Singapore Personal Data Protection Act

Singapore PDPA compliance guide

Q: What is deemed consent under PDPA?

The 2020 amendments introduced deemed consent provisions where consent can be deemed in specific scenarios without explicit opt-in, such as contractual necessity or legitimate interests. Organizations must still provide individuals with reasonable notice and opportunity to opt out.

11 data protection obligations, mandatory breach notification within 3 days, and penalties up to 10% of annual turnover or S$1 million.

Start PDPA assessment Book compliance consultation

What is Singapore PDPA?

The Personal Data Protection Act 2012 (PDPA) is Singapore's comprehensive data protection law that governs the collection, use and disclosure of personal data by private sector organizations. The Act establishes a baseline standard of data protection across sectors.

Why this matters now: The 2020 amendments (effective February 1, 2021) significantly strengthened enforcement powers with mandatory breach notification within 3 days, financial penalties up to 10% of annual turnover, and stricter accountability requirements. The Personal Data Protection Commission (PDPC) actively enforces PDPA with public enforcement decisions.

11 obligations

Comprehensive protection framework

3-day notification

Mandatory breach reporting to PDPC

Enforced by the Personal Data Protection Commission (PDPC) under IMDA. Complements GDPR for global data protection strategy.

Who needs PDPA compliance?

All private sector organizations

Any organization collecting, using or disclosing personal data in Singapore

Data intermediaries

Organizations processing personal data on behalf of others

Digital platforms & e-commerce

Online services collecting customer personal data

Financial services

Banks, insurers, payment processors handling sensitive financial data

Healthcare providers

Clinics, hospitals and health tech platforms

AI system deployers

Organizations using AI for automated decisions affecting individuals

How VerifyWise supports PDPA compliance

VerifyWise provides a Singapore compliance preset operating in checklist mode, structured around transparency, traceability, outcome monitoring, and regular audit obligations

Singapore requirement

VerifyWise coverage

Transparency measures

Checklist item for documenting AI use disclosure and transparency practices

Traceability records

Structured checklist tracking with audit date and system description metadata

Outcome monitoring

Checklist item with optional quantitative adverse impact analysis

Regular audit schedule

Dedicated checklist item for documenting audit frequency and methodology

Additional compliance capabilities

Personal data inventory and mapping

Maintain a complete register of personal data processing activities across your organization. The platform captures what data you collect, why you process it, who has access and where it's stored to satisfy PDPC's accountability requirements.

Addresses: Accountability, Openness, Purpose Limitation

Consent management and tracking

Document consent collection methods, track consent withdrawal requests and manage deemed consent scenarios introduced in the 2020 amendments. The platform maintains audit-ready consent records with timestamps and evidence.

Addresses: Consent Obligation, Notification, Accountability

Data protection impact assessments

Conduct structured privacy impact assessments for new data processing activities. The platform guides you through risk identification, safeguard selection and documentation that demonstrates reasonable security arrangements.

Addresses: Protection Obligation, Accountability

Data breach notification workflows

Manage the mandatory 3-day notification timeline with structured incident workflows. The platform tracks breach assessment, PDPC notification submission and affected individual communications required under 2020 amendments.

Addresses: Data Breach Notification Obligation

Data subject rights portal

Handle access and correction requests with workflows that enforce PDPC's response timelines. The platform tracks requests, manages reasonable fee calculations and maintains records of responses for audit purposes.

Addresses: Access & Correction Obligation, Accountability

Cross-border transfer assessments

Evaluate cross-border data transfers with structured risk assessments and contractual safeguard tracking. The platform documents transfer mechanisms and ensures compliance with PDPA's Transfer Limitation Obligation.

Addresses: Transfer Limitation Obligation, Accountability

All activities are tracked with timestamps, assigned data protection officers and approval workflows. This audit trail demonstrates systematic PDPA compliance to PDPC investigators.

