Singapore’s Personal Data Protection Act (PDPA) places eleven distinct legal obligations on every organisation that collects, uses, or discloses personal data. For directors and company secretaries of Singapore companies, understanding these obligations is not optional — failure to comply can result in financial penalties of up to S$1 million per contravention, and the Personal Data Protection Commission (PDPC) has been increasing enforcement action year on year.

This guide sets out all eleven PDPA obligations in plain language, explains what they require in a practical business context, and gives company secretaries and directors a compliance checklist to work from. It covers the mandatory Data Protection Officer appointment, the data breach notification rule, and the Accountability Obligation — which places governance responsibility squarely on the board.

Unlike many technical compliance areas, PDPA compliance is directly relevant to every Singapore company regardless of size, industry, or whether it holds sensitive data. Every company that stores employee information, handles customer records, or retains supplier contacts is subject to the PDPA.

The Eleven PDPA Obligations: An Overview

The PDPA (Cap. 26, 2012) as amended by the Personal Data Protection (Amendment) Act 2020 imposes the following eleven obligations. We address each in turn.

1. Consent Obligation

An organisation must obtain the individual’s consent before collecting, using, or disclosing their personal data, unless an exception applies. Consent must be voluntary, informed, and given for a specific purpose. Implied consent is permitted in limited circumstances — for example, where an individual voluntarily provides their business card, they implicitly consent to the company recording and using those contact details for the purpose the card was given.

Key exceptions to the consent requirement include situations where collection is necessary for a contract with the individual, for legal proceedings, for life-threatening emergencies, or for certain business transactions. The 2020 amendments also introduced a “legitimate interests” exception for situations where obtaining consent is not reasonably practical and the purpose is in the legitimate interests of the organisation and not outweighed by the interests of the individual.

2. Purpose Limitation Obligation

Personal data may only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances, and that the individual was notified of at the time of collection. An organisation cannot collect data for one purpose and then repurpose it for an unrelated use without fresh consent.

3. Notification Obligation

Before or at the time of collection, the organisation must notify the individual of the purposes for which their personal data is being collected, used, or disclosed. This notification is typically embedded in the organisation’s privacy policy, which must be publicly accessible. Every Singapore company with a website should have a compliant privacy notice that clearly states the categories of data collected and how they will be used.

4. Access and Correction Obligation

Upon written request from an individual, an organisation must provide that individual with access to their personal data and information about how it has been used or disclosed in the year preceding the request. The organisation must also correct any personal data that is inaccurate or incomplete, unless an exception applies. Response within 30 days is considered a reasonable target per PDPC guidance.

5. Accuracy Obligation

An organisation must make reasonable efforts to ensure that personal data it collects is accurate and complete, particularly where it will be used to make a decision affecting the individual or disclosed to a third party. For most Singapore companies, this means periodic validation of customer, employee, and supplier records.

6. Protection Obligation

Every organisation must make reasonable security arrangements to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. The PDPC’s technical guidelines recommend encryption, role-based access controls, regular security assessments, and staff training. Failure in the Protection Obligation is the most commonly enforced PDPA breach in Singapore.

7. Retention Limitation Obligation

Personal data must not be retained once the purpose for which it was collected no longer exists and there is no legal obligation requiring its retention. Organisations must maintain a data retention schedule and a secure deletion process. Note that IRAS, MOM, and other regulatory requirements may mandate minimum retention periods for specific records that override the PDPA’s deletion obligation.

8. Transfer Limitation Obligation

Personal data may only be transferred overseas if the recipient provides a comparable level of protection to Singapore’s PDPA, or if the individual consents, or another exception applies. The PDPC has approved standard contractual clauses for managing cross-border transfers. This obligation is particularly relevant for companies using overseas cloud providers or group entities for HR, CRM, or payroll data.

9. Accountability Obligation

Every organisation must implement policies and practices to meet PDPA obligations and designate at least one Data Protection Officer (DPO). The DPO’s business contact information must be publicly available — on the company website and registered with ACRA via BizFile+. For directors, this is the most governance-critical obligation: the PDPC expects board-level awareness of data protection risk. See our guide on registering your DPO information with ACRA via BizFile+ for practical steps.

