
GDPR V Singapore 2021 Update 0

This document compares the privacy laws of the European Union's General Data Protection Regulation (GDPR) and Singapore's Personal Data Protection Act (PDPA). Both laws establish comprehensive personal and territorial scopes, with some differences. Key similarities include definitions of controllers, processors, and children's data. Both require lawful bases for processing, data transfers, records, impact assessments, officers, security, accountability, and individual rights like access and objection. Differences include the PDPA excluding public agencies and not distinguishing data categories. Enforcement includes authorities' powers and penalties, with the GDPR's maximum penalty being higher. The guide aims to help organizations comply by highlighting similarities and differences.

Uploaded by

Gurukul

LATEST EDITION

Comparing privacy laws:


GDPR v.
Singapore's PDPA

September 2021
About the authors

OneTrust DataGuidance™ provides a suite of privacy solutions designed to help organisations monitor regulatory developments, mitigate risk, and achieve global compliance.

OneTrust DataGuidance™ regulatory research includes focused guidance around core topics (i.e. GDPR, data transfers, breach notification, among others), Comparisons which allow you to compare regulations across multiple jurisdictions at a glance, a daily customised news service, and expert analysis. These tools, along with our in-house analyst service to help with your specific research questions, provide a cost-effective and efficient solution to design and support your privacy program.

Rajah & Tann Asia: A full service legal network spread out over 10 countries in South East Asia and beyond. One unified team, one commitment, one standard – driven by multiple talents. A team that understands local conditions and international standards. A team that is always there, ready when you are. Whenever and wherever you are.

Contributors

OneTrust DataGuidance™: Angela Potter, Keshawna Campbell, Mona Benaissa, Theo Stylianou, Victoria Ashcroft, Alexis Galanis, Angus Young

Rajah & Tann Asia: Lionel Tan and Kendrick Deng

Image production credits:
Cover/p.5/p.51: cnythzl / Signature collection / istockphoto.com
Scale key p6-49: enisaksoy / Signature collection / istockphoto.com
Icon p.12-21: Moto-rama / Essentials collection / istockphoto.com
Icon p.22-23: AlexeyBlogoodf / Essentials collection / istockphoto.com
Icon p.25, 29-37: zak00 / Signature collection / istockphoto.com
Icon p.38-45: AlexeyBlogoodf / Essentials collection / istockphoto.com
Icon p.47-51: cnythzl / Signature collection / istockphoto.com

Table of contents

Introduction

1. Scope
1.1. Personal scope
1.2. Territorial scope
1.3. Material scope

2. Key definitions
2.1. Personal data
2.2. Pseudonymisation
2.3. Controller and processors
2.4. Children
2.5. Research

3. Legal basis

4. Controller and processor obligations
4.1. Data transfers
4.2. Data processing records
4.3. Data protection impact assessment
4.4. Data protection officer appointment
4.5. Data security and data breaches
4.6. Accountability

5. Individuals' rights
5.1. Right to erasure
5.2. Right to be informed
5.3. Right to object
5.4. Right to access
5.5. Right not to be subject to discrimination in the exercise of rights
5.6. Right to data portability

6. Enforcement
6.1. Monetary penalties
6.2. Supervisory authority
6.3. Civil remedies for individuals

Introduction
On 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') went into effect. The Personal Data
Protection Act 2012 (No. 26 of 2012) ('PDPA'), which contains two (2) main sets of provisions covering data protection and
the Do Not Call Registry, was first enacted in 2012 and revised in 2020, with the amendments coming into effect as of 1 February
2021. Along with the PDPA, amendments to the subsidiary legislation, including the Personal Data Protection Regulations 2021,
also came into effect on 1 February 2021. Given the practice of using the Advisory Guidelines on Key Concepts in the PDPA
('the Advisory Guidelines on Key Concepts') and on the PDPA for Selected Topics ('the Advisory Guidelines on Selected Topics'),
both of which were issued by the Personal Data Protection Commission ('PDPC'), to interpret and apply the PDPA, this GDPR
comparison guide also refers to relevant Advisory Guidelines provisions.

Both laws are generally comprehensive and set out similar personal and extraterritorial scopes. However, while the GDPR
applies to both private and public bodies, the PDPA excludes public agencies from its scope. In addition, the GDPR defines
special categories of personal data, whereas the PDPA does not distinguish between specific categories of personal data, or
between automated and non-automated means of data processing.

Aside from some differences in terminology, both the GDPR and the PDPA share similar concepts of 'data controller' and 'data
processor,' and outline an obligation for organisations to appoint a data protection officer ('DPO'). Similar to the GDPR, the PDPA
provides for Data Protection Impact Assessments ('DPIA') to be carried out in certain situations – situations under the PDPA
include relying on deemed consent by notification or the legitimate interests exception to consent, while the GDPR prescribes
DPIAs to be conducted when data processing is likely to result in high risk to the rights of natural persons. Furthermore, the
amendments to the PDPA have introduced a number of key reforms, including a mandatory data breach notification obligation
which would further align the PDPA with the GDPR.

In addition, both pieces of legislation provide for restrictions and exceptions in relation to cross-border transfers of personal data
to a third country and international organisations, as well as establishing legal grounds and circumstances where cross-border
transfers can be lawfully performed.

Further similarities may be found in the rights individuals are entitled to. For instance, both the GDPR and the PDPA require data
controllers to inform data subjects about the purpose for which their personal data is collected and processed, and provide data
subjects with the right to withdraw consent to the processing of their personal data, as well as to access their personal data.
Nonetheless, the PDPA does not provide data subjects with the right to request the erasure or deletion of their personal data.

Both the GDPR and the PDPA provide supervisory authorities with wide-ranging investigatory powers and corrective powers
and outline significant monetary penalties in cases of non-compliance. However, the maximum penalty under the GDPR is much
higher than under the PDPA, although the PDPA will introduce an increased financial penalty of 10% of the annual turnover of
organisations if such turnover exceeds S$10 million, which will take effect no earlier than 1 February 2022.

This guide is aimed at highlighting the similarities and differences between the two pieces of legislation in order to help
organisations develop their compliance activities.

Introduction (cont'd)

Structure and overview of the Guide

This Guide provides a comparison of the two pieces of legislation on the following key provisions:

1. Scope
2. Key definitions
3. Legal basis
4. Controller and processor obligations
5. Individuals' rights
6. Enforcement

Each topic includes relevant provisions from the two legislative frameworks, a summary of the comparison, and a detailed analysis of the similarities and differences between the GDPR and the PDPA.

Key for giving the consistency rate (scale from Inconsistent to Consistent)

Consistent: The GDPR and the PDPA bear a high degree of similarity in the rationale, core, scope, and the application of the provision considered.

Fairly consistent: The GDPR and the PDPA bear a high degree of similarity in the rationale, core, and the scope of the provision considered, however, the details governing its application differ.

Fairly inconsistent: The GDPR and the PDPA bear several differences with regard to the scope and application of the provision considered, however, its rationale and core presents some similarities.

Inconsistent: The GDPR and the PDPA bear a high degree of difference with regard to the rationale, core, scope, and application of the provision considered.

1. Scope

1.1. Personal scope (Fairly inconsistent)

Both the GDPR and the PDPA protect living individuals with regard to the use of their personal data, and both utilise concepts that bear some degree of similarity. However, while the GDPR applies to both private and public bodies, the PDPA excludes public agencies and organisations acting on behalf of public agencies from its scope.

Relevant provisions

GDPR: Articles 3, 4(1); Recitals 2, 14, 22-25
PDPA: Sections 2(1), 4; Personal Data Protection Regulations 2014 ('PDPR')

Similarities

GDPR: The GDPR only protects living individuals. The GDPR does not protect the personal data of deceased individuals, this being left to Member States to regulate.
PDPA: The PDPA only protects living individuals, and does not apply to personal data about deceased individuals save for provisions relating to protection and disclosure of personal data, which would apply in respect of personal data about an individual who has been dead for 10 years or fewer. The PDPA would also not apply to personal data about an individual that is contained in a record that has been in existence for at least 100 years (even if it is personal data of an individual who is still living).

GDPR: The GDPR defines a data controller as a 'natural and legal person, public authority, agency or other body which, alone or jointly, with others, determines the purposes and means of the processing of personal data.'
PDPA: Whilst the PDPA does not utilise the concept of a 'data controller', instead using the more general term 'organisations' when defining the entities which are subject to the PDPA's obligations, this term is, with respect to the scope of such obligations, similar to the concept of a 'data controller' under the GDPR. 'Organisation' is defined in the PDPA as 'any individual, company, association or body of persons, corporate or unincorporated, whether or not (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore.'

