🇸🇬 Singapore

PDPA

Personal Data Protection Act

Singapore's primary data protection law governing the collection, use, and disclosure of personal data by private sector organisations.

Overview

Singapore's Personal Data Protection Act 2012 (PDPA) had its data protection provisions come into force on 2 July 2014, establishing a data protection regime for the private sector. The Act was substantially amended by the Personal Data Protection (Amendment) Act 2020, passed in November 2020 and brought into force in phases from 1 February 2021. The amendments strengthened individual rights, introduced mandatory data breach notification, and raised the maximum financial penalty (with effect from 1 October 2022) to 10% of an organisation's annual turnover in Singapore where that turnover exceeds S$10 million, or S$1 million otherwise. The Personal Data Protection Commission (PDPC), which administers the Act, combines rules-based obligations with an outcomes-focused accountability model.

The PDPA's data protection provisions are framed around nine core obligations: consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, and accountability. The 2020 amendments added a tenth, mandatory data breach notification. Organisations that breach these obligations face financial penalties, and since the amendments individuals who egregiously mishandle personal data (for example by knowingly or recklessly disclosing it without authorisation, or by re-identifying anonymised data without authorisation) commit a criminal offence. The PDPC also maintains a Do Not Call (DNC) Registry and imposes marketing-specific obligations.

Singapore's PDPA is notable for its business-friendly approach: the 2020 amendments introduced deemed consent by contractual necessity and deemed consent by notification, together with a legitimate interests exception, and the PDPC takes a facilitative approach to enforcement, issuing advisory guidelines and encouraging voluntary compliance. Enforcement has nonetheless become more rigorous, and the amendments signal a shift toward stronger accountability, particularly for organisations handling large volumes of sensitive data.

Scope & Applicability

The PDPA applies to all private sector organisations that collect, use, or disclose personal data in Singapore, whether or not they are formed under Singapore law or have a place of business in Singapore. Personal data is data, whether true or not, about an individual who can be identified from that data alone or from that data together with other information the organisation has or is likely to have access to. The PDPA does not apply to public agencies, to individuals acting in a personal or domestic capacity, or to employees acting in the course of their employment. Business contact information (name, position or title, business address, business telephone number, and business email address) that is not provided solely for personal purposes is excluded from the data protection obligations.

Key Principles

  1. Consent Obligation: personal data may only be collected, used, or disclosed with the individual's consent, unless an exception applies
  2. Purpose Limitation Obligation: data may be collected, used, and disclosed only for purposes that a reasonable person would consider appropriate in the circumstances and that have been made known to the individual
  3. Notification Obligation: individuals must be notified of the purposes for which their data is collected, used, or disclosed, on or before collection
  4. Access and Correction Obligation: individuals can request access to their data and request corrections, which the organisation must make unless it is satisfied on reasonable grounds that the correction should not be made
  5. Accuracy Obligation: organisations must make reasonable efforts to ensure data is accurate and complete, particularly where it will be used to make a decision affecting the individual or disclosed to another organisation
  6. Protection Obligation: reasonable security arrangements must protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks, and against loss of any storage medium or device
  7. Retention Limitation Obligation: data must not be retained longer than necessary for business or legal purposes
  8. Transfer Limitation Obligation: personal data transferred outside Singapore must receive a standard of protection comparable to the PDPA
  9. Accountability Obligation: organisations must designate a Data Protection Officer, develop and implement policies and practices to meet the Act's obligations, and make those policies and the DPO's contact details available

Data Subject Rights

Right of Access

Individuals can request access to their personal data held by an organisation, and to information about the ways in which that data has been or may have been used or disclosed within the year before the request.

Right to Correction

Individuals can request correction of errors or omissions in their personal data, and organisations must correct data that is inaccurate unless there are reasonable grounds to decline.

Right to Withdraw Consent

Individuals can withdraw consent for collection, use, or disclosure at any time, with reasonable notice. Organisations must inform individuals of the consequences of withdrawal.

Right to Data Portability

The 2020 amendments added a data portability obligation to the Act, but it takes effect only when the PDPC brings it into force by regulation. Once in force, it will allow individuals to request that an organisation transmit their data to another organisation.

