This guide explores the fundamental data subject rights under Singapore’s PDPA, highlighting the rights and protections that this vital legislation grants individuals in an age of digital information. Understanding these data subject rights is essential for individuals aiming to protect their personal data and organizations striving to comply with Singapore’s Personal Data Protection Act (PDPA) and ensure their organization’s practices comply with the law.
PDPA Data Subject Rights
Singapore’s PDPA grants data subjects (individuals) various data subject rights. These include:
Right to Access
Individuals have the right to access their personal data held by the organization. When an individual requests it, an organization is required to respond to their request as quickly as is reasonable and to give them access to any personal data about them that is in the organization's possession or control, along with details about any uses or disclosures the organization may have made of the information within the year prior to the request.
However, an organization is not obligated to furnish an individual with the individual's personal data or other information concerning the matters outlined in the Fifth Schedule of the PDPA. The Fifth Schedule encompasses subjects such as opinion data maintained exclusively for evaluative purposes, personal information whose disclosure could expose confidential commercial information potentially harmful to the organization's competitive standing as deemed by a reasonable person, and personal data protected by legal privilege, among other considerations.
Right to Correction
Individuals have the right to correction where they may request an organization to correct an error or omission in the personal data about the individual in the possession or under the organization's control.
The organization must update the personal data as soon as it is practical unless it is convinced for valid reasons that correcting it is unnecessary. The organization must send a corrected copy of personal data to every other organization that received the data within the year preceding the correction unless the receiving organization does not require the corrected information for legal or business purposes.
However, organizations are not required to fulfill the correction requests regarding the matters outlined in the Sixth Schedule. Subjects covered in the Sixth Schedule may involve opinion data maintained exclusively for evaluative purposes, the personal data of beneficiaries in a private trust retained solely for trust administration, and documents associated with a prosecution that remains incomplete regarding all related proceedings, among other considerations.
Right to Withdraw Consent
Individuals have the right to withdraw consent at any time by giving reasonable notice to the organization. Upon receipt of the withdrawal request, the organization must inform the individual about the probable consequences of withdrawing consent.
Right to Accuracy
Individuals have the right to accuracy where an organization is required to use reasonable efforts to ensure that any personal data they collect—whether from themselves or another organization—is accurate and complete, particularly if that personal data is likely to be used to make decisions that will have an impact on the individual to whom it relates or may be disclosed to other organizations.
Right to Protection
Individuals have the right to protection where an organization must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks and the loss of any storage medium or device on which personal data is stored.
Right of Private Action
An individual who suffers direct loss or damage due to an organization's violation of specific provisions has the right to seek redress through civil proceedings in a court.
The PDPA requires organizations to inform individuals in certain circumstances. The organization must inform the individual of the purposes for collecting, using, or disclosing personal data at the time of collection. The organization shall also disclose any additional purpose for using or disclosing personal data, not previously informed, before such use or disclosure. Moreover, the organization shall also provide, upon request, the business contact information of a person capable of addressing the individual's inquiries regarding the collection, use, or disclosure of personal data on behalf of the organization.
Following the stipulations of this Act, organizations are mandated to establish and enact policies and practices to fulfill their obligations. Furthermore, organizations must devise a formal process for addressing complaints that may arise under this Act. Any individual can request information from organizations regarding these policies and practices.
Additionally, in the event of a notified data breach, an organization shall notify every individual affected by this data breach.
How Securiti Can Help
Securiti’s Data Command Center enables organizations to comply with Singapore’s Personal Data Protection Act (PDPA) by leveraging contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance through a single, fully integrated platform.
Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.
Request a demo to learn more.
