If your Singapore company collects, uses, or discloses personal data — and virtually every company does — the Personal Data Protection Act 2012 (PDPA) places eleven distinct obligations on your organisation. These are not aspirational guidelines. They are enforceable legal requirements backed by fines of up to ten per cent of your annual turnover for serious contraventions.
Yet many directors treat the PDPA as an IT matter delegated to the technology team. That is a governance error. Under the PDPA’s Accountability Obligation, it is the organisation — and therefore its directors and senior management — that bears ultimate responsibility for ensuring compliance across every department, every vendor, and every process that touches personal data.
This guide explains all eleven PDPA obligations in plain language, tells you what each one requires in practice, and sets out what directors should have in place before the Personal Data Protection Commission (PDPC) comes knocking.
What Is Personal Data Under the PDPA?
Personal data means data — whether true or not — about an individual who can be identified from that data, or from that data combined with other information the organisation has or is likely to have access to. This includes names, NRIC numbers, mobile numbers, email addresses, photographs, and salary information. It also includes CCTV footage, cookies, and IP addresses where these can identify a specific person.
The PDPA applies to personal data in any form, electronic or paper, and to organisations of all sizes. There is no small-company exemption; the only broad exclusions are public agencies, individuals acting in a personal or domestic capacity, and employees acting in the course of their employment (their employer remains responsible). If your Singapore Pte Ltd has even one customer, one employee, or one business contact, you process personal data and you must comply.
The 11 PDPA Obligations Explained
1. Consent Obligation
You may collect, use, or disclose personal data only with the individual's consent (unless an exception in the Act applies), and only for purposes that a reasonable person would consider appropriate in the circumstances. Consent must be voluntary and informed: pre-ticked boxes, consent bundled as a condition of a service beyond what the service reasonably requires, and consent buried in lengthy terms and conditions are problematic. The PDPA also recognises deemed consent in certain situations: where an individual voluntarily provides data for an obvious purpose (deemed consent by conduct), where the processing is reasonably necessary to perform a contract with the individual, and, since the 2020 amendments, where the individual was notified of the purpose, given a reasonable period to opt out, and did not. Separately, business contact information (such as the details on a business card) is excluded from most of the data protection provisions, and publicly available data may be collected without consent.
Director action: Review all consent collection points — website forms, employment onboarding, customer intake — and confirm that consent is clearly obtained, documented, and auditable.
2. Purpose Limitation Obligation
Personal data collected for one purpose may not be used or disclosed for a different purpose without fresh consent. If you collected a customer’s email address to send order confirmations, you cannot later use it for marketing campaigns unless the customer separately consented to marketing communications.
Director action: Maintain a data inventory mapping each data type to its collection purpose, and ensure internal teams do not repurpose data without proper authorisation.
3. Notification Obligation
Before or at the time of collecting personal data, you must notify individuals of the purposes for which the data is being collected. This is typically done through a privacy notice on your website, customer-facing forms, and employment contracts.
Director action: Ensure your privacy notice is current, accurate, and accessible. Review it annually and update it whenever you introduce new data processing activities.
4. Access and Correction Obligation
Individuals have the right to request access to their personal data held by your organisation, together with information about how it has been used or disclosed in the year before the request, and to request correction of any errors or omissions. You must respond as soon as reasonably possible; if you cannot respond to an access request within 30 days, you must tell the applicant in writing, within those 30 days, when you will be able to respond. You may charge a reasonable fee for access requests but not for correction requests.
Director action: Establish a documented process for handling Data Subject Access Requests (DSARs). Designate a responsible team member and track all requests to ensure the 30-day deadline is met.
5. Accuracy Obligation
You must make reasonable efforts to ensure that personal data collected is accurate and complete, particularly where the data will be used to make a decision affecting the individual or where the data will be disclosed to a third party.
Director action: Build accuracy checks into data entry workflows, particularly for HR records, customer databases, and financial records that feed into decisions or disclosures.
6. Protection Obligation
This is the obligation that most commonly triggers PDPC enforcement action. You must make reasonable security arrangements to protect personal data against unauthorised access, collection, use, disclosure, modification, disposal, or similar risks.
