Singapore’s Personal Data Protection Act (PDPA) imposes eleven distinct legal obligations on every organisation that collects, uses, or discloses personal data. Yet many Singapore directors and business owners still treat data protection as an IT matter — a checkbox left to the technology team. That is a mistake that is becoming increasingly costly.

The Personal Data Protection Commission (PDPC) has stepped up enforcement significantly in recent years. Financial penalties can now reach up to 10% of an organisation’s annual Singapore turnover for serious breaches, and the mandatory data breach notification obligation means that incidents meeting the notification threshold must be reported to the PDPC no later than three calendar days after the organisation assesses that the breach is notifiable. Directors who cannot demonstrate that their company has taken the PDPA obligations seriously face real regulatory and reputational consequences.

This guide sets out all eleven PDPA obligations in plain language, explains what directors must do to comply, and provides a practical compliance checklist for a Singapore private limited company.

The Legal Framework: PDPA 2012 and Its Amendments

The Personal Data Protection Act 2012 (PDPA) governs the collection, use, and disclosure of personal data by private organisations in Singapore. It was substantially amended by the Personal Data Protection (Amendment) Act 2020, whose provisions came into force in stages from 1 February 2021. The most significant changes were mandatory data breach notification, new forms of deemed consent, and a much higher cap on financial penalties (the higher cap took effect on 1 October 2022).

The PDPC administers and enforces the Act. Its enforcement decisions are publicly available on the PDPC website and serve as a guide to how the obligations are interpreted in practice.

The 11 PDPA Obligations: What Each One Requires

1. Consent Obligation

Organisations must obtain the individual’s consent before collecting, using, or disclosing their personal data, unless an exception applies. Consent must be voluntary, informed, and given for a specific purpose. The PDPA also recognises “deemed consent by contractual necessity” and “deemed consent by notification”, both introduced by the 2020 amendments and in force since 1 February 2021.

2. Purpose Limitation Obligation

Personal data may only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances, and that the individual was informed of or consented to. Data collected for one purpose cannot simply be repurposed without fresh consent or a legitimate basis.

3. Notification Obligation

Before collecting personal data, organisations must notify the individual of the purposes for which the data will be collected, used, and disclosed. This is typically done through a privacy policy or a data collection notice at the point of collection. The notice must be in clear, plain language.

4. Access and Correction Obligation

Individuals have the right to request access to their personal data held by an organisation, and to request corrections to inaccurate data. Organisations must respond to an access request as soon as reasonably possible; if they cannot do so within 30 days of receiving it, they must inform the applicant in writing within those 30 days of the time by which a response will be given. Specific grounds allow organisations to refuse access, for example where the request is frivolous or vexatious, or where disclosure would reveal personal data about another individual or threaten someone’s safety.

5. Accuracy Obligation

Organisations must take reasonable steps to ensure that personal data collected is accurate and complete, particularly when it will be used to make decisions affecting the individual or disclosed to third parties.

6. Protection Obligation

Organisations must make reasonable security arrangements to protect personal data from unauthorised access, collection, use, disclosure, copying, modification, or disposal. What constitutes “reasonable” security depends on the type and sensitivity of the data, the potential harm from a breach, and current industry practices. The PDPC has found organisations in breach for failing to implement multi-factor authentication, adequate access controls, and employee training.

7. Retention Limitation Obligation

Personal data must not be retained for longer than is necessary to serve the purpose for which it was collected or for any legal or business purpose. Once data is no longer needed, it must be disposed of or anonymised. Organisations should have a clear data retention schedule and be able to show that it is actually applied.

8. Transfer Limitation Obligation

Organisations may only transfer personal data outside Singapore if the recipient is bound by legally enforceable obligations to protect it to a standard comparable to the PDPA (for example through contract or binding corporate rules), the individual has consented to the transfer, or another specified exception applies. Cloud services frequently trigger this obligation, including where a provider stores or processes the data in an overseas data centre.

9. Accountability Obligation

Organisations are responsible for all personal data in their possession or control, including data processed by third-party vendors. This obligation requires implementing data protection policies, training employees, conducting due diligence on vendors, and including data protection clauses in third-party contracts.

