Every Singapore company that collects, uses, or discloses personal data — which means virtually every business operating in Singapore today — is bound by the Personal Data Protection Act 2012 (PDPA). Enforced by the Personal Data Protection Commission (PDPC), the PDPA sets out 11 distinct obligations that your organisation must fulfil. Failure to comply can result in financial penalties of up to S$1 million per contravention, or 10% of annual turnover for larger organisations.

For directors and company secretaries, PDPA compliance is not just an IT or operations issue — it is a governance obligation that sits squarely on the board’s agenda. This guide walks through all 11 obligations in plain language, explains what each means in practice for a Singapore Pte Ltd, and sets out a practical compliance checklist you can act on immediately.

PDPA obligations apply to all organisations — whether you have 2 employees or 2,000. There is no small-business exemption, although the PDPC takes proportionality into account when assessing penalties.

The Legal Framework

The PDPA 2012 (as amended in 2021) sets out the core data protection obligations. The 2021 amendments introduced mandatory data breach notification, enhanced consent mechanisms, and the legitimate interests exception. The full text of the Act is available at Singapore Statutes Online.

The 11 PDPA Obligations: A Director’s Guide

1. Consent Obligation

Your organisation must obtain the individual’s consent before collecting, using, or disclosing their personal data. The 2021 amendments introduced deemed consent by notification and deemed consent by contractual necessity.

Practical implication: Review all consent forms — on your website, at point of sale, in employment contracts, and in vendor agreements. Ensure consent language is specific and that you have a documented record of when consent was obtained.

2. Purpose Limitation Obligation

Personal data may only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate, and only for the purpose for which consent was given. You cannot collect data “just in case” it might be useful later.

Practical implication: When onboarding customers or employees, define and document the specific purposes for which you collect each category of data. If you later want to use data for a new purpose, you must obtain fresh consent.

3. Notification Obligation

You must notify individuals of the purposes for which their personal data will be collected, used, or disclosed — before or at the time of collection. This notification must be specific and not couched in vague, catch-all language.

Practical implication: Your website must have an up-to-date Privacy Policy. Offline collection (e.g. paper forms) must include a notification statement. Employment contracts and HR onboarding documents must explain what employee data is used for.

4. Access and Correction Obligation

Upon request, you must provide individuals with access to their personal data held by your organisation and information about how it has been used or disclosed in the past 12 months. You must also correct any error or omission in an individual’s personal data.

Practical implication: Establish a documented process for handling access and correction requests. Requests must generally be responded to within 30 days.

5. Accuracy Obligation

Your organisation must make a reasonable effort to ensure that personal data collected or used is accurate and complete — particularly where the data may be used to make decisions that affect the individual, or disclosed to third parties.

Practical implication: Implement periodic data quality reviews for employee, customer, and vendor records.

6. Protection Obligation

You must make reasonable security arrangements to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

Practical implication: Implement access controls, encryption for sensitive data, regular security training for staff, and vendor contracts with data protection clauses. Where accounting and financial data are involved, additional controls beyond these baseline measures are advisable.

7. Retention Limitation Obligation

Personal data must not be retained once it is no longer necessary for any business or legal purpose. You must put in place data retention policies and ensure data is securely disposed of at the end of the retention period.

Practical implication: Align data retention periods with your other legal obligations — ACRA and IRAS require certain business records to be kept for 5 years. After the legally required period, personal data should be destroyed or anonymised.

8. Transfer Limitation Obligation

If you transfer personal data to a third party outside Singapore, you must ensure that the recipient provides a comparable level of data protection. This is typically achieved through a Data Processing Agreement (DPA) or binding corporate rules.

Practical implication: If you use overseas cloud providers, offshore back-office teams, or international HR systems, you need proper data transfer agreements in place.

9. Accountability Obligation

Every organisation must develop and implement policies and practices necessary to meet its PDPA obligations, communicate these to staff, and make information publicly available. Crucially, this obligation requires you to designate a Data Protection Officer (DPO).

