Global Data Protection Agency

IMPLEMENTATION: Implementation timeframe

The interpretation of the PDPA in Part II of these Guidelines clarifies the applicable standard for the permissible collection...

eBOOK ● PDPC-SEGMENT 6-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

APPLICATION OF DATA PROTECTION PROVISIONS: Alternatives to NRIC

PDPC does not prescribe the types of identifiers that organisations should adopt in place of NRIC numbers...

eBOOK ● PDPC-SEGMENT 6-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

APPLICATION OF DATA PROTECTION PROVISIONS: Retention of Physical NRIC

Given the importance of the NRIC as a national identification document that is issued to all citizens and permanent residents of Singapore...

eBOOK ● PDPC-SEGMENT 6-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

APPLICATION OF DATA PROTECTION PROVISIONS: Collection, use or disclosure of NRIC numbers (or copies of NRIC)

Organisations are generally not allowed to collect, use or disclose NRIC numbers (or copies of NRIC)...

eBOOK ● PDPC-SEGMENT 6-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

INTRODUCTION: Overview of the Data Protection Provisions

Organisations are generally not allowed to collect, use or disclose NRIC numbers (or copies of NRIC)...

eBOOK ● PDPC-SEGMENT 6-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

INTRODUCTION: Background

These Guidelines should be read in conjunction with the document titled “Introduction to the Guidelines”...

eBOOK ● PDPC-SEGMENT 6-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DO NOT CALL PROVISIONS

The Do Not Call Provisions under the PDPA generally apply to marketing messages sent to a Singapore telephone number...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DATA PROTECTION PROVISIONS: Openness Obligation

The Data Protection Provisions contain a number of obligations in various sections which require organisations to develop and implement policies...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DATA PROTECTION PROVISIONS: Retention Obligation

A political party and election candidate must cease to retain documents containing personal data, or anonymise it...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DATA PROTECTION PROVISIONS: Protection Obligation

A political party or election candidate must protect all personal data in its possession or under its control by making reasonable security arrangements...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DATA PROTECTION PROVISIONS: Accuracy Obligation

A political party or election candidate must make a reasonable effort to ensure that personal data collected by or on behalf of the political party...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DATA PROTECTION PROVISIONS: Access and Correction Obligations

A political party or election candidate must, upon request, (a) provide an individual with his or her personal data in the possession...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DATA PROTECTION PROVISIONS: Notification Obligation

A political party or election candidate must notify the individual of the purposes for which it intends to collect...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DATA PROTECTION PROVISIONS: Purpose Limitation Obligation

A political party or election candidate may collect, use or disclose personal data about an individual only for purposes that a reasonable person...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DATA PROTECTION PROVISIONS: Consent Obligation

A political party or election candidate must obtain the consent of the individual before collecting, using or disclosing his or her personal data for a purpose...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

DATA PROTECTION PROVISIONS

The Data Protection Provisions contain nine key obligations which political parties and election candidates are required to comply with...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

RIGHTS AND OBLIGATIONS ETC UNDER OTHER LAWS

Section 4(6) of the PDPA states that unless otherwise provided in the PDPA, nothing in Parts III to VI of the PDPA shall affect any authority...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

APPLICATION OF PDPA TO ELECTION ACTIVITIES: Application of the PDPA to data intermediaries

A data intermediary is defined under the PDPA as an organisation that processes personal data on behalf of another organisation...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

APPLICATION OF PDPA TO ELECTION ACTIVITIES: Application of the PDPA to political parties and election candidates

Under the PDPA, political parties and election candidates that conduct election activities involving the collection...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

APPLICATION OF PDPA TO ELECTION ACTIVITIES

Personal data is defined in the PDPA as “data, whether true or not, about an individual who can be identified...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

INTRODUCTION

The Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”) governs the collection...

eBOOK ● PDPC-SEGMENT 5-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

APPEALS AND RIGHTS OF PRIVATE ACTION: Rights of private action

Section 32(1) of the PDPA provides that any person who suffers loss or damage directly as a result of a contravention of any provision in Parts IV, V or VI of the PDPA...

eBOOK ● PDPC-SEGMENT 4-PART 8 ● KNOWLEDGE BANK 

July 31, 2019

APPEALS AND RIGHTS OF PRIVATE ACTION: Appeals to High Court and Court of Appeal

Section 35(1) of the PDPA provides that an appeal against, or with respect to, a decision or direction of a Data Protection Appeal Committee may be made to the High Court...

eBOOK ● PDPC-SEGMENT 4-PART 8 ● KNOWLEDGE BANK 

July 31, 2019

APPEALS AND RIGHTS OF PRIVATE ACTION: Data Protection Appeal Committee’s decisions and directions

Section 34(4) of the PDPA provides that the Data Protection Appeal Committee hearing an appeal may, after hearing the appeal...

eBOOK ● PDPC-SEGMENT 4-PART 8 ● KNOWLEDGE BANK 

July 31, 2019

APPEALS AND RIGHTS OF PRIVATE ACTION: Appeal against decision or direction

Section 31(4)(b) of the PDPA provides that the Commission may, after reconsidering the contested decision, affirm, revoke or vary the contested decision as the Commission thinks fit...

eBOOK ● PDPC-SEGMENT 4-PART 8 ● KNOWLEDGE BANK 

July 31, 2019

RECONSIDERATION: Commission’s decisions and directions upon reconsideration

Section 31(4)(b) of the PDPA provides that the Commission may, after reconsidering the contested decision, affirm, revoke or vary the contested decision as the Commission thinks fit...

eBOOK ● PDPC-SEGMENT 4-PART 7 ● KNOWLEDGE BANK 

July 31, 2019

RECONSIDERATION: Reconsideration procedure

The procedures that the Commission will adopt in a reconsideration under section 31(1) of the PDPA are mainly set out in Part III of the Enforcement Regulations...

eBOOK ● PDPC-SEGMENT 4-PART 7 ● KNOWLEDGE BANK 

July 31, 2019

RECONSIDERATION: Reconsideration of a decision or direction

Section 31(1) of the PDPA provides that an organisation or individual aggrieved by a decision or direction...

eBOOK ● PDPC-SEGMENT 4-PART 7 ● KNOWLEDGE BANK 

July 31, 2019

COMMON ISSUES RELATING TO THE COMMISSION’S DECISIONS AND DIRECTIONS: Enforcement of the Commission’s directions

Section 30 of the PDPA provides that the Commission may register a direction under section 28(2) or 29 of the PDPA in the District Court...

eBOOK ● PDPC-SEGMENT 4-PART 6 ● KNOWLEDGE BANK 

July 31, 2019

COMMON ISSUES RELATING TO THE COMMISSION’S DECISIONS AND DIRECTIONS: Commission’s power to publish decisions and directions

Regulations 17, 18 and 19 of the Enforcement Regulations provide that the Commission may, where it has made a decision or...

eBOOK ● PDPC-SEGMENT 4-PART 6 ● KNOWLEDGE BANK 

July 31, 2019

DIRECTIONS TO SECURE COMPLIANCE: How financial penalties are determined

In this section, the Commission sets out a non-exhaustive list of some aggravating and mitigating factors that the Commission may consider when it calculates a financial penalty...

eBOOK ● PDPC-SEGMENT 4-PART 5 ● KNOWLEDGE BANK 

July 31, 2019

DIRECTIONS TO SECURE COMPLIANCE: Directions to pay financial penalties

In considering whether to direct an organisation to pay a financial penalty, the Commission will take into account certain factors...

eBOOK ● PDPC-SEGMENT 4-PART 5 ● KNOWLEDGE BANK 

July 31, 2019

DIRECTIONS TO SECURE COMPLIANCE: Power to issue directions to secure compliance

The Commission’s power to issue directions to secure an organisation’s compliance with the Data Protection Provisions is set out in section 29 of the PDPA...

eBOOK ● PDPC-SEGMENT 4-PART 5 ● KNOWLEDGE BANK 

July 31, 2019

INVESTIGATIONS: Public communications

Organisations that intend to issue any media releases or public disclosure of matters related to the alleged breach are advised to consider...

eBOOK ● PDPC-SEGMENT 4-PART 4 ● KNOWLEDGE BANK 

July 31, 2019

INVESTIGATIONS: Suspension or conclusion of an investigation

Section 50(3) of the PDPA lists various situations in which the Commission may suspend or discontinue an investigation...

eBOOK ● PDPC-SEGMENT 4-PART 4 ● KNOWLEDGE BANK 

July 31, 2019

INVESTIGATIONS: Power to enter premises with a warrant

Under paragraph 3 of the Ninth Schedule to the PDPA, the Commission is empowered to enter and search premises without prior notice, upon production of a warrant...

eBOOK ● PDPC-SEGMENT 4-PART 4 ● KNOWLEDGE BANK 

July 31, 2019

INVESTIGATIONS: Power to enter premises without a warrant

Under paragraph 2 of the Ninth Schedule to the PDPA, the Commission is empowered to enter premises without a warrant in connection with an investigation...

eBOOK ● PDPC-SEGMENT 4-PART 4 ● KNOWLEDGE BANK 

July 31, 2019

INVESTIGATIONS: Power to require production of documents and information

Under paragraph 1 of the Ninth Schedule to the PDPA, the Commission may, by notice in writing to any organisation...

eBOOK ● PDPC-SEGMENT 4-PART 4 ● KNOWLEDGE BANK 

July 31, 2019

INVESTIGATIONS: Commission’s powers of investigation

The Commission’s powers of investigation are set out in the Ninth Schedule to the PDPA. In brief, these include...

eBOOK ● PDPC-SEGMENT 4-PART 4 ● KNOWLEDGE BANK 

July 31, 2019

INVESTIGATIONS: Making a complaint to the Commission

A complaint concerning a contravention or possible contravention of the PDPA may be made to the Commission by providing the relevant information...

eBOOK ● PDPC-SEGMENT 4-PART 4 ● KNOWLEDGE BANK 

July 31, 2019

INVESTIGATIONS: Circumstances under which the Commission may commence an investigation

Section 50 of the PDPA sets out the Commission’s powers of investigation in respect of contraventions of the PDPA...

eBOOK ● PDPC-SEGMENT 4-PART 4 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Commencing an investigation related to a review

The Commission may, in certain situations, commence an investigation in relation to an organisation’s compliance with section 21 or 22 of the PDPA prior to or during a review...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Commission’s decisions and directions following a review

Section 28(2) of the PDPA provides that the Commission may, upon the completion of a review...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Withdrawal of review application

An applicant may withdraw his application for a review at any time before the Commission gives notice of its decision or direction...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Suspension of a review

The Commission may suspend a review at any stage of the review in the circumstances set out in regulation 9 of the Enforcement Regulations...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Commission’s powers when conducting a review application

The Commission may exercise the following powers under the Enforcement Regulations when conducting a review...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Summary dismissal of review application

The Commission may, at any time, dismiss a review application in the circumstances set out in Regulation 5 of the Enforcement Regulations...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Procedure during a review. Seeking further information or clarifications from the applicant or respondent

The Commission may, at any stage of the review, seek further information, clarifications or documents from either the applicant or the respondent...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Procedure during a review. Inviting the applicant to submit a reply to the organisation’s response to the review application

Where the respondent submits a response, the Commission may, where it considers it appropriate...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Procedure during a review. Submission of a response by the respondent

In most cases, respondents will be required to submit a response within 14 days of the date of the notice of review application...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Procedure during a review. Serving a copy of the review application to the organisation concerned

The following describes in brief the procedure for a review set out in the Enforcement Regulations...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Procedure during a review

The procedures that the Commission will adopt in a review under section 28(1) of the PDPA are mainly set out in Part II of the Enforcement Regulations...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Submitting a review application to the Commission

When submitting a review application to the Commission, the review application should include the following information...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Matters to note before applying to the Commission for a review

Before applying to the Commission for a review, individuals should note and, if necessary, clarify the following with the organisation concerned as...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Applying to the Commission for a review

An individual who has made an access request or a correction request to an organisation may apply to the Commission under section 28(1) of the PDPA...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

REVIEWS: Commission’s power to review

Section 28 of the PDPA sets out the Commission’s powers in relation to the conduct of a review...

eBOOK ● PDPC-SEGMENT 4-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

ALTERNATIVE DISPUTE RESOLUTION: Measures to facilitate resolution of a complaint

Where appropriate, the Commission may take any or all of the following measures when seeking to facilitate the resolution of a complaint...

eBOOK ● PDPC-SEGMENT 4-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

ALTERNATIVE DISPUTE RESOLUTION: Commission’s approach to resolving complaints

Upon receiving a complaint, the Commission will first consider whether it may be more appropriately resolved by adopting some or...

eBOOK ● PDPC-SEGMENT 4-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

ALTERNATIVE DISPUTE RESOLUTION: Commission’s powers relating to alternative dispute resolution

Section 27 of the PDPA sets out the Commission’s powers in relation to the resolution of complaints. These include...

eBOOK ● PDPC-SEGMENT 4-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

INTRODUCTION AND OVERVIEW: Overview of enforcement framework and approach

The PDPA confers various powers on the Commission to enforce the Data Protection Provisions. Broadly, these powers may be categorised as follows...

eBOOK ● PDPC-SEGMENT 4-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

INTRODUCTION AND OVERVIEW: Introduction

The Personal Data Protection Act 2012 (the “PDPA”) establishes a general data protection law in Singapore that governs the collection...

eBOOK ● PDPC-SEGMENT 4-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

Application of sections 14(2)(a) and 46(1) of the PDPA to marketing purposes: Application to common scenarios

This portion of the Guidelines seeks to illustrate the principles articulated in the above paragraphs through the use of common scenarios...

eBOOK ● PDPC-SEGMENT 3-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

Application of sections 14(2)(a) and 46(1) of the PDPA to marketing purposes: Requiring consent for marketing purposes

If organisations wish to obtain consent for marketing purposes, they should generally provide the individuals the option whether or not to give consent...

eBOOK ● PDPC-SEGMENT 3-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

Application of sections 14(2)(a) and 46(1) of the PDPA to marketing purposes: Definition of “marketing purposes”

These Guidelines will focus on the application of sections 14(2)(a) and 46(1) to situations where organisations wish to require an individual’s consent for...

eBOOK ● PDPC-SEGMENT 3-PART 3 ● KNOWLEDGE BANK 

July 31, 2019

Overview of the relevant PDPA provisions and general principles: Effect of sections 14(2)(a) and 46(1) of the PDPA

The effect of section 14(2)(a) (read with section 14(3)) and section 46(1) is that organisations cannot refuse to provide an individual an item because...

eBOOK ● PDPC-SEGMENT 3-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

Overview of the relevant PDPA provisions and general principles: Comparison of sections 14(2) and 46(1) of the PDPA

For the purposes of the discussion in the subsequent paragraphs, we shall refer to “product or service”...

eBOOK ● PDPC-SEGMENT 3-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

Overview of the relevant PDPA provisions and general principles: Obtaining consent under the Do Not Call Provisions

An organisation that wishes to send a “specified message” (as defined in the PDPA) to a Singapore telephone number must comply with the Do Not Call Provisions...

eBOOK ● PDPC-SEGMENT 3-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

Overview of the relevant PDPA provisions and general principles: Obtaining consent under the Data Protection Provisions

Section 13 of the PDPA, on the requirement to obtain consent, states that...

eBOOK ● PDPC-SEGMENT 3-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

Introduction

These Guidelines should be read in conjunction with the document titled “Introduction to the Guidelines” and are subject to the disclaimers set out therein...

eBOOK ● PDPC-SEGMENT 3-PART 1 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Data Activities Relating to Minors. Should organisations take extra measures to verify the accuracy of personal data about minors?

When establishing measures to comply with the Accuracy Obligation under the Data Protection Provisions...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Data Activities Relating to Minors. Should organisations adopt a different treatment for the collection, use or disclosure of personal data about minors?

The PDPA does not contain provisions that specifically address the collection, use or disclosure of personal data about minors...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Data Activities Relating to Minors. When is a minor deemed to have given consent on his own behalf under the PDPA?

Under section 15(1) of the PDPA, an individual may be deemed to have consented to the collection...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Data Activities Relating to Minors. Can a minor’s parents or other legal guardians provide valid consent on behalf of the minor under the PDPA?

Section 14(4) of the PDPA provides that consent given or deemed to have been given by an individual for the collection...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Data Activities Relating to Minors. When can a minor give valid consent on his own behalf under the PDPA?

The PDPA does not specify the situations in which a minor (that is, an individual who is less than 21 years of age)...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Online Activities. Are organisations allowed to use cookies for behavioural targeting?

Where behavioural targeting involves the collection and use of personal data, the individual’s consent is required...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Online Activities. Must consent be obtained for the use of cookies?

Cookies are text files created on a client computer when its web browser loads a website or web application...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Online Activities. Are IP addresses personal data?

IP addresses of networked devices are automatically captured whenever a connection is made over the Internet...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Personal Data of Employees. Do the exceptions to the Consent Obligation for the collection, use and disclosure of personal data of employees also apply to individuals that may act on behalf of an organisation, but are not the organisation’s employees?

The exception relating to “managing or terminating an employment relationship” only applies when there is an employment relationship...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Personal Data of Employees. Are organisations responsible if their employees do not comply with the PDPA? Are volunteers considered employees?

Under the PDPA, an organisation is responsible for the personal data in its possession or under its control...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Personal Data of Employees. How long can organisations continue to hold personal data of former employees?

Section 25 of the PDPA requires an organisation to cease to retain its documents containing personal data...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Personal Data of Employees. What is the difference between the exception for evaluative purposes and the exception for the purpose of managing and terminating an employment relationship?

There are instances where employers have to collect the same set of personal data for both the purposes of (i) managing or terminating the employment relationship and (ii) evaluation...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Personal Data of Employees. Collecting, using and disclosing personal data for the purpose of managing or terminating an employment relationship between the organisation and the individual

Under the PDPA, the collection by organisations of personal data from their employees that is reasonable for the purpose of managing or terminating their employment relationships...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Personal Data of Employees. Collecting, using and disclosing employee personal data for evaluative purposes

Organisations may collect, use and disclose personal data without consent where this is necessary for evaluative purposes...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Personal Data of Employees. How does the PDPA apply to employment records of employees?

Most organisations maintain some form of employment records on their current employees...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Employment. How does the PDPA apply to recruitment agencies?

Recruitment companies, employment agencies, head-hunters and other similar organisations...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Employment. Can job applicants ask the organisation to reveal how much information the organisation has on them or find out why they were not selected?

Under the PDPA, individuals have the right to obtain access and request corrections to their personal data held by organisations...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Employment. How long can an organisation keep the personal data of job applicants who are not hired?

After an organisation has decided which job applicant to hire, the personal data that the organisation had collected from the other job applicants should...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Employment. Can organisations use the information in business cards for recruitment?

The Data Protection Provisions in the PDPA do not apply to “business contact information”, which is defined in the PDPA as...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Employment. Can organisations or recruitment agencies collect and use personal data on individuals from social networking sites or publicly available sources to contact them for prospective job opportunities?

The PDPA does not require organisations to obtain the consent of the individual when collecting or using personal data that is publicly available...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Employment. Can organisations collect and use personal data on the job applicant from social networking sources (e.g. Facebook or Twitter)?

The PDPA does not require organisations to obtain the consent of the individual when collecting personal data that is publicly available...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Employment. Does an organisation need to seek the consent of a job applicant for the collection and use of his personal data?

Organisations may receive personal data from job applicants who provide it voluntarily through a job application, either in response to a recruitment advertisement or otherwise...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Drones. What should organisations do if personal data was unintentionally collected by the drones?

The Commission would encourage organisations to ensure that they adhere to the pre-determined flight path of drones and adopt policies...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Drones. What should organisations do if the drones used are likely to capture personal data?

Among other obligations, the Data Protection Provisions require organisations to inform individuals of the purposes for which their personal data will be collected...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Drones. What should organisations consider when using drones?

Organisations will need to consider whether the drones they deploy are likely to capture personal data of individuals...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Drones

Increasingly, organisations are making use of drones that may be equipped with photography, video and/or audio recording capabilities...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). What does “video masking” or “masking” refer to?

“Video masking” of images refers to the process of concealing parts of the video from view...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Where an organisation is providing a copy of the CCTV footage upon request of an individual, must the copy be a video or can it be provided in other formats?

The PDPA does not specify the format of the personal data to be provided in relation to an access request made by an individual...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Can the organisation require that the individual sign a contract to agree not to disclose to any third party the CCTV footage to be provided to him?

The PDPA does not prohibit this. However, such a contract would not override any rights or obligations under the PDPA...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Is there a requirement that CCTV footage or video stills be of minimum resolution when provided to individuals upon request?

The PDPA does not prescribe any minimum resolution...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Is an organisation required to accede to requests to delete CCTV footage?

No. The PDPA does not require an organisation to delete personal data upon request from an individual...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Can two or more individuals make an access request for the same CCTV footage containing their personal data, if they consent to their own personal data being revealed to the others making the access request?

Yes. It would be reasonable for certain groups of individuals...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Can compromising an organisation’s security arrangements or competitive position be sufficient reason to deny access to CCTV footage?

The Commission’s view is that, depending on the specific facts and circumstances, compromising an organisation’s security arrangements or harming an organisation’s...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Is an organisation required to provide a copy of CCTV footage pursuant to an access request for the footage?

Organisations should provide a copy of the CCTV footage and have the option of charging the individual a reasonable fee for providing the copy...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Must an organisation provide access to CCTV footage if it doesn’t have the technical ability or it is too costly to mask the other individuals whose personal data are captured in the footage?

Generally, an organisation is required to provide for access requests...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Is an organisation required to provide access to CCTV footage if it also reveals the personal data of other individuals?

Generally, an organisation is required to provide the individual access to personal data requested, unless the request falls within one of the prohibitions...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). If my organisation installs CCTVs that also capture footage beyond the boundaries of our premises, is that allowed?

The PDPA requires that an organisation consider what a reasonable person would consider appropriate under the circumstances in meeting its obligations under the PDPA...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Is notification still required if CCTVs are there to covertly monitor the premises for security reasons, and notification of the CCTV’s location would defeat the purpose of using the CCTVs?

The Commission does not require the placement or content of notifications to reveal the exact location of the CCTVs...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). What should such notices state?

The PDPA does not prescribe the content of notifications...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Where should notices be placed?

Notices or other forms of notifications should generally be placed so as to enable individuals to have sufficient awareness that CCTVs have been deployed for a particular purpose...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”). Do organisations always have to provide notifications when CCTVs are deployed?

The PDPA requires organisations to inform individuals of the purposes for which their personal data will be collected, used or disclosed in order to obtain their consent...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Closed-Circuit Television Cameras (“CCTVs”)

CCTVs are commonly used to capture video recordings, and some of them may also be equipped with audio recording capabilities...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography and Videography. Does the PDPA affect the copyright in a photograph or video recording?

The Data Protection Provisions do not affect any right conferred or obligation imposed by or under other laws, including the Copyright Act...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography and Videography. Can individuals withdraw consent for the publication of photographs or video recordings, or request under the PDPA for the removal of photographs or video recordings that have been published?

The PDPA provides that individuals may at any time withdraw any consent given or deemed to have been given under the PDPA for the collection...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography and Videography. Is an individual who submits a photograph or video recording taken when acting in a personal or domestic capacity for a competition, still acting in a personal or domestic capacity?

An individual’s submission of a photograph or video recording for a competition is, on its own, insufficient to determine whether he is acting in a personal or domestic capacity...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography and Videography. Does the exception for collection of personal data “solely for artistic or literary purposes” apply to the taking of photographs or video recordings of individuals?

In accordance with paragraph 1(g) of the Second Schedule, an organisation is permitted to collect personal data about an individual...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography and Videography. Do professional photographers or videographers need to sign contracts with the event organiser before they can provide photography or videography services at an event?

The PDPA does not prescribe the contractual arrangements that organisations may wish to enter into in order to ensure that they comply with their obligations under the PDPA...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography and Videography. Is a photographer or videographer required to obtain consent from individuals in the background when a photograph or video recording is taken?

As noted above, consent will generally be required for taking a photograph or video recording of an identifiable individual although consent may be deemed to have been given...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography and Videography. How may an individual’s consent be obtained for photo-taking or video recording at a private event/space?

The Data Protection Provisions do not prescribe the ways in which consent may be obtained for photo-taking or video recording...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography and Videography. Does a photographer or videographer need to obtain an individual’s consent to take a photograph or video recording of the individual in a public place?

The PDPA sets out various exceptions to the Consent Obligation...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography and Videography. Does a photographer or videographer need to obtain an individual’s consent to take a photograph or video recording of the individual?

Among other obligations, the Data Protection Provisions require consent from the individual to be obtained for the purposes of the collection, use or disclosure of his personal data...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Photography, Video and Audio Recordings

Photography, video and audio recordings are increasingly ubiquitous with such capabilities being included in more devices...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Anonymisation. Managing the risks of re-identification when using or disclosing anonymised data

Before using or disclosing anonymised data, the organisation should apply the appropriate anonymisation techniques to ensure robust anonymisation of the data...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Anonymisation. General test for assessing risks of re-identification

As a general test for assessing the risks of re-identification and the robustness of the anonymisation, a useful starting point is the ‘motivated intruder’ test highlighted...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Anonymisation. Assessing the risks of re-identification

Re-identification can occur as a result of combining separate datasets...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Anonymisation. Considerations for anonymising data

When deciding whether to anonymise data for use or disclosure, organisations should keep in mind that not all datasets can be effectively or meaningfully anonymised...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 31, 2019

SELECTED TOPICS: Anonymisation. Anonymisation techniques

The following is a non-exhaustive list of commonly used anonymisation techniques, and examples of how each technique can be used...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

SELECTED TOPICS: Anonymisation. What is anonymisation?

In general, anonymisation refers to the process of removing identifying information such that the remaining data cannot be used to identify any particular individual...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

SELECTED TOPICS: Analytics and Research. How does the PDPA apply to organisations that want to conduct analytics and research activities?

The Personal Data Protection Act 2012 (the “PDPA”) establishes a general data protection law in Singapore which governs the collection...

eBOOK ● PDPC-SEGMENT 2-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

INTRODUCTION AND OVERVIEW: Introduction

The Personal Data Protection Act 2012 (the “PDPA”) establishes a general data protection law in Singapore which governs the collection...

eBOOK ● PDPC-SEGMENT 2-PART 1 ● KNOWLEDGE BANK 

July 30, 2019

OTHER RIGHTS, OBLIGATIONS AND USES: Use of personal data collected before the appointed day

The Data Protection Provisions in the PDPA have taken effect from the appointed day. Section 19 of the PDPA provides that notwithstanding the other provisions of Part IV...

eBOOK ● PDPC-SEGMENT 1-PART 4 ● KNOWLEDGE BANK 

July 30, 2019

OTHER RIGHTS, OBLIGATIONS AND USES: Rights and obligations, etc. under other laws

Section 4(6)(a) of the PDPA provides that the Data Protection Provisions will not affect any authority, right, privilege or immunity conferred...

eBOOK ● PDPC-SEGMENT 1-PART 4 ● KNOWLEDGE BANK 

July 30, 2019

OTHER RIGHTS, OBLIGATIONS AND USES: Overview

Although not expressly provided for in the PDPA, organisations may wish to consider conducting Data Protection Impact Assessments...

eBOOK ● PDPC-SEGMENT 1-PART 4 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Accountability Obligation. Other measures relating to accountability

Although not expressly provided for in the PDPA, organisations may wish to consider conducting Data Protection Impact Assessments...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Accountability Obligation. Other provisions related to the Accountability Obligation

The Data Protection Provisions also provide for specific circumstances where organisations have to be answerable to individuals and the PDPC...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Accountability Obligation. Developing and implementing data protection policies and practices

Section 12 of the PDPA sets out four additional key requirements which form part of the Accountability Obligation...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Accountability Obligation. Appointing a Data Protection Officer

Section 11(3) of the PDPA requires an organisation to designate one or more individuals to be responsible for ensuring that the organisation...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Accountability Obligation

In data protection, the concept of accountability refers to how an organisation discharges its responsibility for personal data which it has collected or obtained for processing...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Transfer Limitation Obligation. Data in transit

Data in transit refers to personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Transfer Limitation Obligation. Scope of contractual clauses

In setting out contractual clauses that require the recipient to comply with a standard of protection in relation to the personal data transferred to him...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Transfer Limitation Obligation. Conditions for transfer of personal data overseas

Regulations issued under the PDPA will specify the conditions under which an organisation may transfer personal data overseas...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Transfer Limitation Obligation

Section 26 of the PDPA limits the ability of an organisation to transfer personal data outside Singapore...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Retention Limitation Obligation. Anonymising personal data

An organisation will be considered to have ceased to retain personal data when it no longer has the means to associate the personal data with particular individuals...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Retention Limitation Obligation. Factors relevant to whether an organisation has ceased to retain personal data

In considering whether an organisation has ceased to retain personal data, the Commission will consider the following factors in relation to the personal data in question...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Retention Limitation Obligation. Ceasing to retain personal data

Where there is no longer a need for an organisation to retain personal data, it must take prompt action to ensure it does not hold such personal data...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Retention Limitation Obligation. How long personal data can be retained

The Retention Limitation Obligation prevents organisations from retaining personal data in perpetuity where they do not have legal or business reasons to do so...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Retention Limitation Obligation

Section 25 of the PDPA requires an organisation to cease to retain its documents containing personal data, or remove the means by which the personal data...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Protection Obligation. Examples of security arrangements

Security arrangements may take various forms such as administrative measures, physical measures, technical measures or a combination of these...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Protection Obligation

Section 24 of the PDPA requires an organisation to make reasonable security arrangements to protect personal data in its possession or under its control...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Accuracy Obligation. Ensuring accuracy when collecting personal data from a third party source

An organisation should also be more careful when collecting personal data about an individual from a source other than the individual in question...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Accuracy Obligation. Ensuring accuracy when personal data is provided directly by the individual

Organisations may presume that personal data provided directly by the individual concerned is accurate in most circumstances...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Accuracy Obligation. Requirement of reasonable effort

The Accuracy Obligation requires organisations to make a reasonable effort to ensure the accuracy and completeness of personal data...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Accuracy Obligation

Section 23 of the PDPA requires an organisation to make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Form of access and correction requests

While organisations may provide standard forms or procedures for individuals to submit access and/or correction requests...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligation. Response time for a correction request

Subject to exceptions as described above, an organisation is required to correct the personal data as soon as practicable from the time the correction request is made...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Exceptions to the obligation to correct personal data

Section 22(6) provides that an organisation is not required to correct or otherwise alter an opinion, including a professional or an expert opinion...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Obligation to correct personal data

Section 22(1) of the PDPA provides that an individual may submit a request for an organisation to correct an error or omission in the individual’s personal data...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Preservation of personal data after rejecting an access request

If an organisation determines that it is appropriate under section 21 of the PDPA and Part II of the Personal Data Protection Regulations...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Preservation of personal data when processing an access request

If an organisation has scheduled periodic disposal or deletion of personal data...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Rejecting an access request

Subject to the PDPA and the Personal Data Protection Regulations, an organisation is to provide a reply to the individual even if the organisation is not providing access to...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Access request relating to legal proceedings

In the event an individual who is engaged in legal proceedings with an organisation makes an access request to obtain relevant personal data or other information...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Access request relating to disclosure to prescribed law enforcement agency

Section 21(4) of the PDPA contains an additional obligation of organisations in relation to the Access and Correction Obligations...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Access that may reveal personal data about another individual

One of the prohibitions, section 21(3)(c), requires that an organisation must not provide access to the personal data or other information...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Providing personal data of an individual without the personal data of other individuals

Section 21(5) of the PDPA provides that if an organisation is able to provide the individual with his personal data and other information requested under 21(1) without...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Exceptions to the obligation to provide access to personal data

The obligation in section 21(1) is subject to a number of exceptions in sections 21(2) to 21(4) including some mandatory exceptions relating...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Fees chargeable for access to personal data

Organisations may charge an individual a reasonable fee for access to personal data about the individual...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Response time frame for an access request

Subject to the PDPA and the Personal Data Protection Regulations, an organisation is required to comply with section 21(1) of the PDPA...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Information relating to ways which personal data has been used or disclosed

As stated in section 21(1) of the PDPA, if an individual requests for information relating to the use or disclosure of his personal data by the organisation...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations. Obligation to provide access to personal data

Section 21(1) of the PDPA provides that, upon request by an individual, an organisation shall provide the individual with the following as soon as reasonably possible...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Access and Correction Obligations

Sections 21 and 22 of the PDPA set out the rights of individuals to request for access to their personal data and for correction of their personal data that is in the possession or...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Notification Obligation. Use and disclosure of personal data for a different purpose from which it was collected

The Data Protection Provisions recognise that there will be circumstances in which an organisation would like to use or disclose an individual’s personal data...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Notification Obligation. Good practice considerations relating to the Notification Obligation

Informing the individual of the purposes for which his personal data will be collected, used or disclosed is an important aspect of obtaining consent for the purposes...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Notification Obligation. Information to be included when stating purposes

An organisation should state its purposes at an appropriate level of detail for the individual to determine the reasons and manner in which the organisation will be collecting...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Notification Obligation. Providing notification through a Data Protection Policy

The PDPA requires organisations to develop and implement policies and procedures that are necessary for the organisation to meet its obligations under the PDPA...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Notification Obligation. The manner and form in which an organisation should inform the individual of its purposes

The PDPA does not specify a specific manner or form in which an organisation is to inform an individual of the purposes for which it is collecting...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Notification Obligation. When an organisation must inform the individual of its purposes

Under section 20(1) and (4) of the PDPA, an organisation must inform the individual of the purposes for which his personal data will be collected...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Notification Obligation

As noted in the previous sections on the Consent Obligation and the Purpose Limitation Obligation, organisations must inform individuals...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Purpose Limitation Obligation

Section 18 of the PDPA limits the purposes for which and the extent to which an organisation may collect, use or disclose personal data...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Publicly available data

One significant exception in the Second, Third and Fourth Schedules to the PDPA relates to personal data that is publicly available...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Exceptions to the Consent Obligation

Section 17 of the PDPA permits the collection, use and disclosure of personal data without consent (and, in the case of collection, from a source other than the individual)...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Actions organisations must take upon receiving a notice of withdrawal

Once an organisation has received from an individual a notice to withdraw consent, the organisation should inform the individual...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Effect of a withdrawal notice

In determining the effect of any notice to withdraw consent, the Commission will consider all relevant facts of the situation...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Organisations must allow and facilitate the withdrawal of consent

In general, organisations must allow an individual who has previously given (or is deemed to have given) his consent to the organisation for collection...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Withdrawal of consent

Section 16 of the PDPA provides that individuals may at any time withdraw any consent given or deemed to have been given under the PDPA...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Obtaining personal data from third party sources without the consent of the individual

An organisation (“A”) may collect personal data from a third party source (“B”) (as described in the previous section) without the consent of the individual...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Exercising appropriate due diligence when obtaining personal data from third party sources

Organisations obtaining personal data from third party sources should exercise the appropriate due diligence to check and ensure that the third party source can validly give consent for...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Obtaining personal data from third party sources with the consent of the individual

As noted above, there are two situations in which organisations may obtain personal data about an individual with the consent of...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Deemed consent

Section 15 of the PDPA addresses two situations in which an individual may be deemed to consent even if he has not actually given consent...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. When consent is not validly given

Section 14(2) of the PDPA sets out additional obligations that organisations must comply with when obtaining consent...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Obtaining consent from a person validly acting on behalf of an individual

Section 14(4) of the PDPA provides that consent may be given, or deemed to have been given, by any person validly acting on behalf of the individual for the collection...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Failure to opt out

The Commission notes that there are various means of obtaining an individual’s consent to the collection, use and disclosure of his personal data for a specified purpose...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Obtaining consent verbally

In situations where the organisation cannot conveniently obtain consent from an individual in writing, it may choose to obtain verbal consent...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation. Obtaining consent from an individual

Section 14(1) of the PDPA states how an individual gives consent under the PDPA...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: The Consent Obligation

Section 13 of the PDPA prohibits organisations from collecting, using or disclosing an individual’s personal data unless the individual gives...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: Applicability to Inbound Data Transfers

The Data Protection Provisions apply to organisations carrying out activities involving personal data in Singapore...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

THE DATA PROTECTION PROVISIONS: Overview of the Data Protection Provisions

Organisations are required to comply with the Data Protection Provisions in Parts III to VI of the PDPA...

eBOOK ● PDPC-SEGMENT 1-PART 3 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Reasonableness

A number of provisions in the PDPA make reference to the concept of reasonableness...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Purposes

The PDPA does not define the term “purpose”. As will be seen later, a number of Data Protection Provisions refer to the purposes for which an organisation collects...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Collection, Use and Disclosure

Part IV of the PDPA sets out the obligations of organisations relating to the collection, use and disclosure of personal data...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations. “Agents” who may be data intermediaries

Generally, the legal relationship of agency refers to a relationship that exists between two persons, an agent and a principal...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations. Determination of who the data intermediary is

There is a diverse range of scenarios in which organisations may be considered data intermediaries for another organisation...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations. Considerations for organisations using data intermediaries

Section 4(3) provides that an organisation has the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations. Obligations of data intermediaries

The PDPA provides that a data intermediary that processes personal data on behalf of and for the purposes of another organisation pursuant to a contract...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations. Data intermediaries

The PDPA defines a data intermediary as “an organisation that processes personal data on behalf of another organisation but does not include an employee of that other organisation”...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations. Public agencies and organisations acting on behalf of public agencies

The PDPA defines a public agency to include the following...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations. Individuals acting as employees

The second significant exclusion for individuals in the PDPA relates to employees who are acting in the course of their employment with an organisation...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations. Individuals acting in a personal or domestic capacity

Although individuals are included in the definition of an organisation, they benefit from two significant exclusions in the PDPA...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations. Excluded organisations

The PDPA provides that the Data Protection Provisions do not impose any obligations on the following entities...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Organisations

The PDPA defines an organisation as “any individual, company, association or body of persons, corporate or unincorporated whether or not formed or recognised under the law of Singapore...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Personal data. Ownership of personal data

Personal data, as used in the PDPA, refers to the information comprised in the personal data and not the physical form or medium in which it is stored, such as a database or a book...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Personal data. Personal data of deceased individuals

As noted earlier, the term “individual” includes both living and deceased individuals. Hence, the provisions of the PDPA will apply to protect the personal data of deceased individuals...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Personal data. Business contact information

The Data Protection Provisions do not apply to business contact information. Business contact information is defined in the PDPA as “an individual’s name...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Personal data. Excluded personal data

The PDPA does not apply to, or applies to a limited extent to, certain categories of personal data...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Personal data. Personal data relating to more than one individual

Information about one individual may contain information about another individual...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Personal data. True and false personal data

It should be noted that the PDPA’s definition of personal data does not depend on whether the data is true or false. If organisations collect personal data which is false...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Personal data. Individual who can be identified

Data constitutes personal data if it is data about an individual who can be identified from that data on its own...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Personal data. Data about an individual

The most basic requirement for data to constitute personal data is that it is data about an individual...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Personal data

Personal data is defined in the PDPA as “data, whether true or not, about an individual who can be identified...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Individuals

The PDPA defines an individual as “a natural person, whether living or deceased”...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

IMPORTANT TERMS USED IN THE PDPA: Definitions and related matters

Before considering the various Data Protection Provisions, it is important to take note of some terms which are used throughout the Data Protection Provisions...

eBOOK ● PDPC-SEGMENT 1-PART 2 ● KNOWLEDGE BANK 

July 30, 2019

INTRODUCTION AND OVERVIEW: Overview of the PDPA

The PDPA governs the collection, use and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals...

eBOOK ● PDPC-SEGMENT 1-PART 1 ● KNOWLEDGE BANK 

July 30, 2019

INTRODUCTION AND OVERVIEW: Introduction

The Personal Data Protection Act 2012 (the “PDPA”) establishes a general data protection law in Singapore which governs the collection, use and disclosure of individuals’ personal data...

eBOOK ● PDPC-SEGMENT 1-PART 1 ● KNOWLEDGE BANK 

July 30, 2019

APP COMPLIANCE ● GDPR COMPLIANCE

©2007-2022 GDPA


Q: Will my membership with GDPA reduce my Insurance premium?


Q: Will I get fined for non-compliance?

Let’s not kid ourselves, the biggest threat to organisations from GDPR is running the risk of massive fines.

In saying that, GDPR law is not about handing out fines, it’s about putting the rights of the individual first.

Before a fine is handed out, a series of sanctions take place.

Whilst it may not be financial to begin with, it will definitely place a massive dent in the reputation of the offending party. When you lose the trust with your audience and/or your staff, it’s pretty much game over.

One thing is for certain, there is no room for complacency, no matter where in the world you are.

question sent in by Zachary.T from Singapore

Q: Why isn’t GDPR Registrar a free service?

As much as we would like to make it a free platform, it would be beyond our personal financial ability in doing so.

We researched extensively to find the fair price medium, one that will make it a value added incentive on your behalf and one that would maintain the costs in operating and evolving this site.

Bottom line is we have settled on a pricing model for the many and not for the few.

question sent in by Joyce.T from Ireland

Q: Why are your membership prices so low?

Knowledge has no price limit and yes we could quite easily charge more.

The reason we don’t is simple. This platform has been designed to offer the tools to the many and not the few. We believe our pricing structure is fair and affordable to everyone, without compromising on our objectives to our members and to our purpose of existence.

If you wish to shout our team a cup of coffee then we won’t say no. Simply spin the wheel below to see how many of our staff will enjoy your shout.

So you know, it’s €1 per shout.


question sent in by Mo Chou from China

Q: Who does GDPR apply to?

GDPR applies to anyone that applies, handles, processes, and/or monitors personal data of residents (full-time or temporary including foreign tourists) within the European Union, no matter where in the world this activity is conducted from.

Furthermore, it matters not whether you hold onto the data for 1 minute or 10 years.

question sent in by Andrea.F from Australia

Q: Who do GDPR privacy protocols apply to?

GDPR protocols apply to all forms of relationships where it concerns European Union residents (full-time or temporary, including foreign tourists).

The types of relationship fall under 3 categories:

✍ B2B (business to business) where third party relationships are involved in the processing of personal data.

✍ B2C (business to consumer) where you are required to demonstrate responsibility towards personal data.

✍ B2E (business to employee) where the data you hold on current, past and prospective employees is managed within the boundaries of GDPR protocols.

question sent in by John.K from Belgium

Q: Who can I email?

To clear the air and any confusion, you can email both B2B (Business to Business) and B2C (Business to Consumer) based on the following parameters:

 B2B (Business to Business) in 5 steps

  1. Make sure the business you are targeting is relevant to your email.
  2. Define your legitimate interest when emailing them.
  3. Allow them to unsubscribe easily and/or to opt-out of future emails.
  4. Keep your database clean and up to date.
  5. Make sure the business email is not a personal name, example:
    • wrong: john@businessname.com (unless you have prior consent)
    • wrong: mary@businessname.com (unless you have prior consent)
    • right: info@businessname.com
    • right: support@businessname.com
    • right: contact@businessname.com
    • right: enquiry@businessname.com
    • right: hr@businessname.com
    • right: marketing@businessname.com
    • right: ceo@businessname.com
    • etc…

 B2C (Business to Consumer) in 5 steps

  1. Don’t pressure or confuse individuals to grant you consent by making it a pre-requisite for signing up to your site and/or service. Keep it simple and let them decide.
  2. Adjust your lead generation and consent forms, permitting the users to opt-in freely, be specific, keep it simple, and easy to understand.
  3. When collecting data for multiple marketing channels (sms, postal mail, email…) give the user the option to pick which channels they wish to receive communications from you. Provide separate options for each channel.
  4. Be clear with your audience if the information you collect from them is likely to be shared with 3rd parties.
  5. Allow them to unsubscribe easily and/or to opt-out of future emails.

question sent in by Nicole.D from Greece

Q: What rights will individuals have under privacy laws such as the GDPR?


Q: What responsibilities will companies have under the privacy laws such as the GDPR?


Q: What personal information can I ask for?

As a data subject (that’s how you are referred to), GDPR presents you with 8 rights to which you can make a specific request and be assured that your personal data is not being misused for purposes other than the legitimate purpose for which it was originally provided by you to the entity.

A data subject is referred to as an individual:

♀ ♂ Candidate
♀ ♂ Client
♀ ♂ Commuter
♀ ♂ Consumer
♀ ♂ Contractor
♀ ♂ Creditor
♀ ♂ Customer
♀ ♂ Debtor
♀ ♂ Employee
♀ ♂ End User
♀ ♂ Guest
♀ ♂ Individual
♀ ♂ Job Applicant
♀ ♂ Patron
♀ ♂ Prospect
♀ ♂ Purchaser
♀ ♂ Representative
♀ ♂ Tenant
♀ ♂ Tourist
♀ ♂ Vacationer
♀ ♂ Vendor
♀ ♂ Visitor

A data subject has 8 legal rights of request, including:

1: Right to Object: The right to object to the processing of ♀ or ♂ personal data.

2: Right to be Forgotten: The right to ask for the deletion of ♀ or ♂ data, also referred to as the “right to erasure”.

3: Right to Access: The right to get access to ♀ or ♂ personal data that is being processed.

4: Right to Withdraw Consent: The right to withdraw a previously given consent for processing of ♀ or ♂ personal data for a purpose.

5: Right to Object to Automated Processing: The right to object to a decision based on automated processing including Machine Learning and Artificial Intelligence of ♀ or ♂ personal data.

6: Right to Rectification: The right to ask for modifications to ♀ or ♂ personal data in case the data subject believes that this personal data is not up to date or accurate.

7: Right to Data Portability: The right to ask for the transfer of ♀ or ♂ personal data in a machine-readable electronic format.

8: Right to Information: The right to ask a company for information about what ♀ or ♂ personal data is being processed and the reasoning for such processing.

This right given to you by GDPR is referred to as DSAR (Data Subject Access Request).

A DSAR can be made by an individual or an individual’s appointed representative. Such requests are made in writing and mailed to the entity’s registered GDPR postal address and/or sent via email.

It is important to note that the violating entity must have a registered address within the EU to receive GDPR mail (irrespective of whether the request is sent by post or via email).

question sent in by Angela.S from Greece

Q: What is the process for me to demonstrate that I comply with privacy laws such as the GDPR, and how do I notify all my suppliers, customers, employees and stakeholders that I am compliant?


Q: What is pseudonymization?

It’s when digitally stored data (information entered via a computer, mobile device, laptop, etc…) is encrypted in such a way that it is impossible for unauthorized people to trace it back to an individual.

The 5 key methods used to achieve pseudonymization are:

♒ Encryption (involving the rendering of the original data as unreadable and which cannot be rendered readable without an encryption key)

♒ Tokenization (involving the substitution of sensitive data elements with non-sensitive elements that hold no extrinsic or exploitable meaning or value)

♒ Blurring (involving obfuscation just like media outlets rendering the faces of anonymous sources unrecognizable)

♒ Masking (involving the masking of data where it still permits you to identify the data, for example a credit card: “XXXX XXXX XXXX 1964”, without identifying the individual)

♒ Scrambling (involving a combination or obfuscation of alpha/numeric characters)

question sent in by Vincent.X from Sweden
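Three of the methods from this answer (masking, tokenization and a keyed pseudonym, with HMAC-SHA256 standing in for encryption so it runs on the standard library alone), as an added example that is not part of the original post; the records, key and the `TokenVault` class are constructed for illustration.

```python
"""Pseudonymisation helpers: masking, tokenisation and a keyed pseudonym.

Added example, not the site's code. Records, key and field names are
constructed; HMAC-SHA256 stands in for encryption so no third-party
library is needed.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people or card numbers.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "card": "4111 1111 1111 1964"},
    {"name": "Bob Example", "email": "bob@example.com", "card": "5500 0000 0000 0004"},
]


def mask_card(card: str, keep_last: int = 4) -> str:
    """Masking: replace every digit except the last `keep_last` with X,
    keeping the original grouping so the value is still recognisable as a card."""
    digits = sum(c.isdigit() for c in card)
    if digits <= keep_last:
        raise ValueError("value too short to mask safely")
    cutoff = digits - keep_last
    out, seen = [], 0
    for c in card:
        if c.isdigit():
            out.append("X" if seen < cutoff else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


class TokenVault:
    """Tokenisation: a sensitive value is swapped for a random token that carries
    no information about it. Only the vault (kept separately, access-controlled)
    can map a token back, which is what keeps tokenised output pseudonymous."""

    def __init__(self) -> None:
        self._value_to_token: dict[str, str] = {}
        self._token_to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = self._value_to_token.get(value)
        if token is None:
            # secrets gives an unpredictable token; the loop guards against collisions
            while True:
                token = "tok_" + secrets.token_hex(8)
                if token not in self._token_to_value:
                    break
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret key. The same value always
    maps to the same pseudonym (records stay linkable for analytics), but
    without the key it can be neither reversed nor recomputed."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict, key: bytes, vault: TokenVault) -> dict:
    """Apply one method per field: name -> keyed pseudonym, email -> token,
    card -> masked form. The key and the vault are the additional information
    that must be stored separately from this output."""
    return {
        "name": keyed_pseudonym(record["name"], key),
        "email": vault.tokenize(record["email"]),
        "card": mask_card(record["card"]),
    }


if __name__ == "__main__":
    run_key = secrets.token_bytes(32)  # constructed per-run secret
    run_vault = TokenVault()
    for rec in SAMPLE_RECORDS:
        print(pseudonymise_record(rec, run_key, run_vault))
```

Because the key and the vault allow re-identification, the output remains personal data under the GDPR for as long as they exist; keep them apart from the pseudonymised dataset.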

Q: What is Personal Data?

Personal Data is any information relating to an identified or identifiable natural person (otherwise referred to as a ‘data subject’).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Here is an extensive list of Personal Data:

✍ Activity on the site
✍ Age
✍ Arrest records
✍ Bank account
✍ Bankruptcies
✍ Bio-metric identifiers
✍ Birth certificate
✍ Browser
✍ Browsing history (elsewhere online)
✍ Car insurance records
✍ Cell/Mobile phone
✍ Chat history (elsewhere online)
✍ Children’s names
✍ City of birth
✍ Cloud storage files
✍ Contacts list
✍ Cookies
✍ Credit card number
✍ Credit report
✍ Criminal offenses & convictions
✍ Current employer
✍ Current home address
✍ Current income
✍ Current location (physical)
✍ Daily life activities
✍ Date of birth
✍ Debit card number
✍ Device ID / MAC address
✍ Digital fingerprint
✍ Donations to organizations
✍ Driver’s license / state ID
✍ Education history
✍ Email records
✍ Employment history
✍ Event attendance
✍ Eye color
✍ Face photographs
✍ Facial geometry
✍ Family health history
✍ Fingerprints
✍ First name
✍ Friends’ names
✍ Gender
✍ Genetic information
✍ Hair color
✍ Handwriting
✍ Health insurance records
✍ Height
✍ Home phone
✍ Home value
✍ Homeowner status
✍ HR issues & disciplinary actions
✍ Income history
✍ Investment records
✍ IP address
✍ ISP (internet service provider)
✍ Judgements
✍ Language preference
✍ Last name
✍ Length of current residence
✍ Liens
✍ Life insurance records
✍ Likes & ratings
✍ Loan records
✍ Location history (physical)
✍ Maiden name
✍ Marital status
✍ Media preferences
✍ Medical card number
✍ Medical records
✍ Messages on the site
✍ Nationality
✍ Number of people in household
✍ Occupation
✍ Operating system
✍ Other financial statements
✍ Other identifying photographs
✍ Other names used
✍ Pardons
✍ Parents’ names
✍ Passport information
✍ Password
✍ Performance evaluations
✍ Personal email address
✍ Pets & animals
✍ Phone call records
✍ Photo location data
✍ Physical or mental disability
✍ PIN number
✍ Political affiliations & opinions
✍ Political party affiliation
✍ Postal activity
✍ Power of attorney
✍ Prescriptions
✍ Previous addresses
✍ Professional license records
✍ Property records
✍ Racial & ethnic origin
✍ Recreational license records
✍ Reference interviews
✍ Religion & philosophical beliefs
✍ Retina scan
✍ Schools attended
✍ Search history (elsewhere)
✍ Search history on the site
✍ Security question & answer
✍ Sexual orientation
✍ Sexual partners
✍ Shopping & purchase history (elsewhere online)
✍ Shopping & purchase history (offline)
✍ Shopping & purchase history (on the site)
✍ Siblings’ names
✍ Signature
✍ Social media accounts
✍ Social media posts & history
✍ Social security / social insurance number
✍ Spouse name
✍ Surveys (online)
✍ Surveys (offline)
✍ Tax file number
✍ Tax returns
✍ Text message history
✍ Third-party login
✍ Topics of interest
✍ Trade union membership
✍ Username
✍ Vehicle registration records
✍ Veteran status
✍ Video footage
✍ Voice recording
✍ Voice signature
✍ Voter registration records
✍ Website
✍ Weight
✍ Work address
✍ Work email address
✍ Work phone
✍ Writing sample (electronic)

list compiled by TIM BOUCHER

question sent in by Fei Hung from China

Q: What is GDPR’s global reach?

The impact of GDPR is global.

GDPR is a legal chapter established by the European Union and directly affects any entity worldwide that applies, handles, processes, and/or monitors personal data of residents (full-time or temporary, including foreign tourists) within the European Union, no matter where in the world this activity is conducted from. Simply put, you cannot hide from it or avoid it.

Currently, over 23,000,000 companies worldwide in 191 countries conduct some form of business activity which involves European Union residents. Chances are you’re one of these companies.

Here are the 3 key questions you need to immediately ask yourself:

  1. Do you have a registered mailing address within the European Union for all your GDPR related matters?
  2. Do you have someone with exceptional GDPR knowledge and data protection experience within the European Union to be your first line of contact regarding GDPR related matters?
  3. Have you taken the first basic steps towards GDPR compliance?

If you answered NO to any one of the 3 questions then we can assist you. GDPR Registrar is designed to provide the platform for entities such as yourself to commit to compliance and to be registered & represented within the European Union as required by law.

For further details CLICK HERE.

question sent in by Theresa.C from Dubai

Q: What is biometrics?

Biometrics is the measurement and statistical analysis of people’s unique physical and behavioral characteristics. The technology is mainly used for identification and access control, or for identifying individuals who are under surveillance.

The basic premise of biometric authentication is that every person can be accurately identified by his or her intrinsic physical or behavioral traits.

Biometric identifiers are divided into 2 categories, Behavioral and Physiological.

♀♂ Behavioral characteristics are related to the pattern of behavior of a person, including but not limited to typing rhythm, gait, and voice, otherwise referred to as behaviometrics.

♀♂ Physiological characteristics are related to the shape of the body, including but not limited to fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odor and/or scent.

Examples of biometrics include token-based identification systems, such as a driver’s license or passport, and knowledge-based identification systems, such as a password or personal identification number.

Since biometric identifiers are unique to individuals, they are more reliable in verifying identity than token and knowledge-based methods; however, the collection of biometric identifiers raises privacy concerns about the ultimate use of this information.

question sent in by Marylin.S from Canada

Q: What information can’t I ask for?

You don’t have the right to make a request and gain access to the information of a 3rd party individual, unless you have been properly appointed as the authorized representative of the original individual seeking access to their information.

The entity receiving your request requires:

  1. sufficient evidence on your behalf to verify the identity of the data subject making such a request and
  2. sufficient details on your behalf so it can locate your request.

If the responsible person refuses your Data Subject Access Request on behalf of the entity, they must clearly set out in writing the reasons for the rejection.

If you are not satisfied with the outcome of your request, then you have the right to ask the entity for the details to their independent DPO (Data Protection Officer) to review your case.

question sent in by Frank.A from UK

Q: What if we cannot afford the costs to comply?

One thing people forget, and we wish to make this very clear, especially for small to medium size businesses. GDPR is not designed to put you out of business!!! 

GDPR requires you to DEMONSTRATE that you are committed to working towards being compliant.

Don’t act from a position of fear, that’s the biggest and most costly mistake you’ll make.

Do yourself a favor:

  1. Take a step back.
  2. Take a deep breath.
  3. Take a structured approach towards compliance.

When you register for free with us, we’ll give you your free step-by-step plan of action. CLICK HERE TO REGISTER FOR FREE .

We’re not going to lie to you, once you have gone through the plan, you will most likely become a registered member with us and/or with another quality organization for reasons that will become clear to you.

question sent in by Mario.D from Italy

Q: What does GDPR mean for social media strategies?


Q: What does GDPR and privacy laws mean for property marketers?


Q: What do you need to do if you own or manage property?


Q: What do you do with my information?

We use your information in fulfilling our obligations to you as a member and as permitted to us via GDPR Article 6 “Lawfulness of Processing”, where the processing shall be lawful only if and to the extent that at least one of the following applies:

✍ the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

✍ processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

✍ processing is necessary for compliance with a legal obligation to which the controller is subject;

✍ processing is necessary in order to protect the vital interests of the data subject or of another natural person;

✍ processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

✍ processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (shall not apply to processing carried out by public authorities in the performance of their tasks.)

We don’t abuse, take unlawful advantage or compromise your trust when you provide your information to us, and as such:

☑ We don’t share your information with 3rd parties, unless it is required to complete your request. (One example is when you file a complaint against a third party via our platform, we may be required to share your information with relevant 3rd parties to address your DSAR complaint.)

☑ We don’t sell your information to 3rd parties, period!

☑ We don’t ask or gather irrelevant information from you just for the hell of it.

☑ We don’t hold onto your credit-card information and will never ask for your credit card details. (All payments made by you to us will be via Paypal or Stripe gateways or Direct Bank Transfer.)

☑ We don’t make deliberate errors, therefore if you find something on our site not to be right, feel free to tell us and we’ll address it.

☑ We don’t proclaim to be perfect, though perfection is something we continually strive for.

☑ We don’t display your personal name on our site publicly unless you have given us explicit consent.

☑ We don’t share your details with co-workers within our organization unless they have a legitimate interest within their role.

☑ We don’t store your information on physical servers outside of the European Union.

☑ We don’t spam!

☑ We don’t work with entities that do not comply with GDPR Regulations.

question sent in by Elizabeth.B from UK

Q: What do we need to understand about GDPR?

As someone that handles personal data of residents (full-time or temporary including foreign tourists) within the European Union, you need to:

☑ Fully understand on how you use your data.

☑ Make certain that you’re incorporating GDPR into your data management.

☑ Conduct a thorough evaluation of your current & future data requirements.

☑ Assess the capabilities in managing such data.

☑ Be prepared to execute major changes in how you manage your data.

question sent in by David.M from Hong Kong

Q: What do I need to keep in mind about GDPR?

The top 12 key factors to keep in mind about GDPR protocols regarding European Union Residents (EURs) (full-time or temporary, including foreign tourists) within the European Union, no matter where in the world this activity is conducted from, include:

☑ Handling data on EURs.

☑ Offering goods and/or services to EURs.

☑ Monitoring and/or tracking the activities of EURs.

☑ Conducting any form of business or commercial activities with EURs.

☑ How serious you are about doing the right thing with EURs data.

☑ How you store EURs data.

☑ How you process EURs data.

☑ How you access EURs data.

☑ How you transfer EURs data.

☑ How you disclose EURs data.

☑ How you interact with EURs data.

☑ How you react to an infringement on EURs data.

question sent in by Patricia.Z from Hong Kong

Q: What are the principles of GDPR based on?

The principles are based on entities being responsible in considering what accountability they may or may not need to comply with. This is strictly based on the unique and specific circumstances of their activities and how they utilize the data they receive.

Each entity’s principles of compliance will differ according to interpretation and circumstances. The core principle is being able to demonstrate that you are committed to GDPR Compliance and are being proactive in achieving this target, whilst being able to demonstrate it when required.

Taking this approach will direct you in the right direction towards compliance.

question sent in by Frances.R from USA

Q: What are cookies?

Cookies are small pieces of data stored on a user’s device which allow websites to perform specified actions or preferences.

Cookies are divided into 5 categories:

☀ Targeted Cookies: Used to deliver multiple types of targeted digital ads. They store your user data and behavioral information, allowing advertising services to target you within specified audience groups according to variables including but not limited to: ✍age ✍gender ✍location ✍personal interests ✍website habits ✍search engine habits ✍social media habits, just to name a few.

☀ Necessary Cookies: Used by a website to deliver you the information and services they offer in a secure and optimized manner. In most cases, you must accept these “necessary cookies” to be able to make use of their online systems.

☀ Functional Cookies: They are essential for a website to work, for example: ✍making sure that you don’t have to keep logging into the website each time you visit a different page ✍keeping track of your shopping cart on the website ✍making sure the online live support maintains contact with you, especially when navigating the site.

☀ Performance Cookies: Used for internal purposes to help the website in providing you with a better user experience. The cookies help the operators of the website to better understand how it’s used by visitors, shoppers and members. From this information they can improve the way the site works and deliver better content to you. One example is when they use an external company such as Google to perform such an analysis via their services. In this instance, they may set third party cookies to enable this to function correctly.

☀ Undefined Cookies: This is something of a hit and miss scenario as undefined cookies can come from a number of factors including your personal settings on your device.

You can always run a check as to what cookies a website uses via online tools such as COOKIE METRIX or COOKIEBOT.

question sent in by Mandy.Y from Cyprus

Q: My business collects personal information through electronic platforms such as text messages. Do I need to comply with privacy laws such as GDPR?


Q: Is photography subject to GDPR regulations?

Yes, photography is subject to the GDPR regulations.

You’ll need to have a privacy policy in place and you’ll need to make sure it’s in line with GDPR.

Make sure you have the privacy policy linked to your online pages, including website/s and social pages.

question sent in by Joshua.H from Germany

Q: Is GDPR just a fad?

Once upon a time there were only 2 things certain in life & now there are 3.

The sooner you come to grips with GDPR, the better off you’ll be in the long run.

  1. Define your policies for GDPR compliance
  2. Define your processes for GDPR compliance.
  3. Define your stakeholders for GDPR compliance.
  4. Discover what data you need to protect and manage.
  5. Control the access to your data.
  6. Centralize your data across your organization.

Following these six steps will place you in good standing with GDPR protocols, setting your path towards a bright future with your audience.

Forget bitcoin, trust is the new currency of the future!

question sent in by Beth.V from UK

Q: If my EU representative is based in the UK, will I be compliant after Brexit or do I need to nominate a representative outside the UK?

Q: If I’m just a social network user do I need to comply with privacy laws and what are the consequences if I don’t?

Q: If I have an Instagram account, do I need to comply with data protection privacy laws?

Q: If I have a Facebook business page, do I need to be GDPR compliant?

Q: I’m just a sole trader who employs contractors from time to time. Do I need to comply with privacy regulations such as the GDPR?

Q: I’m a tradesperson and often take before and after shots of the work I do. Do I need to comply with privacy laws such as the GDPR?

Q: I’m a marketer who advertises products and services and receives enquiries. Do I need to comply with privacy laws such as the GDPR?

Q: I’m a consumer, how do I know that my personal information is protected?

Q: I’m a business that wants to comply and implement data privacy and protection best practice, and I don’t know how to do it. Who will help me do this?

Q: I’m a business that buys and sells products and services on eBay. Do I need to comply with privacy laws such as the GDPR?

Q: I’m a business in Australia that orders parts and services from Europe. Do I need to comply with privacy laws such as the GDPR?

Q: I have a YouTube account; I’m a YouTube user and post videos, music and other information. Do I need to comply with privacy regulations such as the GDPR?

Q: I have a database of past customers and enquiries. Can I keep this database on file?

Q: How will GDPR and other privacy laws affect property managers and agents?

Q: How long can someone hold onto my data for?

When it’s for contractual reasons, for example because you purchased a product or service, made a donation, or took a similar action, the retention period generally ranges from about 6 to 7 years.

It’s always good to reach out to the entity to clarify this for you. You’ll find that the majority of companies will be more than happy to answer your question. Keep in mind that they have 30 days to respond to you.

If they don’t, then you can file an official complaint via our online form FILE A COMPLAINT. This service is also part of our free membership.

Here is a great infographic from Erik Underwood c/o TechRepublic, with interesting insights into why your data is being collected.

question sent in by Anna.A from Spain

Q: How does someone get fined outside of the EU?

Article 27 of the GDPR is the first line of defense. It requires companies without operations in the EU to appoint an EU representative. If that doesn’t happen, non-EU companies will be pursued via local enforcement actions within their own country under mutual legal assistance treaties (MLATs), and via private prosecutions under similar local laws.

question sent in by Claire.M from Taiwan

Q: How does GDPR affect social media advertising?

Q: How do I process and file personal information that I receive over text messages in order to be compliant with privacy laws such as the GDPR?

Q: Does SMS marketing need to comply with privacy laws such as the GDPR?

Q: Does my Australian business need to be GDPR compliant?

Q: Do non-EU entities have to comply with GDPR?

Yes, non-EU entities have to comply from the moment they collect, handle, process and/or monitor personal data of residents (full-time or temporary, including foreign tourists) within the European Union.

Furthermore, it matters not whether you hold onto the data for 1 minute or 10 years.

question sent in by John.K from Taiwan

Q: Do I need to train my staff?

The logical answer is yes, you do, as they are the controllers and processors of the information you receive. Furthermore, it matters not whether you are a small family business or a large organization.

The purpose of a certification is to develop a code of conduct for your staff to follow, which in turn helps them understand the requirements and actions needed to be compliant.

Richard Branson said it best: “Customers come second, employees first. It’s a philosophy that brings unexpected benefits to both the company and its clients.”

question sent in by Konstantinos.M from Greece

Q: Do I have rights under the privacy act when I use social networking sites?

Q: Do all organizations now need to appoint a Data Protection Officer in order to comply with privacy laws such as the GDPR?

Q: Can I keep my customers’ details on file once our transaction has completed?

Q: Can I get insurance against data breaches?

Q: Can I cancel my membership at any time?

Q: Can a Controller or Processor be fined?

The short answer is yes.

That said, a monetary fine is only one of the corrective measures included in the GDPR to apply pressure on controllers and processors to comply with the regulation.

Not all violations will result in a monetary fine, and not all fines will be based on the maximum amount, though rest assured it won’t be pocket change either.

A monetary fine is the last step in a long process designed to address the scope of an infringement by a controller and/or processor, while assessing how the organization allowed the infringement to happen in the first place and monitoring what steps have been taken to address the violation and prevent further violations.

question sent in by Victoria.F from Germany

Q: As an employee or contractor what rights do I have under privacy laws such as the GDPR?

Q: As a carer working in the aged care, disability and child support sector, do I need to comply with privacy laws such as the GDPR?

Q: Are photographs, videos and audio considered personal data?

GDPA VIDEO CONFERENCING

OVERVIEW

For us at GDPA, providing you with a conference platform you can rely on is the most important thing. That means, amongst other things, that we are very mindful of the security and privacy aspects that affect our users.

Security and privacy are very broad topics, so we are going to go through some practical use cases to demonstrate what’s at play.

Fully secure you say… What does this mean exactly?

In many respects meetings are simply private by design.

To begin with, all meeting rooms are ephemeral: they only exist while the meeting is actually taking place.

They get created when the first participant joins and they are destroyed when the last one leaves. If someone joins the same room again, a brand new meeting is created with the same name and there is no connection to any previous meeting that might have been held with the same name.

This is all very important. Some of the systems that let people “pre-create” rooms have subtle indications that let a potential attacker distinguish reserved from unreserved meetings, which makes the reserved meetings easier to identify and target.

That said, since a name is all that one needs to actually access a room, we have to be really careful about how we choose them. We don’t want others accidentally stumbling into your meetings, just as we want to keep pranksters and snoopers away. Therefore you simply create a unique name for your conference or use our random code generator below. Once created, it’s what you will share with the people you want to participate.

If you start a meeting with the name “Test”, “Demo” or “Family” for example, chances of having some random uninvited people joining are very, very high. How does one pick a good room name then? Our random meeting name generator below is a great start. It offers names that are easy to remember and read out loud on a phone call, and come from a set of over a trillion possible combinations. Picking out one of the auto-generated names is therefore quite safe.
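As an added illustration of the point above (example code written for this page, not the site's own generator), the Python below computes how large a word-pattern name space is, draws a name with a cryptographically secure random source, and flags common names such as “Test” or “Demo”. The word lists are constructed and far smaller than a real generator's; `slots_needed` shows how many word slots lists of a given size need to reach a trillion combinations.

```python
import math
import secrets

# Constructed sample word lists (assumption: not the site's real generator
# lists, which are far larger). One word is drawn from each slot in order.
ADJECTIVES = ["amber", "brave", "dusty", "eager", "fuzzy", "gentle", "humble", "jolly"]
NOUNS = ["badger", "canyon", "desert", "falcon", "glacier", "harbor", "island", "meadow"]
VERBS = ["climb", "drift", "gather", "hover", "linger", "mingle", "wander", "yield"]
ADVERBS = ["boldly", "calmly", "deftly", "eagerly", "gladly", "keenly", "neatly", "quietly"]
PATTERN = (ADJECTIVES, NOUNS, VERBS, ADVERBS)

# Names that uninvited people are very likely to stumble into.
COMMON_NAMES = frozenset({"test", "demo", "family", "meeting", "room", "hello"})


def name_space(lists=PATTERN):
    """Number of distinct names the pattern can produce (product of slot sizes)."""
    total = 1
    for words in lists:
        total *= len(words)
    return total


def entropy_bits(lists=PATTERN):
    """Guessing entropy of a uniformly chosen name, in bits."""
    return math.log2(name_space(lists))


def slots_needed(words_per_slot, target=10**12):
    """Smallest number of slots for which lists of the given size reach the
    target name space (one trillion by default)."""
    if words_per_slot < 2:
        raise ValueError("each slot needs at least two words")
    slots = 1
    while words_per_slot ** slots < target:
        slots += 1
    return slots


def generate_name(lists=PATTERN):
    """Draw one word per slot with secrets.choice (a CSPRNG); random.choice
    would be reproducible from its seed and therefore predictable."""
    return "".join(secrets.choice(words).capitalize() for words in lists)


def parse_name(name, lists=PATTERN):
    """Split a CamelCase name back into its slot words, or return None if it
    does not follow the pattern (useful to recognise generated names)."""
    words = []
    rest = name
    for slot in lists:
        match = next((w for w in slot if rest.startswith(w.capitalize())), None)
        if match is None:
            return None
        words.append(match)
        rest = rest[len(match):]
    return tuple(words) if rest == "" else None


def is_weak_name(name):
    """True for names like "Test" or "Demo" that are easy to guess."""
    return name.strip().lower() in COMMON_NAMES
```

With four 8-word slots the space is only 4096 names (12 bits); four 1000-word slots give 10^12, which is the trillion-scale space the text refers to.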

COPY & SHARE YOUR UNIQUE CONFERENCE CODE
https://meet.jit.si/

If entering via Web Browser then share/use the full link: https://meet.jit.si/#########

If entering via GDPA Video Conferencing then share/use the 9 digits: #########