Nature of Decentralised Finance (DeFi)

Personal Data Protection requirements: decentralised p2p exchange processing client information

You should ensure that client information is processed only for purposes that are reasonable and appropriate in the circumstances and, where applicable, have been notified to the clients of the decentralised P2P exchange.

In practice, purposes that are reasonable and appropriate are generally those that relate to the services of the decentralised P2P exchange (such as managing the client's account or sending marketing information on the exchange's products / services). These purposes should be notified to clients in sufficient detail via the exchange's Terms of Use or Privacy Policy.

However, you should not tell clients that you may use / process their information "for such purposes as you deem fit" and then treat that as a purpose which has been notified to clients. Such a purpose is too broad and would not be considered reasonable.

In addition:

  • If you outsource the processing of client information to a vendor (whether in or outside of Singapore), you must ensure that the vendor: (1) processes client information only in accordance with your instructions; (2) protects the client information disclosed to it from unauthorised disclosure and processing; (3) (particularly if the vendor is overseas) provides a standard of protection for the client information comparable to that required under the PDPA; and (4) informs you without undue delay of any data breach affecting the client information. This is usually implemented by entering into a data processing agreement or other contract with the vendor that makes these requirements part of the vendor's contractual obligations to you. Note, however, that you remain liable under the PDPA for client information processed by a vendor on your behalf, as if you were processing it yourself.
  • If you process the information of overseas clients, you may also have to comply with foreign data protection laws. Such laws may impose obligations that differ from the requirements of the PDPA, such as requiring you, amongst other things, to keep records of your processing activities and/or to appoint a DPO in the foreign territory regardless of whether you have an establishment there.