Last review date: 31 December 2024
☒ the identity and the contact details of the controller and, where applicable, of the controller's representative
☒ the purposes of the processing for which the personal data is intended
☒ the categories of personal data concerned
☒ the source from which the personal data originates and, if applicable, whether it came from publicly accessible sources
☒ the recipients or categories of recipients of the personal data, if any
☒ the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc.
☒ the existence of the right to withdraw consent if processing is based on consent
☒ whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
☒ other
Note that certain classes of data users/controllers (e.g., private educational institutions, direct selling companies, private employment agencies and housing developers) are also subject to the General Code of Practice of Personal Data Protection (GCOP), which requires additional information to be included in a privacy notice. This includes, among other things, any sensitive personal data involved in the processing, whether personal data of children under 18 is processed, and the duration for which personal data will be retained for processing. The GCOP is already in force, and non-compliance with it is an offense under the PDPA.
Last review date: 31 December 2024
Yes.
Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:
☒ right to access the data subject's own personal data
☒ right to rectify/correct the data subject's own personal data where inaccurate or incomplete
☒ right to restrict data processing
☒ right to data portability
☒ right to withdraw consent
☒ other
Last review date: 31 December 2024
Yes.
There are accountability and governance requirements to:
☒ maintain a record of processing activities
☒ implement appropriate measures to comply with data privacy and cybersecurity
☒ demonstrate compliance with data privacy and cybersecurity
☒ identify a specific individual as the data privacy contact for data subject or data protection authority inquiries
☒ provide training to employees
☒ appoint a local representative in the jurisdiction (if the controller or processor is not located in the jurisdiction)
Note that the PDPD announced in November 2024 that two new guidelines on data protection impact assessment and privacy by design are expected to be released in the third quarter of 2025. These may introduce further accountability and governance requirements.