PDPA
What is PDPA?
The Personal Data Protection Act (PDPA) is Singapore’s privacy law. It also includes the Personal Data Protection Regulation and the Advisory Guidelines.
Application
PDPA applies to organisations which are resident of singapore (such as companies, associations, body of persons) that collect, use and share personal data. Note that unlike the GDPR, PDPA scope does not apply outside of Singapore.
What is personal data under the PDPA?
Data, whether true or not, about an individual who can be identified from (a) that data; or (b) from thar data and any other information.
Individual rights under PDPA
Under PDPA individuals have the following rights:
- Right to withdraw consent;
- Right to be informed regarding the collection, use and disclosure of personal data;
- Right to access personal data; and
- Right to correct personal data.
As a global company, Rapyd (“we”; “our”) will provide additional rights for individuals under PDPA as further stipulated in our Site Privacy Policy which is applicable to you if you are our site visitor; or Product Privacy Policy – if you are our customer or otherwise use our services.
PDPA compliance in respect to using Rapyd Services
Rapyd usually collects the following categories of personal data:
- Contact information such (e.g., your name and email)
- Financial information (e.g., transactions)
- KYC information (such as identification or utility bills);
- Usage information (such information collected via our site)
All of these categories are personal data and therefore subject to the PDPA. With a broad definition of personal data under the PDPA, device identifiers or network data such as IP addresses will be deemed personal data as well and thus the information collected when using Rapyd will also be subject to the PDPA requirements.
What is the legal basis for collecting, using and disclosing personal data?
Unlike the GDPR, under PDPA the main legal basis is consent – it means that in order to process personal data – for example to process transactions – Rapyd need consent which can be either express or deemed (‘soft’) in the sense that the individual may be deemed to have consented for a purpose if they have voluntarily provided personal data for that purpose and it is reasonable that the data would be provided in that instance. In addition, personal data must be used in accordance with the purpose of collection.
There are some exceptions to consent such as in response to an emergency etc. but they are less relevant to our activities.
Transfers of personal data outside Singapore
Under PDPA cross-border data transfer is allowed if the third party receiving the data outside of Singapore has comparable privacy protections in place as the PDPA. This can be achieved by data transfer agreements or consent from the individual. Rapyd signs Data Processing Agreements when it transfers data to third parties.
How different is the PDPA compared to the GDPR
Overall, the 2 pieces of legislation are similar although the GDPR is more strict. Because Rapyd is subject to the GDPR and as we believe in an holistic approach towards our clients, their customers and any other data subjects whose personal data we process, we will afford additional privacy safeguards where such safeguards might not necessarily be provided under PDPA. For example, additional data subject rights such as the right for deletion may be provided also to data subjects from Singapore – depending on the use case.
Disclaimer: This document is for informational purposes only and should not be used as a legal advice, we strongly encourage that you work closely with legal and other professional advisors to determine exactly how the PDPA applies to you