
In this post, we wish to share some information about the Personal Data Protection Act 2012 and how it impacts your organisation. Whenever you send out mass marketing emails or when your customer submits a form with their personal data on your website, do keep PDPA in mind.

By now, you should have heard of the Personal Data Protection Act 2012 (PDPA). In short, there is a law that says each individual has the right to protect their personal data. Organisations need to be careful when collecting, protecting or disclosing this personal data. Individuals can opt out of being contacted by organisations. From an organisation's point of view, there are some ‘rules’ you need to follow to comply with PDPA. Below are just some of the obligations of the organisation.

  • Consent Obligation
    You (as an organisation) can only collect, use or disclose personal data of an individual provided he/she has given you consent to do so. In addition, you need to allow the individual to withdraw their consent. In the case of mass marketing emails, this means you MUST have an unsubscribe link for users to opt out of the mailing list.
  • Purpose Limitation Obligation
    You (as an organisation) can only collect, use or disclose the personal data of an individual for a purpose that is related to the product or service you are providing. In other words, if you are using the data for purpose X, you cannot use it, or disclose it to ABC Company, for another entirely unrelated purpose.
  • Notification Obligation
    If you (as an organisation) are going to collect, use or disclose the personal data of an individual, make sure that he/she is aware and notified of the purposes the data will be used for. E.g., if you are collecting the email address of an individual for a specific purpose, notify the person that you will be sending emails to him/her for that specific purpose.


More details on the other rules can be found on the PDPC website.

In addition, organisations are required to designate at least 1 individual (or a team) as Data Protection Officer to ensure compliance with PDPA. From the PDPC website, you can subscribe to a newsletter that will keep you abreast of the PDPC happenings.

Finally, a short note about existing data which you (as an organisation) had already collected before the PDPA came into effect: your organisation may continue to use the personal data collected, unless the individual has withdrawn his/her consent. Should the personal data now be used for a different purpose, your organisation will need to seek (new) consent from the individual.

There is a checklist which you can download to see how well your organisation protects personal data.

Plus, PDPC has a handy PDF which you can download to learn more about complying with PDPA and managing personal data correctly.

Source: PDPC Website