The European Union General Data Protection Regulation (EU GDPR) enters into force from 25 May 2018. The EU GDPR will apply to an organisation established outside of the EU, so long as the organisation offers goods or services to individuals in the EU, or monitors their behavior within the EU.

The PDPC has developed a factsheet on the EU GDPR which highlights the key requirements of the EU GDPR.

Frequently Asked Questions

1. Will organisations in Singapore need to comply with the EU GDPR?

The EU GDPR may apply to organisations in Singapore if they offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU. Factors such as the use of a language or a currency generally used in one or more EU Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the EU, may make it apparent that the organisation envisages offering goods or services to individuals in the EU.

2. Does compliance with Singapore's Personal Data Protection Act (PDPA) equate to compliance with the EU GDPR?

Compliance with the PDPA does not necessarily mean the organisation is in compliance with the EU GDPR as there are differing requirements under the two regimes.

3. What do organisations need to do to comply with the EU GDPR?

The European regulators have provided guidance on how to comply with the EU GDPR. Organisations may refer to the resources issued by the European regulators on the EU GDPR requirements (eg. https://ec.europa.eu/info/law/law-topic/data-protection_en), or seek professional legal advice on compliance with the EU GDPR where necessary.

PDPC's factsheet on the EU GDPR, which highlights the key requirements of the EU GDPR, may be useful for organisations' information. The factsheet is available here.