Key legal considerations for Indian companies doing business in the city-state
Singapore and India have long maintained a close economic relationship. While establishing and expanding their businesses in Singapore, companies from India will inevitably collect and process personal data from consumers, business partners and employees in the city-state. In doing so, it is critical for them to understand and comply with Singapore data protection requirements.
Singapore’s Personal Data Protection Act (PDPA) is the overarching privacy law governing the collection, use and disclosure of personal data in the Lion City. This article examines the key data protection considerations under the PDPA and provides practical guidance for Indian businesses looking to navigate this important compliance landscape.
Transparent processing of data

Partner
Cooley
Tel: +65 6962 7510
Email: fpatel@cooley.com
Notification obligation. Under the PDPA, organisations must inform individuals of the purposes for which their personal data will be collected, used and disclosed in order to obtain their consent. In particular, organisations need to inform individuals of:
(1) The purposes for the collection, use and disclosure of their personal data, on or before collecting the personal data; and
(2) Any purpose for the use or disclosure of the personal data that has not been disclosed under (1), before such use or disclosure of personal data for that purpose.
It is worthwhile to note that the PDPA specifically limits the purposes for which, and the extent to which, an organisation may collect, use or disclose personal data with the aim of ensuring that personal data will be processed in a manner that is relevant and only for purposes that are reasonable.
Therefore, it is essential for an organisation to clearly specify the data processing purposes in its notification, and to evaluate the reasonableness of its processing activities to ensure that it will not violate the requirements for notification and purpose limitation under the PDPA.
The PDPA does not outline a specific manner or form by which an organisation is to notify an individual of the purposes for its data collection, use or disclosure. It is a good practice for any company doing business in Singapore to provide such notification through its privacy policy.
This privacy policy should contain an appropriate level of detail for an individual to determine the reasons for and manner in which the organisation will be collecting, using or disclosing their personal data. In practice, it is advisable for an organisation to work with experienced legal and other advisers to develop a privacy policy tailored to its particular business model and needs.
Rights to access and correction. The PDPA also grants individuals rights to request access to their personal data and for correction of their personal data that is in the possession or under the control of an organisation.
Right to access. Under the PDPA, on the request by an individual, an organisation must provide the individual with the following as soon as reasonably possible: personal data about the individual that is in the possession of or under the control of the organisation; and information about the ways in which that personal data has been or may have been used or disclosed by the organisation within a year.
Right to correction. An individual also may submit a request for an organisation to correct an error or omission in the individual’s personal data that is in the possession of or under the control of the organisation.
Unless the organisation is satisfied on reasonable grounds that the correction should not be made, it must correct the personal data as soon as practicable and send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year.
If an organisation is unable to respond to an access or correction request within 30 days after receiving the request, it shall inform the individual in writing within 30 days of the time by which it will be able to respond to the request.
Obtaining consent

