EU - Singapore: Comparing privacy laws - GDPR v. PDPA
In this report, OneTrust DataGuidance and Rajah & Tann LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Data Protection Act 2012 (PDPA).
The report, which was last updated in July 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPA with the GDPR.
You can access the latest version of the report here.
What is the PDPA?
The PDPA contains two main sets of provisions, covering data protection and the Do Not Call Registry. It was first enacted in 2012 and revised in 2020, with amendments coming into effect on February 1, 2021. Along with the PDPA, amendments to the subsidiary legislation, including the Personal Data Protection Regulations 2021, also came into effect on February 1, 2021.
The PDPA and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:
- share similar definitions for 'data controller' and 'data processor';
- outline obligations for the appointment of a data protection officer;
- provide for restrictions and exceptions regarding cross-border data transfers;
- have similarities in terms of some data subject rights, including the right to withdraw consent and freedom of access; and
- provide supervisory authorities with investigatory powers and outline monetary penalties.
However, despite their similarities, the PDPA and the GDPR sometimes differ in their approach. For example:
- the PDPA excludes public agencies from its scope;
- the GDPR defines special categories of personal data, which the PDPA does not;
- they differ regarding obligations relating to the recordkeeping of data processing activities; and
- they differ in their approaches to pseudonymization.