Data Protected - Singapore
Last updated March 2024
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
The Personal Data Protection Act 2012 (“PDPA”).
In addition, certain sector-specific laws such as the Banking Act 1970 and the Securities and Futures Act 2001 include provisions relating to the protection of certain personal data (such as particulars of accounts of customers of a bank). Companies in industries such as telecommunications may also be subject to Codes of Practice which impose data protection-related obligations. This summary does not consider these sector-specific laws and codes. Further, common law duties of confidentiality may also apply under certain circumstances.
Entry into force
The provisions in the PDPA relating to the Do Not Call Registry (see below) came into force on 2 January 2014, and the main provisions in the PDPA relating to the collection, use and disclosure of personal data came into force on 2 July 2014.
Amendments to the PDPA were implemented in phases pursuant to the Personal Data Protection (Amendment) Act 2020 (“Amendment Act”). The first batch of amendments came into effect on 1 February 2021, introducing a mandatory notification requirement for data breaches and new grounds for processing data without consent. The increase in the prescribed maximum financial penalty under the PDPA came into force on 1 October 2022. There is no specified timeframe as yet for the introduction of an individual’s right to data portability.
_____________________________________________________________________
National Supervisory Authority
Details of the competent national supervisory authority
The Personal Data Protection Commission (the “Commission”)
10 Pasir Panjang Road #03-01
Mapletree Business City
Singapore
117438
The Infocomm Media Development Authority of Singapore supports the Commission in administering compliance with the PDPA.
Notification or registration scheme and timing
The PDPA does not include a general notification or registration scheme.
Exemptions to notification
Not applicable.
_____________________________________________________________________
Scope of Application
What is the territorial scope of application?
The PDPA does not contain express provisions on territorial effect. However, the PDPA is likely to apply to the collection, use and/or disclosure of personal data within Singapore, even if any remaining part(s) of the data processing takes place somewhere else in the world.
Is there a concept of a controller and a processor?
The PDPA applies to any individual, company, association or body of persons, corporate or unincorporated, whether located in or outside Singapore (“organisations”).
It also contains the concept of data intermediaries (a concept similar to that of processors). Where a data intermediary processes personal data under a contract in writing with an organisation and for the purposes of that organisation, it will be largely exempt from the PDPA and only subject to the security and retention obligations therein.
Are both manual and electronic records subject to data protection legislation?
Data is not specifically defined in the PDPA to include both manual and electronic records. However, guidelines issued by the Commission clarify that personal data can be data that exists in electronic or other format and therefore both manual and electronic records will be subject to the PDPA as long as they contain personal data.
Are there any national derogations?
The PDPA does not impose obligations on individuals acting in a personal or domestic capacity.
The PDPA’s main obligations do not apply to public agencies (which include Government ministries and departments). The public sector has other laws governing government data including the Public Sector (Governance) Act 2018 and the Government Instruction Manual on Infocomm Technology & Smart Systems Management.
Organisations may collect, use and disclose personal data without consent if one of the statutory exceptions in the PDPA applies, including where the collection, use or disclosure is necessary to the national interest or for any investigation or proceedings. The PDPA defines “national interest” to include national defence, national security, public security, the maintenance of essential services and the conduct of international affairs. However, these are not general derogations, but simply exemptions to the obligation to obtain consent for the collection, use and disclosure of personal data.
_____________________________________________________________________
Personal Data
What is personal data?
Personal data is data, whether true or not, about an individual who can be identified: (i) from that data; or (ii) from that data and other information to which the organisation has or is likely to have access.
Business contact information (unless provided solely for personal purposes) is largely exempt from the provisions of the PDPA.
Is information about legal entities personal data?
No.
What are the rules for processing personal data?
The PDPA regulates the collection, use and disclosure of personal data by organisations (as defined above). The main provisions governing the collection, use and disclosure of personal data will not apply to any individual acting in a personal or domestic capacity, or to any public agencies.
The collection, use and disclosure of personal data is permitted where: (i) the individual has consented; or (ii) those activities are required by law. Alternatively, the collection, use or disclosure of personal data can be carried out without consent if a condition in Schedules 1 and 2 to the PDPA respectively is satisfied. Such conditions are similar to the conditions for processing personal data but are much more extensive.