Associate
Cooley
Tel: +65 6962 7527
Email: zyu@cooley.com
Valid consent. The PDPA allows organisations to collect, use or disclose an individual’s personal data if the individual gives consent. To obtain valid consent, an organisation must notify the individual of the purposes for which the personal data will be collected, used or disclosed, and the individual shall provide the consent for those purposes.
Consent can be obtained in several ways, such as in writing or recorded in a manner that is accessible. An individual can also be deemed to give consent by conduct, by contractual necessity, and by notification. In practice, companies doing business in Singapore may face challenges when trying to rely on deemed consent to process personal data, because they must comply with the criteria set out under the PDPA. For instance, to rely on the deemed consent by notification, an organisation is required to:
- Conduct an assessment to eliminate or mitigate adverse effects.
- Take reasonable steps to ensure that notification provided to individuals is adequate.
- Provide a reasonable opt-out period.
The PDPA also allows individuals to withdraw at any time any consent given or deemed to have been given under the PDPA.
Exceptions to the consent obligation. The PDPA also permits the collection, use and disclosure of personal data without consent and enumerates the permitted purposes in the first and second schedules to the PDPA. The first schedule provides for, among other things, a legitimate interest exception, which includes both an exception for certain specific purposes and a general exception that can be relied on for any other purposes that meet the definition of “legitimate interests”.
The specific purposes that can be deemed “legitimate interests” include, among others, for evaluative purposes, for investigations or proceedings, or for recovery or payment of debts owed.
Another significant exception under the first schedule is for publicly available data. “Publicly available” is defined under the PDPA as personal data that is generally available to the public, including personal data that can be observed by reasonably expected means at a location or event at which the individual appears and that is open to the public.
Transferring data
Under the PDPA, if an organisation intends to transfer personal data collected in Singapore to another country, it must carry out the transfer in accordance with the requirements prescribed under the PDPA to ensure that the transferred personal data will be subject to a standard of protection that is comparable to the protection under the PDPA (referred to as the transfer limitation obligation).
This means that an organisation shall ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications to provide the transferred personal data a standard of protection that is comparable to that under the PDPA.
Legally enforceable obligations may be imposed on the recipient organisation under:
(1) Any law (i.e., the national law of the place in which the recipient is located);
(2) Any contract that imposes a standard of protection that is comparable to that under the PDPA, and that specifies the countries and territories to which the personal data may be transferred;
(3) Any binding corporate rules (e.g. for transfers within a multinational corporate group); and
(4) Any other legally binding instrument.
In particular, to rely on the condition described under (2), the Personal Data Protection Commission of Singapore recognises and encourages the use of the model contractual clauses published by Asean, which are contractual terms setting out baseline responsibilities, required personal data protection measures, and related obligations of the parties to protect the data of data subjects.
An organisation can also transfer personal data outside Singapore if the recipient organisation holds a certification under the Asia-Pacific Economic Co-operation Cross Border Privacy Rules system, or under the APEC Privacy Recognition for Processors system, depending on the role of the recipient.
In addition, an organisation can be taken to have satisfied the transfer limitation obligation in certain specific circumstances, such as where:
- The individual consents to, or is deemed to have consented to, the transfer.
- The transfer is necessary for a use or disclosure that is in the vital interests of individuals, or in the national interest.
- The personal data is data in transit.
- The personal data is publicly available in Singapore.
Accountability obligations. Accountability is a fundamental principle under the PDPA. It means that organisations must take responsibility for the personal data under their possession or control.
To meet this requirement, an organisation must:
- Develop and implement policies for data protection.
- Communicate and inform its staff about these policies, and host regular training and awareness programmes.
- Appoint a data protection officer who is tasked with ensuring that the organisation complies with the PDPA.
- Implement processes and practices that are necessary to meet the organisation’s obligations under the PDPA.
Advice for Indian companies
India enacted its Digital Personal Data Protection Act (DPDPA) in 2023. The DPDPA will be the primary statute in India governing the protection of individuals’ digital personal data and it will be enforced based on the implementing rules finalised by the Indian government.
The Ministry of Electronics and Information Technology of India published the draft Digital Personal Data Protection Rules for public consultation on 3 January 2025.
Although the PDPA and the DPDPA bear resemblance, Indian companies should be aware that there are material differences in important areas, which can create gaps between the regimes that companies must bridge.
The authors highlight two key differences below.
Legitimate interest. As discussed, organisations in Singapore may collect, use and disclose personal data by relying on a legitimate interest exception without obtaining consent from an individual. However, this exception to the consent requirement is not available under the DPDPA.
Consent is the primary legal basis for processing personal data under the DPDPA. Therefore, the Singapore PDPA provides more available personal data processing legal bases for Indian companies to consider when doing business in Singapore.
Data protection officer. India’s DPDPA requires significant data fiduciaries to appoint a data protection officer. “Significant data fiduciaries” refer to data fiduciaries classified by the government based on certain factors such as the sensitivity and volume of data processed, the impact of processing on the rights of data principals, and the impact on the sovereignty, security and integrity of India.
However, under the Singapore PDPA, every organisation is required to appoint a data protection officer. Indian companies should ensure that they appoint such officers for their Singapore subsidiaries, along with making certain that the business contact information of the data protection officers is made publicly available.
Indian companies that have established or are in the process of updating their data protection compliance programme in accordance with the DPDPA may consider leveraging existing compliance efforts in India for their compliance posture in Singapore.
However, it is crucial for Indian companies to appreciate the differences between India’s DPDPA and Singapore’s PDPA so that they can address them properly in their compliance actions in Singapore.
This content is for general information only, and its access or use does not create an attorney-client relationship with Cooley, Cooley (UK), or any other affiliated practice or entity collectively referred to as Cooley.

182 Cecil Street,
Level 38, Frasers Tower,
069547 Singapore
Tel: +65 6962 7500
























