Legal Translation | An Overview of Singapore's Personal Data Protection Act (1)

Author: Crystal Zhuang, legal practitioner

Reviewers: Victor Wu, Vanderbilt J.D.

     岳文豪, Master's degree, Shanghai Jiao Tong University

Editor: Gary 詹远, UNSW J.D.

Executive editor: Izzy, Northwestern University LL.M.



The Personal Data Protection Act 2012 (the "PDPA") is Singapore's principal data protection statute; it governs the collection, use and disclosure of personal data by organisations. The PDPA was first enacted in 2012 and amended in 2020. The Personal Data Protection Commission (the "PDPC") is the authority established under the PDPA to oversee data protection in Singapore; it sits under the Infocomm Media Development Authority (the "IMDA").

The PDPC's main functions are to raise awareness of data protection in Singapore and to administer and enforce the PDPA. It may issue enforcement decisions under the PDPA that impose penalties on organisations that contravene the Act.

The PDPA consists of ten Parts, of which Parts 7 and 8 have been repealed. It contains two main sets of provisions: the data protection provisions (the "Data Protection Provisions"), in Parts 3 to 6A, and the provisions on the Do Not Call Registry (the "Do Not Call Provisions"), in Parts 9 and 9A. Part 9B sets out the individual liability provisions for egregious mishandling of personal data, and Parts 9C and 9D contain the provisions on enforcement of the PDPA and appeals. The remainder of the PDPA consists mainly of definitions, the establishment and administration of the PDPC, and other general matters.

The PDPC has issued a number of guidelines on the PDPA. Although these guidelines are not legally binding on any party, they set out clearly how the PDPC interprets the provisions of the PDPA. This article translates the key passages of the PDPC's Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Revised 17 May 2022) on three topics: the Data Protection Provisions, the Do Not Call Provisions, and individual liability for egregious mishandling of personal data. The next article will cover enforcement of, and appeals under, the PDPA.


I Overview of the PDPA

The PDPA governs the collection, use and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. The PDPA contains two (2) main sets of provisions, covering data protection and the Do Not Call registry, which organisations are required to comply with. 

The Data Protection Provisions and the Do Not Call Provisions are intended to operate in conjunction. Accordingly, organisations are required to comply with both sets of provisions when collecting and using Singapore telephone numbers that form part of individuals’ personal data. Organisations need not comply with the Data Protection Provisions for Singapore telephone numbers that do not form part of an individual’s personal data but would still be required to comply with the Do Not Call Provisions. 


Part 9B of the PDPA sets out offences that hold individuals accountable for egregious mishandling of personal data. The offences are for knowing or reckless unauthorised (a) disclosure of personal data; (b) use of personal data for a wrongful gain or a wrongful loss to any person; and (c) re-identification of anonymised data. 

II Overview of the Data Protection Provisions

The PDPA’s data protection obligations are set out in Parts 3 to 6A of the PDPA (the “Data Protection Provisions”). In brief, the Data Protection Provisions deal with the following matters: 

a) Having reasonable purposes, notifying purposes and obtaining consent for the collection, use or disclosure of personal data; 


b) Allowing individuals to access and correct their personal data; 


c) Taking care of personal data (which relates to ensuring accuracy), protecting personal data (including protection in the case of international transfers) and not retaining personal data if no longer needed; 


d) Notifying the Commission and affected individuals of data breaches; and 


e) Having policies and practices to comply with the PDPA. 

The PDPA provides a number of exceptions to various Data Protection Provisions to address situations where organisations may have a legitimate need, for example, to collect, use or disclose personal data without consent or to refuse to provide an individual with access to his personal data. 

Organisations are required to comply with the Data Protection Provisions in Parts 3 to 6A of the PDPA. When considering what they should do to comply with the Data Protection Provisions, organisations should note that they are responsible for personal data in their possession or under their control. In addition, when an organisation employs a data intermediary to process personal data on its behalf and for its purposes, organisations have the same obligations under the PDPA as if the personal data were processed by the organisation itself. 