Complete PDPA obligations coverage

VerifyWise provides dedicated tooling for all 11 data protection obligations

PDPA obligations

Compliance controls with dedicated tooling

100%

Coverage across all obligations

Consent8/8

Consent collection, withdrawal, deemed consent

Purpose Limitation5/5

Use limitation to identified purposes

Notification6/6

Privacy notices and transparency

Access & Correction7/7

Data subject rights management

Accuracy4/4

Data quality and accuracy

Protection9/9

Security safeguards

Retention Limitation5/5

Retention schedules and deletion

Transfer Limitation6/6

Cross-border transfers

Openness4/4

DPO and policies availability

Data Breach8/8

Breach notification within 3 days

Accountability7/7

DPO, policies, compliance framework

Built for Singapore PDPA from the ground up

3-day breach notification

Automated workflows for mandatory PDPC reporting timeline

AI Governance Framework

Model AI Governance Framework and AI Verify alignment

DNC Registry integration

Do Not Call compliance tracking and evidence

Multi-framework mapping

Crosswalk to GDPR and ISO 27701 requirements

11 data protection obligations

PDPA establishes comprehensive obligations for personal data management

Consent Obligation

Obtain valid consent before collecting, using or disclosing personal data, with clear exceptions.

Consent must be voluntary, informed and specific to purpose
Consent withdrawal mechanism required
Deemed consent provisions (2020 amendment)
Legitimate interest exceptions where applicable
Documentation of consent collection method

Purpose Limitation

Collect, use and disclose personal data only for purposes that would be considered appropriate in the circumstances.

Identify and document purpose before collection
Purpose must be reasonable person would consider appropriate
No use or disclosure beyond original purpose without new consent
Purpose specification in privacy notices
Purpose limitation in data processing agreements

Notification Obligation

Inform individuals of purposes for data collection, use and disclosure.

Privacy notice before or at time of collection
Notification of purposes in clear language
Business contact information provided
Notification of whether collection is mandatory
Updates to privacy notices when purposes change

Access & Correction

Provide individuals access to their personal data and allow correction of inaccurate data.

Respond to access requests within 30 days
Provide data in comprehensible form
Allow correction of inaccurate or incomplete data
Reasonable fees may apply for access requests
Limited exceptions for withholding access

Accuracy Obligation

Ensure personal data is accurate and complete if it will be used to make decisions or disclosed to others.

Accuracy verification processes
Correction procedures when inaccuracies identified
Periodic data quality reviews
Source verification for critical data
Update procedures for outdated data

Protection Obligation

Protect personal data with reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal.

Risk-based security measures appropriate to harm
Technical and organizational safeguards
Access controls and authentication
Encryption for sensitive data in transit and at rest
Security testing and vulnerability management

Retention Limitation

Cease retention of personal data when purposes are no longer being served and retention is not required by law.

Retention schedules for different data categories
Documented business or legal retention requirements
Secure deletion or anonymization procedures
Periodic review of retained data
Disposal logs for accountability

Transfer Limitation

Transfer personal data outside Singapore only if the receiving jurisdiction provides comparable protection or appropriate contractual safeguards are in place.

Assessment of receiving jurisdiction's data protection law
Contractual safeguards (BCRs, Standard Contractual Clauses)
Transfer impact assessments for high-risk transfers
Individual consent for transfers without safeguards
Documentation of transfer mechanisms

Openness Obligation

Develop and implement policies and practices for personal data management and make information available about these policies.

Documented data protection policies and procedures
Designated Data Protection Officer (DPO) contact
Publicly available privacy policy
Employee training on data protection
Regular policy review and updates

Data Breach Notification

Notify PDPC within 3 calendar days of assessing a notifiable data breach. Notify affected individuals where breach likely to result in significant harm or impact.

Breach detection and assessment procedures
PDPC notification within 3 calendar days (2020 amendment)
Individual notification where significant harm likely
Breach register and incident documentation
Post-incident review and remediation tracking

Accountability Obligation

Comply with PDPA obligations and be able to demonstrate compliance to PDPC.

Data protection management program
Designated Data Protection Officer (DPO)
Compliance monitoring and audit processes
Staff training and awareness programs
Evidence of compliance (policies, logs, assessments, records)

Singapore's AI governance framework

Voluntary but influential frameworks for responsible AI deployment

Governance Framework

Model AI Governance Framework

Singapore's voluntary framework for deploying AI responsibly

Key components

Internal governance structures and measures
Human involvement in AI-augmented decision-making
Operations management for AI systems
Stakeholder interaction and communication

Applicability: Voluntary but increasingly expected by regulators and customers

View framework

Technical Testing

AI Verify Testing Framework

Technical testing toolkit for AI system validation

Key components

Transparency testing for explainability
Fairness and bias detection
Robustness and security validation
Safety and performance testing

Applicability: Technical validation tool for Model AI Governance Framework

View framework

Pro tip: While Singapore's Model AI Governance Framework is voluntary, implementing it demonstrates responsible AI practices to regulators, customers and stakeholders. Combine with PDPA compliance for comprehensive AI data protection.