GDPR: The GDPR defines a data processor as a 'natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.'
PDPA: Whilst the PDPA does not utilise the concept of a 'data processor', the term is similar to the concept of a 'data intermediary' under the PDPA. 'Data intermediary' is defined in the PDPA as 'an organisation which processes personal data on behalf of another organisation, but does not include an employee of that other organisation.'

GDPR: Article 4(1) of the GDPR clarifies that a data subject is 'an identified or identifiable natural person.'
PDPA: 'Individual' is defined in the PDPA as 'a natural person, whether living or deceased.' Please note that although 'deceased' is included in this definition, the PDPA explicitly states that it does not apply to personal data about deceased individuals save for the provisions noted above.

Differences

GDPR: The GDPR applies to data controllers and data processors who may be public bodies.
PDPA: The PDPA does not apply to any public agencies or organisations acting on behalf of a public agency.

GDPR: The GDPR provides that it 'should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.'
PDPA: The PDPA applies to the collection, use, and disclosure of personal data of individuals in Singapore and makes no explicit reference to their nationality or place of residence in relation to the collection, use, and disclosure of personal data.

1.2. Territorial scope (Fairly consistent)

With regard to extraterritorial scope, the GDPR applies to data controllers and data processors that do not have a presence in the EU but have processing activities that take place in the EU. Similarly, the PDPA applies to all organisations which are not a public agency, whether or not they are formed or recognised under the laws of Singapore, or resident or have an office or a place of business in Singapore.

Relevant provisions

GDPR: Articles 3, 4, 11; Recitals 2, 14, 22-25
PDPA: Section 2(1); Advisory Guidelines on Key Concepts ('the Advisory on Key Concepts')

Similarities

GDPR: The GDPR applies to organisations that have presence in the EU. In particular, under Article 3, the GDPR applies to entities or organisations that have an 'establishment' in the EU or if processing of personal data takes place in the context of the activities of that establishment, irrespective of whether the data processing takes place in the EU or not.
PDPA: The PDPA applies to all organisations which are not a public agency that carry out activities relating to the collection, use, and disclosure of personal data in Singapore.

GDPR: In relation to extraterritorial scope, the GDPR applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods, or services to individuals in the EU, or to the monitoring of the behaviour of individuals in the EU.
PDPA: The PDPA applies to organisations collecting, using, and disclosing personal data in Singapore, whether or not formed or recognised under the laws of Singapore, or resident or having an office or a place of business in Singapore.

Differences

GDPR: Not applicable.
PDPA: Not applicable.

1.3. Material scope (Fairly consistent)

Both the GDPR and the PDPA generally define personal data as information that directly or indirectly relates to an individual. Similarly, both laws provide exceptions for personal data processing that is for legal purposes, for personal use, and for certain artistic or media related purposes.

However, the GDPR and the PDPA vary regarding other aspects of material scope. Whilst the GDPR defines special categories of personal data, the PDPA does not distinguish between specific categories of personal data. In addition, unlike the GDPR, the PDPA does not differentiate between automated and non-automated means of data processing.

Relevant provisions

GDPR: Articles 2-4, 9, 26; Recitals 15-21, 26
PDPA: Sections 2(1), 4(1); First and Second Schedule; Personal Data Protection (Statutory Bodies) Notification 2013 ('the Notification'); PDPC's Advisory Guidelines on the PDPA for Selected Topics ('Advisory Guidelines on Selected Topics')

Similarities

GDPR: The GDPR applies to the 'processing' of personal data. The definition of 'processing' covers 'any operation' performed on personal data 'such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.'
PDPA: The PDPA applies to the collection, use, and disclosure of personal data.

GDPR: The GDPR defines 'personal data' as 'any information' that directly or indirectly relates to an identified or identifiable individual.
PDPA: The PDPA defines 'personal data' as 'data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.'

GDPR: The GDPR excludes from its application the processing of personal data by individuals for purely personal or household purposes. This is data processing that has 'no connection to a professional or commercial activity.'
PDPA: The PDPA explicitly excludes the application of the data protection provisions to any individual acting in a personal or domestic capacity, as well as any employee acting in the course of his/her employment with an organisation.

GDPR: The GDPR excludes from its application data processing in the context of law enforcement or national security.
PDPA: The PDPA excludes from its application public agencies or organisations acting on behalf of a public agency in relation to the collection, use, or disclosure of personal data. Under the PDPA, 'public agency' includes:
• the Government, including any ministry, department, agency, or organ of the State;
• any tribunal appointed under any written law; or
• any statutory body specified as such by the Minister by notification in the Gazette
The list of statutory bodies which are considered public agencies for the purposes of the PDPA is prescribed in the Notification.

GDPR: The GDPR provides requirements for specific processing situations including processing for journalistic purposes and academic, artistic or literary expression.
PDPA: The PDPA provides exceptions to the need for consent in certain situations, such as the use or disclosure of personal data for research purposes, the collection of personal data for artistic or literary purposes, certain journalistic purposes, as well as for legitimate interests and business improvements exceptions.

GDPR: The GDPR excludes anonymous data from its application, which is defined as information that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
PDPA: The PDPA does not define anonymised data. However, the PDPC's Advisory Guidelines on Selected Topics state that data that has been anonymised is not personal data, and the data protection provisions in the PDPA would not apply to the collection, use, or disclosure of anonymised data. The Advisory Guidelines on Selected Topics state that 'anonymisation' is the process of converting personal data into data that cannot be used to identify any particular individual.

Differences

GDPR: The GDPR defines special categories of personal data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. The GDPR also provides specific requirements for the processing of special categories of personal data.
PDPA: Whilst the PDPA neither distinguishes nor defines special categories of personal data, based on past decisions by the PDPC, certain types of personal data have been considered to be more sensitive, and organisations that collect, use, or disclose such data would generally be expected to provide more robust standards of protection. Such types of data include medical data, financial data, bankruptcy status, drug problems and infidelity, personal data of children and personal identifiers (e.g. National Registration Identity Card ('NRIC') and passport details).

GDPR: The GDPR applies to the processing of personal data by automated means or non-automated means if the data is part of a filing system.
PDPA: The PDPA does not differentiate or refer to automated and non-automated means of processing of personal data.

2. Key definitions

2.1. Personal data (Fairly consistent)

Both the GDPR and the PDPA define 'personal data', although the GDPR provides a more detailed definition. While the GDPR also defines sensitive data, the PDPA neither defines nor distinguishes special categories of personal data.

Relevant provisions

GDPR: Articles 4(1), 9; Recitals 26-30
PDPA: Section 2(1); Advisory Guidelines on Selected Topics

Similarities

GDPR: The GDPR defines 'personal data' as 'any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.'
PDPA: The PDPA defines 'personal data' as 'data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.'

GDPR: The GDPR does not apply to 'anonymised' data, where the data can no longer be used to identify the data subject.
PDPA: The PDPA does not apply to 'anonymised' data, where the data can no longer be used to identify the data subject.

GDPR: The GDPR specifies that online identifiers may be considered as personal data, such as IP addresses, cookie identifiers, and radio frequency identification tags.
PDPA: The PDPC's Advisory Guidelines on Selected Topics state that online identifiers such as IP addresses, cookie identifiers, and radio frequency identification tags may be considered as personal data if they can identify individuals.

Differences

GDPR: The GDPR defines special categories of personal data as data revealing a data subject's 'racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.'
PDPA: Whilst the PDPA neither distinguishes nor defines special categories of personal data, based on past PDPC decisions, certain types of personal data have been considered more sensitive data, and organisations that collect, use, or disclose such data would generally be expected to provide more robust standards of protection. Such types of data include medical data, financial data, bankruptcy status, drug problems and infidelity, personal data of children and personal identifiers (e.g. NRIC and passport details).

2.2. Pseudonymisation (Inconsistent)

The GDPR provides a definition for pseudonymised data and clarifies that such data is subject to the obligations of the GDPR. Unlike the GDPR, the PDPA does not provide a definition of pseudonymised data.

Relevant provisions

GDPR: Articles 4(5), 11; Recitals 26, 29
PDPA: PDPC's Guide to Basic Data Anonymisation Techniques ('the Anonymisation Guide')

Similarities

GDPR: Not applicable.
PDPA: Not applicable.

