Document type
Legislation
Country
Singapore introduced its first comprehensive data protection legislation in the form of the Personal Data Protection Act in 2012 (“PDPA”). The PDPA subjects all Singapore organizations as “data organizations” to various data protection obligations regarding the collection, processing and use of personal data. Data intermediaries however only have to observed a qualified set of data protection obligations. "Data intermediaries” are defined in the PDPA as “an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organization.” An organization that qualifies as a “data intermediary” only has to observe limited obligations regarding use of reasonable security arrangements to protect personal data from unauthorized access and similar risks (PDPA section 24) and the obligation to cease to retain personal data when it is reasonable to assume that the purpose for which the personal data was collected is no longer being served or when its retention is no longer necessary for legal or business purposes (PDPA section 25). No other data protection obligations are imposed on “data intermediaries”. For instance, if an individual directs his inquiry to a “data intermediary”, under the PDPA, the “data intermediary” has no obligation to respond to the individual’s request, for instance, to be notified of purpose of the data collection, use or disclosure (PDPA section 20), to be provided with information about the ways in which his personal data has been or may have been used or disclosed and access to his personal data (PDPA section 21) and to correct an error or omission in his personal data (PDPA section 22) as these obligations are only to be observed by the “data organisation”.
Country
Year
2012
Topic, claim, or defense
Privacy or Data Protection
Document type
Legislation
Issuing entity
Legislative Branch
Type of service provider
General or Non-Specified
Type of law
Civil