Schedule 1 includes a legitimate interests exception (which is similar to the GDPR equivalent) which allows the collection, use or disclosure of personal data without consent for the lawful interests of an organisation that are either specifically listed, or for any other purposes that otherwise meet the definition of “legitimate interests”.
In Schedule 2, there are different conditions depending on whether the organisation is collecting, using or disclosing the relevant personal data. The Schedules also include another condition for processing personal data without consent that was introduced in subsequent amendments to the PDPA, known as the “business improvement exception”, which enables organisations to use, without consent, personal data that they had collected in accordance with the PDPA, where the use of the personal data falls within the scope of specified business improvement purposes, including improving, enhancing or developing new goods or services and learning or understanding behaviour and preferences of individuals.
There is an overriding obligation on the organisation to collect, use and disclose personal data in a manner a reasonable person would consider appropriate in all the circumstances. The PDPA also obliges the organisation to ensure that certain personal data it holds is accurate, and to retain personal data for no longer than necessary. The organisation must also implement appropriate data protection policies and processes and make available information on the same.
Are there any formalities to obtain consent to process personal data?
Consent can be expressly given or deemed to be given. Express consent will only be valid if the individual has been provided with certain information about the purpose of collection and the consent cannot be made a condition of the provision of a product or service (beyond what would be reasonable for the provision of that product or service).
Deemed consent by conduct will arise when an individual voluntarily provides personal data for a particular purpose and it is reasonable for such provision of personal data to take place. Deemed consent may also arise from contractual necessity, where the disclosure of personal data is necessary for the conclusion or performance of a transaction, or by notification, where an individual may be deemed to have consented to the collection, use or disclosure of personal data for a purpose that he/she had been notified of, and he/she has not taken any action to opt out of the collection, use or disclosure of his/her personal data.
Consent can be obtained in a number of ways, and there is no general requirement that consents be in writing although it is recommended by the Commission that organisations should obtain consents in writing or recorded in a manner that is accessible for subsequent reference. Guidelines issued by the Commission provide that an opt-in would be considered consent for the purposes of the PDPA and that a failure to opt-out may not always be sufficient to constitute consent (e.g. the individual’s failure to opt-out may have been due to reasons other than the individual’s desire to give consent).
The Commission has also released guidelines on best practices and examples that organisations may adopt regarding how to phrase consent notifications, what layout organisations should use for their notifications, and where these notifications should be positioned on forms, websites or mobile applications.
Are there any special rules when processing personal data about children?
Guidelines published by the Commission set out additional non-binding requirements that apply when processing personal data about children. The Commission is of the view that organisations should consider if the minor understands the nature and consequences of giving consent when determining whether consent is valid. The age threshold of a minor is not mandated in the guidelines, but the Commission adopts a practical rule of thumb that a minor, who is at least 13 years old, will have sufficient understanding to give consent, while parents or legal guardians may give consent on behalf of minors under this age.
Additionally, the guidelines advise organisations to consider putting in place precautions when collecting, using or disclosing a minor’s personal data (e.g. ensuring the language is clear and understandable) and to take extra steps to verify the accuracy of personal data, especially where an inaccuracy may have severe consequences for the minor.
Are there any special rules when processing personal data about employees?
The collection, use or disclosure of personal data can be carried out without consent if a condition in Schedules 1 and 2 to the PDPA respectively is satisfied. One such condition, set out in Schedule 1, is the collection of data for the purpose of “managing or terminating an employment relationship”. As such, organisations may collect personal data about their employees without the consent of the individual where such personal data is collected for this purpose.
Despite consent not being required, organisations are still required to notify their employees of the purposes of such collection, use or disclosure.
_____________________________________________________________________
Sensitive Personal Data
What is sensitive personal data?
The PDPA does not include a separate category of sensitive personal data.
Are there additional rules for processing sensitive personal data?
While the PDPA does not contain provisions specific to sensitive personal data, guidelines published by the Commission provide that private organisations are generally not allowed to collect, use or disclose personal identification numbers (e.g. NRIC / other national identity numbers, passport numbers, work permit numbers, birth certification numbers) unless an exception applies (e.g. if required by law, or it is necessary to verify an individual’s identity to a high degree of accuracy). Such personal information can only be retained by an organisation if required by law.
