Singapore’s Personal Data Protection Act
ON THIS PAGE
- What Is Singapore’s Personal Data Protection Act?
- Who Has to Comply with Singapore’s PDPA?
- Ten Data Protection Obligations under the PDPA
- What Is Personal Data in Singapore’s PDPA?
- What Are the Consent Requirements in Singapore’s PDPA?
- Individuals’ Data Rights under Singapore’s PDPA
- Enforcement of Singapore’s PDPA
- How to Comply with Singapore’s PDPA?
- How Can CookieScript Help?
- Frequently Asked Questions
Protecting personal data online has become a standard requirement in recent years. Most countries worldwide have implemented their own personal data protection laws to regulate the collection and management of personal data.
If you operate a business in Singapore, or have a website or app that collects the personal data of Singapore residents, you must comply with Singapore’s Personal Data Protection Act (PDPA).
Read this article to learn what the PDPA is, how it works, and who it affects.
What Is Singapore’s Personal Data Protection Act?
Singapore’s Personal Data Protection Act 2012 (PDPA) is the data privacy law in Singapore that regulates the collection, use, and disclosure of personal data by organizations, including disclosure to third parties.
Read the official text of Singapore’s PDPA.
The law was enacted in 2012 and came into force in phases during 2013 and 2014. It was substantially amended by the Personal Data Protection (Amendment) Act 2020, which was also implemented in phases; the first phase of the amendments took effect on February 1, 2021.
Effective date of the 2020 amendments (first phase): February 1, 2021.
The Act originally set out nine obligations for organizations: consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, and accountability (originally called openness). The 2020 amendments added a tenth: data breach notification.
It also establishes the Do Not Call Register and regulates telemarketing in Singapore.
Who Has to Comply with Singapore’s PDPA?
The PDPA applies to all private sector organizations that collect, use, or disclose personal data in Singapore, regardless of their size.
The law also has an extraterritorial effect: an organization need not be formed under Singapore law or have an office or place of business in Singapore. If it collects, uses, or discloses personal data in Singapore, for example through a website or app used by Singapore residents, the PDPA applies.
The individuals whose data is protected may themselves be located within or outside Singapore.
There are several exemptions to the PDPA:
- Individuals acting in a personal or domestic capacity
- Employees acting in the course of their employment with an organization
- Public agencies, which are governed by separate government data rules
- Specific organizations or personal data prescribed in the Act. The Act also defines a “national interest” ground (national defence, security, public safety, essential services, or international affairs) on which some obligations, such as the consent requirement, do not apply.
Use CookieScript CMP to comply with Singapore’s PDPA and avoid penalties.
Ten Data Protection Obligations under the PDPA
The PDPA defines ten personal data protection responsibilities:
- Purpose limitation. Personal data may only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances and, where applicable, that the individual was notified of and consented to.
- Notification. During collection, inform the individuals of the purposes of collecting, using, and disclosing their personal data.
- Consent. Organizations must obtain consent before collecting, using, or disclosing personal data. Individuals can withdraw consent at any time.
- Access and correction. Individuals have the right to request access to their personal data and to have errors corrected. Upon request, provide the personal data you hold about the individual together with information about how it has been used or disclosed within the past year, and correct inaccurate data (or annotate it with the requested correction if you decline to change it).
- Accuracy. Ensure that personal data is accurate and complete during collection or when making a decision that would affect the individual.
- Protection. Keep personal data in your possession secure from unauthorized access, modification, disclosure, use, or copying, whether in hardcopy or electronic form.
- Retention limitation. Organizations can only retain personal data for as long as necessary for business or legal purposes and are required to destroy personal data when no longer needed.
- Transfer limitation. The PDPA limits the overseas transfer of personal data. If the transfer is necessary, organizations must ensure that overseas external organizations meet data protection requirements comparable to Singapore’s PDPA.
- Accountability. Organizations must develop data protection policies for their businesses, inform their staff about these policies and perform regular training. They should also designate a data protection officer who ensures that the organization follows PDPA guidelines. Organizations should also share their data protection policies and practices with their customers.
- Data breach notification. A breach is notifiable if it is likely to result in significant harm to the affected individuals, or if it is of a significant scale (500 or more individuals). Organizations must assess a suspected breach promptly (the PDPC expects the assessment to take no more than 30 days) and notify the PDPC within 3 calendar days of determining that the breach is notifiable. Affected individuals must also be notified as soon as practicable where the breach is likely to cause them significant harm. A data intermediary that processes data on another organization’s behalf must notify that organization of a breach without undue delay.
Do Not Call Registry Under the PDPA
The PDPA establishes the Do Not Call Registry (DNC Registry) to regulate telemarketing to Singapore residents. Organizations can’t send marketing communications to Singapore telephone numbers (mobile, fixed-line, residential, and business numbers) listed in the DNC Registry.
Marketing communications include voice calls, text, or fax messages sent to supply, advertise or promote goods or services, or advertisements on investment opportunities.
For more information, see the DNC Registry business rules published by the PDPC. In practice, organizations should check the numbers they intend to call or message against the registry before each campaign, unless the individual has given clear and unambiguous consent to receive such messages.
What Is Personal Data in Singapore’s PDPA?
Singapore’s PDPA defines personal data similarly to Europe’s GDPR definition of personal data. Read more about the difference between personal data, personally identifiable information, and sensitive data under the GDPR.
Singapore’s PDPA defines personal data as data, whether true or not, about an individual who can be identified from that data, or from that data together with other information to which the organization has or is likely to have access. The definition is not limited to Singapore citizens or residents.
Common examples of personal data include:
- Full name and identification numbers
- Contact details like phone number, physical address, or email address
- Photos and video recordings
- Education information
- Employment information
- Medical records
- Bank account details
- Driver's licences
- Data related to race, religion, politics, etc.
- Any combination of data like date of birth, address, and telephone number.
Organizations can anonymize personal data to reduce their compliance exposure, but data counts as anonymized only if the individual cannot reasonably be re-identified, whether from the data alone or in combination with other information available to the organization. If re-identification is possible, the data remains personal data and the PDPA continues to apply.
What Are the Consent Requirements in Singapore’s PDPA?
If an organization wants to collect, use, or disclose an individual’s personal data, it must obtain that individual’s consent unless an exception applies.
For consent to be valid, organizations must:
- Provide an individual with the required information about data collection and processing.
- Obtain consent from users before the collection, usage, or disclosure of personal data.
- Do not make consent a condition for service beyond what is reasonable.
- Do not use deception or dark patterns to obtain consent.
An individual can withdraw consent at any time after giving notice to the organization. The organization must inform the individual about the consequences of withdrawing consent.
Deemed Consent
Under the PDPA, an individual is deemed to consent to the collection, use, or disclosure of personal data by an organization if the individual voluntarily provides the personal data to the organization for that purpose, and it is reasonable that they would do so.
Note that an individual’s failure to opt out is not, by itself, consent; it only counts under the specific deemed-consent-by-notification scenario below.
The Act recognizes several deemed-consent scenarios:
- Deemed consent by contractual necessity: where an individual provides personal data in order to enter into a contract, consent is deemed for the collection, use, and disclosure reasonably necessary to conclude or perform that contract, including disclosure to other organizations involved in performing it.
- Deemed consent by notification: the organization first assesses that the intended processing is unlikely to have an adverse effect on the individual, notifies the individual of the purpose, and gives them a reasonable period to opt out. If the individual does not opt out within that period, consent is deemed. This route cannot be used for prescribed purposes such as sending direct marketing messages.
Consent exemptions
Organizations do not need consent to process personal data in the following cases:
- Vital interests: Includes emergencies or situations in the individual’s interest, requiring prompt response.
- Public matters: Covers publicly available data, national interest, artistic, archival, and news purposes.
- Legitimate interests: If an organization has legitimate interest, it can collect personal data without user consent. However, organizations must take necessary measures to minimize adverse effects.
- Business transactions: Consent is not required for data handling during business deals. If the transactions didn’t proceed, the data must be deleted.
- Business improvement: Consent is not required for improving services and understanding customer behavior under specific conditions.
- Public interest: Consent is not required for research, public interest, and specific industry-related data handling.
Companies must get cookie consent to place cookies on their website. Scan your website for free to see all your website cookies, local storage and session storage in use.
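The consent, purpose limitation and retention limitation obligations above translate into a concrete rule for a website: a non-essential cookie may only be written after the individual has been told its purpose and has affirmatively agreed to that purpose, and withdrawing consent must stop the purpose and remove what was collected under it. The Node.js script below is an added illustration of that gating logic; it is not code from this page or from CookieScript. The purpose names, cookie names and the in-memory cookie jar (a stand-in for `document.cookie` or a CMP API) are assumptions for the example.

```javascript
// Added example (not from the page): consent-gated cookie handling modelled on the
// PDPA's consent, notification, purpose limitation and retention limitation duties.
// The cookie jar is an in-memory stand-in so the script runs under Node.js offline;
// purpose and cookie names are assumed for illustration.

const PURPOSES = Object.freeze({
  ESSENTIAL: "essential", // needed to deliver the service the user asked for
  ANALYTICS: "analytics", // non-essential: needs express consent
  MARKETING: "marketing", // non-essential: needs express consent
});

class ConsentGate {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.pendingNotice = null; // purposes shown to the user, not yet agreed to
    this.record = null;        // { purposes: Set, notifiedAt, givenAt }
    this.jar = new Map();      // cookie name -> { value, purpose }
  }

  // Notification obligation: purposes are presented before consent is requested.
  notify(purposes) {
    this.pendingNotice = { purposes: [...purposes], notifiedAt: this.now() };
  }

  // Consent obligation: only purposes that were notified AND affirmatively chosen
  // are recorded. An empty selection grants nothing; silence is not consent.
  giveConsent(chosen) {
    if (!this.pendingNotice) throw new Error("consent requested before notification");
    const allowed = chosen.filter((p) => this.pendingNotice.purposes.includes(p));
    this.record = {
      purposes: new Set(allowed),
      notifiedAt: this.pendingNotice.notifiedAt,
      givenAt: this.now(),
    };
    return [...this.record.purposes];
  }

  // Essential cookies fall under deemed consent for the requested service;
  // every other purpose is gated on an explicit consent record.
  isAllowed(purpose) {
    if (purpose === PURPOSES.ESSENTIAL) return true;
    return this.record !== null && this.record.purposes.has(purpose);
  }

  // Purpose limitation: a cookie is tagged with the purpose it serves, and is
  // refused outright if that purpose is not consented to.
  setCookie(name, value, purpose) {
    if (!this.isAllowed(purpose)) return false;
    this.jar.set(name, { value, purpose });
    return true;
  }

  // Withdrawal: stop the purpose and cease retaining what was collected under it
  // (retention limitation). Returns the names of the cookies removed.
  withdraw(purpose) {
    if (this.record) this.record.purposes.delete(purpose);
    const removed = [];
    for (const [name, cookie] of this.jar) {
      if (cookie.purpose === purpose) {
        this.jar.delete(name);
        removed.push(name);
      }
    }
    return removed;
  }

  cookies() {
    return [...this.jar.keys()].sort();
  }
}

// Walk through a typical visit: essential cookie first, analytics blocked until
// consent, marketing still blocked after a partial consent, then withdrawal.
function demo() {
  const gate = new ConsentGate();
  gate.setCookie("session_id", "abc123", PURPOSES.ESSENTIAL);
  const beforeConsent = gate.setCookie("_ga", "GA1.2.1", PURPOSES.ANALYTICS);
  gate.notify([PURPOSES.ANALYTICS, PURPOSES.MARKETING]);
  gate.giveConsent([PURPOSES.ANALYTICS]); // user ticks analytics only
  const afterConsent = gate.setCookie("_ga", "GA1.2.1", PURPOSES.ANALYTICS);
  const marketing = gate.setCookie("_fbp", "fb.1.0", PURPOSES.MARKETING);
  const removed = gate.withdraw(PURPOSES.ANALYTICS);
  return { beforeConsent, afterConsent, marketing, removed, remaining: gate.cookies() };
}

console.log(JSON.stringify(demo()));
```

The important design choice is that the gate refuses a cookie rather than writing it and cleaning up later: a tag manager or script loader should call `isAllowed()` before injecting a third-party script, not after. The consent record keeps both the time the purposes were shown and the time consent was given, which is the evidence you need if the PDPC asks how consent was obtained.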
Individuals’ Data Rights under Singapore’s PDPA
Singapore PDPA grants individuals certain rights over their personal data, including:
- Right to access. Individuals have the right to request access to their personal data in an organization’s possession or under its control, together with information about how that data has been used or disclosed within the past year. The information should be provided in a readable format. Organizations may charge a reasonable fee to respond to access requests.
Organizations can refuse access under certain circumstances, for example when access would reveal personal data about another individual, when it is contrary to the national interest, or when the request is frivolous or vexatious.
- Right to correct. Individuals have the right to ask organizations to correct errors or omissions in their personal data, subject to statutory exceptions. Unlike access requests, organizations cannot charge a fee for correction requests. An organization may decline to make a correction if it is satisfied on reasonable grounds that it should not be made, but it must then annotate the data with the requested correction.
- Right to erase. The PDPA does not grant a standalone right to erasure. However, under the retention limitation obligation, organizations must stop retaining personal data, or anonymize it, as soon as it is reasonable to assume that the purpose for which it was collected is no longer served by retention and retention is no longer necessary for legal or business purposes.
- Right to withdraw consent. Individuals can withdraw consent they gave earlier to the collection, use, or disclosure of their personal data at any time by giving reasonable notice to the organization. The organization must inform them of the likely consequences of withdrawal (for example, that it can no longer provide a service), and withdrawal does not affect legal consequences that have already arisen.
- Right to data portability. The 2020 amendments introduced a data portability obligation under which individuals can ask an organization to transmit their data to another organization, following the requirements set in regulations. These provisions take effect only when commenced, so check the PDPC’s website for their current status.
- Unlike some other privacy laws, the PDPA does not define a separate right to be informed. Instead, the Notification Obligation requires organizations to notify individuals of the purposes for collecting, using, or disclosing their personal data on or before doing so, and the access right lets individuals ask how their data was used or disclosed in the past year.
Enforcement of Singapore’s PDPA
The PDPA established the Personal Data Protection Commission (PDPC) as the regulatory authority responsible for enforcing the PDPA and offering guidance.
The PDPC aims to promote and enforce personal data protection to foster an environment of trust among businesses and consumers. It advises organizations and protects against the misuse of personal data.
If advice is not effective, the PDPC can issue directions and financial penalties. The PDPC’s advisory guidelines are not themselves legally binding, but the obligations in the Act are, and penalties for non-compliance are severe.
The maximum financial penalty is the higher of SGD 1 million or, for organizations with an annual turnover in Singapore exceeding SGD 10 million, 10% of that turnover.
Organizations involved in larger-scale breaches can expect heavy financial penalties, and individuals who knowingly or recklessly mishandle personal data may face criminal liability, including imprisonment. Mitigating factors such as early detection and timely breach notification, and aggravating factors such as non-cooperation during an investigation, are considered when determining the penalty.
In January 2019, the PDPC imposed fines of S$750,000 on Integrated Health Information Systems and S$250,000 on Singapore Health Services, then the largest fines it had issued. Both organizations had failed to put sufficient safeguards in place to protect patients’ medical records, which were exfiltrated in a cyberattack in 2018.
How to Comply with Singapore’s PDPA?
If you control the personal data of Singaporean data subjects, you must comply with Singapore’s PDPA. To comply with the regulation, follow these recommendations:
- Create a Privacy Policy that meets PDPA obligations and make it available to the public.
- Obtain user consent before collecting, using, or disclosing personal data.
- Respect the purpose limitation principle: only collect, use, or disclose personal data for the purposes for which consent was given.
- Delete documents containing personal data once the data is no longer needed for the purpose it was collected.
- Allow individuals to access and correct their personal data upon request.
- Respond to requests from data subjects within the scope of their statutory rights.
- Do not send marketing communications to data subjects listed in the DNC Registry.
- Protect personal data by implementing security safeguards to prevent unauthorized access, collection, use, disclosure, or other related risks.
- Do not transfer data to a recipient outside of Singapore unless they comply with the requirements regarding transferred personal data in the PDPA.
- Notify the PDPC within 3 calendar days of determining that a breach is notifiable, and notify affected individuals as soon as practicable.
How Can CookieScript Help?
Use a professional Consent Management Platform (CMP) to comply with the PDPA and other data privacy laws.
CookieScript Consent Management Platform (CMP) provides a Cookie Banner, Cookie Scanner, Privacy Policy Generator, script manager, and user consent manager, so you can be sure your website is compliant with the PDPA and other privacy regulations.
In 2024, CookieScript CMP was ranked by users as the best CMP on a peer-review site G2.
It also received a GOLD Tier in the New Google Tiering System.
Frequently Asked Questions
Does Singapore have a data privacy law?
Yes. Singapore’s Personal Data Protection Act 2012 (PDPA) is the data privacy law in Singapore that regulates the collection, use, and disclosure of personal data by organizations. It came into force in phases during 2013 and 2014, and the first phase of its 2020 amendments took effect on February 1, 2021. Use CookieScript CMP to comply with the PDPA and avoid penalties.
How can individuals complain about a breach of Singapore’s PDPA?
Individuals don’t have a private right to action and can’t sue an organization directly. However, they can complain to the Personal Data Protection Commission (PDPC) if they believe that their personal data has been collected, used, or disclosed by breaching the law. The PDPC will investigate the complaint and take appropriate action.
What are the consequences of breaching Singapore’s PDPA?
Organizations breaching the PDPA may be fined up to SGD 1 million or, for organizations with annual turnover in Singapore above SGD 10 million, 10% of that turnover, whichever is higher. Individuals who knowingly or recklessly mishandle personal data may be fined up to SGD 5,000, imprisoned for up to two years, or both. Use CookieScript CMP to comply with the PDPA and avoid consequences for breaching the PDPA.
What is considered personal data under Singapore’s PDPA?
Personal data refers to any data that can be used to identify an individual. Common examples include full names, driver’s licenses, phone numbers, email addresses, home addresses, education or employment information, medical records, bank account details, data related to race, religion, politics, browsing history, biometric data, or any combination of this data. Use CookieScript CMP to comply with the PDPA and avoid consequences for breaching the PDPA.
What is the Do Not Call Registry under the PDPA?
The PDPA establishes the Do Not Call Registry to regulate telemarketing to Singapore residents. Organizations can’t send marketing communications to Singapore telephone numbers listed in the DNC Registry. Marketing communications include voice calls, text, or fax messages sent to supply, advertise, or promote goods or services, or advertisements on investment opportunities. Use CookieScript CMP to comply with the PDPA.