The Personal Data Protection Act (PDPA) imposes eleven distinct legal obligations on every organisation that collects, uses, or discloses personal data in Singapore. These obligations apply to virtually every Singapore company — sole proprietorships, private limited companies, and large corporations alike — regardless of whether your business holds vast customer databases or simply maintains employee payroll records.

Enforcement by the Personal Data Protection Commission (PDPC) has been increasing steadily, and the financial penalties are significant: organisations can face fines of up to S$1 million or 10% of annual local turnover (whichever is higher) per contravention. This guide breaks down all eleven PDPA obligations in plain language, with practical compliance steps that every Singapore director should understand.

The Legal Framework

The Personal Data Protection Act 2012 (amended in 2020) governs the collection, use, and disclosure of personal data by private sector organisations in Singapore. The Act is administered by the PDPC, which has the authority to investigate complaints, conduct audits, and impose financial penalties. The eleven data protection obligations form the core of what your company must comply with.

The 11 PDPA Obligations: What Every Director Must Know

1. Consent Obligation

Your company may only collect, use, or disclose an individual’s personal data if the individual has given consent — and only for the purpose for which consent was given. Consent must be given voluntarily; you cannot make a product or service conditional on consenting to data collection that is not necessary for that product or service. You must also allow individuals to withdraw consent, and stop using their data when consent is withdrawn (subject to legal obligations and legitimate business needs).

2. Purpose Limitation Obligation

You may collect, use, or disclose personal data only for purposes that a reasonable person would consider appropriate given the circumstances. You cannot use data collected for one purpose (say, processing an order) for an entirely different purpose (say, marketing other products) without fresh consent or a valid legal basis.

3. Notification Obligation

Before — or at the time of — collecting personal data, you must notify individuals of the purposes for which you are collecting, using, or disclosing their data. In practice, this means having a clear and accessible privacy notice or privacy policy on your website and in your terms of engagement. The notice must be written in plain language and be easy for your customers to find.

4. Access and Correction Obligation

Upon a written request from an individual, your company must provide that person with access to their personal data held by you, as well as information about how it has been used or disclosed in the past year. If the individual can show that their data is inaccurate or incomplete, you must correct it as soon as practicable. There are limited grounds for refusing access — for example, if doing so would reveal personal data of another individual, or is subject to legal privilege.

5. Accuracy Obligation

Your company must make reasonable efforts to ensure that personal data it collects and uses is accurate and complete, where it is likely to be used to make a decision that directly affects the individual concerned, or where it is likely to be disclosed to another organisation. This requires periodic data hygiene reviews and processes for updating customer and employee records.

6. Protection Obligation

You must implement reasonable security arrangements to protect personal data in your possession or under your control from unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. What is “reasonable” depends on the nature and sensitivity of the data you hold and the potential harm from a breach. Practically, this means password-protected systems, encryption for sensitive records, access controls, and vendor contracts with data protection clauses.

7. Retention Limitation Obligation

Personal data must not be retained for longer than is necessary for the purpose it was collected. Once the purpose has been fulfilled and the data is no longer needed for any legal or business reason, you must dispose of it securely. Retention periods should be documented in a data retention policy.

8. Transfer Limitation Obligation

If your company transfers personal data to a country or territory outside Singapore, you must take steps to ensure the recipient provides a standard of data protection that is comparable to Singapore’s PDPA. This typically means putting a data transfer agreement in place with the overseas recipient, or using PDPC-approved contractual clauses.

9. Data Breach Notification Obligation

This was introduced in the 2020 PDPA amendments and is one of the most operationally demanding obligations. Your company must assess any data breach to determine whether it is notifiable. A breach is notifiable if it:

  • Results in significant harm to affected individuals (e.g. financial loss, identity theft, damage to reputation); or
  • Affects 500 or more individuals.

If the breach is notifiable, you must:

  • Notify the PDPC within 3 calendar days of determining that the breach is notifiable; and
  • Notify affected individuals as soon as practicable (concurrently with or after notifying the PDPC).