Are there additional rules for processing information about criminal offences?
No.
Are there any formalities to obtain consent to process sensitive personal data?
Not applicable.
_____________________________________________________________________
Data Protection Officers
When must a data protection officer be appointed?
An organisation (as defined above) must appoint one or more individuals as the data protection officer to be responsible for that organisation’s compliance with the PDPA. The data protection officer’s function may be a dedicated responsibility or added to an existing role in the organisation, and the data protection officer may delegate certain responsibilities to other officers. The contact details of at least one such individual must be made available to the public.
What are the duties of a data protection officer?
An organisation’s data protection officer is generally responsible for ensuring its compliance with the PDPA. These responsibilities may extend to: (i) ensuring that the organisation’s policies and processes developed or implemented for handling personal data are compliant with the PDPA; (ii) fostering a data protection culture among employees and communicating personal data protection policies to stakeholders; (iii) managing personal data protection related queries (e.g. access or correction requests) and complaints from the public; (iv) alerting management to any risks that might arise with regard to personal data; and (v) being the point of contact for the Commission on any data protection matters.
The legal responsibility of complying with the PDPA remains with the organisation and does not pass to the data protection officer.
_____________________________________________________________________
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
The PDPA requires organisations to develop and implement policies and practices that are necessary for them to meet their obligations under the PDPA.
Are privacy impact assessments mandatory?
No general privacy impact assessments for an organisation’s systems and processes are mandatory under the PDPA. However, guidelines published by the Commission provide that organisations may wish to consider strengthening organisational accountability by adopting measures such as conducting data protection impact assessments in appropriate circumstances, to ensure that they are compliant with the PDPA.
However, when relying on the deemed consent by notification exception and the legitimate interests exception (as described above) to collect, use and disclose personal data without consent, organisations are required to conduct an assessment of any likely adverse effect to the individual before relying on either of these exceptions. The Commission has published detailed guidelines on how these assessments may be conducted, including assessment checklists that organisations can use.
_____________________________________________________________________
Rights of Data Subjects
Privacy notices
Organisations should provide individuals with details of the purposes for which their personal data is collected, used or disclosed. This obligation arises when seeking express consent from them or when the use or disclosure of their personal data is for a purpose other than that for which it was originally envisaged and notified to the individual.
Individuals can also request contact details for an organisation’s data protection officer.
Rights to access information
Individuals have a right of access to their personal data and to details of the way in which their personal data has been or may have been used or disclosed within one year prior to the request of access. There is a wide range of exemptions to this right, for example where there would be disclosure of personal data about another individual. There is a general duty imposed on organisations to respond to each access request as accurately and completely as necessary and reasonably possible, and as soon as reasonably possible. If an organisation is unable to provide the individual with the information requested within 30 days of receiving the request, the organisation must within that time inform the individual in writing of the time by which it will respond to his/her request. Organisations may charge an individual a minimal fee in order to recover the costs of responding to the access request, but must provide the applicant with a written estimate of the fee.
The Commission has released guidelines on how organisations should handle access requests. For example, the Commission has suggested that organisations develop standard operating procedures to conduct verification when processing access requests, and to keep a record of all access requests received and processed, documenting clearly whether the requested access was provided or rejected. The Commission has also released sample access request forms and sample acknowledgement forms that organisations can use to process access requests.
Rights to data portability
There is currently no right to data portability. However, the Amendment Act contains a set of provisions relating to data portability which are yet to come into force. These provisions will impose an obligation for a porting organisation to transmit personal data upon an individual’s request to a receiving organisation (in Singapore or in a prescribed foreign country or territory). The obligation is expected to apply to personal data in the possession or under the control of the porting organisation if such personal data belongs to a class of personal data that is prescribed in the regulations and if the requesting individual has an ongoing relationship with the porting organisation. The data portability rule is not, however, expected to apply to certain types of data including “derived personal data”, which is personal data about an individual that is derived by the organisation in the course of business from other personal data.
Right to be forgotten
There is no express right to be forgotten.
Objection to direct marketing and profiling
There is no general right to object to direct marketing. However, individuals can withdraw consent to the collection, use and disclosure of their personal data at any time and there are specific direct marketing restrictions under the Do Not Call Registry (see below).