Explore AI governance policies

Do Not Call Registry

Singapore's opt-out registry for marketing communications

What you need to know

The Do Not Call (DNC) Registry allows individuals to opt out of receiving marketing telephone calls, SMS, fax and MMS. Before sending marketing messages via these channels, organizations must check the DNC Registry (valid for 30 days) and maintain evidence of the check.

What it is

Singapore's Do Not Call Registry allows individuals to opt out of marketing messages

Channels covered

Telephone calls, SMS, fax, MMS (excluding emails and physical mail)

Before contacting

Check DNC Registry and maintain evidence of check (30-day validity)

Exemptions

Ongoing customer relationships, limited deemed consent scenarios

Penalties

Up to SGD 10,000 per violation

DNC compliance checklist

Check DNC Registry
Before each marketing campaign via covered channels
Maintain evidence
Keep records of DNC checks for 3 years
Honor opt-outs
Stop marketing if number is on DNC Registry
Validate exemptions
Document ongoing relationships or clear consent

24-week implementation roadmap

A practical path to PDPA compliance with clear milestones

Phase 1Weeks 1-4

Foundation & gap analysis

Designate Data Protection Officer (DPO)
Conduct personal data inventory
Map data flows and processing activities
Gap assessment against 11 obligations

Phase 2Weeks 5-10

Policy & governance framework

Develop PDPA-compliant privacy policies
Establish consent collection procedures
Create data subject rights processes
Implement security safeguards baseline

Phase 3Weeks 11-18

Operational implementation

Deploy data breach notification workflows
Implement retention and deletion schedules
Establish cross-border transfer assessments
Train staff on PDPA requirements

Phase 4Weeks 19-24

Monitoring & continuous compliance

Activate compliance monitoring processes
Conduct internal PDPA audits
Establish incident response exercises
Create continuous improvement cycle

Penalties and enforcement

Understanding PDPC's enforcement powers and penalty framework

Financial penalties (2020 amendments)

Up to SGD 1 million in financial penalties, OR
Up to 10% of annual Singapore turnover (whichever is higher)
Significant increase from previous SGD 1 million cap
PDPC considers organization size, harm caused, compliance history

Criminal penalties

Knowing or reckless unauthorized disclosure: up to SGD 5,000 fine
Improper use of personal data: up to SGD 5,000 or 2 years imprisonment
Obstruction of PDPC investigation: additional penalties
Directors and officers can be personally liable

Enforcement approach

PDPC publishes enforcement decisions publicly
Reputational damage from public enforcement notices
Mandatory compliance directions and remediation orders
Follow-up audits for significant breaches

Recent enforcement trends

Higher penalties post-2020
Financial penalties now reach millions for serious breaches
Public enforcement decisions
PDPC publishes detailed case studies causing reputational harm
Focus on accountability
Inadequate policies and DPO oversight frequently cited

Factors affecting penalties

Organization size & turnover

Larger organizations face higher penalties

Harm caused

Number of individuals affected and severity of impact

Compliance history

Repeat violations result in higher penalties

Cooperation with PDPC

Self-reporting and remediation efforts considered

Policy templates

PDPA-compliant policy repository

Access 37 ready-to-use policies aligned with PDPA obligations, GDPR, and Singapore's Model AI Governance Framework

Core PDPA policies

• Privacy Policy (Notification)
• Consent Management Policy
• Data Subject Rights Policy
• Data Protection Policy
• Data Retention & Disposal
• Cross-Border Transfer Policy
+ 6 more policies

Incident & breach

• Data Breach Notification
• Breach Assessment Procedure
• Incident Response Plan
• PDPC Reporting Workflow
• Individual Notification
• Post-Breach Remediation
+ 4 more policies

AI governance

• AI Governance Framework
• Algorithmic Transparency
• AI Impact Assessment
• Human-in-the-Loop Policy
• Explainability Standards
• AI Fairness & Bias
+ 5 more policies

Browse all policy templates

Frequently asked questions

Common questions about PDPA compliance

If your organization is a private sector entity that collects, uses or discloses personal data in Singapore, PDPA applies. This includes sole proprietorships, partnerships, companies and foreign entities with Singapore operations. Public sector agencies are covered by separate legislation but follow similar principles. See the PDPC's overview for applicability details.

