What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
Singapore’s Personal Data Protection Commission (PDPC) may impose civil and/or administrative penalties for violations of the Personal Data Protection Act 2012 (PDPA). Employers are liable for employee violations of the PDPA, whether it was done with or without the employer’s knowledge. General penalties for noncompliance can lead to a fine of up to S$10,000 (Singapore dollars) and/or imprisonment of up to 3 years. When an offence continues after conviction, additional fines of up to S$1,000 per day of noncompliance can be imposed.
If a person is found guilty of requesting access to or changing an individual’s personal data without the authority of that individual, a fine of up to S$5,000 or, imprisonment of up to one year may be imposed. Organizational offences relating to obtaining access or changing data can lead to a fine of up to S$50,000 (PDPA, Sec. 51). In addition, noncompliance can lead to the PDPC requiring employers as well as any organization in violation of the PDPA to:
- stop collecting/using/disclosing personal data that is in contravention of the law;
- destroy collected noncompliant personal data;
- provide access to or correct personal data; or, reduce/refund any fee that was charged for an access or correction request; or,
- pay a penalty up to S$1,000,000
Obstructing, hindering or providing false information to the PDPC can result in fines of up to S$10,000, and/or up to 12 months imprisonment for individuals. Organizations may be fined up to S$100,000.