Pdpa Toolkit Questions
Uploaded by Shahera Safrin
8 pages

Organisation Name:
Date:
Time:

No. Question

Consent
1 Your organisation obtains consent from individuals or relies on an …
2 Your organisation notifies and seeks fresh consent from individuals to use …
3 Your organisation responds to withdrawal of consent requests by …
4 Your organisation ensures that the person providing consent on behalf …
5 Your organisation ensures that third party sources which your …
6 Your organisation has conducted the necessary assessments to utilise …
7 Your organisation has put in place the necessary processes including …

Purpose Limitation
1 Your organisation only collects, uses or discloses personal data for …

Notification
1 Your organisation informs individuals of the purposes for collecting, using …

Access & Correction
1 Your organisation has the processes to preserve a complete and accurate …
2 Your organisation has provided ways to allow access and correction …
3 Your organisation responds to access requests by individuals as soon as …
4 Your organisation informs the individual making the access request …
5 Your organisation responds to requests by individuals to correct …
6 Your organisation informs the individual of the time needed to …
7 Before responding to an access or correction request, your organisation …

Accuracy
1 Your organisation ensures that personal data collected from …
2 Your organisation ensures that personal data of individuals collected …

Protection
1 Your organisation has in place appropriate technical security measures …
2 Your organisation has in place appropriate physical security …
3 Your organisation has in place appropriate administrative …
4 Your organisation conducts risk assessments to determine …
5 Your organisation has measures in place to prevent the accidental …
6 Your organisation ensures that appointed information and …
7 Your organisation ensures that the ready-made software used can meet …
8 Your organisation ensures that third party organisations that process …

Retention Limitation
1 Your organisation stops retaining personal data when it does not have …
2 Your organisation has defined the retention period and disposal …

Transfer Limitation
1 Your organisation ensures that personal data is only transferred to …

Accountability
1 Your organisation has appointed a data protection officer (DPO) or …
2 Your organisation adopts accountability tools to assist …
3 Your organisation's DPO business contact information is made …
4 Your organisation has developed and implemented policies and practices …
5 Your organisation has policies and practices to respond to queries and …
6 Your organisation has clear reporting channels on personal data protection …
7 Your organisation educates all staff on the organisation's personal data …

Breach notification
1 Your organisation has put in place measures to monitor for potential …
2 Your organisation has policies and practices to respond to data …
3 Your organisation has established a Data Breach Management Plan to …
4 Your organisation runs regular breach simulation exercises to …

Do Not Call
1 Your organisation adheres to Do Not Call (DNC) requirements when …
2 Your organisation checks the Do Not Call (DNC) Registry before sending …
3 Your organisation documents checks with the DNC Registry.
4 Your organisation has obtained and documented clear and unambiguous …
5 Your organisation ensures that third party service providers engaged for …

Others
1 Your organisation has documented how personal data is collected, used …
2 Your organisation regularly reviews its personal data protection policies …
3 Your organisation conducts regular audits on your organisation's …
4 Your organisation ensures that third party service providers engaged to …
More Information on Questions

Consent
1 Organisations must obtain the express consent of the individual before collecting, using or disclosing his/her personal data for a purpose. Express consent is consent obtained in writing or …
2 For the consent sought from individuals to be valid, organisations must inform individuals of the purposes for which organisations are collecting, using or disclosing their personal data on or before …
3 Individuals may at any time withdraw any consent given or deemed to have been given under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose by an …
4 Consent may be given, or deemed to have been given, by any person validly acting on behalf of the individual for the collection, use or disclosure of the individual's personal data. Organisations should …
5 Organisations obtaining personal data from third party sources should exercise the appropriate due diligence to check and ensure that the third party source can validly give consent on …
6 An organisation may collect, use or disclose personal data about an individual based on deemed consent. Examples of deemed consent include …
7 There are exceptions where an organisation may collect, use, or disclose personal data about an individual without seeking their express consent. Acceptable exceptions include: …

Purpose Limitation
1 An organisation may collect, use or disclose personal data about an individual only for purposes:
- That a reasonable person would consider appropriate in the circumstances; and
- …

Notification
1 Organisations are required to inform individuals of the purposes for collecting, using or disclosing their personal data on or before collecting the data. Organisations should note that failure to notify …

Access & Correction
1 The preservation is required under Section 22A of the PDPA and the Personal Data Protection Regulations, as an individual may seek a review of the organisation's decision. In the event …
2 Individuals have the right to access and make corrections to the personal data which the organisation has possession of. Organisations should provide ways in which individuals can request for the access …
3 Organisations are required, upon request by an individual, to provide the individual with his/her personal data in their possession or under their control, as well as information about how the …
4 Organisations may charge a reasonable fee to recover incremental costs (for example, the cost of producing a physical copy of the personal data requested) of responding to an individual's access …
5 An individual may request an organisation to correct an error or omission in the individual's personal data that is in the possession or under the control of the organisation. Upon receipt of a …
6 Organisations remain responsible under the PDPA to provide access as soon as reasonably possible and correct the personal data as soon as practicable. Organisations should respond to requests for …
7 After an individual submits an access request and before processing an access/correction request, an organisation must verify the identity of the applicant. This could be in the form of the staff …

Accuracy
1 Organisations are required to make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data: …
2 Same text as question 1.