“Reasonable” is assessed relative to the sensitivity of the data, the likelihood and consequences of a breach, and what similarly situated organisations do. An accounting firm holding NRIC numbers and financial records is held to a higher standard than a florist holding a customer’s delivery address.
This obligation is discussed in detail in our companion guide to accounting data security and PDPA compliance.
Director action: Commission a data protection audit or gap assessment. Implement access controls, encryption for sensitive data in transit and at rest, and regular vulnerability assessments.
7. Retention Limitation Obligation
Personal data must not be retained once it is reasonable to assume that the purpose for which it was collected is no longer served by keeping it and retention is no longer necessary for legal or business purposes. At that point you must cease to retain the documents containing the data, or anonymise it so that it can no longer be associated with any individual. Archiving that leaves the data linked to identifiable individuals is still retention and does not satisfy this obligation.
Director action: Create a data retention schedule aligned with both PDPA requirements and other regulatory retention obligations (for example, IRAS requires most business records to be kept for five years). Implement automated deletion or archiving where possible.
8. Transfer Limitation Obligation
If you transfer personal data outside Singapore, for example to a cloud provider hosted overseas, a foreign parent company, or an overseas professional services firm, you must ensure the recipient is bound to provide a standard of protection comparable to the PDPA. The PDPA Regulations do not contain an adequacy list of approved countries; comparable protection is established through legally enforceable obligations on the recipient (contractual clauses, binding corporate rules within a group, or applicable law), through a recognised certification held by the recipient such as APEC CBPR or PRP, or in limited cases through the individual's consent to the transfer after being given a written summary of the risks, or where the transfer is necessary to perform a contract with the individual. Using an overseas cloud provider as a data intermediary does not shift this obligation away from your organisation.
Director action: Map all cross-border data transfers, including those to cloud services. Insert appropriate data protection clauses in vendor and service provider contracts.
9. Accountability Obligation
The Accountability Obligation (Sections 11 and 12 of the PDPA) requires your organisation to take responsibility for the personal data in its possession or under its control. In practice this means: designating at least one person as Data Protection Officer (DPO), whose business contact information must be made publicly available, typically on your company website; developing and implementing policies and practices necessary to comply with the Act; having a process to receive and respond to complaints; communicating those policies to staff; and making information about them available on request. The DPO does not have to be a separate hire; an existing employee taking on the role is entirely acceptable, and you may also engage an outsourced DPO service. Either way, the organisation, not the DPO personally, remains liable for compliance.
Note that with the Corporate and Accounting Laws (Amendment) Act 2025 — which commenced 6 May 2026 — ACRA now allows organisations to register their DPO’s information directly through BizFile+. Our guide to registering your DPO information with ACRA via BizFile+ walks through this process step by step.
Director action: Formally appoint a DPO, document the appointment in a board resolution, publish the DPO’s contact information on your website, and register it with ACRA via BizFile+.
10. Data Breach Notification Obligation
Since 1 February 2021, when the mandatory breach notification regime introduced by the Personal Data Protection (Amendment) Act 2020 came into force, organisations must notify the PDPC of a notifiable data breach within three calendar days of assessing it to be notifiable. The assessment itself must be carried out reasonably and expeditiously; the PDPC generally expects it to be completed within 30 days of the organisation becoming aware of the breach. A breach is notifiable if it (a) is of significant scale, meaning it affects 500 or more individuals, or (b) results in, or is likely to result in, significant harm to affected individuals. Breaches involving prescribed categories of data, such as full NRIC or other national identification numbers, financial account details, health records, or account identifiers together with passwords or other credentials, are deemed likely to cause significant harm. A breach that occurs only within the organisation (for example, a file sent to the wrong internal colleague) is not notifiable, although it should still be recorded and contained. A data intermediary that processes data on your behalf must notify you without undue delay when it discovers a breach.
Where the breach is likely to result in significant harm to affected individuals, you must also notify those individuals as soon as practicable, at the same time as or after notifying the PDPC, unless an exception applies, such as where remedial action has already made significant harm unlikely, or where the data was encrypted or otherwise technologically protected so that it is unlikely to be accessed.