Differences

GDPR: The GDPR defines pseudonymised data as 'the processing of personal data in such a manner that the personal data that can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.'
PDPA: The PDPA does not define pseudonymised data. Instead, the Anonymisation Guide merely describes pseudonymisation as the replacement of identifying data with made up values, and can be both reversible and irreversible.

2.3. Controllers and processors (Fairly consistent)

Save for some differences in terminology, both the GDPR and the PDPA share similar concepts of 'data controller' and 'data processor.' There are also common obligations under both laws, such as the requirement to appoint a DPO.

Both the GDPR and PDPA provide that a data controller or data processor must conduct Data Protection Impact Assessments ('DPIAs') in certain circumstances.

Relevant provisions

GDPR: Articles 4, 17, 28, 30, 32, 33, 35, 37, 38; Recitals 64, 90, 93
PDPA: Sections 2(1), 4, 11, 15A and Part VIA; First Schedule, Part 3, Section 1; Personal Data Protection (Notification of Data Breaches) Regulations 2021 ('the Data Breach Regulations'); PDPC's Guide to Handling Access Requests; PDPC's Guide to Data Protection Impact Assessments; PDPC's Guide on Managing and Notifying Data Breaches under the PDPA

Similarities

GDPR: The GDPR defines a data controller as a natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data, alone or jointly with others.
PDPA: Whilst the PDPA does not utilise the term 'data controller,' instead using the more general term 'organisations' when defining the entities which are subject to the PDPA's obligations, the concept of 'organisations', with respect to the scope of such obligations, is similar to the concept of a 'data controller' under the GDPR. 'Organisation' is defined in the PDPA as 'any individual, company, association or body of persons, corporate or unincorporated, whether or not (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore.'

GDPR: The GDPR defines a data processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
PDPA: Whilst the PDPA does not utilise the term 'data processor', the concept is similar to that of a 'data intermediary' under the PDPA. 'Data intermediary' is defined in the PDPA as 'an organisation which processes personal data on behalf of another organisation, but does not include an employee of that other organisation.'

GDPR: Under the GDPR, data controllers must comply with the purpose limitation and accuracy principles, and rectify a data subject's personal data if it is inaccurate or incomplete.
PDPA: Organisations must comply with the ten data protection provisions of the PDPA as set out in Parts III to VIA of the PDPA. The ten data protection provisions are as follows:
• Consent Obligation;
• Purpose Limitation Obligation;
• Notification Obligation;
• Access and Correction Obligation;
• Accuracy Obligation;
• Protection Obligation;
• Retention Limitation Obligation;
• Transfer Limitation Obligation;
• Data Breach Notification Obligation; and
• Accountability Obligation.
However, data intermediaries are only required to comply with the Protection Obligation, the Retention Limitation Obligation, and the Data Breach Notification Obligation.

GDPR: Under the GDPR, data controllers must implement technical and organisational security measures.
PDPA: Organisations must implement reasonable technical and security measures to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, and the loss of any storage medium or device on which personal data is stored.

GDPR: The GDPR provides for the designation of a DPO by data controllers or data processors.
PDPA: Under the PDPA, all organisations are required to appoint a DPO, whose business contact information must be made publicly available. Although the DPO is not required to be physically present in Singapore, they should be readily reachable from Singapore and operational during Singapore business hours.

GDPR: The GDPR provides that where processing is to be carried out on behalf of a controller, the controller shall use only data processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. In addition, the data processor shall not engage another data processor without prior specific or general written authorisation of the controller.
PDPA: The PDPA provides that an organisation will have the same obligations in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself. Additionally, if the data intermediary is located overseas (i.e. outside Singapore), the Transfer Limitation Obligation would apply, requiring the organisation to ensure that the (recipient) data intermediary is bound by legally enforceable obligations (such as a contract) to provide a standard of protection that is comparable to that under the PDPA.

GDPR: Data controllers must notify supervisory authorities of data breaches.
PDPA: Organisations have a mandatory Data Breach Notification Obligation to notify the PDPC and/or affected individuals of data breaches if it is (or if it is likely to) result in significant harm to the affected individuals or of a significant scale (involving the personal data of 500 or more individuals).

GDPR PDPA
2.4. Children Fairly consistent

Similarities (cont'd) Unlike the GDPR, the PDPA does not contain provisions specifically targeted at protecting children's personal data. Nonetheless, the
PDPC recognises that there is generally greater sensitivity surrounding the treatment of minors and generally expects organisations
The GDPR provides that a data controller or data The PDPA provides that a data controller has to that collect, use, or disclose personal data of minors to provide more robust standards of protection when collecting, using, or
processors conduct DPIAs in certain circumstances. conduct DPIAs if relying on the legitimate interests disclosing personal data of minors.
exception or deemed consent by notification.

GDPR PDPA
Differences Articles 6, 8, 12, 40, 57 Advisory Guidelines on Selected Topics
Recitals 38, 58, 75
Data controllers based outside the EU and involved in The PDPA does not contain an equivalent provision.
certain forms of processing, with exceptions based on
the scale of processing and type of data, are obliged to Similarities
designate a representative based within the EU in writing.
The GDPR does not define 'child' nor 'children.' The PDPA does not define 'child' nor 'children.'

The GDPR stipulates that data controllers and data processors The PDPA does not specifically require organisations to keep
The GPDR provides that data controllers are required As a general rule, organisations obtaining personal data
keep records of processing activities and provides an records of processing activities. However, the PDPC has
to make reasonable efforts to verify that consent is from third-party sources should exercise the appropriate
exception from this obligation for small organisations. indicated that organisations should keep a record of all access
given or authorised by a parent or guardian. due diligence to check and ensure that the third-party
requests received and processed, documenting clearly
source can validly give consent for the collection, use,
whether the requested access was provided or rejected, as
and disclosure of personal data on behalf of the individual.
proper documentation may help an organisation in the event
This would similarly apply to the situation of obtaining
of a dispute or an application to the PDPC for a review.
consent from a parent or guardian on behalf of a minor.

Differences

GDPR: Where the processing is based on consent, the consent of a parent or guardian is required for providing information society services to a child below the age of 16. EU Member States can lower this age limit to 13.
PDPA: The PDPA does not specify the situations in which a minor (that is, an individual who is less than 21 years of age) may give consent for the purposes of the PDPA. However, the PDPC's Advisory Guidelines on Selected Topics state that the PDPC will adopt the practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his/her own behalf. The Advisory Guidelines on Selected Topics also state that as a general guide, where the minor is under the age of 13 years, organisations may wish to obtain consent for the collection, use, and disclosure of the minor's personal data from an individual that can legally give consent on behalf of the minor, such as the minor's parent or guardian.

GDPR: The GDPR considers children as 'vulnerable natural persons' that merit specific protection with regard to their personal data. In particular, specific protection should be given when children's personal data is used for marketing or collected for information society services offered directly to a child.
PDPA: The PDPA does not contain provisions that specifically address the collection, use, or disclosure of personal data about minors. However, the PDPC has expressed that given that there is generally greater sensitivity surrounding the treatment of minors, it may be prudent for organisations to introduce relevant precautions and safeguards when collecting, using, or disclosing personal data about minors.

GDPR: When any information is addressed specifically to a child, controllers must take appropriate measures to provide information relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, that the child can easily understand.
PDPA: Whilst the PDPA does not contain provisions that specifically address the collection, use, or disclosure of personal data about minors, the PDPC has expressed that when information is addressed specifically to a minor, the information should be stated in language that is easily understandable by minors. Organisations should also consider the use of pictures and other visual aids to make such information easier to understand.

GDPR: The GDPR's provisions on the applicable conditions for the processing of children's data apply in respect of information society services.
PDPA: The conditions for processing minors' data identified in PDPC's Advisory Guidelines on Selected Topics appear to be wider in scope than the GDPR and apply to the collection, use, or disclosure of personal data in Singapore.

2.5. Research
Fairly inconsistent

Under the GDPR, the processing of sensitive data is not prohibited where necessary for research purposes and when specific measures have been taken to safeguard the fundamental rights and interests of the data subjects. Similarly, under the PDPA, an organisation may collect, use, or disclose personal data for research purposes if individuals have been informed that their personal data will be collected, used, or disclosed for research purposes and their consent has been obtained for the same, unless an exception under the PDPA applies.

