Back

Amendments in the Personal Data Protection Act

Amendments in the Personal Data Protection Act (“PDPA”) were promulgated in SG, issue No. 17 dated February 26, 2019, in regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“the Regulation”). 

The amended PDPA regulates the public relations regarding to the protection of the rights of natural persons with regard to the processing of their personal data, as far as they are not covered by the Regulation. 

With the amended PDPA the obligation of the Personal Data Controller and Processor to inform the Commission on Personal Data Protection about the names, personal identification number or personal number of foreigner or other similar identifier, about the contact details of the Personal Data Protection Officer, as well as about any subsequent changes was introduced. The form and content of the notification and the terms for its submission shall be determined by the Regulation for implementation of the PDPA. 

Pursuant the armaments, the personal data processing of person under age of 14 on the gourds of its consent under Art. 4, Item 11 of the Regulation, shall be made only if the consent of the parent exercising the parent rights or the guardian of the person has been provided. 

Pursuant to the amended PDPA, the Personal Data Controller or Processor may copy an identity document, a driving license or a stay permit document only in cases provided by the law.    

In addition to the Regulation, pursuant to the amended PDPA, the Personal Data Controller or Processor shall adopt and shall apply rules in case of processing, on a large scale or in case of systematic monitoring of the data subjects on a large scale, by which appropriate technical and organization measures for protection of the rights and freedoms of the data subjects shall be introduced. The rules for systematic monitoring of the data subjects on a large scale on public accessible zones shall consist the legal grounds and purposes for adoption of monitoring systems, the territorial scope of the monitoring and the means for monitoring, the term for storage of the files with information and their erasure, the right of access of the monitored persons, information to the public for the monitoring, as well as any restrictions upon providing access to the information to third parties. 

With the adopted amendments in the PDPA the obligation of the employers, in their capacity as of Personal Data Administrators to adopt rules and procedures was introduced, in case of:  

  • using systems for reporting of violations;
  • restrictions upon using in-house company’s resources;
  • introducing systems for access control, work time and labour discipline.

The PDPA introduces the obligation of the employers, in their capacity of Personal Data Controllers to determine a term for storage of the personal data of applicants for work, which may not be shorter than 6 months, unless the applicant has given his/hers consent for longer storing. After the expiry of the term the respective employer shall erase or destruct the stored documents with personal data, unless otherwise provided by a specific law. 

The PDPA shall enter into force within 3 days as of its promulgation in SG.