Every organisation — regardless of size — must appoint at least one DPO and make the DPO’s business contact information publicly available. Singapore companies are also encouraged to register their DPO’s contact details via BizFile+.

Practical implication: Designate a DPO (can be an existing employee or outsourced), publish the DPO’s contact details on your website’s Privacy Policy page, and ensure your board reviews and approves the data protection policy annually.

10. Data Breach Notification Obligation

Introduced by the 2021 amendments, a notifiable data breach is one that: (a) results in or is likely to result in significant harm to affected individuals, or (b) affects 500 or more individuals.

Where a breach is notifiable, you must:

  • Notify the PDPC within 3 calendar days of assessing that the breach is notifiable
  • Notify affected individuals as soon as practicable where the breach is likely to result in significant harm

Practical implication: Your organisation must have a documented Data Breach Response Plan, covering detection, escalation, assessment of notifiability, PDPC notification, and individual notification. Test your plan at least annually.

11. Do Not Call (DNC) Registry Obligation

The DNC Registry obligations prohibit sending unsolicited marketing messages — calls, SMS, or faxes — to Singapore telephone numbers registered on the DNC Registry, unless you have clear consent or an existing business relationship with the recipient.

Practical implication: Before any telemarketing or SMS marketing campaign, check all recipient numbers against the DNC Registry using the PDPC’s bulk-checking API.

Director’s Compliance Checklist

The Accountability Obligation means PDPA compliance starts at board level. Here is a governance checklist for directors of Singapore companies:

  • DPO appointed — a named individual is DPO, with contact details on the website and registered via BizFile+
  • Privacy Policy published — clearly written, covers all 11 obligations, reviewed within 12 months
  • Data inventory completed — all categories of personal data documented with purpose, storage location, retention period, and third-party disclosure
  • Vendor data protection clauses — all vendor contracts involving personal data include DPA clauses
  • Staff training conducted — all staff handling personal data trained at induction and annually thereafter
  • Data breach response plan in place — documented, tested, and known to the DPO and senior management
  • Consent forms reviewed — all customer and employee consent forms are specific, current, and recorded
  • DNC Registry checks in place — marketing campaign workflow includes DNC check before any outreach
  • Annual board review — data protection policy and PDPA compliance status reviewed and minuted at least annually

From a compliance calendar perspective, PDPA obligations are ongoing. Your company secretary can incorporate data protection reviews into your overall ACRA compliance framework.

PDPC Enforcement: Penalties and Consequences

The PDPC can investigate complaints from individuals, conduct audits on its own initiative, and issue enforcement decisions. Penalties include financial penalties up to S$1 million per contravention (or 10% of annual turnover for large organisations), directions to stop processing data or implement remedial measures, and publication of enforcement decisions — which can cause significant reputational damage.

Notable PDPC enforcement actions have involved healthcare providers, financial services firms, and e-commerce platforms — but SMEs have also been fined. Organisations that self-report breaches promptly, cooperate with investigations, and have good compliance programmes typically receive more favourable treatment.

If your organisation faces a PDPC investigation, you may need legal advice on your response strategy and rights during the process.

The Corporate Secretarial Angle

PDPA compliance intersects directly with corporate secretarial duties. Board resolutions approving the data protection policy should be formally recorded in the company’s minutes. The DPO’s contact information on BizFile+ must be kept current — this is part of the broader governance obligations that Singapore directors must take seriously in 2026.

For directors of audited companies, note that the individual auditor is now named on audit reports under CALA 2025. Auditors handling client data are also subject to their own data protection obligations.

For the latest Singapore business compliance updates, staying informed on PDPC guidance changes is as important as tracking ACRA and IRAS developments. Beyond compliance, strong data governance supports better business and investment planning.

How Raffles Corporate Services Can Help

Raffles Corporate Services assists Singapore companies with corporate governance advisory, annual compliance management, and company secretarial services — including helping you incorporate PDPA compliance into your overall corporate governance calendar.

To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.

— The Editorial Team, Raffles Corporate Services