Unlike the GDPR, the PDPA does not provide data subjects with the right to object to the processing of their personal data. In addition, the GDPR provides a definition of scientific research, whereas the PDPA does not.

GDPR: Articles 5(1)(b), 9(2)(j), 14(5), 17(3), 21(6), 89; Recitals 33, 159-161
PDPA: Part 2 Division 3 Paragraph 1 of the Second Schedule

Similarities

GDPR: Under the GDPR, the processing of personal data for research purposes is subject to specific rules (e.g. with regard to the purpose limitation principle, right to erasure, data minimisation and anonymisation etc.).
PDPA: Organisations that wish to conduct analytics and research activities that require the collection, use, or disclosure of personal data have to comply with the PDPA. In particular, under the PDPA, individuals have to be notified that their personal data will be collected, used, or disclosed for the purpose of analytics and research activities, and their consent must have been obtained for the same, unless an exception under the PDPA applies.

GDPR: According to the GDPR, the processing of sensitive data is not prohibited when 'necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.'

PDPA: Under Part 2 Division 3 of the Second Schedule to the PDPA, organisations may use personal data without consent for a research purpose, including historical or statistical research, if all the conditions referred to in the subparagraphs (a) to (d) of Part 2 Division 3 Paragraph 1 are met. Subparagraphs (a) to (d) of Part 2 Division 3 Paragraph 1 state that the use of personal data about an individual for a research purpose shall not apply unless:
• the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form;
• there is a clear public benefit to using the personal data for the research purpose;
• the results of the research will not be used to make any decision that affects the individual; and
• in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual.

GDPR: Under the GDPR, data subjects have the right to object to the processing of personal data for research purposes unless such research purposes are for reasons of public interest.
PDPA: The PDPA does not provide individuals with the right to object to the processing of their personal data. Nonetheless, under the PDPA, a data subject has the right to withdraw consent that was previously given in relation to the collection, use, or disclosure of personal data for analytics and research activities.

Differences

GDPR: The GDPR clarifies that the processing of personal data for scientific research purposes should be interpreted 'in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research.'
PDPA: The PDPA does not include a definition for scientific research.

GDPR: Under the GDPR, where personal data are processed for research purposes, it is possible for Member States to derogate from some data subjects' rights, including the right to access, the right to rectification, the right to object and the right to restrict processing, insofar as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
PDPA: The PDPA does not provide for the capacity to derogate from data subject rights in relation to processing for research purposes (see the reference to the Second Schedule of the PDPA above for the research exceptions from consent requirement).

3. Legal basis
Fairly inconsistent

The GDPR provides a list of legal bases for the processing of personal data and special categories of personal data. Whilst the PDPA does not distinguish specific categories of personal data, it does deem the consent of the individual as central and necessary before commencing data processing activities. Furthermore, both pieces of legislation stipulate that data processing can be carried out by a data controller or organisation if it is required under a legal obligation.

GDPR: Articles 5-10; Recitals 39-48
PDPA: Section 13; First Schedule, Parts 3 and 5; Second Schedule, Part 2 Division 2; Advisory Guidelines on Key Concepts

Similarities

GDPR: The GDPR recognises consent as a legal basis to process personal data and includes specific information on how consent must be obtained and can be withdrawn.
PDPA: Under Section 13 of the PDPA, an organisation cannot collect, use, or disclose personal data about an individual unless the individual gives, or is deemed to have given, his/her consent to the collection, use, or disclosure. Under the PDPA, an individual has not given consent unless the individual has been notified of the purposes for which his/her personal data will be collected, used, or disclosed, and the individual has provided his consent for those purposes.

Differences

GDPR: The GDPR states that data controllers can only process personal data when there is a legal ground for it. The legal grounds are:
• consent;
• when processing is necessary for the performance of a contract which the data subject is part of in order to take steps at the request of the data subject prior to the entering into a contract;
• compliance with legal obligations to which the data controller is subject;
• to protect the vital interest of the data subject or of another natural person;
• performance carried out in the public interest or in the official authority vested in the data controller; or
• for the legitimate interest of the data controller when this does not override the fundamental rights of the data subject.
Further permissible uses are provided for the processing of special categories of personal data under Article 9(2).

PDPA: The PDPA does not explicitly outline legal bases for personal data processing, although it does provide that the collection, use, or disclosure can be done without the consent of the individual only if it is required or authorised under the PDPA or any other written law. These exceptions can be found in the First and Second Schedules of the PDPA, and include:
• to protect the vital interests of individuals;
• where the processing concerns public matters, such as the personal data being publicly available or if the processing is in the national interest;
• for the legitimate interests of the data controller or another person;
• for the purposes of carrying out business asset transactions; and
• for business improvement purposes.

GDPR: Under the GDPR, the legitimate interest basis applies provided that the interests and fundamental rights of the data subject are not overriding. Legitimate interests can arise when there is an appropriate relationship between data subject and controller, and require assessment of whether a data subject can reasonably expect that processing of personal data for a particular purpose may take place at the time. Among others, legitimate interests can include fraud prevention and direct marketing purposes.
PDPA: Under the PDPA, the legitimate interests exception applies as long as the legitimate interests of the data controller or other person outweigh any adverse effect on the individual. Organisations seeking to rely on the legitimate interests exception must carry out a DPIA to (i) define the context and purpose of data processing, (ii) identify expected benefits, (iii) assess likely adverse effects on the data subject, (iv) assess likely residual adverse effects, and (v) conduct a balancing test on whether the legitimate interests outweigh the residual adverse effects. The organisations may conduct this assessment using the PDPC's prescribed Assessment Checklist for Legitimate Interests Exception. While the legitimate interests exception applies to fraud prevention, network security and prevention of illegal activities, it should be noted that this exception does not apply to direct marketing purposes.

GDPR: The GDPR does not provide for business improvement as a legal basis for data processing.
PDPA: The PDPA has a business improvement exception which allows for collection, use and disclosure of personal data without consent for the purposes of improving their goods, services and methods, to learn about consumer preferences or personalise products/services, as long as the purpose cannot reasonably be achieved without the use of identifiable personal data, and a reasonable person would consider such use to be appropriate.

GDPR: Under the GDPR, as a general rule, the processing of special categories of personal data is restricted unless an exemption applies, which include the data subject's explicit consent.
PDPA: The PDPA neither distinguishes nor defines special categories of personal data.

4. Controller and processor obligations

4.1. Data transfers
Fairly inconsistent

Both the GDPR and the PDPA provide for restrictions and exceptions in relation to cross-border transfers of personal data to a third country and international organisations. In addition, both outline legal grounds and circumstances where cross-border transfers can be lawfully performed.

However, unlike the PDPA, the GDPR provides for cross-border transfers made from a register, and allows cross-border transfers carried out under international agreements for judicial cooperation.

GDPR: Articles 44-50; Recitals 101, 112
PDPA: Section 26; Advisory Guidelines on Key Concepts; PDPR

Similarities

GDPR: The GDPR allows personal data to be transferred to a third country or international organisation that has an adequate level of protection as determined by the EU Commission.
PDPA: The PDPA provides that an organisation must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA and the PDPR which specify the conditions under which an organisation may transfer personal data overseas. An organisation may transfer personal data overseas if it has taken appropriate steps to ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications to provide the transferred personal data a standard of protection that is comparable to the standard of protection provided under the PDPA.

Differences

GDPR: Under the GDPR, one of the following legal grounds must be established for the transfer of personal data abroad:
• prior consent;
• when a data subject has explicitly consented to the proposed transfer and acknowledged the possible risks of such transfer due to inadequate safeguards;
• when the transfer is necessary for the performance or conclusion of a contract;
• when the transfer is necessary for important public interest reasons;
• when the transfer is necessary for the establishment, exercise, or defence of a legal claim; and
• when the transfer is necessary to protect the vital interests of a data subject or other persons.

PDPA: An organisation will be recognised as having taken appropriate steps to ensure that the recipient of transferred personal data is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the PDPA if:
• subject to conditions, the individual whose personal data is to be transferred gives his/her consent to the transfer of his personal data;
• the individual is deemed to have consented to the disclosure by the transferring organisation;
• the transfer is necessary for the performance of a contract between the organisation and the individual, or to do anything at the individual's request with a view to his entering a contract with the organisation;
• the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA. In such cases, the organisation may only transfer personal data if it has taken reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose;
• the personal data is data in transit; or
• the personal data is publicly available in Singapore.

