EU GDPR

The European Union General Data Protection Regulation (EU GDPR) entered into force on 25 May 2018. The EU GDPR will apply to an organisation established outside of the EU, so long as the organisation offers goods or services to individuals in the EU, or monitors their behavior within the EU.

The PDPC has developed a factsheet on the EU GDPR which highlights the key requirements of the EU GDPR.

Frequently Asked Questions

1. When does an organisation based in Singapore have to comply with the EU GDPR?

The EU GDPR may apply to organisations in Singapore if they offer goods or services (whether or not payment is required) to individuals in the EU or monitor the behavior of individuals in the EU.

For example, presenting a version of your organisation's website in the vernacular language of a EU Member State, publishing the price of products or services in Euros or the currency of a EU Member State (e.g. Swedish krona or Danish krone), and offering to ship goods to the EU Member State, may amount to offering goods to individuals in the EU.

If an organisation is targeting individuals in the EU in this sense, it may be required to designate a European representative if it processes data on a large scale (i.e. not just occasional processing) or if it processes special categories of personal data as defined in Articles 9(1) and 10 of the GDPR.

2. Does compliance with Singapore's Personal Data Protection Act (PDPA) equate to compliance with the EU GDPR?

Compliance with the PDPA does not necessarily mean the organisation is in compliance with the EU GDPR as there are differing requirements under the two regimes. However, with the amendments introduced in the enhanced PDPA that came into effect on 1 February 2021, the exceptions to consent under the PDPA have been streamlined and categorised broadly in ways that are similar to the EU GDPR’s six legal bases for processing of personal data.

The PDPC has developed an infographic to illustrate the broad comparison between the PDPA’s exceptions to consent and the EU GDPR’s legal bases for processing of personal data.

3. What do organisations need to do to comply with the EU GDPR?

The European regulators have provided guidance on how to comply with the EU GDPR. Organisations may refer to the resources issued by the European regulators on the EU GDPR requirements (eg. https://ec.europa.eu/info/law/law-topic/data-protection_en), or seek professional legal advice on compliance with the EU GDPR where necessary.

PDPC's factsheet on the EU GDPR, which highlights the key requirements of the EU GDPR, may be useful for organisations' information. The factsheet is available here.

Scenarios

The following scenarios illustrate when EU GDPR is likely or unlikely to apply to the processing of personal data:

Examples where EU GDPR is likely to apply 
  1. Chinese Language School in Singapore offers an online course targeting EU nationals (e.g. French-Chinese lessons). Its website is accessible in French, Spanish, Dutch and Italian. The website also allows individuals in the EU to submit their enrolment application and make payment in Euros.
  2. Hotel in Singapore operates a website that is accessible in French, Spanish, Dutch and Italian. The website indicates room rates in different currencies, including Euros, and accepts reservations and payments for hotel room bookings by credit card in Euros.
  3. Retailer in Singapore operates a website that is accessible in French, Spanish, Dutch and Italian. Customers in the EU can place orders through the website and make payment by credit card in Euros. The retailer processes the order and ships to countries in the EU.
  4. Mobile game developer in Singapore allows users who are in the EU to download its app and create an account. It collects users' personal information and tracks their app usage and geolocation. When the app is used in the EU, there is an arrangement with a digital advertising platform to push location-specific advertisements to the users.
 Examples where EU GDPR is unlikely to apply
  1. Café in Singapore hires coffee baristas, including EU nationals, and collects their personal data as part of employee records. It does not supply any goods or services to customers who are in the EU. It only sells coffee to customers at its café locations in Singapore.
  2. Museum in Singapore offers a membership programme for all visitors to the Museum, including tourists from the EU. Under the membership programme, the Museum provides regular email updates and information on upcoming museum exhibits and programmes to all members in English.
  3. Mobile app provider allows any individual, including those who may be in the EU, to download its app available in English and create an account in order to make dining reservations for restaurants in Singapore. The app also keeps track of each user's dining history and culinary preferences, and rewards users through frequent diner points that can be redeemed for discount vouchers to be used at the restaurant in Singapore.
  4. Car booking service in Singapore allows any individual, including those who may be in the EU, to make advance reservations through its website. The website is in English and accepts credit card payments of deposits for reservations in Singapore dollars only.            

The contents herein are not intended to be an authoritative statement of the law or substitute for legal or other professional advice. The scenarios are intended to illustrate how organisations in Singapore may be impacted by the EU GDPR. It does not provide an interpretation of the EU GDPR. Please refer to the EU GDPR text and the resources issued by the European regulators on the interpretation of the EU GDPR. Where further assistance is required, organisations may wish to seek professional legal advice to ensure compliance with the EU GDPR.


Tags:

Related Resources

Resources as reference materials on the PDPA requirements and good practices to adopt

Related FAQs

Related FAQs

View all