PERSONAL DATA PROTECTION ACT 2012 (No. 26 of 2012) ARRANGEMENT OF SECTIONS PART I PRELIMINARY Section 1. 2. 3. 4. Short title and commencement Interpretation Purpose Application of Act PART II PERSONAL DATA PROTECTION COMMISSION AND ADMINISTRATION 5. 6. 7. 8. 9. 10. Personal Data Protection Commission Functions of Commission Advisory committees Delegation Conduct of proceedings Co-operation agreements PART III GENERAL RULES WITH RESPECT TO PROTECTION OF AND ACCOUNTABILITY FOR PERSONAL DATA 11. 12. Compliance with Act Policies and practices PART IV COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA Division 1 — Consent 13. 14. Consent required Provision of consent Informal Consolidation – version in force from 1/2/2021 2 NO. 26 OF 2012 Section 15. 15A. 16. 17. Deemed consent Deemed consent by notification Withdrawal of consent Collection, use and disclosure without consent Division 2 — Purpose 18. 19. 20. Limitation of purpose and extent Personal data collected before appointed day Notification of purpose PART V ACCESS TO AND CORRECTION OF PERSONAL DATA 21. 22. 22A. Access to personal data Correction of personal data Preservation of copies of personal data PART VI CARE OF PERSONAL DATA 23. 24. 25. 26. Accuracy of personal data Protection of personal data Retention of personal data Transfer of personal data outside Singapore PART VIA NOTIFICATION OF DATA BREACHES 26A. 26B. 26C. 26D. 26E. Interpretation of this Part Notifiable data breaches Duty to conduct assessment of data breach Duty to notify occurrence of notifiable data breach Obligations of data intermediary of public agency Informal Consolidation – version in force from 1/2/2021 PERSONAL DATA PROTECTION PART VII [REPEALED] PART VIII [REPEALED] PART IX DO NOT CALL REGISTRY Division 1 — Preliminary Section 36. 37. 38. Interpretation of this Part Meaning of “specified message” Application of this Part Division 2 — Administration 39. 40. 41. 42. Register Applications Evidence Information on terminated Singapore telephone number Division 3 — Specified message to Singapore telephone number 43. 43A. 44. 45. 46. 47. 48. Duty to check register Duty of checkers Contact information Calling line identity not to be concealed Consent Withdrawal of consent Defence for employee PART IXA DICTIONARY ATTACKS AND ADDRESS-HARVESTING SOFTWARE 48A. 48B. Interpretation of this Part Prohibition on use of dictionary attacks and address-harvesting software Informal Consolidation – version in force from 1/2/2021 3 4 NO. 26 OF 2012 PART IXB OFFENCES AFFECTING PERSONAL DATA AND ANONYMISED INFORMATION Section 48C. 48D. 48E. 48F. Interpretation and application of this Part Unauthorised disclosure of personal data Improper use of personal data Unauthorised re-identification of anonymised information PART IXC ENFORCEMENT 48G. 48H. 48I. 48J. 48K. Alternative dispute resolution Power to review Directions for non-compliance Financial penalties Procedure for giving of directions and imposing of financial penalty 48L. Voluntary undertakings 48M. Enforcement of directions of or written notices by Commission in District Court 48N. Reconsideration of directions or decisions 48O. Right of private action PART IXD APPEALS 48P. 48Q. 48R. Data Protection Appeal Panel and Data Protection Appeal Committees Appeal from direction or decision of Commission Appeals to General Division of High Court, etc. PART X GENERAL 49. 50. 51. 52. 52A. 53. Advisory guidelines Powers of investigation Offences and penalties Offences by corporations Offences by unincorporated associations or partnerships Liability of employers for acts of employees Informal Consolidation – version in force from 1/2/2021 PERSONAL DATA PROTECTION Section 54. 55. 56. 57. 58. 59. 60. 61. 62. 63. 64. 65. 66. 67. 68. Jurisdiction of court Composition of offences General penalties Public servants and public officers Evidence in proceedings Preservation of secrecy Protection from personal liability Symbol of Commission Power to exempt Certificate as to national interest Amendment of Schedules Power to make regulations Rules of Court Saving and transitional provisions Dissolution First Schedule — Collection, use and disclosure of personal data without consent Second Schedule — Additional bases for collection, use and disclosure of personal data without consent Third Schedule — [Repealed] Fourth Schedule — [Repealed] Fifth Schedule — Exceptions from access requirement Sixth Schedule — Exceptions from correction re