South-East Asia Data Protection Services

The South-Eastern countries of Malaysia, Philippines, Singapore, Thailand, China, and Japan have enacted their own data protection legislation.


The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act. The act was enforced on 15 October 2012 and was implemented in three phases. Some of the key features of the law are:

  • Applicability: The PDPA applies to all organisations that carry out activities relating to the collection, use, and disclosure of personal data in Singapore, and are not a public agency or acting on behalf of a public agency. The PDPA applies to organisations collecting, using, and disclosing personal data in Singapore, whether or not formed or recognised under the laws of Singapore, or residents or having an office or a place of business in Singapore
  • Rights of the data subject:
    • Right to be Informed: The PDPA requires data controllers to inform data subjects about the purpose for which their personal data is collected and processed.
    • Right to Object: Individuals may, at any time, withdraw any consent given or deemed to have been given under the PDPA in respect of the collection, use, or disclosure of their personal data for any purpose by an organisation.
    • Right of Access: The PDPA provides individuals with a right of access to personal data about the individual that is in the possession or under the control of an organisation.
    • Right to Rectification: Organisations are subject to the Correction Obligation. An organisation must allow an individual to correct their personal data in its possession or under its control upon request.
  • Legal Basis: An organisation cannot collect, use, or disclose personal data about an individual unless the individual gives, or is deemed to have given, his/ her consent to the collection, use, or disclosure. The law provides that the collection, use, or disclosure can be done without the consent of the individual only if it is required or authorised under the PDPA or any other written law.
  • Obligations of the data controller: Data Controllers must comply with the nine data protection provisions of the PDPA which are as follows:
    • Consent Obligation;
    • Purpose Limitation Obligation;
    • Notification Obligation;
    • Access and Correction Obligation;
    • Accuracy Obligation;
    • Protection Obligation;
    • Retention Limitation Obligation;
    • Transfer Limitation Obligation; and
    • Accountability Obligation.
  • Penalties: The Personal Data Protection Commission (‘PDPC’) is responsible for enforcing the PDPA. Where the PDPC is satisfied that an organisation has breached the Data Protection Provisions under the PDPA, the PDPC is empowered with wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:
    • stop collecting, using, or disclosing personal data in contravention of the PDPA;
    • destroy personal data collected in contravention of the PDPA;
    • provide access to or correct personal data; or
    • pay a financial penalty of up to SGD 1 million.

China’s new data privacy law, the Personal Information Protection Law (PIPL), was passed on 20 August 2021 and went into effect on 1 November 2021. The law is designed to protect the personal data of individuals and increase data security in China. Some of the key features of the law are:

  • Applicability: Company or individual that processes the personal information of individuals in China (regardless of the individual’s nationality or residency). In both the cases, where such company or individual is set-up within the Territory of China or outside the Territory of China
    • For the purpose of providing products or services to domestic natural persons;
    • Analyzing and evaluating the behaviors of domestic natural persons
  • Rights of the data subject:
    • Right to know the reasons for processing and restricting or refusing such processing.
    • Right to consulting and copying personal information, from processors (Except in circumstances as mentioned in Article 18 and 35.
    • Right to correct or supplement incorrect or incomplete information
    • Right to active deletion and incase no active deletion practice, subject can request for deletion under the certain circumstances.
    • Right to be explained the process of processing information
    • Right of a close relative of a dead individual to make use of any rights as aforementioned.
  • Legal Basis: PIPL mentions 3 major legal bases under which the personal information can be processed, which are: (i) Necessity for contracts or human resources (HR) management (ii) Personal information already disclosed; and (iii) Forms and criteria of consent. There are a few other legal bases for processing as given uner the PIPL, which are (i) For fulfilment of statutory duties or obligations (ii) Necessary for coping with public health emergencies or for the protection of an individual’s life, health or property, and (iii) Acts of news reporting and supervision by public opinions, which are carried out for public interest.
  • Obligations of the data controller: Data Controller, as under the PIPL is termed as “Personal Information Processor” (PIP). PIP must ensure formulating internal management systems and operation procedures, implementing classified management of personal information, adopting corresponding technical security measures, such as encryption and de-identification, reasonably determining the operational authorizations for personal information and providing regular security education and training for operational staff, formulating and implementing response plans for security incidents relating to personal information, conducting regular compliance audits and adopting other security measures as stipulated by laws and regulations. Additionally, When a specific number of processing personal information as specified by National Cyber security and Information Dept. is reached, company should appoint a Person In Charge for supervising all processing activities. PIP should conduct regular audits and conduct Impact assessment and record the findings. When leakage, tampering, or loss occurs, PIP should inform authorities and PIC, through a notice.
  • Penalties: For a severe violation of the law or in the absence of required data security measures, Chinese personal information protection authorities may impose a fine from the following, whichever is higher: (i) RMB 50 million; and (ii) 5% of the offending entity’s annual turnover in the preceding year. The person in charge or other directly liable individuals also may be held liable and subject to a fine up to 1 million RMB.