Other rights
Individuals have a right to ask organisations to correct their personal data. Individuals also have a right, on reasonable notice to the organisation, to withdraw their consent to the collection, use or disclosure of their personal data, in which case the organisation must inform the individual of the likely consequences of such withdrawal of consent and cease collecting, using and disclosing that individual’s personal data except to the extent required or authorised under law.
_____________________________________________________________________
Security
Security requirements in order to protect personal data
Organisations must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal or similar risks. What is considered “reasonable” depends on the security needs of the organisation. PDPC decisions have noted that, if an organisation holds a high volume of personal data, or if the personal data is particularly sensitive, the organisation is considered to have higher-level security needs than organisations that do not hold such data.
Specific rules governing processing by third party agents (processors)
Organisations are responsible for any processing carried out by their data intermediaries.
Data intermediaries who process personal data under a contract in writing with an organisation and for the purposes of that organisation will be largely exempt from the PDPA and only subject to the security, retention and data breach notification obligations therein. The Commission has released a guide containing sample data protection clauses which organisations engaging services relating to the processing of personal data (e.g. hosting or storage of data) may include in their service agreements.
The PDPC has noted in a decision that organisations should avoid disclosing more personal data than is needed for the purpose of subcontracted data processing. In addition, the organisation should maintain reasonable oversight over the subcontractor’s performance of such services.
Notice of breach laws
The Amendment Act introduced a notification obligation which requires organisations to first conduct an assessment to determine if a data breach is notifiable and notify the Commission and individuals if the breach is determined to be notifiable. A data breach is defined as (a) the unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data; or (b) the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
A data breach is notifiable to the Commission if it: (a) is likely to result in significant harm to an affected individual; or (b) is of a significant scale (i.e. a minimum of 500 affected individuals). A data breach is notifiable to affected individuals where the organisation has determined that the data breach is likely to result in significant harm to the affected individual.
A data breach is deemed to result in “significant harm” to an individual if the data breach relates to: (a) an individual’s full name or full national identification number, together with any other personal data of that individual such as his or her financial information or life/health insurance information; or (b) the account information of an individual in combination with any security or access code, password, or biometric data to access or use the account.
Organisations which have credible grounds to believe that a data breach has occurred must take reasonable and expeditious steps to assess whether such data breach is notifiable under the PDPA, and document the steps taken in assessing such breach.
The organisation is required to notify the Commission as soon as practicable and no later than three calendar days after the organisation makes the assessment that the data breach is notifiable. If the organisation is also required to notify affected individuals, it must do so as soon as practicable at the same time or after notifying the Commission.
In addition, the Cybersecurity Act 2018 (“Cybersecurity Act”), together with the Cybersecurity (Critical Information Infrastructure) Regulations 2018, imposes cyber incident notification requirements on operators of computer systems designated as critical information infrastructure (“CII”) owners by the Commissioner of Cybersecurity (“Cybersecurity Commissioner”) and located wholly or partly in Singapore. The Cybersecurity Act requires CII owners to notify the Cybersecurity Commissioner of cybersecurity incidents that affect CII or computer systems that interface with CII.
Sector specific regulations and guidelines may also apply, such as the Technology Risk Management Guidelines issued by the Monetary Authority of Singapore.
_____________________________________________________________________
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
An organisation may only transfer personal data outside Singapore if it has taken appropriate steps to ensure that: (i) it will comply with the PDPA obligations in respect of the transferred personal data while it remains in its possession or under its control; and (ii) the recipient outside of Singapore is bound by legally enforceable obligations to provide a standard of protection to the personal data transferred that is comparable to that under the PDPA.
In this regard, “legally enforceable obligations” would include obligations imposed on the recipient: (i) under law (e.g. the recipient’s relevant national data privacy legislation); (ii) under any contract: (a) requiring the recipient to provide a standard of protection to the personal data transferred that is at least comparable to the protection under the PDPA; and (b) specifying the countries and territories to which the personal data may be transferred under the contract; (iii) under binding corporate rules (see below); or (iv) any other legally binding instrument.
An organisation will, however, be taken to have satisfied the second requirement of ensuring that the recipient outside of Singapore is bound by legally enforceable obligations if the individual whose personal data is being transferred consents to the transfer of the personal data to the recipient in that country or territory, subject to such consent satisfying certain prescribed conditions.
