
A Comprehensive Guide to Singapore’s Personal Data Protection Act  

Article by Tsaaro

7 min read

Introduction 

Singapore’s Personal Data Protection Act (PDPA) is the cornerstone of the country’s data protection framework, ensuring that organizations manage personal data responsibly. Enforced by the Personal Data Protection Commission (PDPC), the PDPA governs the collection, use, disclosure, and care of personal data while balancing the need for business innovation. As data privacy concerns continue to grow worldwide, compliance with the PDPA is critical for organizations operating in Singapore. 

Overview of the PDPA 

The PDPA was first enacted in 2012 and has undergone several amendments, most notably in 2020. It aims to safeguard individuals’ personal data while allowing organizations to collect, use, and disclose such data for legitimate business purposes. The PDPA applies to both private sector organizations and individuals handling personal data in a commercial capacity. However, it does not cover public agencies, which are governed by separate laws. 

The PDPA consists of two main components: 

  1. Data Protection Provisions (DPP) – These regulate how personal data should be handled throughout its lifecycle, ensuring accountability and transparency. 

  2. Do Not Call (DNC) Provisions – These govern telemarketing practices, preventing unsolicited marketing communications to individuals who have opted out. 

Definition of Personal Data Under the PDPA 

Section 2(1) of the PDPA defines personal data as “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access.” 

Key Obligations Under the PDPA 

The PDPA outlines several obligations that organizations must adhere to when handling personal data. Some of the most critical ones include: 

1. Consent Obligation (Sections 13-17) 

Organizations must obtain an individual’s consent before collecting, using, or disclosing their personal data. Consent must be voluntary and informed, meaning individuals should be aware of the purposes for which their data is collected. Organizations must allow individuals to withdraw consent at any time, and they must cease using the data once consent is revoked. The PDPA also recognizes deemed consent, such as when an individual voluntarily provides data for a reasonable purpose. However, there are exceptions where consent is not required, such as for legitimate interests or business improvement under the Data Protection Provisions. 

2. Purpose Limitation Obligation (Section 18) 

Organizations can only collect, use, or disclose personal data for purposes that have been notified to the individual. Data collected should be relevant and necessary for the stated purpose. If an organization wants to use data for a new purpose, fresh consent must be obtained unless an exception applies. This ensures that personal data is not misused beyond what the individual originally agreed to. 

3. Notification Obligation (Section 20) 

Before collecting personal data, organizations must inform individuals of the purpose of collection, use, or disclosure. This is typically done through privacy notices or consent forms. The notice should be clear and easily understandable so that individuals can make informed decisions. Failure to notify individuals adequately may result in regulatory action by the Personal Data Protection Commission (PDPC). 

4. Access and Correction Obligation (Sections 21-22) 

Individuals have the right to request access to their personal data and understand how it has been used or disclosed. They can also request corrections if the data is inaccurate or incomplete. Organizations must respond to such requests within 30 days unless there are legal exceptions (e.g., national security concerns). If a correction request is valid, organizations must amend the data and inform other parties that received the incorrect data. 

5. Accuracy Obligation (Section 23) 

Organizations must ensure that personal data is accurate and complete before using or disclosing it, especially when decisions affecting the individual rely on the data. While individuals can request corrections, organizations also have a duty to verify and update records as necessary. This helps prevent errors that could result in financial loss or reputational damage to individuals. 

6. Protection Obligation (Section 24) 

Organizations must implement reasonable security measures to protect personal data from unauthorized access, collection, use, disclosure, copying, modification, or disposal. Security measures should be proportionate to the sensitivity of the data, such as encryption for financial data or access controls for medical records. Organizations that fail to protect data adequately may face fines from the PDPC in case of data breaches. 

7. Retention Limitation Obligation (Section 25) 

Personal data should not be retained longer than necessary for legal or business purposes. Organizations must establish retention policies that specify how long data is kept and when it is securely deleted. Once data is no longer needed, organizations must dispose of it in a secure manner to prevent unauthorized access or misuse. 

8. Transfer Limitation Obligation (Section 26) 

If personal data is transferred outside Singapore, organizations must ensure that the receiving country has comparable data protection standards. This can be done through contractual clauses, binding corporate rules, or ensuring the overseas recipient is subject to similar legal protections. The goal is to prevent weaker protections when personal data is transferred to other jurisdictions. 

9. Accountability Obligation (Sections 11-12) 

The Accountability Obligation requires organizations to adopt policies, practices, and measures that demonstrate compliance with the PDPA. Organizations must appoint a Data Protection Officer (DPO) to oversee data protection strategies and ensure that data handling practices are communicated clearly to staff and, where appropriate, to data subjects. 

10. Data Breach Notification Obligation (Sections 26A-26E) 

Organizations must notify the PDPC and affected individuals if a data breach results in significant harm or affects 500 or more individuals. The notification must be made within 3 calendar days of assessing the breach. Affected individuals should receive guidance on how to protect themselves, such as changing passwords or monitoring financial transactions. 

11. Data Portability Obligation  

The Data Portability Obligation (which will take effect when the Regulations are issued) allows individuals to request the transfer of their personal data from one organization to another in a structured, commonly used, and machine-readable format. This empowers consumers with greater control over their data while promoting competition and innovation. 

Penalties under the Law 

Under Singapore’s Personal Data Protection Act (PDPA), organizations face significant fines and penalties for non-compliance. The maximum financial penalty for breaches of data protection provisions was raised in October 2022 to 10% of an organization’s annual turnover in Singapore (if exceeding SGD 10 million) or SGD 1 million, whichever is higher.  

The PDPC enforces penalties such as ordering organizations to cease non-compliant data practices, destroy improperly collected data, and provide access/correction to affected individuals.  

There are provisions for imprisonment of individuals for offenses like intentional mishandling of data. Additionally, individuals harmed by breaches can file civil lawsuits for damages. 

Conclusion  

The Personal Data Protection Act (PDPA) serves as a vital framework for safeguarding personal data while enabling businesses to operate effectively in Singapore’s digital economy. By enforcing strict obligations such as obtaining consent, ensuring data accuracy, protecting personal data, and notifying authorities of breaches, the PDPA enhances consumer trust and promotes responsible data management practices.  

Businesses operating in Singapore should view compliance not just as a legal requirement but as an opportunity to build trust with customers and stakeholders. By fostering a strong data protection culture, organizations can mitigate risks, enhance their reputation, and contribute to a more secure digital landscape. 