Critically, Section 11(3) of the PDPA requires every organisation to designate at least one individual to be responsible for ensuring its compliance with the Act, commonly called the Data Protection Officer (DPO). The DPO’s business contact information must be made available to the public, which in practice means publishing it on the company website. The role must be meaningful, not nominal.

10. Data Breach Notification Obligation

Introduced by the 2020 Amendment Act, this is one of the most operationally demanding obligations. Organisations must notify the PDPC of a data breach that: (a) is likely to result in significant harm to affected individuals; or (b) is of a significant scale (affecting 500 or more individuals). Once an organisation has reason to believe a breach has occurred, it must assess whether the breach is notifiable within 30 calendar days, and it must notify the PDPC as soon as practicable and in any case no later than three calendar days after making that assessment. Affected individuals must also be notified where significant harm is likely.

11. Do-Not-Call (DNC) Obligation

The DNC Registry allows individuals to opt out of receiving unsolicited telemarketing messages. Before sending such messages, organisations must check the registry and refrain from contacting registered numbers unless the individual has given clear and unambiguous consent.

PDPC Enforcement: What the Penalties Look Like

Under the 2020 amendments, in force since 1 October 2022, the PDPC can impose financial penalties of up to S$1 million or 10% of an organisation’s annual Singapore turnover (whichever is higher) for serious breaches. For organisations with annual Singapore turnover exceeding S$10 million, the 10% cap is the relevant ceiling, which is a very significant financial exposure.

The PDPC has issued enforcement decisions against organisations of all sizes, from large financial institutions to small healthcare providers. Common enforcement themes include inadequate security arrangements (Protection Obligation), poor vendor management (Accountability Obligation), and failure to implement a meaningful DPO designation. PDPC decisions are published online and name the organisation — making reputational damage an equally significant consequence.

The DPO Appointment: A Director’s Specific Obligation

Under Section 11(3) of the PDPA, DPO designation is mandatory, and under Section 11(5) the DPO’s business contact information must be made available to the public. The DPO’s role includes overseeing data protection policies, ensuring staff training, handling access and correction requests, managing data breach response, and conducting vendor due diligence. The organisation should also register its DPO details with the PDPC.

Directors should confirm at each board meeting that a DPO has been validly designated, their contact details are publicly available, and the DPO has been given adequate resources and training.

Practical PDPA Compliance Checklist for a Singapore Pte Ltd

  • ☐ Privacy notice reviewed in the last 12 months
  • ☐ Consent forms and opt-in mechanisms up to date
  • ☐ DPO designated and contact published on company website
  • ☐ DPO details registered with the PDPC
  • ☐ Data inventory and personal data map completed and current
  • ☐ Data retention schedule documented and actively applied
  • ☐ Vendor contracts include data protection clauses
  • ☐ Overseas data transfers assessed for adequacy
  • ☐ Security measures reviewed — MFA, access controls, encryption
  • ☐ Employee PDPA training conducted in the last 12 months
  • ☐ Data breach response plan documented and tested
  • ☐ DNC Registry check process in place before any telemarketing
  • ☐ Board has reviewed and approved PDPA compliance status annually

PDPA Compliance at the Board Level

Directors can be held personally liable if they are knowingly involved in a contravention of the PDPA. Under Section 54 of the PDPA, where an offence is committed with the consent, connivance, or neglect of a director or officer, that individual may be personally guilty of the same offence.

Good governance requires: tabling a PDPA compliance update at least annually at a directors’ meeting; recording the board’s review of data protection policies in the minutes; and including data breach incidents in board reporting. Our Singapore Company Compliance Calendar 2026 covers ACRA and IRAS obligations — PDPA review should be added as a standing annual item. Directors managing broader compliance requirements for Singapore companies should treat data protection as equally important as tax and corporate secretarial obligations.

Our companion article on registering your DPO information with the PDPC provides step-by-step guidance on the registration process.

For the latest Singapore business regulatory updates, including PDPC enforcement decisions and legislative changes, directors will find our ongoing coverage useful. If you need legal advice on your PDPA compliance obligations or on responding to a PDPC investigation, we can point you in the right direction. Beyond compliance, sound financial planning and business investment decisions benefit from robust governance structures, and PDPA compliance is an increasingly important part of that picture.

To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.

— The Editorial Team, Raffles Corporate Services