Director action: Establish a documented data breach response procedure covering: detection, assessment, notification to the PDPC and affected individuals, and post-incident review. Run a tabletop exercise annually.
11. Data Portability Obligation
The data portability obligation, added by the 2020 amendments, requires organisations, upon request, to transmit an individual's personal data held in electronic form to another organisation with a presence in Singapore, in a commonly used machine-readable format. It applies only to the organisations and data types prescribed in regulations made under the Act, so its practical reach depends on what the PDPC prescribes and when those provisions are brought into force. Most SMEs are not affected by this obligation at present, but it is important to monitor the PDPC's regulations as they expand.
Director action: Monitor PDPC’s portability regulations. If your organisation falls within scope, implement technical capabilities for structured data export and transmission.
The Do Not Call (DNC) Registry — A Separate Regime
In addition to the eleven obligations above, the PDPA contains a separate regime governing unsolicited telemarketing calls, faxes, and text messages: the Do Not Call (DNC) Registry. Before sending any marketing message to a Singapore telephone number, you must check the DNC Registry unless the recipient has given clear and unambiguous consent to receive such messages from your organisation. Failing to check the DNC Registry before sending marketing messages can result in fines of up to S$10,000 per message.
PDPC Enforcement: What Are the Penalties?
The 2020 amendments to the PDPA significantly strengthened the PDPC's enforcement powers, with the enhanced financial penalties in force since 1 October 2022. For organisations whose annual turnover in Singapore exceeds S$10 million, the maximum financial penalty is ten per cent of that turnover; for all other organisations it is S$1 million. The amendments also created criminal offences for individuals who knowingly or recklessly disclose or use personal data without authorisation, or who re-identify anonymised data, punishable by a fine, imprisonment, or both.
The PDPC has been increasingly active in enforcement. Notable enforcement decisions in recent years have involved banks, healthcare providers, technology companies, and professional services firms — no sector is exempt. Enforcement decisions are published on the PDPC’s website and are searchable by the public, meaning a PDPC determination is itself a reputational risk beyond the financial penalty.
A Director’s PDPA Governance Checklist
To demonstrate compliance across all eleven obligations, directors of a Singapore Pte Ltd should ensure the following are in place:
- A formally appointed Data Protection Officer (DPO) with contact details published on the company website and registered with ACRA via BizFile+
- A current, accurate Privacy Notice describing data collection purposes and retention periods
- Documented consent collection processes for all customer and employee data touchpoints
- A data inventory mapping data types to purposes, processing activities, and retention schedules
- Technical and organisational security measures (access controls, encryption, vendor assessments)
- A cross-border data transfer register with appropriate contractual protections in place
- A documented data breach response procedure with assigned roles and the three-day PDPC notification timeline understood
- An annual board-level review of PDPA compliance status
- Staff training on data protection responsibilities, updated at least annually
- Data protection clauses inserted in all vendor, service provider, and employment contracts
The Singapore Company Compliance Calendar 2026 sets out the key regulatory deadlines your company needs to track across ACRA, IRAS, MOM, and other agencies — PDPA compliance should sit alongside these as a standing governance obligation rather than a one-off project. Sound financial and business investment planning should also account for the compliance costs of running a proper data protection programme.
How Singapore Secretary Services Can Help
Singapore Secretary Services assists companies with corporate secretarial compliance and governance advisory, including DPO appointment documentation, board resolutions formalising data protection policies, and annual governance reviews that include PDPA status as a standing agenda item.
For the PDPA compliance work itself — data audits, privacy notices, vendor assessments — we recommend engaging a qualified data protection specialist. If you need legal advice on your PDPA obligations, we can point you in the right direction.
For the latest Singapore business news and regulatory updates, including PDPC enforcement decisions and legislative amendments, directors and business owners should follow the PDPC's published decisions and advisory guidelines alongside the company's other regulatory sources.
To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.
— The Editorial Team, Raffles Corporate Services