Broadly speaking, the Data Protection Provisions contain ten main obligations which organisations are required to comply with if they undertake activities relating to the collection, use or disclosure of personal data. These obligations may be summarised as follows. The sections of the PDPA which set out these obligations are noted below for reference. 

a) The Consent Obligation (PDPA sections 13 to 17): An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose. 

b) The Purpose Limitation Obligation (PDPA section 18): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned. 

c) The Notification Obligation (PDPA section 20): An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data. 

d) The Access and Correction Obligations (PDPA sections 21, 22 and 22A): An organisation must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual’s personal data that is in the possession or under the control of the organisation. 

e) The Accuracy Obligation (PDPA section 23): An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned or disclosed by the organisation to another organisation. 

f) The Protection Obligation (PDPA section 24): An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent (i) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (ii) the loss of any storage medium or device on which personal data is stored. 

g) The Retention Limitation Obligation (PDPA section 25): An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data; and (ii) retention is no longer necessary for legal or business purposes. 

h) The Transfer Limitation Obligation (PDPA section 26): An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA. 

i) The Data Breach Notification Obligation (PDPA sections 26A to 26E): An organisation must assess whether a data breach is notifiable and notify the affected individuals and/or the Commission where it is assessed to be notifiable. 

j) The Accountability Obligation (PDPA sections 11 and 12): An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available. 

Some of the ten obligations mentioned above may have other related requirements which organisations must comply with. In addition, some of the ten obligations are subject to exceptions or limitations specified in the PDPA. 

III The Do Not Call Provisions

The PDPA’s Do Not Call Registry provisions are set out in Parts 9 and 9A of the PDPA (the “Do Not Call Provisions”). These deal with the establishment of Singapore’s national Do Not Call Registry (the “Do Not Call Registry”) and the obligations of organisations relating to the sending of certain marketing messages to Singapore telephone numbers. The Do Not Call Registry comprises three (3) separate registers kept and maintained by the Commission under section 39 of the PDPA (the “Do Not Call Registers”) which cover telephone calls, text messages and faxes. Users and subscribers may register their Singapore telephone number(s) on one or more Do Not Call Registers depending on their preferences in relation to receiving marketing messages through telephone calls, text messages or faxes. 

Organisations have the following obligations in relation to sending certain marketing messages to Singapore telephone numbers: 


a)  Checking the relevant Do Not Call Register(s) to confirm if the Singapore telephone number is listed on the Do Not Call Register(s); 

b)  Providing information on the individual or organisation who sent or authorised the sending of the marketing message; and 

c)  Not concealing or withholding the calling line identity of the sender of the marketing message. 

The PDPA recognises that organisations may not need to check the Do Not Call Registers in certain circumstances, in particular, when the user or subscriber of a Singapore telephone number has given clear and unambiguous consent in written or other accessible form to the sending of the marketing message to that number. In addition, certain organisations that are in an ongoing relationship with individuals would not need to check the Do Not Call Registry before sending certain messages related to the subject of the ongoing relationship. 

Further, organisations are prohibited from sending any messages to any telephone number that is generated or obtained through the use of address-harvesting software, or to use dictionary attacks[1] or similar automated means to send messages indiscriminately. 



IV Offences Affecting Personal Data and Anonymised Information

Offences under Part 9B of the PDPA hold individuals accountable for egregious mishandling of personal data in the possession of or under the control of an organisation (including a public agency). The offences are for: 

a) Knowing or reckless unauthorised disclosure of personal data; 



b) Knowing or reckless unauthorised use of personal data for a gain for the individual or another person, or to cause a harm or a loss to another person; and 



c) Knowing or reckless unauthorised re-identification of anonymised information. 







[1] A dictionary attack is an attack that attempts to defeat a password or authentication mechanism by trying to determine its decryption key or passphrase using a restricted subset of the key space. For example, a password-protected computer, network or other IT resource may be broken into by systematically entering every word in a dictionary as the password.