GDPR: The GDPR specifies that a cross-border transfer is allowed based on international agreements for judicial cooperation.
PDPA: The PDPA does not specify whether cross-border transfers based on international agreements for judicial cooperation are permitted.

GDPR: The grounds for a cross-border transfer include the transfer being made from a register which, according to the Union or a Member State law, is intended to provide information to the public, and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
PDPA: The PDPA does not establish a similar provision.

GDPR: In the absence of a decision on adequate level of protection, a transfer is permitted when the data controller or data processor provides appropriate safeguards with effective legal remedies that ensure the data subjects' rights as prescribed under the GDPR. Appropriate safeguards include:
• Binding Corporate Rules ('BCR') with specific requirements (e.g. a legal basis for processing, a retention period, complaint procedures, etc.);
• Standard Contractual Clauses ('SCC') adopted by the EU Commission or by a supervisory authority;
• an approved code of conduct; or
• an approved certification mechanism.

PDPA: The PDPA does not contain a similar provision. However, the Advisory Guidelines on Key Concepts provide that the following may be used to demonstrate that the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to that under the PDPA, as required under Section 26 of the PDPA:
• any law;
• any BCR that:
  ◦ require recipients of transferred personal data to provide a standard of protection that is at least comparable to the protection under the PDPA; and
  ◦ specify the recipients of the transferred personal data to which the BCR apply; the countries and territories to which the personal data may be transferred under the BCR; and the rights and obligations provided by the BCR;
• a contract that requires the recipient to provide to the transferred data a standard of protection that is at least comparable to the standard of protection under the PDPA; and
• specifies the countries and territories to which the personal data may be transferred under the contract; or
• any other legally binding instrument.
• or if the recipient organisation holds a 'specified certification' that is granted or recognised under the law of that country or territory to which the personal data is transferred, the recipient organisation is taken to be bound by such legally enforceable obligations and thereby taken to have satisfied the requirements. Under the PDPR, 'specified certification' refers to certifications under the Asia Pacific Economic Cooperation Cross Border Privacy Rules ('APEC CBPR') System and the Asia Pacific Economic Cooperation Privacy Recognition for Processors ('APEC PRP') System.

4.2. Data processing records
Inconsistent

The GDPR imposes an obligation on data controllers, their representatives, and data processors to maintain a record of processing activities, and outlines specific information that must be included within the record. The PDPA does not impose any obligations relating to recordkeeping of data processing activities.

GDPR: Article 30; Recital 82
PDPA: Advisory Guidelines on Key Concepts

Similarities

GDPR: Not applicable.
PDPA: Not applicable.

Differences

GDPR: Under the GDPR, data controllers and data processors have an obligation to maintain a record of processing activities under their responsibility. In addition, the GDPR prescribes a list of information that a data controller must record:
• the name and contact details of the data controller;
• the purposes of the processing;
• a description of the categories of personal data;
• the categories of recipients to whom the personal data will be disclosed;
• the estimated period for erasure of the categories of data; and
• a general description of the technical and organisational security measures that have been adopted.
The GDPR also prescribes a similar list for data processors, requires that records be maintained in writing or electronic form, and details exceptions for organisations with less than 250 employees, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data.

PDPA: The PDPA does not impose an obligation on organisations to maintain a record of processing activities. However, the PDPC has indicated in its Advisory Guidelines on Key Concepts that organisations should keep a record of all access requests received and processed, documenting clearly whether the requested access was provided or rejected, as proper documentation may help an organisation in the event of a dispute or an application to the PDPC for a review.

4.3. Data processing impact assessment
Fairly consistent

The GDPR contains provisions addressing when data controllers need to conduct DPIAs. The PDPA similarly contains provisions, albeit in the context of exceptions to obtaining consent from data subjects for data processing.

GDPR: Articles 35, 36; Recitals 75, 84, 89-93
PDPA: Section 15A; First Schedule, Part 3, paragraph 1

Similarities

GDPR: The GDPR provides that a DPIA must be conducted under the following circumstances:
• if a data controller utilises new technologies to process personal data;
• the processing may result in a high risk to the rights and freedoms of an individual;
• when a systematic and extensive evaluation of personal aspects relating to natural persons is involved, which is based on automated processing or profiling;
• there is processing on a large scale of special categories of data; and
• there is systematic monitoring of a publicly accessible area on a large scale.
In addition, the GDPR specifies requirements for further reviews and obligations for prior consultation with a supervisory authority.
The GDPR also outlines that an assessment must contain at least the following:
• a systematic description of the envisaged processing;
• operations and legitimate purposes of the processing;
• the necessity and proportionality of the operations in relation to the purposes; and
• the risks to the rights and freedoms of data subjects.

PDPA: The PDPA requires data controllers to conduct DPIAs when seeking to collect, use or disclose personal data without express consent and are seeking to rely either on the legitimate interests exception, or deemed consent by notification.
• For the legitimate interests exception, the data controller can rely on this exception if the legitimate interests outweigh any residual adverse effects on the data subject.
• For deemed consent by notification, the data controller cannot rely on the exception as long as there are any residual adverse effects on the data subject.

Differences

GDPR: Not applicable.
PDPA: Not applicable.

4.4. Data protection officer appointment
Fairly consistent

Both the GDPR and the PDPA provide for the appointment of a data protection officer ('DPO'). However, unlike the GDPR, the PDPA does not provide a definition of a DPO. In addition, the GDPR details the independence and professional qualities as well as expertise necessary to be appointed as a DPO, whereas the PDPA does not. Finally, the PDPA allows for more than one DPO to be appointed, whereas the GDPR does not address this matter.

GDPR: Articles 13-14, 37-39; Recital 97
PDPA: Sections 11(3), 11(5); Advisory Guidelines on Key Concepts

Similarities

GDPR: Under the GDPR, data controllers and data processors, including their representatives, are required to appoint a DPO in certain circumstances.
PDPA: Under the PDPA, an organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA.

GDPR: Under the GDPR, a DPO's tasks include:
• informing and advising the controller or the data processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
• monitoring compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; and
• acting as a contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

PDPA: Under the PDPA, the possible responsibilities of the DPO may include, but are not limited to, the following:
• ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data;
• fostering a data protection culture among employees by communicating personal data protection policies to stakeholders and conducting training sessions for employees to familiarise them with the company's data protection policies and guidelines;
• managing personal data protection related queries and complaints;
• alerting management to any risks that might arise with regard to personal data;
• liaising with the PDPC on data protection matters, if necessary;
• producing a personal data inventory;
• monitoring and reporting data protection risks; and
• providing internal training on data protection compliance.

GDPR: The contact details of the DPO must be included in the privacy notice for data subjects and communicated to the supervisory authority.
PDPA: An organisation must make available to the public the business contact information of at least one of the individuals designated.

Differences

GDPR: Under the GDPR, data controllers and data processors are only required to designate a DPO where:
• the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
• the core activities of a data controller or data processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
• the core activities of the controller or the processor relate to a large scale of special categories of personal data (e.g. religious beliefs, ethnic origin, data required for the establishment, exercise, or defence of legal claims etc.)
PDPA: All organisations are required to appoint a DPO.

GDPR: The GDPR provides that a group may appoint a single DPO who must be easily contactable by each establishment, that the DPO shall be designated on the basis of professional qualities and expert knowledge of data protection law and practices, and that data subjects may contact the DPO with regard to the processing of their personal data as well as the exercising of their rights. The GDPR also recognises the independence of DPOs and ensures that DPOs are provided with the resources necessary to carry out his or her obligations. The GDPR specifies that the DPO can be a staff member of the data controller or data processor or can perform tasks based on a service contract.
PDPA: The PDPA does not contain equivalent provisions regarding the appointment and role of a DPO. However, the Advisory Guidelines on Key Concepts state that DPOs should be sufficiently skilled and knowledgeable, trained and certified, and be amply empowered to discharge their duties.

GDPR: The GDPR does not explicitly refer to DPO teams or the delegation of DPO responsibilities.
PDPA: The PDPA provides that an organisation may appoint one person or a team of persons to be its DPO. Once appointed, the DPO may in turn delegate certain responsibilities to other officers.

4.5. Data security and data breaches
Fairly consistent

Both the GDPR and the PDPA outline requirements in relation to implementing security arrangements and various technical measures as well as an obligation to notify the relevant authorities and the impacted data subjects of data breaches in certain circumstances within a set timeline.

