Will the complaints be investigated by the PDPC and enforcement actions be taken in every instance?
In general, the PDPC may commence an
investigation either upon receiving a complaint from an individual against an organisation or of its
Upon receiving a complaint or other information
that indicates that an organisation has or may have contravened the PDPA, the PDPC will
a) Whether the matter may be more appropriately resolved in the manner set out in Part II of these Guidelines, that is, by resolving the underlying dispute between the complainant and the organisation. Additionally, when a complaint relates to access and correction matters, the PDPC will generally conduct a review instead of an investigation; and
b) Otherwise, the PDPC may commence an investigation into the conduct of an organisation if the PDPC considers that an investigation is warranted, based on the information it has obtained.
Some of the circumstances under which the PDPC may refuse to conduct an
investigation includes, but are not limited to, the following situations:
The Complainant and the organisation have
mutually agreed to settle the matter;
b) The Complainant has commenced legal
proceedings against the organisation in respect of the contravention or alleged
contravention of the PDPA by the organisation; or
PDPC is of the opinion that the complaint is frivolous or vexatious or is not
made in good faith.
The PDPC has the power to issue directions to
secure an organisation’s compliance with the Data Protection Provisions as set
out in the PDPA. The directions may instruct the organisation as follows:
a) To stop collecting, using or disclosing personal data in contravention of the PDPA;
b) To destroy personal data collected in contravention of the PDPA;
c) Comply with any direction of the PDPC concerning access and correction under the PDPA; and
d) To pay a financial penalty of such amount not exceeding $1 million as the PDPC thinks fit.
© 2019 Government of Singapore.
Best supported by IE 9 and above, Firefox and Chrome.