The 3-day clock starts when your company has assessed — not merely discovered — that the breach is notifiable. Organisations must therefore have a breach response procedure that enables them to assess and escalate breaches rapidly.

10. Accountability Obligation

Your company must be able to demonstrate that it is complying with the PDPA. This requires:

  • Designating a Data Protection Officer (DPO) — see below
  • Developing and implementing data protection policies and practices
  • Making your data protection policies available to the public upon request
  • Training employees on PDPA obligations
  • Having data protection clauses in contracts with third-party vendors who handle personal data on your behalf

11. Do Not Call (DNC) Obligation

If your company makes marketing calls, sends marketing text messages, or sends marketing fax messages to Singapore telephone numbers, you must check the DNC Registry before doing so — unless the individual has given you clear and unambiguous consent to receive such communications. Failure to check the registry before each campaign is a separate and commonly penalised breach.

The Mandatory DPO Requirement

Every Singapore organisation — including small businesses — must designate at least one individual as its Data Protection Officer. The DPO does not need to be a full-time dedicated role; an existing employee such as the HR manager, IT manager, or even the company director can serve as DPO. However, the DPO must have sufficient understanding of the PDPA to carry out the role meaningfully.

Key DPO responsibilities:

  • Developing and implementing data protection policies and processes
  • Conducting staff training on PDPA compliance
  • Handling personal data access and correction requests
  • Managing data breach assessment and notification
  • Liaising with the PDPC on investigations or queries

Critically, the DPO’s business contact information must be made publicly available — typically on your company website’s privacy policy page. The PDPC checks for this during investigations. Our earlier article on what a Data Protection Officer is and does provides further guidance.

PDPA Compliance Checklist for a Singapore Pte Ltd

Here is a practical checklist for directors and company secretaries to work through:

  • DPO designated — name and contact details published on company website
  • Privacy notice on website and in customer-facing documents, covering all 3 notification requirements
  • Consent forms — clear, voluntary, specific, and properly recorded
  • Data inventory — list of all personal data your company holds, where it is stored, and how it is used
  • Data protection policy — written and board-approved
  • Vendor contracts — all third parties handling personal data on your behalf have data protection clauses in their contracts
  • Retention schedule — documented periods for how long each category of data is kept, and a secure disposal process
  • DNC Registry check — process in place before any telemarketing campaign
  • Breach response procedure — documented steps for detecting, assessing, and notifying a data breach within 3 days
  • Staff training — at least annual PDPA awareness training for all employees
  • Annual board review — PDPA compliance status reviewed and minuted at a board meeting

PDPC Enforcement: What the Penalties Look Like in Practice

Since 2020, the PDPC has significantly increased enforcement activity. Key enforcement statistics and cases illustrate the risk:

  • Financial penalties of up to S$1 million per contravention (or 10% of local annual turnover if higher)
  • Common causes of enforcement action: inadequate security arrangements, failure to notify a breach within 3 days, lack of consent for marketing, and excessive data retention
  • Even relatively small companies have been fined for PDPA breaches — this is not just a concern for large enterprises

If you need legal advice on your PDPA compliance obligations, we can point you in the right direction. Directors who want to understand how PDPA compliance fits into broader governance obligations should read our overview of the CALA 2025 obligations for directors as well.

The Corporate Secretarial Angle: PDPA and Board Governance

As the person responsible for documenting board decisions, the company secretary plays an important role in PDPA compliance. The data protection policy should be formally approved by the board and minuted. Any significant data breach — particularly a notifiable one — should be documented in board minutes. PDPA compliance status should be included on the agenda of the annual board governance review, alongside the Singapore Company Compliance Calendar and other annual filing requirements.

For the latest Singapore business and regulatory news, directors can find updated guidance as regulations evolve. For business investment planning and financial decisions, understanding data protection risk is increasingly a component of corporate due diligence.

To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.

— The Editorial Team, Raffles Corporate Services