GDPR: Article 5, 24, 32-34; Recitals 74-77, 83-88
PDPA: Section 24; Part VIA

Similarities

GDPR: The GDPR states that data controllers and data processors are required to implement appropriate technical and organisational security measures to ensure that the processing of personal data complies with the obligations of the GDPR.
PDPA: The PDPA states that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and the loss of any storage medium or device on which personal data is stored.

GDPR: The GDPR provides a list of technical and organisational measures, where appropriate, that data controllers and data processors may implement such as pseudonymisation, encryption, and the ability to restore availability and access to personal data in a timely manner in the event of physical or technical incidents, to ensure integrity and confidentiality.
PDPA: The Advisory Guidelines on Key Concepts provide a list of example technical measures that organisations could implement, such as encrypting personal data, adopting appropriate access controls, and ensuring computer networks are secure.

GDPR: In the case of a personal data breach, the data controller must notify the competent supervisory authority of the breach, unless the personal data breach is unlikely to result in a risk to the individuals' rights and freedoms. The controller must also notify relevant data subjects of a data breach without undue delay if the data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless certain exceptions apply. The GDPR also specifies information such notifications must contain. In addition, the GDPR provides that a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of the breach, and stipulates that data processors must notify the data controller without undue delay after becoming aware of the personal data breach.
PDPA: Organisations have a mandatory Data Breach Notification Obligation to notify the PDPC and/or affected individuals of data breaches if the breach results in (or is likely to result in) significant harm to the affected individuals ('Significant Harm Breach') or is of a significant scale (involving the personal data of 500 or more individuals) ('Significant Scale Breach'). The Significant Harm Breach does not look at the number of data subjects who are affected by the data breach, but the extent of harm that could be caused, which can be dependent on the nature of the personal data compromised. The Significant Scale Breach does not consider the harm that could be caused to the individual but instead focuses on the number of data subjects whose personal data have been compromised. The PDPA provides the following timelines for when notification is required to take place. Notification to the PDPC must be no later than three calendar days after the organisation makes an assessment that a data breach is a notifiable data breach. In the case where notification to the affected individuals is required because it is a Significant Harm Breach, the timeline for doing so is as soon as practicable.

Differences

GDPR: The GDPR defines 'personal data breach' to mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
PDPA: The PDPA's definition of a 'data breach', in relation to 'personal data', is wider than the GDPR definition. The PDPA definition includes the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data as well as the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.

4.6. Accountability
Consistent

Both the GDPR and the PDPA recognise an organisation's accountability for personal data in its possession or under its control as a fundamental privacy principle. Furthermore, both pieces of legislation contain provisions that can be taken to apply to accountability, such as the requirement to designate a DPO.

GDPR: Articles 5, 24-25, 35, 37; Recital 39
PDPA: Sections 11(2), 12

Similarities

GDPR: The GDPR recognises accountability as a fundamental principle of data protection. In particular, Article 5(2) of the GDPR states that 'the data controller shall be responsible and able to demonstrate compliance with the data protection principles provided for under Article 5(1)'. In addition, the accountability principle can be taken to apply to several other requirements, as mentioned in other sections of this report, including the appointment of a DPO, and DPIAs.

PDPA: The PDPA recognises the Accountability Obligation (previously known as the Openness Obligation) as a fundamental principle of data protection. The Accountability Obligation is premised on Section 11(2) of the PDPA which states that 'an organisation is responsible for personal data in its possession or under its control.' Furthermore, accountability can be taken to apply to other requirements, including the appointment of a DPO and the requirement for an organisation to develop and implement data protection policies and practices to meet its obligations under the PDPA.

Differences

GDPR: Not applicable.

PDPA: Not applicable.

5. Individuals' rights

5.1. Right to erasure
Inconsistent

Unlike the GDPR, the PDPA does not provide data subjects with the right to request the erasure or deletion of their personal data. Under the PDPA, there are only general requirements in relation to ceasing to retain data once the purpose for which the personal data was collected is no longer being served by retention of the personal data, and retention is no longer necessary for legal or business purposes.

GDPR: Articles 12, 17; Recitals 59, 65-66
PDPA: Sections 16, 25; Advisory Guidelines on Key Concepts

Similarities

GDPR: Not applicable.

PDPA: Not applicable.

Differences

GDPR: Under the GDPR, the right to erasure applies if certain grounds apply, such as where consent of the data subject is withdrawn and there is no other legal ground for processing, or the personal data is no longer necessary for the purpose for which it was collected. The GDPR further specifies that this right can be exercised free of charge, data subjects must be informed that they have the right to request for their data to be deleted, and that responses must be made within one month with the potential for extending this deadline for two additional months. The GDPR also specifies related exceptions and format requirements.

PDPA: The PDPA does not provide data subjects with the right to erasure. The Advisory Guidelines on Key Concepts clarify that an individual may withdraw consent for the collection, use, or disclosure of his personal data, but the PDPA does not require an organisation to delete or destroy the individual's personal data upon request. Instead, the organisation is required to delete the personal data only if (i) the purpose for which the data was collected is no longer being served by retention, and (ii) retention is not necessary for business or legal purposes.
5.2. Right to be informed
Fairly inconsistent

The GDPR and the PDPA both require data controllers to inform data subjects about the purpose for which their personal data is collected and processed. In addition, both pieces of legislation require data controllers and organisations to disclose business contact information of the DPO to respond to data subjects' queries.

However, the GDPR requires data controllers to inform data subjects of the potential consequences of the processing of personal data, and stipulates that information must be sent in written form to the data subjects, whereas the PDPA does not specify the means by which information must be shared.

GDPR: Articles 5-14; Recitals 58-63
PDPA: Sections 11(5), 20

Similarities

GDPR: Data subjects must be provided with information relating to the processing of personal data in order to validate their consent, including:
• purposes of processing, including the legal basis for processing; and
• contact details of the data controller or its representative and the DPO.

PDPA: An organisation must inform the individual of:
• the purposes for the collection, use, and/or disclosure of the personal data, as the case may be, on or before collecting the personal data; and
• on request by the individual, the business contact information of a person who is able to answer on behalf of the organisation the individual's questions about the collection, use, or disclosure of the personal data.

GDPR: A data controller cannot collect and process personal data for purposes other than the ones about which the data subjects were informed, unless the data controller provides them with further information.

PDPA: Under the PDPA, an organisation must inform the data subject of any other purpose for which the data collected will be used or disclosed.

GDPR: Information relating to personal data processing (e.g. the purpose of the processing, the rights of data subjects, etc.) must be provided to data subjects by the data controller at the time when personal data is obtained.

PDPA: Information relating to personal data processing (e.g. the purpose of the collection, use, or disclosure) must be provided to the data subjects on or before collecting, using, or processing such personal data.

Differences

GDPR: Under the GDPR data subjects must be provided with the following information relating to the processing of personal data:
• details of personal data to be processed;
• data subjects' rights (e.g. the right to erasure, right to object, right of withdrawal, right to lodge a complaint to a relevant authority, etc.);
• data retention period; and
• recipients or their categories of personal data.

PDPA: The PDPA does not explicitly require organisations to provide this information. However, an organisation should state its purposes at an appropriate level of detail for the individual to determine the reasons and manner in which the organisation will be collecting, using, or disclosing his personal data.

GDPR: In addition, data subjects must be informed of the possible consequences of a failure to provide personal data whether in complying with statutory or contractual requirements, or a requirement necessary to enter into a contract.

PDPA: The PDPA does not contain a similar requirement regarding the consequences of failing to provide information.

GDPR: The GDPR provides specific information that must be given to data subjects when their personal data has been collected from a third party, which includes the sources from which the data was collected.

PDPA: The PDPA does not require organisations to provide information to the data subjects when their personal data has been collected from a third party. However, organisations obtaining personal data from third-party sources should exercise the appropriate due diligence to check and ensure that the third-party source can validly give consent for the collection, use, and disclosure of personal data on behalf of the individual or that the source had obtained consent for disclosure of the personal data.

GDPR: Information can be provided to data subjects orally, in writing, or by electronic means.

PDPA: The PDPA does not specify a manner or form in which an organisation is to inform an individual of the purposes for which it is collecting, using, or disclosing their data. An organisation should determine the best way to ensure that the individual is provided with the required information to understand the purposes for which his personal data is collected, used, or disclosed.

GDPR: In the case of indirect collection, a data controller must provide information relating to such collection to data subjects within a reasonable period after obtaining the data, but at the latest within one month, or at the time of the first communication with the data subject, or when personal data is first disclosed to the recipient.