The Amended Act on Protection of Personal Information (APPI) , which was passed by the Japanese legislature in June 2020 has come into effect on April 1, 2022. Some of the key features of the law are:

  • Applicability: The APPI applies to businesses that operates using the personal data of an individual in Japan. It also applies to all the companies that operate in Japan as well as the companies that operate outside Japan, if the said company is handling the data of the Japanese people.
  • Rights of the data subject:
    • Disclosure of the use of personal information: The data subjects may ask a business to disclose the purpose of the use of the data subject’s personal data, such as access, correction or suspension.
    • Request for deletion or suspension of use under limited conditions: The data subjects may request an operator to delete or suspend the use of their personal data under certain circumstances.
    • Request for disclosure of retained personal data: A data subject may demand a personal information handling business operator to disclose retained personal data that can identify him through electromagnetic record or other methods prescribed by the Personal Information Protection Commission.
    • Right to correction: Upon receiving a data subject’s demand, an operator shall conduct a necessary investigation without delay to the extent necessary to achieve a utilization purpose and make a correction etc. of the contents of the retained personal data.
  • Legal Basis:
    • A personal information handling operator shall specify the purpose of utilizing the personal information and should refrain from altering the utilization purpose beyond the reasonable scope.
    • A business shall not handle personal data without obtaining the data subject’s prior consent.
    • A business shall not utilize personal information using a method that is unlawful or unfair.
    • A business should explicitly state the purpose of use in a reasonable and appropriate manner.
    • A business shall keep the personal data accurate and up to data within the scope required to fulfill the purpose of utilization.
  • Obligations of the data controller:
    • A business must mandatorily report any data breach to the Personal Information Controller if the breach consists of (a) Sensitive information; (b) Data resulting in significant economic loss; (c) Information breach of more than 1,000 data subjects; or (d) an “unjust means”.
    • A business shall take necessary and appropriate action for the security control of personal data including preventing the leakage, loss or damage of its handled personal data.
    • A business shall exercise necessary and appropriate supervision over the employees so as to seek security control of the personal data.
    • A business also has obligations related to the transfer of personal data to a third party within the country and/or cross-boarder transfer.
    • The business cannot transfer the data without the direct consent of the data subject to any third party except as specified under the law.
  • Penalties:
    • An entity can be sentenced with imprisonment for work for up to 6 months or fine of not more than 3,00,00 JPY for violation of orders under Article 34.
    • Business operators may be up to 3,00,000 JPY for not making a report or making a false report.
    • A business may be sentenced to a fine of not more than 1,00,000 JPY if does not make a notification or makes a false notification.
    • A fine of up to 100 million JPY which may include imprisonment of up to 1 year may be sentenced if there is a failure to comply with the APPI regulations.

On 15 November 2013, the Personal Data Protection Act 2010 (PDPA) came into force in Malaysia with the objective of protecting the personal data of individuals with respect to commercial transactions. Some of the key features of the law are as follows:

  • Applicability: The Act applies to any person who processes; and any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions. The act will be applicable to the person is established in Malaysia and the personal data is processed, or the person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia.
  • Rights of data subject: The Malaysia PDPA establishes the following rights for data subjects:
    • Right of access
    • Right to correction of data
    • Right to withdraw consent
    • Right to prevent processing likely to cause damage or distress
    • Right to prevent processing for direct marketing purposes.
  • Legal Basis: Under the Malaysia PDPA, there is a general principle that prohibits the processing of personal data without the consent of the data subject. However, the requirement for consent does not apply if the personal data is being processed for:
    • the performance of a contract to which the data subject is a party;
    • taking steps, at the data subject’s request, with a view to entering into a contract;
    • compliance with any legal obligation to which the data user is the subject, other than a contractual obligation;
    • protecting the vital interests, namely matters relating to life, death, or security, of the data subject;
    • the administration of justice; or
    • the exercise of any functions conferred on any person under any law.
  • Obligations of the data controller:
    • Data Processing Notification: The Order and the Order Amendment set out the classes of data users who have to be registered with the Commission.
    • Data Transfers: The PDPA prohibits the transfer of personal data out of Malaysia unless such transfer is to a country, which has been specified and recorded in the Official Gazette by the Minister. In relation to outsourcing, a data user is not allowed to share data with third parties unless the consent of the individual has been obtained.
    • Data Processing Records: A data user must keep and maintain a record of any application, notice, request, or any other information relating to personal data processed by him in the form and manner that may be determined by the Commissioner.
    • Data Retention: In addition to the retention principle under the PDPA, it is to be ensured that all legislation relating to the processing and storing of personal data is complied with before disposing of personal data.
    • Special Categories of Personal Data: Processing ‘sensitive personal data’ requires explicit consent unless an exemption applies.
    • Controller and Processor Contracts: Where a data processor carries out the processing of personal data on behalf of a data user, the PDPA for the purpose of protecting the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, requires the data user to ensure that the data processor provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and takes reasonable steps to ensure compliance with those measures.
  • Penalties: Penalties for non-compliance with the PDPA include monetary fines and may amount in criminal charges. For non-compliance with any of the seven data protection principles under the PDPA, fines can be issued up to MYR 300,000 (approx. €60,400) and/or to two years imprisonment. For, the unlawful collection, disclosure, and sale of personal data, can amount in a fine of up to MYR 500,000 (approx. €100,680) and/or up to three years imprisonment.