Notification and approval of national regulator (including notification of use of Model Contracts)
The Commission has the power to exempt an organisation from any prescribed requirements.
Use of binding corporate rules
For intra-corporate transfers of data overseas, binding corporate rules would be an acceptable form of legally enforceable obligations to be imposed on the receiving organisation. These binding corporate rules must require every recipient to provide a standard of protection to the personal data transferred that is at least comparable to the protection under the PDPA. These binding corporate rules must also specify: (i) the recipients of the transferred personal data to which the binding corporate rules apply; (ii) the countries and territories to which the personal data may be transferred under the binding corporate rules; and (iii) the rights and obligations provided by the binding corporate rules.
_____________________________________________________________________
Enforcement
Fines
The Commission has a range of powers under the PDPA including directing an organisation to pay a financial penalty of up to the higher of: (i) 10% of its annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds S$10 million); and (ii) in any other case, S$1 million.
The maximum financial penalty for a breach of the prohibition against the use of dictionary attacks and address-harvesting software is: (i) S$200,000 for individuals; (ii) 5% of a person’s annual turnover in Singapore (if the person’s annual turnover in Singapore exceeds S$20 million); and (iii) in any other case, S$1 million.
Imprisonment
The PDPA contains various criminal offences including: (i) unauthorised access to, or alteration of, personal data; (ii) alteration, falsification, concealment or destruction of personal data with the intent of evading an access or correction request; (iii) obstructing or impeding the Commission; (iv) knowingly or recklessly making false statements to the Commission; (v) unauthorised disclosure of personal data; (vi) knowingly or recklessly making improper use of personal data; and (vii) knowingly or recklessly re-identifying anonymised information when unauthorised. The penalty for an offence includes imprisonment for up to three years.
Compensation
A person who suffers loss as a result of breach of the rules on collection, use and disclosure, as well as access to, correction and care of personal data, shall have a right of action in civil proceedings in court. The court may award damages, injunctions or other remedies as it sees fit.
Other powers
The Commission has a range of powers under the PDPA including directing an organisation to: (i) stop collecting, using or disclosing personal data; (ii) destroy personal data; (iii) comply with any directions from the Commission; or (iv) provide voluntary undertakings.
Practice
Fines: As of January 2024, the Commission issued the largest ever fines of S$750,000 and S$250,000 on Integrated Health Information Systems and Singapore Health Services respectively for failure to make reasonable security arrangements to protect personal data of individuals. This failure resulted in the personal data (including medical records) of millions of individuals being compromised following a cyberattack. Another notable decision is the S$74,000 fine to Commeasure, the operator of hotel booking platform RedDoorz, which failed to put in place reasonable security arrangements to prevent the unauthorised access and exfiltration of 5,892,843 customer records hosted in a cloud database. The Commeasure data breach involved the largest number of individuals since the PDPA came into effect.
Other enforcement action: The Commission has published numerous enforcement actions against organisations for breach of their data protection obligations under the PDPA. These cases involved various contraventions of the PDPA, a majority of which related to unauthorised access or disclosure of personal data. The penalties that the Commission issued against these organisations varied and included administrative fines, directions and warnings. The severity of the Commission’s directions depended on several factors, including the scale of the breach, remedial actions taken and the relevant organisation’s cooperation with the Commission in its investigations. Financial penalties were generally imposed on organisations involved in larger scale breaches or on those that were uncooperative with the Commission.
The calibrated approach to these enforcement actions taken by the Commission reflects its overarching policy that organisations should feel free to continue processing personal data, while taking appropriate actions to keep it secure.
In addition to the above, the Commission has issued sanctions including fines and warnings against organisations for failing to comply with the provisions in relation to the Do Not Call Registry.