The 2020 amendments (effective February 1, 2021) introduced mandatory data breach notification within 3 calendar days to PDPC, expanded legitimate interest exceptions to consent, deemed consent provisions, enhanced financial penalties up to 10% of annual turnover, and stricter accountability requirements. Organizations must update policies and procedures to reflect these changes.

When a notifiable data breach occurs (unauthorized access, use, disclosure, loss or modification likely to result in significant harm), you have 3 calendar days from assessment to notify PDPC. You must also notify affected individuals where the breach is likely to result in significant harm or significant impact (large-scale breach). The platform helps track the assessment timeline and manages notification workflows.

PDPA requires organizations to designate at least one individual to be responsible for ensuring compliance. While not mandatory to call this person a 'DPO', it's best practice. The DPO's contact information must be made available to the public. For smaller organizations, an existing employee can take on this responsibility alongside other duties.

The 2020 amendments introduced 'deemed consent' provisions where consent can be deemed in specific scenarios without explicit opt-in, such as contractual necessity or legitimate interests. Organizations must still provide individuals with reasonable notice and opportunity to opt out. This is more limited than GDPR's legitimate interests basis but provides needed flexibility.

PDPA and GDPR share similar principles but differ in details. PDPA has consent-based approach with limited legitimate interest exceptions, while GDPR has six lawful bases including broader legitimate interests. PDPA's consent requirements are stricter in some ways but more flexible in others. Organizations operating in both jurisdictions often comply with the stricter requirement.

Singapore published a voluntary Model AI Governance Framework that complements PDPA. While voluntary, it's increasingly expected by regulators and customers. It covers internal governance, human oversight, operations management and stakeholder communication for AI systems. VerifyWise helps implement both PDPA and AI governance requirements together.

Yes, but only if the receiving jurisdiction provides comparable protection OR you implement appropriate contractual safeguards (like Standard Contractual Clauses or Binding Corporate Rules). You must assess whether the transfer involves sensitive data, the jurisdiction's data protection law and implement transfer impact assessments for high-risk transfers. PDPC provides guidance on acceptable transfer mechanisms.

Since the 2020 amendments, PDPC can impose financial penalties up to SGD 1 million OR 10% of annual Singapore turnover (whichever is higher). Criminal penalties include fines up to SGD 5,000 and imprisonment up to 2 years for knowing or reckless violations. PDPC also publishes enforcement decisions, causing significant reputational damage. Factors considered include organization size, harm caused and compliance history.

You must respond to data access requests within 30 calendar days, providing data in comprehensible form. You may charge a reasonable fee to recover costs. For correction requests, you must correct inaccurate or incomplete data and notify other organizations to which you disclosed the data. Limited exceptions exist (legal privilege, unreasonably repetitive requests). The platform tracks these timelines and manages response workflows.

Singapore's DNC Registry allows individuals to opt out of marketing calls, SMS, fax and MMS (not emails or physical mail). Before sending marketing messages via covered channels, you must check the DNC Registry within 30 days and keep evidence. Violations can result in penalties up to SGD 10,000 per violation. Exemptions exist for ongoing customer relationships with consent.

AI systems processing personal data must comply with all PDPA obligations. This includes consent for data collection, purpose limitation, accuracy, security safeguards and accountability. Singapore's Model AI Governance Framework provides additional voluntary guidance on transparency, fairness and human oversight. Organizations should implement both PDPA compliance and AI governance together. See our EU AI Act page for comparison with other AI regulations.

Ready to achieve PDPA compliance?

Start your PDPA compliance journey with our guided assessment and implementation tools aligned with all 11 data protection obligations.

Start PDPA assessment Schedule consultation