PDPA: The PDPA does not contain a similar requirement regarding indirect collection.

GDPR: Data subjects must be informed of the existence of automated decision-making, including profiling, at the time when personal data is obtained.

PDPA: The PDPA does not contain a similar requirement regarding automated decision-making.

GDPR: A data controller must inform data subjects of the existence or absence of an adequacy decision, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

PDPA: The PDPA does not contain a similar requirement regarding informing data subjects of adequacy decisions.

GDPR: Information must be provided to data subjects in an easily accessible form with clear and plain language, which can be in writing and other means such as electronic format.

PDPA: The PDPA does not contain a similar provision. However, the Advisory Guidelines on Key Concepts note that it is generally good practice for an organisation to state its purpose in a written form (which may be electronic or other form of documentary evidence) so that the individual is clear about its purpose and both parties will be able to refer to a clearly documented statement of the organisation's purpose in the event of any dispute.

5.3. Right to object
Fairly inconsistent

Both the GDPR and the PDPA provide data subjects and individuals with the right to withdraw consent to the processing of their personal data. However, the GDPR provides data subjects with the right to object to the processing of their personal data, whereas the PDPA does not provide such a right.

GDPR: Articles 7, 12, 18, 21
PDPA: Section 16

Similarities

GDPR: Data subjects shall have the right to withdraw their consent to the processing of their personal data at any time.

PDPA: Individuals may, at any time, withdraw any consent given or deemed to have been given under the PDPA in respect of the collection, use, or disclosure of their personal data for any purpose by an organisation.

Differences

GDPR: Under the GDPR, data subjects are provided with the right to object to the processing of their personal data in specific circumstances:
• the processing of personal data is due to tasks carried out in the public interest or based on a legitimate interest pursued by the data controller or third party;
• the processing of personal data is for direct marketing purposes; and
• the processing of personal data is for scientific, historical research or statistical purposes.

The data subject has the right to be informed about the right to object, and how to exercise this right.

Upon the receipt of an objection request, a data controller shall no longer process the personal data unless:
• the processing is based on a legitimate ground that overrides the data subjects' interests; or
• it is for the establishment, exercise, or defence of a legal claim.

A request to restrict the processing of personal data must be responded to without undue delay and in any event within one month from the receipt of request. The deadline can be extended by two additional months taking into account the complexity and number of requests.

PDPA: The PDPA does not provide the right to object in a similar manner to that provided in the GDPR.
5.4. Right of access
Fairly consistent

Both the GDPR and the PDPA provide data subjects with the right to access personal data in the possession of a data controller or organisation, respectively.

However, the GDPR and the PDPA contain notable differences with regard to the implementation of the right to access, including how requests must be communicated and on verifying the identity of the data subject. Furthermore, the GDPR provides detailed guidance on the information that must be included in an access request, whereas the PDPA does not.

GDPR: Articles 15, 23(1); Recitals 59-64
PDPA: Sections 21, 48H, Fifth Schedule; Advisory Guidelines on Key Concepts

Similarities

GDPR: The GDPR recognises that data subjects have the right to access their personal data that is processed by a data controller.

PDPA: The PDPA provides individuals with a right of access to personal data about the individual that is in the possession or under the control of an organisation.

GDPR: Data subjects' requests under this right must be replied to without 'undue delay and in any event within one month from the receipt of a request.' The deadline can be extended by two additional months taking into account the complexity and number of requests. In any case, the data subject must be informed of such an extension within one month from the receipt of a request.

PDPA: An organisation must respond to an access request as soon as reasonably possible from the time the access request is received. Furthermore, if an organisation is unable to respond to an access request within 30 days, the organisation must instead inform the individual in writing of the time by which it will be able to respond to the request.

GDPR: A data controller can refuse to act on a request when it is manifestly unfounded, excessive, or has a repetitive character.

PDPA: An organisation is not required to provide access if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual's interest, or if the request is otherwise frivolous or vexatious.

GDPR: The GDPR provides that the right of access must not adversely affect the rights or freedoms of others, including those related to trade secrets.

PDPA: The PDPA provides that an organisation is not required to provide personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation.

GDPR: Under the GDPR a data controller may refuse requests that are 'manifestly unfounded or excessive'. In addition, the right to obtain a copy of personal data must not adversely affect the rights and freedoms of others; however, the result of such considerations should not be a refusal to provide all information to the data subject. Furthermore, Member States may derogate and alter the scope of the data subject rights provided in the GDPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society. Further details regarding the aforementioned fundamental rights and freedoms can be found in Article 23(1) of the GDPR.

PDPA: The PDPA creates further exceptions to when access requests need not be complied with, including where provision of the data subject's personal data or other information could reasonably be expected to:
• threaten the safety or physical or mental health of an individual other than the individual who made the request;
• cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
• reveal personal data about another individual;
• reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or
• be contrary to the national interest.
Further exceptions can also be found in the Fifth Schedule of the PDPA.

Differences

GDPR: The GDPR specifies that, when responding to an access request, the data controller must indicate the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source; and
• the existence of automated decision-making, including profiling.

PDPA: Section 21(1) of the PDPA provides that, upon request by an individual, an organisation shall provide the individual with the following as soon as reasonably possible:
• personal data about the individual that is in the possession or under the control of the organisation; and
• information about the ways in which that personal data has been or may have been used or disclosed by the organisation within a year before the date of the individual's request.

GDPR: Data subjects must have a variety of means through which they can make their request, including orally and through electronic means. In addition, when a request is made through electronic means, a data controller should submit a response through the same means.

PDPA: The PDPA does not address the means by which data subjects can make an access request. However, the Advisory Guidelines on Key Concepts note that where an individual making the access request asks for a copy of personal data in documentary form, an organisation should provide the copy and have the option of charging the individual a reasonable fee for producing the copy.

GDPR: The GDPR specifies that a data controller must have in place mechanisms for identity verification.

PDPA: The PDPA does not contain a similar provision on identity verification mechanisms. However, organisations should, before responding to an access request, exercise due diligence and adopt appropriate measures to verify an individual's identity.

GDPR: The right to access can be exercised free of charge. There may be some instances where a fee may be requested, notably when the requests are unfounded, excessive, or have a repetitive character.

PDPA: An organisation may charge an individual a reasonable fee to process an access request by the individual.

5.5. Right not to be subject to discrimination
Consistent

The right not to be subject to discrimination in exercising rights is not explicitly mentioned in the GDPR or the PDPA. However, under the GDPR and the PDPA, the right not to be subject to discrimination can be inferred from the fundamental rights of the data subject.

Similarities

GDPR: The GDPR does not explicitly address the right not to be subject to discrimination; therefore, no scope of implementation is defined.

PDPA: The PDPA does not explicitly address the right not to be subject to discrimination; therefore, no scope of implementation is defined.

Differences

GDPR: Not applicable.

PDPA: Not applicable.
5.6. Right to data portability
Inconsistent

Presently, the PDPA does not contain any provisions on the right of data subjects to data portability. However, the Personal Data Protection (Amendment) Bill 2020 has been passed and will introduce a data portability obligation similar to the right to data portability under the GDPR, which would require organisations, at the request of the individuals, to share the individual's personal data to another organisation, in a machine-readable format. The timeline of when this new data portability obligation will take effect has yet to be announced.

GDPR: Articles 12, 20, 28; Recitals 68, 73
PDPA: Not applicable

Similarities

GDPR: Not applicable.

PDPA: Not applicable.

Differences

GDPR: The GDPR provides individuals with the right to data portability and defines the right to data portability as the right to receive data processed on the basis of contract or consent and processed by automated means, in a 'structured, commonly used, and machine-readable format' and to transmit that data to another controller without hindrance.

PDPA: The PDPA does not currently include a right to data portability. However, the new data portability obligation envisaged to come into effect soon allows for individuals to make a request to the organisation to transmit the individual's Personal Data to another organisation in a commonly used machine-readable format.

6. Enforcement

6.1. Monetary penalties
Fairly inconsistent

Both the GDPR and the PDPA provide for the possible imposition of significant monetary penalties in cases of non-compliance. However, the GDPR's maximum limit for monetary penalties is much higher than that of the PDPA.

GDPR: Articles 83-84; Recitals 148-149
PDPA: Sections 48I, 48J; PDPC's Guide on Active Enforcement ('the AE Guide')

Similarities

GDPR: The GDPR provides for the possibility of administrative, monetary penalties to be issued by the supervisory authorities in cases of non-compliance.

