Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
PDPA Singapore Personal Data Protection Commission

REGULATION · NATIONAL · IN FORCE SINCE 2014

Personal Data Protection Act 2012

Singapore's baseline data protection law, in force since 2014. Sets out consent, purpose, notification, access and correction, accuracy, protection, retention and transfer obligations, mandatory breach notification (since 1 February 2021), and financial penalties up to the greater of SGD$1 million or 10% of annual Singapore turnover.

Official text: Singapore Statutes Online · Reviewed 2026-05-05 · Free reference · sources cited

Scope and territorial reach

Scope

Singapore's Personal Data Protection Act 2012 (PDPA, Act No. 26 of 2012) is the national data protection law, enforced by the Personal Data Protection Commission (PDPC). It applies to organisations collecting, using, or disclosing personal data in Singapore, including foreign organisations targeting Singapore residents.

The Act has been amended substantially: the 2020 amendments introduced mandatory data-breach notification, raised the cap on financial penalties, and clarified the deemed-consent rules. The 2022 amendments brought the Do Not Call (DNC) regime into closer alignment with the wider PDPA framework.

PDPA §13 requires consent before collection, use, or disclosure of personal data — with some exceptions:

  • Deemed consent (§15) — personal data given voluntarily for an identified purpose
  • Deemed consent by notification (§15A, 2020 amendment) — for legitimate business purposes after appropriate disclosure and a reasonable opt-out window
  • Legitimate interests exception (§17 read with First Schedule Part 3) — for specific operational purposes that pass an “interest balancing test” (benefit to the organisation or others outweighs any adverse effect on the individual), with the assessment documented

For cookies and analytics, PDPC Advisory Guidelines recommend transparent notice with opt-out — banner-style consent is not statutorily required but is the safe default for foreign businesses.

Data subject rights

  • Access (§21) — copy of the data, plus how it has been used or disclosed in the past 12 months. No statutory deadline; PDPC treats 30 calendar days as the practical benchmark.
  • Correction (§22) — request correction of inaccurate data.
  • No statutory right of erasure (PDPC may direct erasure in specific orders).

Mandatory breach notification (since 1 February 2021)

A breach is notifiable if it:

  • Affects ≥500 individuals, OR
  • Is likely to result in significant harm to affected individuals.

Timeline: notify the PDPC as soon as practicable and no later than 3 calendar days after the day the organisation assesses the breach as notifiable. Affected individuals must also be notified, as soon as practicable, where the significant-harm trigger applies, unless an exception applies (for example, measures such as encryption or remedial action make significant harm unlikely). A breach that meets only the ≥500 threshold requires notification to the PDPC only.
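The triage described above, written out as an added example (not code from this page or from the PDPC): the two statutory triggers, the 3-calendar-day PDPC clock running from the completed assessment, and the rule that individuals are notified only on the significant-harm trigger unless an exception applies. The harm-category set, the helper names and the sample incidents are constructed assumptions; the actual prescribed data categories are in the regulations and are not reproduced here.

```python
"""Breach notifiability triage under PDPA Part VIA (Sec 26B-26D).

Added example, not from this page or from the PDPC. It encodes the two
statutory triggers (significant harm likely, or 500 or more individuals
affected), the 3-calendar-day PDPC clock that starts on the day the
organisation completes its assessment, and the rule that individuals are
notified only on the significant-harm trigger unless an exception applies.
The harm-category set and the sample incidents are constructed for
illustration; the actual prescribed categories are in the regulations.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

SCALE_THRESHOLD = 500  # Sec 26B: 500 or more affected individuals

# Constructed placeholder for the prescribed "significant harm" data classes.
HARM_CATEGORIES: Set[str] = {
    "nric", "passport", "bank_account", "credit_card",
    "health_record", "account_credentials",
}


@dataclass
class Breach:
    incident_id: str
    affected_count: int
    data_categories: Set[str]
    assessment_completed: date  # day the notifiability assessment was finished
    harm_unlikely_after_measures: bool = False  # exception: data unusable / remediated


@dataclass
class Decision:
    notify_pdpc: bool
    notify_individuals: bool
    pdpc_deadline: Optional[date] = None
    reasons: List[str] = field(default_factory=list)


def assess(breach: Breach) -> Decision:
    """Return who must be notified and by when, with the reasoning trail."""
    harm_categories = sorted(breach.data_categories & HARM_CATEGORIES)
    harm_trigger = bool(harm_categories)
    scale_trigger = breach.affected_count >= SCALE_THRESHOLD
    reasons: List[str] = []

    if harm_trigger:
        reasons.append("significant harm likely: " + ", ".join(harm_categories))
    if scale_trigger:
        reasons.append(f"{breach.affected_count} individuals affected (>= {SCALE_THRESHOLD})")
    if not (harm_trigger or scale_trigger):
        reasons.append("neither trigger met: record the assessment, no notification")
        return Decision(False, False, None, reasons)

    # Sec 26D: notify the PDPC as soon as practicable, and no later than
    # 3 calendar days after the day the assessment was completed.
    deadline = breach.assessment_completed + timedelta(days=3)

    # Sec 26D: affected individuals are notified only where the
    # significant-harm trigger applies, and not where measures such as
    # encryption or remediation make significant harm unlikely.
    notify_individuals = harm_trigger and not breach.harm_unlikely_after_measures
    if harm_trigger and breach.harm_unlikely_after_measures:
        reasons.append("individual notification exception: harm unlikely after measures")
    if not harm_trigger:
        reasons.append("scale-only trigger: PDPC notification only")
    return Decision(True, notify_individuals, deadline, reasons)


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    Breach("INC-1", 120, {"email", "name"}, date(2026, 1, 10)),
    Breach("INC-2", 650, {"email", "name"}, date(2026, 1, 10)),
    Breach("INC-3", 30, {"nric", "email"}, date(2026, 1, 10)),
    Breach("INC-4", 30, {"nric"}, date(2026, 1, 10), harm_unlikely_after_measures=True),
]

if __name__ == "__main__":
    for incident in SAMPLE_INCIDENTS:
        d = assess(incident)
        print(incident.incident_id, "PDPC:", d.notify_pdpc, "deadline:", d.pdpc_deadline,
              "individuals:", d.notify_individuals, "|", "; ".join(d.reasons))
```

The deadline is computed from the day the assessment was completed, not from discovery, so the function expects the caller to record that date explicitly; an incident record that lacks it cannot be triaged, which is the point.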

Cross-border transfers

PDPA §26 requires the transferring organisation to ensure the overseas recipient provides a standard of protection comparable to the PDPA. Acceptable mechanisms: contractual clauses (similar in function to EU SCCs), binding corporate rules, or APEC CBPR certification. Singapore participates in the APEC CBPR system.

Do Not Call regime

A separate but PDPA-adjacent regime restricting unsolicited marketing calls/SMS to Singapore phone numbers registered on the DNC Registry. Distinct from email marketing — which is governed by the Spam Control Act.

Enforcement

2020 amendments raised the maximum financial penalty to the greater of SGD$1 million or 10% of annual Singapore turnover (10% applies to organisations with annual turnover >SGD$10M). The PDPC has been actively imposing fines: Royal & Sun Alliance (SGD$58k, 2022), Singtel (SGD$80k, 2022), and a string of healthcare and education-sector enforcement actions.

The PDPC is widely regarded as one of the most effective APAC privacy regulators — issuing detailed decision summaries that double as compliance guidance.

Key references

  • PDPC: pdpc.gov.sg
  • PDPA Advisory Guidelines (multiple sectoral)
  • 2020 amendments overview: PDPC briefing on the 2020 PDPA reforms

Where it applies: Singapore (1 jurisdiction)

Ten data protection obligations (Parts III–VII)

Every collection, use or disclosure of personal data must satisfy all of these at the same time.

  1. Consent obligation (Sec 13–17): Obtain consent before collecting, using, or disclosing personal data — express, deemed, or under statutory exception.
  2. Purpose limitation (Sec 18): Use data only for purposes a reasonable person would consider appropriate, and only those notified to the individual.
  3. Notification obligation (Sec 20): Inform individuals of the purposes for collection, use, and disclosure on or before processing begins.
  4. Access and correction (Sec 21–22): On request, provide the data and how it has been used or disclosed in the past year; correct errors.
  5. Accuracy obligation (Sec 23): Make a reasonable effort to ensure data is accurate and complete when it is used to make a decision affecting the individual or disclosed to a third party.
  6. Protection obligation (Sec 24): Protect personal data with reasonable security arrangements against unauthorized access, modification, disposal, or similar risks.
  7. Retention limitation (Sec 25): Cease retention or anonymize personal data once the purpose is no longer served and retention is no longer needed for legal or business reasons.
  8. Transfer limitation (Sec 26): Transfer personal data overseas only if the recipient is bound by legally enforceable obligations providing comparable protection (PDPA Regulations Reg 9–10).
  9. Openness / accountability (Sec 11–12): Designate a DPO, develop policies and practices, make them publicly available, and demonstrate compliance.
  10. Data breach notification (Sec 26A–26E): Assess breaches; notify the PDPC within 3 calendar days of assessing a breach as notifiable (significant harm likely, or ≥500 individuals affected), and notify affected individuals where significant harm is likely. Effective 1 Feb 2021.

Consent and the main exceptions (Part IV and the First Schedule)

Identify and document the basis for each purpose before processing; consent isn't always the right one.

  • Express consent (Sec 13–14): The individual gives clear affirmative consent (opt-in) for stated purposes. Common for: marketing emails, analytics cookies, newsletter sign-up.
  • Deemed consent by conduct (Sec 15): The individual voluntarily provides data for an obvious purpose (e.g. submitting an order form). Common for: order processing, account registration.
  • Deemed consent by notification (Sec 15A, added by the 2020 amendments): The organization notifies the individual of a new purpose, conducts a risk assessment, and the individual does not opt out within a reasonable period. Common for: adding a new processing purpose to an existing relationship.
  • Legitimate interests exception (First Schedule Part 3, post-2020): The benefit to the organization or others outweighs the adverse effect on the individual; the assessment is documented. Common for: fraud detection, IT security, debt recovery.
  • Business improvement exception (First Schedule Part 5): Use within the organization (or related corporations) for operational efficiency, product/service improvement, or knowing customers, without consent. Common for: internal analytics, product development, A/B testing.
  • Research exception (First Schedule Part 6): Research purpose where obtaining consent is impractical; no decision affecting the individual; results not in personally identifiable form. Common for: academic research, market studies.
  • Public interest / legal (First Schedule Parts 1–2): Required or authorized by law, or necessary for the national interest, public agency functions, or vital interests. Common for: AML, tax records, emergency response.

Individual rights (Part VI and related sections)

What individuals can demand from you, with the response window and scope.

Right | Section | Response | Scope
Right of access | Sec 21 | 30 days (PDPC benchmark) | Receive the personal data held and information about its use and disclosure in the past year. Respond "as soon as reasonably possible"; PDPC's Advisory Guidelines treat 30 calendar days as the practical benchmark.
Right to correction | Sec 22 | 30 days (PDPC benchmark) | Request correction of an error or omission; the organization must correct unless there are reasonable grounds otherwise, and notify recipients of past disclosures.
Data portability (pending) | Sec 26F–26J | Not yet in force | 2020 amendment provisions enacted but not yet operational. Will require transmission of applicable data in a commonly used machine-readable format once PDPC issues regulations.
Right to withdraw consent | Sec 16 | On reasonable notice | Withdraw consent at any time on reasonable notice; the organization must inform the individual of the likely consequences and cease processing.
No statutory erasure right | n/a | n/a | PDPA does not grant a general right to erasure. The retention limitation (Sec 25) requires cessation when the purpose ends; PDPC may direct deletion as an enforcement remedy.

Fines & enforcement

Maximum financial penalty: the greater of SGD$1 million or 10% of the organisation's annual turnover in Singapore (the 10% tier applies where annual Singapore turnover exceeds SGD$10 million; in force since 1 Oct 2022). Before that, the cap was an absolute SGD$1 million.

  1. 2019-01 · SGD$1M combined
     SingHealth + IHiS · PDPC · SG · Sec 24

     Largest PDPA fine to date: SGD$250k on SingHealth and SGD$750k on IHiS for the July 2018 cyberattack exposing 1.5M patient records, including PM Lee's. Failure of the protection obligation.

  2. 2022-04 · SGD$80k
     Singtel · PDPC · SG · Sec 24

     SGD$80,000 financial penalty for the January 2021 Accellion FTA breach affecting 129,000 customers. Insufficient security arrangements for a vendor file-transfer system.

  3. 2024-09 · SGD$74.4k
     Marina Bay Sands · PDPC · SG · Sec 24

     SGD$74,400 for the October 2023 breach affecting 665,000 loyalty members; insufficient access controls on a legacy CRM. Note: full penalty subject to appeal at time of writing; verify on the PDPC decisions page.

  4. 2021-08 · SGD$74k
     Commeasure (RedDoorz) · PDPC · SG · Sec 24

     SGD$74,000, the largest fine to date on a startup. September 2020 breach exposing 5.9M customer records via a legacy AWS access key left in a code repository.

  5. 2022-09 · SGD$60k
     MyRepublic · PDPC · SG · Sec 24

     SGD$60,000 for the August 2021 breach exposing 79,388 customers' identity documents via unsecured cloud storage. Protection obligation.

  6. 2022-03 · SGD$58k
     Royal & Sun Alliance Insurance · PDPC · SG · Sec 24

     SGD$58,000 for unauthorized disclosure of policyholder data via a misconfigured email system. Protection obligation breach.

  7. 2024-02 · SGD$58k
     Fullerton Health · PDPC · SG · Sec 24, 26C

     SGD$58,000 for a protection obligation breach plus late notification under the Sec 26C breach-notification regime. October 2021 ransomware via a vendor (Agape Connecting People).

  8. 2023-11 · SGD$37k
     OrangeTee & Tie · PDPC · SG · Sec 24, 26C

     SGD$37,000. Phishing-driven email-account compromise exposing client property-transaction data; protection and breach-notification gaps.

Sources: PDPC decisions and press releases (pdpc.gov.sg). Penalty figures are as published by the PDPC; check the PDPC decisions page for appeals and later decisions.

Regional peers

The PDPA is a standalone national statute rather than a transposition of any supranational instrument. The table sets it beside the neighbouring ASEAN data protection laws.

Country | National act | Relative to GDPR baseline | Note
🇸🇬 Singapore (SG) | Personal Data Protection Act 2012 (Act 26/2012) | Mixed (see "Is PDPA stricter or looser than GDPR?" below) | Primary jurisdiction. PDPC actively enforces; mandatory breach notification effective 1 Feb 2021, 10% turnover cap effective 1 Oct 2022. DPO mandatory for ALL organizations under Sec 11(3), unique among APAC laws. Strong Do Not Call (DNC) regime under Part IX.
🇲🇾 Malaysia (MY) | Personal Data Protection Act 2010 (Act 709) | Aligned | Sectoral peer; the 2024 amendments introduced a mandatory DPO and breach notification. Commercial-only scope (excludes federal and state government).
🇹🇭 Thailand (TH) | Personal Data Protection Act B.E. 2562 (2019) | Aligned | Effective 1 Jun 2022. GDPR-styled, with explicit consent and DPO triggers. PDPC Thailand active on enforcement since 2023.
🇮🇩 Indonesia (ID) | Personal Data Protection Law (UU 27/2022) | Aligned | Effective 17 Oct 2024. Highest APAC fines (up to 2% of annual revenue). Standalone authority being established.
🇵🇭 Philippines (PH) | Data Privacy Act of 2012 (RA 10173) | Aligned | NPC enforces. Mandatory DPO, breach notification within 72 hours. Active enforcement on telcos and government.
🇻🇳 Vietnam (VN) | Personal Data Protection Decree 13/2023 (PDPD); PDPL forthcoming | Aligned | PDPD effective 1 Jul 2023. Standalone PDPL (Law on Personal Data Protection) passed June 2025, effective 1 Jan 2026; sharpens consent and adds GDPR-style transfer rules.

Common questions

Does PDPA apply to my non-Singapore organization?
Yes, where you collect, use, or disclose personal data of individuals in Singapore in the course of activities, regardless of whether you have a SG presence. PDPC's Advisory Guidelines confirm extraterritorial scope similar to GDPR Art 3(2). A foreign e-commerce site selling to SG residents is in scope.
What's the maximum PDPA fine?
Under the 2020 amendments (effective 1 Oct 2022 for the higher cap), PDPC may impose a financial penalty of up to the greater of SGD$1 million or 10% of an organization's annual turnover in Singapore. Pre-2022 fines were capped at SGD$1M absolute. The largest fine to date remains the SingHealth/IHIS combined SGD$1M (2019).
When must I notify PDPC of a data breach?
Under Sec 26B–26E (effective 1 Feb 2021), notify the PDPC as soon as practicable and no later than 3 calendar days after the day you determine the breach is notifiable. Trigger thresholds: (a) significant harm is likely to affected individuals (e.g. financial, identity, or sensitive-category data) OR (b) ≥500 individuals are affected. Affected individuals must also be notified where the significant-harm trigger applies, unless an exception applies (for example, measures such as encryption or remedial action make significant harm unlikely); a breach that meets only the ≥500 threshold requires notification to the PDPC alone.
Is a DPO mandatory for my organization?
Yes. Sec 11(3) requires every organization to designate at least one Data Protection Officer responsible for ensuring PDPA compliance — this is unique among major APAC laws. The DPO's business contact information must be publicly available. The DPO can be an employee or outsourced, full-time or part-time.
Do I need consent for analytics under PDPA?
Generally no, where analytics data is non-identifying or used under the business improvement exception (First Schedule Part 5, post-2020). You must still discharge the notification obligation (Sec 20) — disclose analytics use in your privacy notice. Identified user-level tracking or sensitive analytics still requires consent.
How do PDPA cross-border transfer rules work?
Sec 26 + PDPA Regulations Reg 9–10 require recipients in foreign jurisdictions to be bound by legally enforceable obligations providing comparable protection. Mechanisms: (a) APEC Cross-Border Privacy Rules (CBPR — Singapore is a member), (b) ASEAN Model Contractual Clauses, (c) binding corporate rules, or (d) contractual clauses meeting Reg 10. No single 'adequacy' list — case-by-case assessment.
What's the difference between PDPA and the DNC regime?
PDPA Parts III–VI cover personal-data processing generally. Part IX establishes the Do Not Call (DNC) regime: separate registers for voice calls, SMS/MMS, and fax. Before sending any specified marketing message to a SG telephone number, organizations must check the relevant DNC register (or hold valid clear-and-unambiguous consent or an existing-business-relationship exemption). DNC penalties are separate and enforced strictly.
How does PDPA interact with sectoral laws (banking, healthcare, telco)?
PDPA is the baseline. Sector-specific obligations override or supplement it: Banking Act (banking secrecy), Insurance Act, Healthcare Services Act + Private Hospitals Regulations, Telecommunications Act. Where sectoral law provides equal or higher protection, sectoral rules prevail; where PDPA provides higher protection, PDPA applies.
How fast must I respond to an access or correction request?
PDPA does not specify a hard deadline; Sec 21 requires response 'as soon as reasonably possible'. PDPC's Advisory Guidelines treat 30 calendar days as the practical benchmark. If you cannot respond in 30 days, inform the individual in writing of the timeframe within which you will respond. A reasonable fee may be charged for access requests (not correction).
Is PDPA stricter or looser than GDPR?
PDPA is generally pragmatic and less prescriptive than GDPR. Looser: lower default consent friction for non-identifying analytics, the business-improvement exception, no statutory erasure right, no formal DPIA mandate. Stricter or unique: DPO mandatory for ALL organizations, the Do Not Call regime, a 3-calendar-day breach-notification clock (comparable to GDPR's 72 hours, but counted from the day the assessment is completed), and a penalty cap of 10% of annual Singapore turnover (a higher percentage than GDPR's 4%, though measured on Singapore turnover rather than global turnover). Net effect: easier baseline compliance, but tighter operational discipline on breach handling and DNC.