances, e.g., when the personal data is no longer needed for processing but is otherwise required by the individual in relation to legal claims.

  • Right to data portability by receiving their personal data or personal data provided by that individual to the organisation, in a structured, commonly used and machine-readable format, and to have that data transmitted to another organisation.

  • Right to object to the processing of personal data including for the purpose of direct marketing.

  • Right not to be subject to automated decision-making including profiling where this has a legal effect on the individual or significantly affects that individual.

Depending on the particular provision breached, Singapore Entities may be subject to an administrative fine of up to: 

  • €10 million or 2% of its total worldwide annual turnover in the preceding financial year (whichever is higher); or

  • €20 million or 4% of its total worldwide annual turnover in the preceding financial year (whichever is higher).

In light of the hefty fines that may be imposed for breaches of the GDPR, it is crucial that Singapore Entities thoroughly review their data privacy policies to ensure compliance with the GDPR.

1* Defined in the GDPR as including collecting, recording, storing, adapting, using, etc..

2*  This obligation is in addition to the appointment of a Data Protection Officer in Singapore pursuant to the PDPA

3* Such as data about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation, or data concerning criminal convictions and offences.


If you would like to have more information or know how the GDPR may affect your business in Singapore, please contact the following individuals:

Dawn Tan 
Founding ​Director

T +65 6416 9518
M +65 9088 3810

Tristan Teo

T +65 6416 3358
M +65 8139 1527