10. Data Breach Notification Obligation

Since 1 February 2021, organisations must notify the PDPC within three calendar days of determining that a data breach is notifiable (one that is likely to cause significant harm to affected individuals, or that affects 500 or more individuals). Affected individuals must also be notified as soon as reasonably practicable if they are likely to suffer significant harm. Three days is an extremely tight window — every company needs a documented Incident Response Plan (IRP) to meet this deadline.

11. Do Not Call Obligation

Organisations sending marketing messages to Singapore telephone numbers (voice, SMS, fax, or messaging apps) must check the DNC Registry before sending, unless they have clear consent or an existing business relationship exception applies. Non-compliance carries fines of up to S$10,000 per contravention. This applies to all marketing communications — including bulk SMS, WhatsApp Business campaigns, and automated calls.

The Mandatory DPO: Practical Guidance for Singapore SMEs

Every Singapore company must appoint a DPO. The DPO does not need to be a dedicated full-time role — many SMEs designate an existing employee such as the company secretary, CFO, or operations manager. The DPO can also be outsourced to a third party.

The DPO’s core responsibilities are: (1) being the internal point of contact for data protection queries and complaints; (2) ensuring data protection policies are current and implemented; (3) training staff; (4) being the PDPC’s contact point during an investigation or data breach. Under ACRA’s BizFile+ system, the DPO’s name and contact details must be registered and publicly accessible.

PDPA Compliance Checklist for Singapore Company Directors

Directors and company secretaries should use the following checklist annually:

  1. Privacy policy published and current — Updated privacy notice on the company website covering all 11 obligations.
  2. DPO appointed and registered — DPO contact information publicly available and registered on ACRA BizFile+.
  3. Data inventory completed — Documented inventory of personal data held, storage locations, and access controls.
  4. Consent mechanisms reviewed — Website forms, employment contracts, and customer sign-up processes are compliant.
  5. Retention schedule in place — Written retention schedule with secure deletion procedures.
  6. Security measures documented and tested — Technical and organisational security measures documented and periodically reviewed.
  7. Incident Response Plan in place — IRP addresses the three-day PDPC notification deadline.
  8. Overseas transfers assessed — Cross-border data transfers to overseas parties assessed and appropriately documented.
  9. Staff training completed — All staff handling personal data have received PDPA awareness training, with records kept.
  10. Vendor contracts reviewed — Data processor agreements (payroll vendors, CRM, cloud storage) include data protection clauses.
  11. DNC Registry checks in place — Process for checking DNC Registry before outbound marketing communications.

PDPC Enforcement: The Financial Stakes

The PDPA gives the PDPC power to impose penalties of up to S$1 million per contravention (or 10% of annual local turnover for organisations with turnover exceeding S$10 million). Since the enhanced penalty regime commenced in 2021, the PDPC has imposed multiple penalties in the six-figure range.

The most commonly enforced failures are: the Protection Obligation (data breaches from inadequate security), the Accountability Obligation (no DPO, no written policies), and the Data Breach Notification Obligation (late or incomplete PDPC notification). The PDPC treats senior management awareness of known risks without remedial action as an aggravating factor in penalty determinations.

A practical board-level governance measure is an annual data protection update presented by the DPO, covering access requests received, near-miss incidents, vendor DPA reviews, and upcoming policy updates — minuted as part of the board’s governance record. See the Singapore Company Compliance Calendar 2026 for a complete overview of annual director obligations.

Keeping up with the latest Singapore business and regulatory news helps directors keep pace with evolving PDPA requirements. If you need legal advice on PDPA compliance or a data breach investigation, we can point you in the right direction.

Beyond compliance obligations, sound financial planning and business investment decisions remain equally important for Singapore company directors.

How Raffles Corporate Services Can Help

Raffles Corporate Services assists Singapore companies with corporate secretarial services including ACRA BizFile+ DPO registration, annual compliance calendar management, and board governance advisory. Our team ensures your data protection governance is properly documented and board oversight is in place.

To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.

— The Editorial Team, Raffles Corporate Services