As a good practice, organisations should generally seek individuals' consent for marketing via a distinct opt-in selection when signing up for a product or service.
An organisation will not be considered to be requiring consent to market its products or services as a condition of providing a product or service, if it allows the individual to withdraw such consent and doing so will not result in ceasing of the provision of the product or service to the individual.
The organisation should clearly state how the individual may withdraw consent from marketing subsequently (e.g. by providing a link or an email address for the individual to opt out).
Organisations should also note that this approach to obtaining consent for sending marketing messages does not apply to sending of marketing messages via voice, text and fax where clear and unambiguous consent is required under the DNC Provisions of the PDPA.
Organisations that wish to do so should consider the following:
Is the collection, use or disclosure of the personal data required or authorised under the PDPA or other laws for that purpose? If so, the organisation does not need to seek consent. Otherwise, the organisation should consider whether the individual has previously withdrawn or indicated that he does not consent to that new purpose.
If the individual has previously withdrawn or indicated that he does not consent to that new purpose, the organisation should not contact him to seek consent for that new purpose. However, the organisation may seek fresh consent during any new transaction with the individual. For example, a service provider may seek the consent of subscribers who previously indicated they did not consent to the use of their personal data for other purposes, at the point of renewal of their service subscription.
Where the individual has not previously withdrawn or indicated that he does not consent to that purpose, the organisation may contact the individual to seek consent for the new purpose. However, if the new purpose involves marketing, the organisation must also comply with the Do Not Call (DNC) provisions when contacting the individual via voice, text or fax messages.
Organisations may collect, use and disclose personal data without consent where this is necessary for evaluative purposes. The term “evaluative purpose” is defined in section 2(1) of the PDPA and includes, amongst other things, the purpose of determining the suitability, eligibility or qualifications of an individual for employment, promotion in employment or continuance in employment.
Hence, the evaluative purpose exception allows employers to collect, use and disclose personal data without the consent of the individual concerned for various purposes that are common in the employment context, for example:
a) Obtaining a reference from a prospective employee’s former employer where necessary to determine his suitability for employment; orb) Obtaining opinions about the employee where necessary to determine his eligibility for promotion.
In practice, an organisation that has been requested to disclose information about its past employee may not be able to evaluate whether it is necessary for evaluative purposes, and may therefore wish to obtain the consent of the individual.
Organisations are required to comply with the Data Protection Provisions, including the Consent Obligation and Transfer Limitation Obligation, under the PDPA for any disclosure and overseas transfer of personal data, unless an exception applies.
Depending on the specific facts of the case, an exception to the Consent Obligation may apply such that an organisation may disclose the personal data to an overseas authority without consent from the individual. The circumstances for disclosure without consent are provided in the Fourth Schedule of the PDPA. The Transfer Limitation Obligation may also be taken to be satisfied where certain exceptions in the Fourth Schedule applies (more details are set out in Regulation 9(3)(e) of the Personal Data Protection Regulations 2014).
However, no specific exception under the PDPA routinely covers all requests from overseas authorities.
If an organisation requires further guidance from the PDPC on this matter, please write in to us at firstname.lastname@example.org.
Organisations must notify individuals of the purposes for which their personal data (including CCTV footage of them) is collected, used or disclosed and obtain their consent, unless any exception applies. For example, notification and consent is not required if the personal data is publicly available.
The PDPA does not prescribe the content of notifications. Generally, organisations should indicate that CCTVs are operating in the premises, and the purpose of the CCTVs if such purpose may not be obvious to the individual.
Please refer to the Advisory Guidelines on the PDPA for Selected Topics, Chapter 4, on Photography, Video and Audio Recordings, and PDPC’s Guide to Notification for information and examples on good practices organisations may adopt when notifying individuals about personal data policies and practices.
© 2019 Government of Singapore.
Best supported by IE 9 and above, Firefox and Chrome.