Global Data and Cyber Handbook

Singapore

Select a Topic
Start Comparison
Legal Bases for Processing of Personal Data
Jump to
Legal Bases for Processing of Personal Data Start Comparison
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 15 January 2025

Yes.

The following are potential legal bases for processing personal data:

☒  appropriate notice has been provided to or made available to the data subject

☒  the data subject has provided consent to the processing for the identified purposes

☒  the personal data is necessary to perform a contract with the data subject

☒  the personal data is necessary to comply with a legal obligation

☒  the personal data is necessary to protect the vital interests of a natural person

☒  the personal data is necessary for a public interest

☒  the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)

☒  other

A full list of circumstances under which personal data (regardless of sensitivity) can be collected and processed without consent can be found in the First and Second Schedules of the PDPA.

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 15 January 2025

No

A full list of circumstances under which personal data (regardless of sensitivity) can be collected and processed without consent can be found in the First and Second Schedules of the PDPA.

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 15 January 2025

Yes.

A minor within the meaning of data privacy laws is a person below the age of 21.

While the age of majority to enter into contracts in Singapore is 18, the age of majority in Singapore is actually 21.

However, the PDPC has adopted a "practical rule of thumb" that a minor (i.e., someone under 21 years of age) who is at least 13 years of age would typically have sufficient understanding to be able to provide consent to the collection, use and/or disclosure of their personal data, unless the relevant organization has reason to believe that the minor does not have sufficient understanding to consent on their own behalf. In such a case, consent should be obtained from the minor's parent or legal guardian.

On 28 March 2024, the PDPC issued its finalized advisory guidelines on the PDPA for children's personal data in the digital environment, covering issues such as obtaining children's consent, using children's personal data and providing higher standards of protection to children's personal data.

See: advisory-guidelines-on-the-pdpa-for-children's-personal-data-in-the-digital-environment_mar24.pdf.

In what circumstances do these special requirements apply?

Last review date: 15 January 2025

Generally

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 15 January 2025

If the relevant organization has reason to believe that the minor does not have sufficient understanding to consent on their own behalf, the consent of the minor's legal guardian or parent should be obtained.

{{ $store.state.loadingScreen.message }} ...