PDPA: The PDPA provides for the possibility of administrative, monetary penalties to be issued by the PDPC in cases of non-compliance.

GDPR: When applying an administrative sanction, the supervisory authority must consider: (i) the nature, gravity and duration of the infringement; (ii) the intentional or negligent character of the infringement; (iii) any action taken to mitigate the damage; (iv) the degree of responsibility of the controller or processor; (v) any relevant previous infringements; (vi) the degree of cooperation with the supervisory authority; (vii) the categories of personal data affected by the infringement; (viii) the manner in which the infringement became known to the supervisory authority; (ix) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (x) adherence to approved codes of conduct or approved certification mechanisms; and (xi) any other aggravating or mitigating factor applicable to the circumstances of the case.

PDPA: The AE Guide states that as a matter of enforcement policy, the PDPC's approach is first to consider the nature of the breach and whether directions without financial penalties are effective in remedying the breach. Financial penalties are intended to act as a form of sanction and deterrence against non-compliance when directions alone do not sufficiently reflect the seriousness of the breach. When considering whether to direct an organisation to pay a financial penalty, the PDPC will take into account the seriousness of the incident of the breach. In calibrating the financial penalties, the PDPC considers the following non-exhaustive list of factors: (i) the nature, gravity and duration of the non-compliance by the organisation; (ii) the type and nature of the personal data affected by the non-compliance by the organisation; (iii) whether the organisation, as a result of the non-compliance, gained any financial benefit or avoided any financial loss; (iv) whether the organisation took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action; (v) whether the organisation, despite the non-compliance, implemented adequate and appropriate measures for compliance with requirements under the PDPA; (vi) whether the organisation had previously failed to comply with the PDPA; (vii) the compliance of the organisation with any previous direction issued by the PDPC; (viii) whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non-compliance with the PDPA; (ix) the likely impact of the imposition of the financial penalty on the organisation, including the ability of the organisation to continue the usual activities of the organisation; or (x) any other matter that may be relevant, for example, voluntary notification of the data breach.

Differences

GDPR: The GDPR provides for the application of fines to government bodies. It is, though, left to Member States to create rules on the application of administrative fines to public authorities and bodies.

PDPA: The PDPA does not apply to public authorities and bodies.

GDPR: Depending on the violation that occurred, the penalty may be up to either: 2% of global annual turnover or €10 million, whichever is higher; or 4% of global annual turnover or €20 million, whichever is higher.

PDPA: Depending on the violation, the PDPC may impose a financial penalty of up to SGD 1 million (approx. €629,540) or 10% of the organisation's annual turnover in Singapore (where the organisation's annual turnover in Singapore exceeds SGD 10 million (approx. €6,295,440)), whichever is higher. The revised financial penalty caps are to take effect no earlier than 1 February 2022.

6.2. Supervisory authorities
Fairly consistent

Both the GDPR and the PDPA provide supervisory authorities with wide-ranging investigatory powers and corrective powers. The scope of these powers under the two laws is fairly consistent, and the PDPC can be considered a relatively active authority when compared with EU equivalents.

GDPR: Articles 51-84; Recitals 117-140
PDPA: Sections 6, 48H, 48I, 48J, 48K, 48M, 48N, 49, 50; Ninth Schedule

Similarities

GDPR: Under the GDPR, supervisory authorities have investigatory powers which include: (i) ordering a controller and processor to provide information required; (ii) conducting data protection audits; (iii) carrying out a review of certifications issued; and (iv) obtaining access to all personal data and to any premises.

PDPA: Under the PDPA, the PDPC has powers of investigation, which include requiring an organisation to produce a specified document or specified information which the PDPC or one of its inspectors considers relevant to an investigation. If the document is produced, the PDPC may take copies of it or extracts from it, and require an explanation of the document. If the document is not produced, the PDPC may require an organisation or person to state where it is. The PDPC has the power to enter premises under warrant. The PDPC may also enter into any premises without a warrant by giving the occupier of the premises at least two working days' written notice of the intended entry, and indicating the subject matter and purpose of the investigation. The PDPC may also require any person within the limits of Singapore to attend before it, such as if the person is acquainted with the facts or circumstances of the matter, to be orally examined by the PDPC.

GDPR: Under the GDPR, supervisory authorities have corrective powers which include: (i) issuing warnings and reprimands; (ii) imposing a temporary or definitive limitation including a ban on processing; (iii) ordering the rectification or erasure of personal data; and (iv) imposing administrative fines.

PDPA: Under the PDPA, the PDPC has the power to issue the following directions to an organisation: (i) to stop collecting, using or disclosing personal data in contravention of the PDPA; (ii) to destroy personal data collected in contravention of the PDPA; (iii) to comply with any direction of the PDPC; or (iv) to pay SGD 1 million (approx. €629,540) or 10% of the organisation's annual turnover in Singapore (where the organisation's annual turnover in Singapore exceeds SGD 10 million (approx. €6,295,440)), whichever is higher. The revised financial penalty caps are to take effect no earlier than 1 February 2022.

GDPR: Under the GDPR, supervisory authorities shall also: (i) handle complaints lodged by data subjects; and (ii) cooperate with data protection authorities from other countries.

PDPA: Under the PDPA, the functions of the PDPC include (i) handling complaints lodged by individuals; (ii) representing the Singapore Government internationally on matters relating to data protection; and (iii) managing technical co-operation and exchange in the area of data protection with foreign data protection authorities and international or inter-governmental organisations.

GDPR: Under the GDPR, supervisory authorities are tasked with promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing as well as promoting the awareness of controllers and processors of their obligations, amongst other tasks.

PDPA: Under the PDPA, the functions of the PDPC include, among other things, promoting awareness of data protection in Singapore, conducting research and studies and promoting educational activities relating to data protection, including organising and conducting seminars, workshops and symposia relating thereto, and supporting other organisations conducting such activities. The PDPC may also issue various advisory guidelines indicating the manner in which it will interpret the provisions of the PDPA.

Differences

GDPR: It is left to each Member State to establish a supervisory authority, and to determine the qualifications required to be a member, and the obligations related to the work, such as duration of term as well as conditions for reappointment.

PDPA: The PDPA stipulates that the PDPC shall be responsible for the administration of the PDPA.

GDPR: Supervisory authorities may be subject to financial control only if it does not affect its independence. They have separate, public annual budgets, which may be part of the overall national budget.

PDPA: The PDPC is part of the Info-communications Media Development Authority ('IMDA'). IMDA receives an annual operating budget from the Ministry of Communications and Information, a ministry of the Government of Singapore.

6.3. Civil remedies for individuals
Fairly consistent

Both the GDPR and the PDPA provide individuals with a legal right to claim relief for any damages incurred from violations by organisations, and allow for the lodging of complaints with the relevant authority.

GDPR: Articles 79, 80, 82; Recitals 131, 146-147, 149
PDPA: Section 48O

Similarities

GDPR: The GDPR provides individuals with a cause of action to seek compensation from a data controller and data processor for a violation of the GDPR.

PDPA: The PDPA provides that any person who suffers loss or damage directly as a result of a contravention of any of the data protection provisions in Part IV, V, VI, VIA or VIB of the PDPA by an organisation or contravention of any provisions of Division 3 of Part IX or IXA by a person may commence a private civil action in respect of such loss or damage suffered.

GDPR: Under the GDPR, the data subject has the right to lodge a complaint with the supervisory authority. The supervisory authority must inform the data subject of the progress and outcome of his or her complaint.

PDPA: An individual may lodge a complaint relating to personal data protection to the PDPC.

GDPR: The GDPR provides that a data controller or processor shall be exempt from liability to provide compensation if it proves that it is not in any way responsible for the event giving rise to the damage.

PDPA: Under the PDPA, only individuals who have suffered loss or damage directly as a result of a contravention of any of the data protection provisions in Part IV, V, VI, VIA, VIB, Division 3 of Part IX or Part IXA of the PDPA may commence a private civil action against an organisation or a person in respect of such loss or damage suffered.

Differences

GDPR: The GDPR allows Member States to provide for the possibility for data subjects to give a mandate for representation to a not-for-profit body, association, or organisation that has as its statutory objective the protection of data subject rights.

PDPA: The PDPA does not contain a provision for individuals to give a mandate for representation to not-for-profit bodies, associations, or organisations.