Thailand’s first-ever law on personal data protection will come into force on June 1, 2022, after being postponed since 2019. The law outlines the obligations for businesses regarding the collection and processing of personal information.

  • Applicability: The PDPA of Thailand applies to any person or organization that collects, uses, discloses, or transfers personal data in Thailand for commercial purposes, except when the personal data is collected by:
    • government agencies;
    • organizations for the public interest;
    • the House of Representatives, the Senate, and the Parliament; or
    • credit bureaus.
      The PDPA also applies to data controllers and data processors who are outside of Thailand, i.e. foreign-owned entities operating outside Thailand, if their activities consist of offering goods or services to, or monitoring the behavior of, data subjects in Thailand.
  • Rights of the data subject:
    • Right to be informed: Right to be informed of the purpose of data collection, data retention period, etc.
    • Access: Request access to their personal data
    • Erasure: Demand such data to be erased.
    • Restrict Processing: Can object to collection, usage or disclosure of the personal data.
    • Right to object/withdraw consent from inappropriate uses at any time.
    • Right to Rectify: rectification of inaccurate/ misleading information.
    • Right to Data Portability: send or transfer structured personal data from one data controller to another
  • Legal Basis: Thailand’s PDPA requires a legal basis for processing personal data which include consent, the performance of a contract, legal obligations, public interest, legitimate interest and vital interests or suppressing danger to the data subject’s life.
  • Obligations of the data controller: The Thai PDPA provides for restrictions and exceptions to the cross-border transfer of personal data to a third country or international organization. Such a transfer must be made based on legitimate grounds or in accordance with an adequate level of data protection as prescribed by the relevant authority. The PDPA has also imposed an obligation on data controllers and data processors to record their processing activities. Data controllers have a duty to provide appropriate security measures and review them when it is necessary, or when the technology has changed in order to effectively maintain the appropriate security and safety standards. The PDPA requires data controllers and data processors, including their representatives, to designate a DPO. The legislation imposes an obligation to notify the data protection authority, as well as data subjects of any personal data breaches, within 72 hours, without any exemption.
  • Penalties: Under the PDPA, the maximum penalty for non-compliance under Sections 26-28 is a fine not exceeding THB 5 million can be issued by the expert committee.

Philippines introduced the Republic Act 10173 – Data Privacy Act of 2012. It became enforceable on 8 September 2012.  Some of the key features of the law are:

  • Applicability: The Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch or agency in the Philippines.
  • Rights of the data subject: The data subject has the right to ask the data controller to erase his or her personal data from their system, but to use this right the data subject has to provide “substantial proof”. The data subject also has some private rights of action for damages for inaccurate, incomplete, outdated, false, unlawful obtained or unauthorised use of personal data. Right of data portability is also provided. However, any of these rights are not available if the data is used for scientific or statistical research and used for investigation in relation to any criminal, administrative or tax liabilities of the data subject.
  • Legal Basis: The Act states that for the collection of personal data the legal entity must declare and specify the use of the data and the data must be used only for legitimate purpose. It should be adequate, accurate, relevant and not excessive. The information must only be retained till it is required. Consent is required for all personal information, it is also required if the information is shared with affiliates or mother company and when the consent is taken it must be taken freely, the data subject should be informed and specified about the use of data.
  • Obligations of the data controller: The Personal Information Controllers (PICs) and Personal Information Processors (PIPs) are required to register their personal data processing systems with the NPC if the sensitive personal information is of at least 1,000 individual, if the personal information controller or processor employs at least 250 persons, if less than 250 persons are employed but processing is not occasional or if 250 employees are employed but the processing of the information make put the risk to the rights and freedoms of the data subject.
  • Penalties: Entities are required to inform about the data breach within 72 hours. The penalties for the violation that pertain to personal information and sensitive personal information that includes unauthorised processing, access due to negligence, improper disposal, processing for any unauthorised purpose and etc. The fines and periods of imprisonment for each of these violations vary from the range of P1,00,000 to P50,00,000 and six months to seven years of imprisonment.


Reach out to us