Personal Data Protection Act 2012 (Singapore)
Singapore's PDPA governs how private-sector organizations collect, use, and disclose personal data, administered by the PDPC. A 2020 reform added mandatory breach notification, a DPO requirement, and higher penalties.
The Personal Data Protection Act 2012 (PDPA) is Singapore's main data protection law. Its data protection obligations took effect on July 2, 2014, and the Do Not Call provisions started earlier in 2014. The PDPA governs the collection, use, disclosure, and care of personal data by private-sector organizations. It is administered by the Personal Data Protection Commission (PDPC). A significant amendment in 2020 and 2021 added a mandatory data breach notification regime, increased financial penalties, and introduced new exceptions such as legitimate interests.
The PDPA aims to balance individuals' right to protect their personal data with organizations' need to use data for reasonable purposes. It coexists with sector-specific rules issued by regulators in areas such as banking and healthcare.
Who It Applies To
The PDPA applies to organizations that collect, use, or disclose personal data in Singapore, whether or not they are formed or resident there. It covers personal data in electronic and non-electronic form. Public agencies are generally excluded, as they are governed by separate government rules. Business contact information is treated differently and is largely exempt from the consent and notification obligations.
Key Requirements
The PDPA sets out obligations including consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, and accountability. Organizations generally must obtain consent and notify individuals of purposes before collecting data, though deemed consent and exceptions such as legitimate interests and business improvement now apply. They must protect data with reasonable security, limit retention, and restrict overseas transfers to recipients with comparable protection. Since 2021, organizations must notify the PDPC of data breaches that are likely to cause significant harm or that affect 500 or more individuals, and notify affected individuals. Organizations must appoint a Data Protection Officer. The Do Not Call registry restricts marketing messages to registered numbers.
Penalties for Non-Compliance
The PDPC can issue directions and impose financial penalties. Following the 2020 amendments, the maximum financial penalty rose to SGD 1 million, or up to 10 percent of annual turnover in Singapore for organizations with local turnover above SGD 10 million. Certain offences, such as the unauthorized disclosure or misuse of personal data by individuals, can carry fines and imprisonment.
How to Comply
Appoint a Data Protection Officer and publish a contact. Obtain and document consent or another lawful basis, and notify individuals of purposes. Provide access and correction processes. Apply reasonable security and retention limits and restrict cross-border transfers appropriately. Establish a breach assessment and notification process to meet PDPC timelines. Check the Do Not Call registry before sending marketing messages.