_____________________________________________________________________
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
The PDPA contains provisions relevant to telephone (calls, SMS and MMS) and fax marketing. Pursuant to the PDPA, the Commission set up a national Do Not Call Registry, which comprises three registers: (i) a No Voice Call Register; (ii) a No Text Message Register; and (iii) a No Fax Message Register (together, the “Do Not Call Registry”). Individuals may register their numbers in any or all of the relevant registers to prevent calls from telemarketers. The rules apply to “specified messages”, which are messages from organisations to consumers the purpose of which is to offer or advertise goods, services, land or investment opportunities. There are a number of exemptions to the term “specified messages” set out in the schedule to the PDPA, including messages sent to a business for a purpose of that business. The PDPA also has a new prohibition against the sending of unsolicited messages to telephone numbers obtained through the use of dictionary attacks and address-harvesting software.
The rules relevant to direct marketing by email, text and multi-media marketing are generally set out in the Spam Control Act 2007 (the “SCA”).
_____________________________________________________________________
Cookies
Conditions for use of cookies
Consent is not needed for cookies that do not collect personal data, and may not be needed where the use of cookies to collect data pertains to internet activities which the individual has clearly requested. Where an individual has configured his or her browser to accept certain cookies but reject others, consent may be deemed to have been given. Where cookies for behavioural targeting actually collect personal data, the individual’s consent is required.
Regulatory guidance on the use of cookies
The publication titled “Advisory Guidelines on Selected Topics” made available by the Commission clarifies that the PDPA applies to the collection, use, or disclosure of personal data using cookies.
_____________________________________________________________________
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
It is possible to send commercial e-mails “in bulk”, each addressed to individual or corporate subscribers, if they consent.
Conditions for direct marketing by e-mail to corporate subscribers
It is possible to send commercial e-mails “in bulk”, each addressed to individual or corporate subscribers, if they consent.
Exemptions and other issues
It is also possible to send such bulk e-mail without consent if: (i) the e-mail complies with particular requirements set out in the SCA, including a labelling requirement and a requirement to provide an unsubscribe facility; (ii) the subscriber does not “unsubscribe”; and (iii) the relevant e-mail address was not obtained through dictionary attack or address harvesting.
Sending direct marketing messages under any circumstances requires the express consent of the individual. This means that sending direct marketing messages is not a legitimate interest and does not qualify for the legitimate interests exception. Moreover, sending direct marketing messages does not qualify for the business improvement or the deemed consent by notification exceptions for processing personal data without consent.
_____________________________________________________________________
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
A person may only send a “specified message” to a Singapore telephone number that is listed on the Do Not Call Registry if the relevant subscriber or user has given clear and unambiguous consent. Guidelines issued by the Commission specify that a failure to opt-out will not be sufficient to constitute clear and unambiguous consent.
Marketing by text message is subject to these rules and is also subject to the rules on marketing by e-mail (see above).
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
No person shall send a “specified message” to a Singapore telephone number that is listed on the Do Not Call Registry unless the relevant subscriber or user has given clear and unambiguous consent. If the Singapore telephone number is considered business contact information and the information is not provided by the individual solely for his personal purposes, organisations may contact the individual for business marketing purposes (but not consumer marketing purposes) notwithstanding that the number is listed on the Do Not Call Registry, without seeking consent.
Marketing by text message is subject to these rules and is also subject to the rules on marketing by e-mail (see above).
Exemptions and other issues
Any consent must be clear and unambiguous and in writing or other form so as to be accessible for subsequent reference. Consent cannot be made a condition to the supply of goods, services, land, interests, or opportunities beyond what is reasonable for purposes of the same.
Where the individual has an ongoing commercial relationship with the organisation, the organisation may send “specified messages” to the individual relating to the ongoing relationship via fax message or text message (but not voice calls) regardless of whether the individual’s fax or telephone number is listed in the relevant Do Not Call Registry, unless and until the individual withdraws consent or informs the organisation that he/she no longer wishes to receive such communications. Other exemptions from checking the Do Not Call Registry include sending service calls or reminder messages regarding services bought by the individual, and sending messages that are part of a market survey or research, that relate to charitable or religious causes, or that target businesses (i.e. B2B) and not individuals.
Any person sending a specified message, whether under the general rules or any applicable exemption, must ensure that the message: (i) identifies the person who sent or authorised the sending of that message; (ii) includes contact details; and (iii) contains such other information as may be set out by regulation from time to time. Where the specified message is a voice call, the person making the call must not conceal or withhold their calling line identity.
Marketing by text message is subject to these rules and is also subject to the rules on marketing by e-mail (see above).
_____________________________________________________________________