Singapore Personal Data Protection Act - What Your Company Needs to Know

Organizations collecting data of individuals in Singapore have to be mindful of their obligations under the new Personal Data Protection law to avoid incurring legal actions on the grounds of non-compliance.

On 2 January 2013, the Singapore Personal Data Protection Act 2012 (PDPA) came into force with the formation of the Personal Data Protection Commission (PDPC) – a new body responsible for administering and enforcing this act. The PDPA is applicable to all organizations in Singapore, except organizations in the public sector.

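The PDPA seeks to regulate the activities of organizations with regard to collecting, using or disclosing personal data, and to provide individuals with access to personal data that may be held by organizations. The Act also provides for the establishment of a national Do Not Call (DNC) Registry, which enables individuals to opt out of receiving any marketing advertisements, sales calls, SMS messages or faxes by registering their telephone numbers with the Registry. The Act will be implemented in phases; organizations will have a transition period of 18 months to streamline their policies and processes to ensure compliance. While the main provisions of the Act will come into effect from July 2014, the DNC Registry will come into effect on 2 January 2014.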

PDPC has the legal power to review complaints from affected parties and refer parties to mediation. PDPC is also empowered to enter the premises of an organization without a warrant after issuing two days of advance notice, obtain a warrant to search and seize, and issue directions to an organization to a) stop collecting data or b) destroy data. PDPC can also impose financial penalties of up to S$1 million.

Therefore, organizations collecting data of individuals in Singapore have to be mindful of their obligations under this new law to avoid incurring legal actions on the grounds of non-compliance. Organizations engaging in telemarketing activities are required to honor their obligations under the Do Not Call Registry.

Why the Need?

Whenever you open a bank account, join a social networking website or book a flight online, you hand over vital personal information such as your name, address, and credit card number. What happens to this data? Could it fall into the wrong hands? What rights do you have regarding your personal information?

The information-based economy has led to the emergence of a new asset class – personal data that has overarching potential. Consequently, legislation to guard this new asset class has become a necessity. In line with other advanced economies, Singapore has joined the data-guardians club with the enactment of the Personal Data Protection Act 2012 (PDPA).

In Singapore, collection of personal data such as phone number, address and NRIC number has remained a common practice, be it for an all-important bank account opening or simply to gain access to a secured office building. Besides this direct data collection, information about individuals is discreetly being collected by the various social networking, messaging and mailing platforms and the hordes of mobile applications that are avidly used by the digitally savvy residents of Singapore.

The seemingly insignificant data thus collected by organizations or voluntarily shared by individuals is becoming high-value property in the evolving Big Data ecosystem. Unscrupulous players can trade or misuse this property. Owing to its potential value, it requires legislative protection, requiring the organizations in possession of such data to comply with the regulations to ensure the security and integrity of the data.

PDPA Scope and Applicability

PDPA seeks to regulate the activities of organizations with regard to collecting, using or disclosing personal data, and it provides individuals with access to any personal data kept by organizations.

The term ‘Personal Data’ according to the Act refers to data, true or otherwise, about an individual who can be identified from that data or from the combination of that data with other information accessible to an organization. The PDPA covers personal data stored in both electronic and non-electronic forms. Organizations recording and keeping CCTV footage, or recording their events and live promotions in photo and video formats, therefore also have to be wary of their obligations when such material is used in publications or other forms of distribution.

The Act is applicable to all private sector organizations in Singapore as well as all organizations located outside Singapore that are engaged in data collection, processing or disclosure of such data within Singapore. Therefore, organizations using offshore call centers for their marketing or sales and services are also required to ensure compliance with PDPA requirements. It must be noted that data intermediaries, the organizations involved in processing data on behalf of a principal owner of such data, are exempted from most of the requirements under the PDPA but have to comply with the regulations relating to data protection and retention.

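The PDPA does not supersede any existing sector-specific laws or the common law; organizations must therefore ensure compliance with the common law as well as any relevant legislation specific to their sector, such as the Banking Act, which regulates customer information collected by banks, or the Private Hospitals and Medical Clinics Act, which provides for the confidentiality of patient information held by hospitals, clinics or laboratories.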

PDPA does not apply to individuals acting in individual or domestic capacity, employees acting in the course of their employment, organizations acting on behalf of a public agency, and business contact information.

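Organizations that use "cookies" to collect personal data are likewise subject to the requirements of the PDPA. Organizations whose websites notify users of their cookie policy are regarded as having obtained deemed consent from users for the collection of personal data.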

For personal data collected and held by organizations prior to the enforcement of PDPA, the organizations are required to obtain consent from the individual if the data is to be used for a purpose different from the original purpose for which it was obtained, or if it is to be used or disclosed for new purposes.

Key Requirements

In general, the regulations under the PDPA underscore four concepts: consent, purpose, legitimacy and protection.

Consent

Organizations are required to obtain consent from the individual to collect, use or disclose personal data for a specified purpose. The consent must be validly obtained without any deceptive or misleading information. The consent may be either express or deemed. It is considered a deemed consent when the individual voluntarily gives personal data or it is reasonable to assume that the individual would voluntarily provide the personal data. Some exemptions have been provided to this requirement for circumstances involving investigation, employment, debt, and interest of the individual.

Purpose

Organizations may collect, use or disclose personal data only for the stated purpose for which the individual has consented. If the personal data is to be used for a purpose other than the original, then fresh consent must be obtained.

Legitimacy

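Organizations must make reasonable efforts to ensure that the personal data they collect is accurate and complete. Organizations collecting personal data must designate one or more individuals as the organization's data protection officers. These officers will be responsible for ensuring that the organization complies with the PDPA, and the business contact information of at least one such officer must be made publicly available.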

Protection

Organizations would need to make reasonable security arrangements to protect personal data in their possession or under their control, and to prevent unauthorized access to, or the collection, use, disclosure, copying, modification or disposal of, such data. Depending on the sensitivity of the data collected, robust measures must be in place to ensure the security of such data. Organizations must establish plans and procedures to promptly respond to any security breaches. However, the Act does not provide specific details on the required arrangements for data security. Personal data collected by an organization cannot be retained when such retention is no longer necessary for legal or business purposes or the purpose for which it was obtained is no longer valid. Organizations transferring personal data out of Singapore are required to provide a standard of protection to the transferred personal data that is comparable to the protection under the PDPA.

Non-compliance with certain provisions under the PDPA may constitute an offence, for which a fine and/or a term of imprisonment may be imposed. Individuals suffering a loss or damage because of an organization’s non-compliance may file a private civil suit.

Individuals have the right to request their personal data that is in the possession or control of the organization and to obtain information about the use of such data. Individuals have the right to request correction of inaccurate data, and the organization should take steps to correct such inaccuracy unless there are reasonable grounds to refuse to do so. The Act also provides certain exemptions from such access by individuals. Individuals can withdraw their consent or deemed consent by serving a notice of withdrawal. Upon receipt of such a withdrawal notice, an organization should inform the individual of the consequences of withdrawal but should not prohibit such withdrawals.

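The DNC Registry will come into effect in early 2014. Organizations making telemarketing calls or sending telemarketing messages will be required to check the DNC Registry regularly to ensure that their recipients' numbers are not listed in it. During the first six months of the DNC Registry's operation, these organizations need to check the Registry at least once every 60 days, and at least once every 30 days thereafter. Any violation will attract a fine of up to S$10,000.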

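The enactment of the Personal Data Protection Act is an important milestone for Singapore in becoming a trusted international business hub for data assets. The Act was drafted after a careful review of the data protection regimes of key jurisdictions. However, as with any new legislation, some aspects will present an uncharted maze that organizations and individuals will have to navigate, and some grey areas are bound to emerge. With this in mind, the government (in consultation with various stakeholders) released its first advisory guidelines in September 2013. The advisory provides guidance on obligations such as consent and verification, and advises organizations not to over-collect personal data. Further guidelines are expected in the future. GuideMeSingapore will monitor this landscape and provide updates as new developments emerge; if you would like to stay informed of these updates, please subscribe to our blog.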

A complete copy of the Personal Data Protection Act is available here.
