In what case would a foreign company NOT be liable for breaches of Singapore's PDPA?
In what case would a foreign company NOT be liable for breaches of Singapore's PDPA?
According to Singapore's Personal Data Protection Act (PDPA), the law applies to any organization collecting, using, or disclosing personal data within Singapore, irrespective of whether the organization has a physical presence in Singapore. This includes foreign companies with no physical presence in Singapore but collecting personal data within the country. The only situation where a foreign company would not be liable under the PDPA is if it collects information from Singaporeans living abroad. Since the PDPA focuses on the collection, use, and disclosure of personal data within Singapore, it does not extend to personal data collected from Singaporeans who are outside the country.
The Act has an extraterritorial effect, meaning it applies to organizations collecting, using or disclosing personal data in Singapore whether or not the organization itself has a physical presence or is registered as a company in Singapore. The PDPA applies to organisations collecting, using, and disclosing personal data in Singapore, whether or not formed or recognised under the laws of Singapore, or resident or having an office or a place of business in Singapore. Organisation' is defined in the PDPA as 'any individual, company, association or body of persons, corporate or unincorporated, whether or not (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore.'