Protection
1 Organisations must protect personal data in their possession or under their control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. As …
2 Organisations are required to make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use, …
3 Same text as question 2.
4 Same text as question 2.
5 Same text as question 2.
6 It is common for organisations to outsource their ICT security requirements to be fulfilled by third party service providers. For instance, organisations may engage ICT service providers to design …
7 It is common for organisations to procure "commercial off-the-shelf" software to be implemented by the organisation. While such components or the services cannot be completely controlled by …
8 Organisations have the same obligations under the PDPA for the personal data processed by a third party (i.e. data intermediary), including making reasonable security arrangements to protect …

Retention Limitation
1 Organisations are required to stop retaining documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is …
2 An organisation is considered to have stopped retaining documents containing personal data when it, its agents and third parties that process personal data on its behalf (i.e. data intermediaries) no …

Transfer Limitation
1 Organisations may transfer personal data overseas if they have taken appropriate steps to ensure that they will comply with the Data Protection Provisions in respect of the transferred personal data while …

Accountability
1 Organisations are required to appoint at least one individual, known as the Data Protection Officer (DPO), to be responsible for ensuring that the organisation complies with the PDPA. DPOs oversee …
2 Organisations' DPOs may adopt these accountability tools, where relevant:
- Data Protection by Design (DPbD): a framework to operationalise data protection policies into processes by …
3 Organisations are required to make available the business contact information (BCI) of at least one individual who is able to handle queries on the organisation's collection, use or disclosure of …
4 Organisations are required to develop and implement the necessary policies and practices to meet their obligations under the PDPA. Policies and practices should be communicated to staff and other …
5 Organisations are required to have a complaint-handling process in place. Queries or complaints related to personal data protection are potential signs of inadequate personal data protection …
6 As good practice, organisations should set out a governance structure that establishes roles and responsibilities in relation to personal data protection. This demonstrates the organisation's …
7 Organisations are required to communicate to their staff information about the organisation's personal data protection policies and practices. Well-trained staff help ensure measures are …

Breach notification
1 It is important for organisations to put in place measures which allow them to monitor and take pre-emptive actions before data breaches occur. Monitoring measures and tools help to provide …
2 Data breaches are costly security failures. They could lead to financial losses, and cause consumers to lose trust in an organisation. As such, the PDPC encourages organisations to proactively prepare and …
3 Planning to manage a data breach is best done early. On the discovery of a data breach, it may be chaotic without the establishment of a data breach management plan. Having in place a robust …
4 To familiarise the data breach management team, senior management, and staff with the organisation's data breach management plan, it would be necessary to run simulated exercises on …

Do Not Call
1 Organisations sending telemarketing messages to a Singapore telephone number should:
- Check with the DNC Registry, unless clear and unambiguous consent has been provided.
2 There are DNC Registers for voice calls, text messages (e.g. SMS/MMS/text messages sent to a Singapore telephone number using messaging applications) and fax messages. Organisations that …
3 As good practice, organisations may wish to maintain an internal DNC Record that includes the results of DNC Registry checks, DNC expiry dates, and details of individuals who have consented or …
4 Check if your organisation has obtained and documented clear and unambiguous consent from individuals to send them telemarketing messages without checking the DNC Registry. Organisations …
5 Organisations should exercise due diligence to check and ensure that third party service providers engaged to carry out telemarketing activities adhere to the DNC requirements when doing so. This …

Others
1 As good practice, knowing how personal data is collected and handled helps identify potential gaps in existing data protection measures. Organisations are encouraged to:
- Identify a list of business …
2 As good practice, organisations may wish to regularly review personal data protection policies and practices (including ICT security policies, standards or processes) to ensure their …
3 As good practice, organisations should conduct audits to assess compliance with the PDPA. Audits are encouraged because they could highlight potential personal data protection problems, risks …
4 An organisation has the same obligations under the PDPA for the personal data that it has engaged a third party to process on its behalf (i.e. data intermediary). Organisations should exercise due …

Status
(1) Implemented
(2) Partially Implemented
(3) Not Implemented

Supporting documents
(This could include policies, procedures, forms, response plans, contract clauses, data protection management programme, consent register, or data protection impact assessment. You may wish to include a description of where such documents are …)