Right to Opt Out of Direct Marketing

Individuals can register their Singapore telephone numbers in the Do Not Call (DNC) Registry. Organisations must check the registry before sending marketing messages (voice calls, text messages, or faxes) to a Singapore telephone number, unless the individual has given clear and unambiguous consent to receive them.

Business Obligations

Appoint a Data Protection Officer (DPO)

Every organisation must designate at least one individual (the DPO) responsible for ensuring PDPA compliance, and must make the DPO's business contact information available to the public.

Develop and Implement Data Protection Policies

Organisations must develop and implement policies and practices necessary to meet PDPA obligations and communicate these to staff.

Mandatory Data Breach Notification

A breach is notifiable if it results in, or is likely to result in, significant harm to affected individuals, or if it affects 500 or more individuals. Notifiable breaches must be reported to the PDPC within 3 calendar days of the organisation assessing that the breach is notifiable; where significant harm is likely, affected individuals must also be notified as soon as practicable.

Data Protection Impact Assessments

While not mandatory, the PDPC strongly recommends DPIAs for new or changed processing activities, particularly those involving large volumes of sensitive data.

Transfer Limitation

Personal data may only be transferred outside Singapore if the transferring organisation ensures the recipient is bound, by law, contract, binding corporate rules, or a recognised certification, to protect it to a standard comparable to the PDPA.

Retention Limitation

Personal data must cease to be retained once the purpose for collection is no longer served and retention is no longer required for legal or business purposes.

Cross-Border Transfer Rules

The PDPA prohibits transferring personal data to a country or territory outside Singapore unless the transferring organisation ensures the data receives a standard of protection comparable to the Act's. This can be achieved through legally enforceable obligations on the recipient: a binding contract (including model contractual clauses such as the ASEAN Model Contractual Clauses, which the PDPC recognises), binding corporate rules within a corporate group, certification under the APEC Cross-Border Privacy Rules (CBPR) system or Privacy Recognition for Processors (PRP) system, or the recipient's own applicable law. Transfers are also permitted where an exception applies, such as the individual's consent, necessity for the performance of a contract with the individual, data in transit through Singapore, or publicly available data. Singapore is an active participant in APEC CBPR, which provides a regional cross-border transfer framework.

Breach Notification Requirements

Notification Timeline

3 calendar days from the time the organisation assesses that the breach is notifiable, i.e. that it is likely to result in significant harm to affected individuals or affects 500 or more individuals. The PDPC's advisory guidelines expect the assessment itself to be carried out reasonably and expeditiously, and generally to be completed within 30 calendar days of the organisation becoming aware of the breach.

Notify Authority

Personal Data Protection Commission (PDPC) β€” notification via the PDPC's online portal

Notify Individuals

Affected individuals must be notified as soon as practicable, at the same time as or after notifying the PDPC, when the breach is likely to result in significant harm to them. Breaches that are notifiable only because of their scale (500 or more individuals affected) require notification to the PDPC only.

How TruePrivacy Helps

Purpose-built tools for every PDPA obligation.

DPO Appointment and Management

TruePrivacy provides a full DPO toolkit (data inventory, breach log, DSR tracker, and PDPC correspondence management), keeping the DPO in control of obligations.

3-Day Breach Notification Workflows

Automated breach assessment questionnaires record when the organisation became aware of a breach, help determine whether it is notifiable under the significant harm or 500-individual thresholds, and generate PDPC-ready notification reports within hours to help meet the 3-day deadline.

PDPA Consent Management

Capture and record consent in line with PDPC advisory guidelines, including deemed consent by notification and contractual necessity provisions.

APEC CBPR Certification Support

Documentation and gap analysis tools support organisations seeking APEC Cross-Border Privacy Rules certification for international data transfers.

Data Protection Policy Templates

Customisable policy templates aligned with PDPC's Guide to Developing a Data Protection Management Programme accelerate policy implementation.

Ready to achieve PDPA compliance?

TruePrivacy automates your compliance workflows so your team can focus on what matters.