The Personal Data Protection Act (PDPA) has been in force in Singapore since 2014, but it is the 2020 amendments — and the Personal Data Protection Commission’s (PDPC) increasingly active enforcement since 2022 — that have brought data protection compliance to the top of many directors’ agendas. With financial penalties of up to S$1 million per contravention, and reputational exposure that can far exceed any financial penalty, understanding your obligations under the PDPA is no longer optional.

This guide sets out all 11 obligations under the PDPA in a clear, director-friendly format, explains the mandatory Data Protection Officer (DPO) requirement, and provides a practical compliance checklist for Singapore private limited companies. For related compliance obligations, see our Singapore Company Compliance Calendar.

What Is the PDPA and Who Does It Apply To?

The Personal Data Protection Act 2012 (No. 26 of 2012), as amended by the Personal Data Protection (Amendment) Act 2020, governs the collection, use, disclosure, and care of personal data by organisations in Singapore. It applies to all private sector organisations — including sole proprietorships, partnerships, and companies — that collect, use, or disclose personal data in connection with their activities.

Government agencies are separately regulated and fall outside the PDPA’s scope. Public sector bodies are governed by the Public Sector (Governance) Act 2018 and associated government-wide policies.

The 11 PDPA Obligations: A Director’s Reference Guide

1. Consent Obligation

Your organisation may collect, use, or disclose an individual’s personal data only with their consent, unless an exception applies. Consent must be informed — the individual must know the purpose — and voluntarily given. Deemed consent (where an individual provides their business card or enters a transaction) is recognised, but organisations must be able to demonstrate that the individual would reasonably expect the use of their data for the stated purpose.

From the 2020 amendments, deemed consent by contractual necessity is now recognised: where disclosure is necessary to perform a contract to which the individual is party, consent is deemed given.

2. Purpose Limitation Obligation

Personal data may only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate given the circumstances, and that the individual was informed of at or before the time of collection. You may not subsequently use the data for unrelated purposes without fresh consent.

3. Notification Obligation

Before or at the time of collecting personal data, your organisation must notify the individual of the purpose(s) for which the data is being collected, used, or disclosed. In practice, this is typically done through a privacy notice on your website and in customer-facing communications. The notification must be clear, easily accessible, and written in plain language.

4. Access and Correction Obligation

Upon request, your organisation must provide individuals with access to their personal data held by your organisation, as well as information about the purposes for which it has been used or disclosed in the past year. You must also correct any personal data that the individual demonstrates to be inaccurate or incomplete, unless there is a legitimate reason not to do so. Requests must be responded to as soon as reasonably practicable — PDPC guidance suggests within 30 days.

5. Accuracy Obligation

Your organisation must make a reasonable effort to ensure that personal data collected is accurate and complete — particularly where it is likely to be used to make a decision affecting the individual or to be disclosed to another organisation. Periodic data hygiene reviews are recommended.

6. Protection Obligation

Reasonable security arrangements must be made to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. The protection obligation is technology-neutral: what counts as reasonable is assessed against the nature and sensitivity of the data, and the likelihood and severity of harm should it be compromised. Common causes of breaches seen in enforcement decisions include phishing, ransomware, and misconfigured cloud storage.

7. Retention Limitation Obligation

Personal data must not be retained for longer than is necessary to fulfil the purpose for which it was collected. Once the purpose is fulfilled and there is no legal or business reason to retain the data, it must be destroyed or anonymised. Directors should ensure their organisations have a documented data retention schedule that maps categories of personal data to specific retention periods.

8. Transfer Limitation Obligation

When transferring personal data outside Singapore, your organisation must ensure the recipient country provides a standard of protection comparable to the PDPA — either through contractual arrangements (data transfer agreements), the recipient being subject to legally binding obligations, or the individual’s consent. This obligation is particularly relevant for companies using overseas cloud service providers or sharing data with foreign group companies.

9. Accountability Obligation

Your organisation must take responsibility for the personal data in its possession or under its control. This includes implementing policies and practices to comply with the PDPA, making those policies available upon request, training staff, and ensuring vendors and data intermediaries who handle personal data on your behalf are contractually bound to comply with appropriate data protection standards.

Mandatory DPO Designation: Every organisation must designate at least one individual as a Data Protection Officer (DPO). The DPO’s contact details must be made publicly available — typically on your website’s privacy policy page. The DPO may be an existing employee or an external professional; there is no requirement that they hold a specific qualification, but PDPC guidance encourages relevant training such as the PDPC-certified Foundation Programme.

10. Data Breach Notification Obligation

From 1 February 2021, organisations must notify the PDPC of a data breach that is likely to cause significant harm to affected individuals, or where it affects 500 or more individuals, within 3 calendar days of assessing that the breach is notifiable. Where the breach is likely to cause significant harm to an individual, you must also notify those affected individuals as soon as reasonably practicable. Significant harm includes financial loss, physical harm, humiliation, or identity theft.

PDPC’s definition of “significant harm” is set out in the Second Schedule to the PDPA and covers a wide range of data types including NRIC numbers, financial account details, and health information.

11. Do Not Call (DNC) Registry Obligation

Before sending unsolicited marketing messages to Singapore telephone numbers (voice calls, SMS, fax), your organisation must check the Do Not Call Registry to ensure the number is not registered. Exemptions exist for organisations that have an ongoing relationship with the individual or have obtained clear and unambiguous consent to receive marketing messages. Non-compliance can result in significant financial penalties.

Maximum Penalties Under the PDPA (Post-2020 Amendments)

The 2020 amendments significantly increased penalties for PDPA breaches. Organisations can now be fined up to S$1 million per contravention, or 10% of annual turnover in Singapore (whichever is higher) for organisations with annual turnover exceeding S$10 million. For individuals (officers or employees personally responsible for a breach), fines of up to S$5,000 apply for certain offences.

The PDPC has issued enforcement decisions against banks, telcos, healthcare providers, and SMEs alike. No sector is exempt. A selection of published enforcement decisions is available on the PDPC enforcement decisions page.

Practical PDPA Compliance Checklist for Singapore Companies

Governance

  • DPO designated and their contact details published on the company website
  • Board-approved data protection policy in place and reviewed annually
  • Data protection training completed by all staff who handle personal data

Data Inventory and Mapping

  • Data inventory maintained identifying all personal data held, purposes, and retention periods
  • Third-party vendors and processors identified; data processing agreements (DPAs) in place

Consent and Notification

  • Privacy notice published on the company website and in customer communications
  • Consent collection mechanisms reviewed for clarity and voluntariness
  • DNC Registry checks conducted before marketing calls or SMS

Breach Response

  • Documented incident response plan covering detection, assessment, and PDPC notification within 3 days
  • Breach log maintained for all personal data incidents (notifiable or otherwise)

Board-Level Action

  • Annual board agenda item on data protection compliance status
  • Data protection included in corporate risk register
  • PDPA compliance status reviewed by the company secretary and recorded in board minutes

For related corporate governance topics, see our guides on AGM requirements for Singapore companies and board resolutions in Singapore.

How Raffles Corporate Services Can Help

As part of our corporate secretarial services, Raffles Corporate Services helps directors track their PDPA compliance obligations alongside their annual filing and governance calendar. We can assist with DPO designation notifications, board-level compliance reviews, and integrating data protection into your corporate governance framework.

If you need legal advice on your PDPA obligations or a data breach response, we can point you in the right direction.

To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.

— The Editorial Team, Raffles Corporate Services