---
title: "Singapore PDPA Compliance Hub - DPO, Data Intermediaries, Breach Timelines, DNC, and Transfers"
canonical_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa"
source_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa"
author: "Sorena AI"
description: "Grounded Singapore PDPA compliance hub covering DPO and accountability duties, business contact information, data intermediary role limits."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "Singapore PDPA compliance"
  - "PDPA Singapore"
  - "PDPC guidelines"
  - "Data Protection Officer Singapore"
  - "business contact information PDPA"
  - "data intermediary Singapore PDPA"
  - "breach notification Singapore PDPA"
  - "30 day breach assessment PDPA"
  - "3 day PDPC notification"
  - "DNC Registry compliance Singapore"
  - "cross border transfer PDPA"
  - "deemed consent by notification"
  - "legitimate interests PDPA"
  - "PDPA access and correction"
  - "PDPA vendor contracts"
  - "Singapore PDPA"
  - "PDPC"
  - "Data Protection Officer"
  - "business contact information"
  - "data intermediaries"
  - "breach notification"
  - "DNC Registry"
  - "cross-border transfers"
---

# Singapore PDPA Compliance Hub - DPO, Data Intermediaries, Breach Timelines, DNC, and Transfers

Grounded Singapore PDPA compliance hub covering DPO and accountability duties, business contact information, data intermediary role limits.

![Singapore PDPA artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-sg-pdpa-timeline-small.jpg?v=cheatsheets%2Fprod)


## Singapore PDPA Timeline and Decision Flow

A grounded Singapore PDPA hub for teams that need to move from statute and PDPC guidance into daily controls. Use the decision flow to confirm scope, business contact information treatment, organisation versus data intermediary roles, consent and notification logic, breach escalation timing, DNC duties, and transfer safeguards.

The local grounding pack behind this page covers Sections 11 and 12 accountability duties, DPO appointment and publication of business contact information, the limited direct obligations of data intermediaries, the 30 calendar day breach assessment window, the 3 calendar day PDPC reporting deadline after a notifiable determination, and the continuing responsibility of the organisation for overseas transfers.


## What you can decide faster

- **Role and scope**: Separate organisations from data intermediaries, recognise business contact information exclusions, and record which PDPA duties apply.
- **Breach timing**: Run the 30 day assessment window correctly and escalate to the PDPC within 3 calendar days once a breach is assessed as notifiable.
- **Vendors and transfers**: Keep accountability with the organisation while contracting for data intermediary controls and overseas transfer safeguards.

By Sorena AI | Updated 2026 | No signup required

### Quick scan


- **Accountability**: DPO appointment, published contact details, policies and practices, and access to information about them on request.
- **Data intermediary model**: Protection, retention limitation, and breach obligations may sit differently for vendors, but the organisation still owns the wider programme.
- **Breach and DNC**: Assess fast, notify the PDPC on time, and operate marketing controls that do not drift away from registry and consent rules.

Use the decision flow and topic guides to align legal, security, operations, and marketing on one documented Singapore PDPA programme.

| Area | Key point |
| --- | --- |
| PDPC | Regulator |
| Consent | Core |
| Breach | Notify |
| Transfer | Safeguard |

**Key highlights:** Consent logic | Breach readiness | Transfers

## Topic Guides

- [Singapore PDPA Applicability Test | Does the PDPA Apply to Your Organisation?](/artifacts/apac/singapore-pdpa/applicability-test.md): Complete Singapore PDPA applicability test with step-by-step framework to determine if the Personal Data Protection Act applies to your organisation.
- [Singapore PDPA Breach Notification Playbook - Complete Guide](/artifacts/apac/singapore-pdpa/breach-notification-playbook.md): Singapore PDPA breach notification playbook with the 3-day PDPC reporting deadline.
- [Singapore PDPA Compliance Checklist - Audit-Ready Guide (2026)](/artifacts/apac/singapore-pdpa/checklist.md): Complete Singapore PDPA compliance checklist covering DPMP governance, consent management, purpose limitation, data protection controls, retention schedules.
- [Singapore PDPA Compliance Deadlines and Calendar](/artifacts/apac/singapore-pdpa/deadlines-and-compliance-calendar.md): Complete Singapore PDPA compliance deadlines calendar: 3-day breach notification, 30-day access requests, correction timelines, consent withdrawal windows.
- [Singapore PDPA Compliance Guide - Data Protection Management Programme, DPO, Consent, Protection, Retention, DPTM](/artifacts/apac/singapore-pdpa/compliance.md): Complete Singapore PDPA compliance guide for organisations.
- [Singapore PDPA Consent and Notification Obligations Guide](/artifacts/apac/singapore-pdpa/consent-notification-and-purposes.md): Complete Singapore PDPA consent and notification guide covering express consent, deemed consent by conduct and notification, legitimate interests exception.
- [Singapore PDPA Cross-Border Transfer Rules | Section 26 Data Transfer Compliance](/artifacts/apac/singapore-pdpa/cross-border-transfers.md): Complete guide to Singapore PDPA cross-border transfer compliance under Section 26.
- [Singapore PDPA Do Not Call Registry and Marketing Messages Compliance Guide](/artifacts/apac/singapore-pdpa/dnc-and-marketing-messages.md): Complete Singapore PDPA Do Not Call (DNC) Registry compliance guide for businesses.
- [Singapore PDPA FAQ | Frequently Asked Questions on Personal Data Protection Act Compliance](/artifacts/apac/singapore-pdpa/faq.md): Singapore PDPA FAQ with detailed answers on scope, consent, deemed consent, legitimate interests, breach notification, DPO requirements.
- [Singapore PDPA Penalties and Enforcement Cases - PDPC Fines and Decisions](/artifacts/apac/singapore-pdpa/pdpa-penalties-and-enforcement-cases.md): Singapore PDPA penalties and enforcement cases: PDPC financial penalties up to SGD 1 million or 10% turnover.
- [Singapore PDPA Penalties and Fines | SGD 1M or 10% Turnover Cap + PDPC Enforcement Guide](/artifacts/apac/singapore-pdpa/penalties-and-fines.md): Complete guide to Singapore PDPA penalties and fines: maximum financial penalties up to SGD 1 million or 10% annual turnover, PDPC enforcement directions.
- [Singapore PDPA Privacy Policy Template - Clause-by-Clause Drafting Guide](/artifacts/apac/singapore-pdpa/pdpa-privacy-policy-template.md): Singapore PDPA privacy policy template with clause-by-clause drafting instructions for all 10 Data Protection Provisions.
- [Singapore PDPA Requirements -- All Obligations Explained (Consent, Protection, Breach Notification, DNC)](/artifacts/apac/singapore-pdpa/requirements.md): Complete guide to Singapore PDPA requirements covering all Data Protection Provisions: consent obligation (Sections 13-17), purpose limitation (Section 18).
- [Singapore PDPA Scope, Exclusions, and Data Intermediary Obligations](/artifacts/apac/singapore-pdpa/scope-exclusions-and-data-intermediaries.md): Complete guide to Singapore PDPA scope covering excluded organisations, the personal and domestic exception, business contact information exclusion.
- [Singapore PDPA Vendor Outsourcing and Contracts Guide](/artifacts/apac/singapore-pdpa/vendor-outsourcing-and-contracts.md): Singapore PDPA vendor outsourcing guide covering data intermediary contracts, Singapore PDPA outsourcing obligations, vendor due diligence.
- [Singapore PDPA vs GDPR: Full Comparison of Scope, Consent, Penalties](/artifacts/apac/singapore-pdpa/singapore-pdpa-vs-gdpr.md): Singapore PDPA vs GDPR comparison covering scope, consent models, deemed consent, breach notification, cross-border transfers, penalties, DPO requirements.

## Key dates for Singapore PDPA

*PDPA Timeline*

Track milestones and programme checkpoints (not a substitute for the statute or PDPC guidance).

## Which PDPA obligations apply to your organisation

*PDPA Decision Flow*

Use the decision flow to map consent and notification choices, then convert outcomes into workflows and evidence.


## Turn Singapore PDPA Timeline and Decision Flow into a cited research workflow

Singapore PDPA Timeline and Decision Flow should be the shared entry point for your team. Route execution into Research Copilot for live work and into Assessment Autopilot when the artifact needs deeper research, evidence governance, or supporting analysis.

- Start from Singapore PDPA Timeline and Decision Flow and route the work by entity, product, team, or control owner.
- Use Research Copilot to answer scope, timing, and interpretation questions with cited outputs.
- Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints.
- Move from artifact reading to accountable execution without rebuilding the guidance in separate files.

- [Open Research Copilot](/solutions/research-copilot.md): Answer scope, timing, and interpretation questions with cited outputs for Singapore PDPA Timeline and Decision Flow.
- [Open Assessment Autopilot](/solutions/assessment.md): Turn the guidance into owned tasks, evidence requests, and review checkpoints from the same artifact.
- [Talk through Singapore PDPA Timeline and Decision Flow](/contact.md): Review your current process, evidence model, and next steps for Singapore PDPA Timeline and Decision Flow.

## Decision Steps

### STEP 1: Are you an organisation that collects, uses or discloses personal data?

*Reference: PDPA s.2(1), s.3*

- PDPA applies to organisations that collect, use or disclose personal data.
- Personal data = data about an individual who can be identified from that data or from that data and other information.
- Organisation includes individuals, companies and associations, but excludes certain entities (see exclusions).

- **NO** Out of Scope
- **YES** Are you excluded from the Data Protection Provisions?

### STEP 2: Are you excluded from the Data Protection Provisions?

*Reference: PDPA s.4*

- Data Protection Provisions do not apply to: public agencies; individuals acting in a personal or domestic capacity; employees acting in the course of employment; business contact information used solely for business purposes.
- If you are a data intermediary processing personal data on behalf of another organisation, different obligations apply (PDPA s.4(2)).

- **YES** Out of Scope
- **NO** Are you a data intermediary processing personal data on behalf of another organisation?

### STEP 3: Are you a data intermediary processing personal data on behalf of another organisation?

*Reference: PDPA s.2(1), s.4(2)-(3)*

- Data intermediary = organisation that processes personal data on behalf of another organisation (but does not include an employee of that organisation).
- If yes: many Data Protection Provisions do not impose obligations on you for that processing (PDPA s.4(2)).
- However: you must comply with the Protection Obligation (s.24) and Retention Limitation Obligation (s.25), and you must notify the organisation without undue delay if you become aware of a data breach (PDPA s.26C(3)(a)).
- The organisation on whose behalf you are processing remains fully responsible for compliance.

- **YES** Data Intermediary Obligations Apply
- **NO** You are subject to PDPA Data Protection Provisions

### DNC (OUT OF SCOPE): Even if Data Protection Provisions do not apply: do you send specified marketing messages to Singapore telephone numbers?

*Reference: PDPA Parts 9-9A*

- If yes: DNC Provisions may apply (check DNC Registry and consent/exceptions).
- If no: neither Data Protection Provisions nor DNC Provisions apply on the facts provided.

- **YES** DNC Provisions Apply
- **NO** Out of Scope (No DNC Activity Identified)

### IN SCOPE: You are subject to PDPA Data Protection Provisions

*Reference: Parts 3-6A*

- You must comply with all Data Protection Provisions: consent, purpose limitation, notification, access & correction, accuracy, protection, retention, transfer, data breach notification, and accountability.
- Next: determine which specific obligations apply to your data processing activities.

- **NEXT** Do you collect, use or disclose personal data?

### STEP 4: Do you collect, use or disclose personal data?

*Reference: PDPA s.13*

- If yes: you must obtain consent unless an exception applies.
- Consent must be given voluntarily by the individual (or someone validly acting on their behalf).
- Consent can be express or implied (deemed consent), depending on circumstances.
- Individuals have the right to withdraw consent at any time.

- **NEXT** Do you transfer personal data outside Singapore?

### STEP 5: Do you transfer personal data outside Singapore?

*Reference: PDPA s.26*

- If yes: you must comply with the Transfer Limitation Obligation.
- Transfer includes: sending data overseas; allowing overseas entity to access or retrieve data; storing data on servers located overseas.
- Organisation remains responsible for personal data transferred overseas.

- **YES** Cross-Border Transfer Obligations Apply
- **NO** Have you experienced a data breach?

### STEP 6: Have you experienced a data breach?

*Reference: Part 6A (s.26A-26E)*

- Data breach = unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or loss of storage medium where unauthorised access is likely.
- If yes: you must conduct an assessment and determine if it is a notifiable data breach.
- Data breach can result from: cyber-attack, human error, system weaknesses, physical security lapses.

- **YES** Is the data breach a notifiable data breach?
- **NO** Have you designated one or more individuals (a DPO) to be responsible for PDPA compliance?

### STEP 7: Is the data breach a notifiable data breach?

*Reference: PDPA s.26B*

- Notifiable data breach = a data breach that results in, or is likely to result in, significant harm to affected individuals, OR that is, or is likely to be, of a significant scale.
- Significant harm: physical, psychological, emotional, economic, financial harm; harm to reputation; identity theft; fraud.
- Significant scale: affects 500 or more individuals (prescribed threshold).
- If yes: you must notify PDPC and affected individuals.

- **YES** Notifiable Data Breach
- **NO** Have you designated one or more individuals (a DPO) to be responsible for PDPA compliance?

### STEP 8: Have you designated one or more individuals (a DPO) to be responsible for PDPA compliance?

*Reference: PDPA s.11(3)-(6), s.12*

- An organisation must designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA (s.11(3)). This individual is typically referred to as a Data Protection Officer (DPO).
- The organisation must develop and implement policies and practices necessary to meet its obligations under the PDPA (s.12).
- An organisation must make available the business contact information of at least one designated individual (s.11(5)).
- Designating an individual does not relieve the organisation of its obligations under the PDPA (s.11(6)).

- **YES** Do you send telemarketing messages to Singapore telephone numbers?
- **NO** Designate a DPO

### STEP 9: Do you send telemarketing messages to Singapore telephone numbers?

*Reference: Parts 9, 9A*

- If yes: you must comply with Do Not Call (DNC) Provisions.
- DNC Provisions apply to specified messages (marketing messages offering goods, services, land, business/investment opportunities) sent to Singapore telephone numbers.
- DNC Registry has three registers: telephone calls, SMS, fax messages.

- **YES** DNC Provisions Apply
- **NO** DNC Provisions Do Not Apply

### BEST PRACTICE: Does your processing involve new technologies or significant privacy risks?

*Reference: Guide to DPIAs*

- Data Protection Impact Assessment (DPIA) is a good practice process to identify and mitigate privacy risks.
- Conduct DPIA when: implementing new technologies; processing sensitive data; large-scale profiling or automated decision-making; cross-border transfers; significant changes to data processing.
- DPIA helps demonstrate accountability and compliance with PDPA.

- **YES** PDPA Full Compliance Required
- **NO** PDPA Full Compliance Required

## Reference Information

### PDPA Scope Overview

- PDPA establishes a general data protection law in Singapore governing collection, use and disclosure of personal data by organisations.
- Two main sets of provisions: Data Protection Provisions (Parts 3-6A) and Do Not Call Provisions (Parts 9-9A).
- Personal Data Protection Commission (PDPC) administers and enforces the PDPA.
- Data Protection Provisions came into effect on 2 July 2014; DNC Provisions on 2 January 2014.

### Exclusions from Data Protection Provisions

- Public agencies: government, statutory bodies, tribunals.
- Individuals acting in personal or domestic capacity: e.g., individual collecting friend's contact details for personal use.
- Employees acting in course of employment: but the employing organisation must comply with PDPA.
- Business contact information (name, position, business contact details) when used solely for business purposes.
- Data intermediaries: process personal data on behalf of another organisation; some obligations do not apply, but protection, retention, and limited data breach duties still apply.

### Consent Exceptions

- First Schedule: consent not required if collection, use or disclosure is necessary for or related to: evaluating individual for employment/volunteer position; managing employment/volunteer relationship; investigation of breach; emergency; national interest; legal proceedings; publicly available data, and other specified purposes.
- Second Schedule: additional bases for collection, use and disclosure without consent (e.g., business improvement purposes, if legitimate interests of organisation outweigh adverse effects).
- Deemed consent by notification (s.15A): before relying on deemed consent by notification, an organisation must conduct an assessment to eliminate or mitigate adverse effects, provide adequate notification, and give a reasonable opt-out period and method. Deemed consent by notification does not apply to the purpose of sending direct marketing messages.
- Legitimate interests exception: an organisation may collect, use or disclose personal data without consent if conditions are met, including an assessment (with a balancing test for legitimate interests).

### Purpose Limitation Obligation

- Organisation may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances (s.18(1)).
- Organisation may collect, use or disclose personal data only for purposes that have been notified to the individual or for a directly related purpose the individual would reasonably expect (s.18(2)).
- For data collected before 2 July 2014: may use or disclose for purpose of collection or directly related purpose, unless individual withdraws consent (s.19).

### Notification Obligation

- On or before collecting personal data, organisation must notify individual of purposes for collection, use or disclosure (s.20(1)).
- If data collected from third party source, notify individual of purposes on or before first use/disclosure (s.20(2)).
- Notification can be provided through a data protection policy, privacy notice, or other accessible form.
- Purposes must be stated clearly and in a manner the individual could reasonably be expected to understand.

### Access and Correction Obligations

- Access (s.21): an individual has the right to request access to personal data in an organisation's possession or under its control, subject to exceptions (Fifth Schedule). Respond as soon as reasonably possible. If you cannot respond within 30 days, inform the individual in writing within 30 days when you will be able to respond.
- Correction (s.22): an individual has the right to request correction of personal data, subject to exceptions (Sixth Schedule). If you cannot correct within 30 days, inform the individual in writing within 30 days when you will be able to correct.
- Organisation may charge reasonable fee for access request (but must inform individual of fee before providing access).
- Individual may apply to PDPC for review of fee charged or organisation's refusal to provide access/correction.

### Accuracy Obligation

- Organisation must make reasonable effort to ensure personal data is accurate and complete if it is likely to be used to make a decision affecting the individual or disclosed to another organisation (s.23).
- When personal data is provided directly by individual: reasonable to rely on individual to ensure accuracy unless organisation knows or has reason to believe data is inaccurate.
- When collected from third party source: conduct appropriate due diligence to verify accuracy.
- Maintain records of basis for relying on accuracy of data.

### Protection Obligation

- Organisation must make reasonable security arrangements to protect personal data in its possession or under its control (s.24).
- Security arrangements should prevent: unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Consider: nature of data; harm from unauthorised access; method of storage; security measures such as encryption, access controls, audit logs, staff training.
- Data intermediaries must also comply with this obligation.

### Retention Limitation Obligation

- Organisation must cease to retain documents containing personal data (or remove means by which data can be associated with individuals) when it is reasonable to assume retention is no longer necessary for legal or business purposes (s.25).
- Consider: purpose of collection; legal/regulatory requirements; business needs; whether individual can be contacted in future.
- Anonymisation: if personal data is anonymised such that individual can no longer be identified, PDPA obligations no longer apply.
- Data intermediaries must also comply with this obligation.

### Transfer Limitation Obligation

- Organisation may transfer personal data outside Singapore only if it ensures the receiving organisation provides comparable standard of protection to PDPA (s.26).
- Common ways to ensure comparable protection include legally enforceable obligations (e.g., contractual clauses), binding corporate rules, or consent for the overseas transfer (where appropriate).
- Some scenarios (e.g., data in transit) can change how the Transfer Limitation Obligation applies. Use PDPC guidance and the Personal Data Protection Regulations for the detailed conditions.

### Data Breach Notification Obligation

- Duty to assess (s.26C): upon becoming aware of a data breach, conduct an assessment as soon as practicable to determine if it is a notifiable data breach. PDPC guidance indicates organisations should generally aim to complete this assessment within 30 calendar days.
- Duty to notify PDPC (s.26D): notify PDPC within 3 calendar days after determining it is a notifiable data breach. Submit notification at https://eservice.pdpc.gov.sg/case/db?ref=sorena.io
- Duty to notify affected individuals (s.26D): notify affected individuals as soon as practicable (unless exception applies or PDPC prohibits notification).
- Information to provide: description of breach; personal data involved; actions taken/to be taken; contact point for further information; recommendation on steps individuals can take.
- Exceptions: remedial action taken before significant harm occurs; notification would prejudice security/defence/international relations; prohibited by law.
- Failure to notify: financial penalties can apply under PDPA enforcement provisions. PDPC guidance indicates the cap can be up to S$1 million, or (where the organisation's annual turnover in Singapore exceeds S$10 million) up to 10% of annual turnover in Singapore, whichever is higher.
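The timing and notifiability rules above (and decision steps 6 and 7) lend themselves to a small incident-response triage helper. The following is an added illustration, not code from Sorena or the PDPC: it applies the s.26B test as the page states it (significant harm, or 500 or more individuals), the 30 calendar day assessment window from PDPC guidance, and the 3 calendar day PDPC deadline after a notifiable determination. The `Breach` dataclass, the harm labels, and the choice to count calendar days on Singapore dates running to the end of the final day are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone

# Singapore Standard Time (UTC+8, no daylight saving). Assumption: calendar
# days are counted on the Singapore date, so awareness logged in UTC late in
# the evening may already fall on the next Singapore day.
SGT = timezone(timedelta(hours=8), name="SGT")

# Figures as stated on the page.
SIGNIFICANT_SCALE_THRESHOLD = 500  # s.26B prescribed threshold: 500 or more individuals
ASSESSMENT_WINDOW_DAYS = 30        # PDPC guidance for the s.26C assessment, not a statutory limit
PDPC_NOTIFY_DAYS = 3               # s.26D: calendar days after the notifiable determination

# Harm categories the page lists as "significant harm" under s.26B (labels are ours).
SIGNIFICANT_HARM = frozenset({
    "physical", "psychological", "emotional", "economic", "financial",
    "reputation", "identity_theft", "fraud",
})


@dataclass
class Breach:
    aware_at: datetime            # when the organisation became aware of the breach
    individuals_affected: int
    harm_types: set = field(default_factory=set)
    role: str = "organisation"    # "organisation" or "data_intermediary"


def sgt(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for a Singapore-local datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=SGT)


def _to_sgt(dt):
    """Naive datetimes are assumed to already be Singapore local time."""
    return dt.replace(tzinfo=SGT) if dt.tzinfo is None else dt.astimezone(SGT)


def end_of_calendar_day(dt, days):
    """23:59:59 SGT on the date `days` calendar days after dt's Singapore date.

    Assumption: a 'within N calendar days' deadline runs to the end of the
    N-th day after the triggering date.
    """
    target = (_to_sgt(dt) + timedelta(days=days)).date()
    return datetime.combine(target, time(23, 59, 59), tzinfo=SGT)


def is_notifiable(breach):
    """s.26B test: significant harm OR significant scale. Returns (bool, reasons)."""
    harm = bool(set(breach.harm_types) & SIGNIFICANT_HARM)
    scale = breach.individuals_affected >= SIGNIFICANT_SCALE_THRESHOLD
    return harm or scale, {"significant_harm": harm, "significant_scale": scale}


def triage(breach, determined_at=None):
    """Build the notification plan for steps 6 and 7 of the decision flow.

    determined_at: when the organisation concluded the breach is notifiable;
    None while the s.26C assessment is still open, so no PDPC deadline yet.
    """
    notifiable, reasons = is_notifiable(breach)
    plan = {
        "role": breach.role,
        "assessment_due": end_of_calendar_day(breach.aware_at, ASSESSMENT_WINDOW_DAYS),
        "notifiable": notifiable,
        "reasons": reasons,
        "actions": [],
    }
    if breach.role == "data_intermediary":
        # s.26C(3)(a): the intermediary reports to the organisation; the
        # organisation, not the intermediary, decides on PDPC notification.
        plan["actions"].append("notify the organisation without undue delay (s.26C(3)(a))")
        return plan
    plan["actions"].append("complete the s.26C assessment; PDPC guidance: within 30 calendar days")
    if notifiable and determined_at is not None:
        plan["pdpc_notify_due"] = end_of_calendar_day(determined_at, PDPC_NOTIFY_DAYS)
        plan["actions"].append("notify the PDPC within 3 calendar days of the determination (s.26D)")
        plan["actions"].append("notify affected individuals as soon as practicable unless an exception applies (s.26D)")
    return plan


def assessment_overdue(breach, now):
    """True once `now` has passed the 30 calendar day assessment window."""
    return _to_sgt(now) > end_of_calendar_day(breach.aware_at, ASSESSMENT_WINDOW_DAYS)


if __name__ == "__main__":
    # Constructed scenario, not a real incident: 1,200 records, no harm category yet.
    b = Breach(sgt(2026, 3, 1, 10), individuals_affected=1200)
    for action in triage(b, determined_at=sgt(2026, 3, 5, 9))["actions"]:
        print(action)
```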

### Accountability Obligation

- Compliance (s.11): organisation must comply with PDPA and is responsible for personal data in its possession or under its control (including data processed by data intermediaries on its behalf).
- Policies and practices (s.12): develop and implement policies and practices necessary to meet PDPA obligations, including: process to receive and respond to complaints; communication of policies to individuals; information about policies and practices; designate one or more individuals to be responsible for compliance.
- Appointing a DPO: good practice to appoint a DPO as contact point and to oversee data protection compliance.
- Data Protection Management Programme (DPMP): implement DPMP with governance, processes and controls to ensure ongoing compliance.
- Staff training: conduct regular data protection training and awareness programmes.

### Do Not Call Registry Obligations

- Duty to check DNC Register (s.43): before sending a specified message, check whether the Singapore telephone number is listed on the relevant DNC Register (unless you have clear and unambiguous consent in evidential form, or the ongoing relationship exception applies).
- Do not send if listed: if the number is on the DNC Register, do not send the specified message (unless consent or an exception applies).
- Validity period: the results of a DNC Register check are valid for 21 days from receipt.
- Contact information (s.44): specified message must contain clear and accurate information identifying sender and contact details.
- Calling line identity (s.45): for voice calls, do not conceal or withhold calling line identity.
- Consent (s.46): individual may give clear and unambiguous consent in written or other accessible and evidential form to receive specified messages; check DNC Register not required if valid consent obtained.
- Withdrawal of consent (s.47): individual may withdraw consent at any time; organisation must cease sending specified messages.
- Prohibition on dictionary attacks and address-harvesting software (s.48B): do not use automated means to generate telephone numbers or harvest numbers for sending messages indiscriminately.

### DNC Exceptions

- Eighth Schedule: certain messages are excluded from being specified messages, including: messages from public agencies; messages to organisations (B2B); messages related to an ongoing relationship (e.g., account updates, subscription renewals, customer service); surveys and market research (if no marketing element); charitable/religious/political messages (if no commercial marketing).
- Ongoing relationship: organisation need not check DNC Register if individual has ongoing relationship with organisation and message relates to subject of that relationship.
- Clear and unambiguous consent: if individual has given written or evidential consent, no need to check DNC Register.
- Requested information: if individual requested information about goods/services, may respond without checking (but only for that specific request).

### PDPC Enforcement Powers

- Alternative dispute resolution (s.48G): PDPC may facilitate mediation between complainant and organisation (via Singapore Mediation Centre or CASE).
- Reviews (s.48H): individual may apply to PDPC for review of organisation's decision (e.g., access/correction refusal, fee charged).
- Investigations (s.50): PDPC may investigate suspected contraventions; appoint inspectors with powers to enter premises, examine documents, question persons.
- Directions (s.48I): PDPC may issue directions to organisation to cease contravention, destroy data, pay compensation (up to S$20,000), take remedial action.
- Financial penalties (s.48J): PDPC may impose financial penalties for intentional or negligent contraventions, subject to the applicable statutory caps and conditions (see Financial Penalties).
- Voluntary undertakings (s.48L): organisation may give voluntary undertaking to PDPC to comply with PDPA.
- Reconsideration (s.48N): organisation may apply to PDPC to reconsider direction or decision.
- Appeals (s.48Q): organisation may appeal PDPC's direction/decision to Data Protection Appeal Panel.
- Right of private action (s.48O): individual may bring civil action in court for contravention of Data Protection Provisions.

### Financial Penalties

- Data Protection Provisions: PDPC may require an organisation to pay a financial penalty of up to S$1 million, or (where the organisation's annual turnover in Singapore exceeds S$10 million) up to 10% of annual turnover in Singapore, whichever is higher, for any intentional or negligent contravention of the Data Protection Provisions.
- DNC Provisions (dictionary attacks and address-harvesting, PDPA s.48B(1)): for an individual, up to S$200,000; for an organisation, up to S$1 million, or (where annual turnover in Singapore exceeds S$20 million) up to 5% of annual turnover in Singapore, whichever is higher, for intentional or negligent contraventions.
- Other DNC contraventions: for an individual, up to S$200,000; and in other cases, up to S$1 million.
- Financial penalty calibration factors can include harm and culpability considerations, among other relevant factors.

### Offences Affecting Personal Data

- Part 9B creates criminal offences for individuals (not organisations) who commit egregious mishandling of personal data:
- Unauthorised disclosure (s.48D): individual knowingly or recklessly discloses personal data without authority. Penalty: fine up to S$5,000 or imprisonment up to 2 years, or both.
- Improper use (s.48E): individual knowingly or recklessly uses personal data for wrongful gain or wrongful loss. Penalty: fine up to S$5,000 or imprisonment up to 3 years, or both.
- Unauthorised re-identification (s.48F): individual knowingly or recklessly re-identifies anonymised information without authority. Penalty: fine up to S$5,000 or imprisonment up to 2 years, or both.
- These offences apply to individuals (including employees and officers of organisations) and hold them personally accountable for egregious conduct.

### Data Protection Impact Assessment (DPIA)

- DPIA is a process to identify and assess privacy risks arising from data processing and determine measures to mitigate risks.
- When to conduct DPIA: new technology; processing involving sensitive/large-scale data; profiling/automated decision-making; cross-border transfers; changes that materially affect privacy risks.
- DPIA steps: describe data processing; identify and assess privacy risks; determine mitigation measures; document and review.
- Benefits: demonstrates accountability; builds trust; identifies compliance gaps; helps design privacy-protective systems.
- PDPC Guide to Data Protection Impact Assessments provides detailed methodology and templates.

### Cross-Border Transfer Methods

- Contractual clauses: ASEAN Model Contractual Clauses (MCCs); EU Standard Contractual Clauses (SCCs); PDPC sample clause for APEC CBPR/PRP certified organisations.
- APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) certification: if overseas organisation is certified, may use PDPC sample clause.
- Binding corporate rules (BCRs): for intra-group transfers.
- Consent: obtain consent from individual for specific overseas transfer (inform individual of jurisdiction and risks).
- Other bases: necessary to perform contract; for individual's benefit; required by law; publicly available data.
- Joint ASEAN-EU Guide helps organisations navigate both ASEAN MCCs and EU SCCs for transfers within ASEAN and to EU.

### Withdrawal of Consent

- Individual may withdraw consent at any time by giving reasonable notice (s.16).
- Organisation must: inform individual of likely consequences of withdrawal; allow and facilitate withdrawal; cease collection, use or disclosure upon withdrawal (unless exception applies).
- Exceptions: withdrawal would affect legal obligations; data is needed to complete transaction or provide benefit requested; data may be retained under retention obligation or other law.
- Organisation must not: impose unreasonable conditions on withdrawal; require individual to delete account to withdraw consent; penalise individual for withdrawal (but may inform of consequences).
- Good practice: provide easy withdrawal mechanism (e.g., unsubscribe link, online portal, contact form).

## Possible Outcomes

### [RESULT] Out of Scope

PDPA Data Protection Provisions do not apply

- You are not an organisation subject to the Data Protection Provisions under PDPA.
- However: DNC Provisions (telemarketing rules) may still apply if you send marketing messages to Singapore telephone numbers.
- Even if excluded, consider data protection best practices to build trust.

### [RESULT] Out of Scope (No DNC Activity Identified)

No PDPA obligations identified

- Based on your answers, the PDPA Data Protection Provisions do not apply to you and you do not send specified marketing messages to Singapore telephone numbers.
- If your activities change (e.g., you start sending telemarketing), re-check DNC Provisions and data protection obligations.

### [RESULT] Data Intermediary Obligations Apply

Limited obligations under PDPA

- You must comply with protection obligation (s.24): make reasonable security arrangements to protect personal data in your possession or under your control.
- You must comply with retention limitation obligation (s.25): cease to retain documents containing personal data when it is reasonable to assume retention is no longer necessary.
- You must notify the organisation without undue delay if you become aware of a data breach affecting personal data you process on its behalf (PDPA s.26C(3)(a)).
- Many other obligations (e.g., consent, purpose, notification, access, correction, accuracy, transfer) do not impose obligations on you for that processing (PDPA s.4(2)).
- The organisation on whose behalf you process data remains fully responsible for PDPA compliance.

### [ACTION REQUIRED] Cross-Border Transfer Obligations Apply

Transfer Limitation Obligation (s.26)

- You must ensure the overseas recipient provides a standard of protection comparable to the PDPA (Transfer Limitation Obligation).
- Use an appropriate transfer mechanism (e.g., contractual clauses, binding corporate rules, consent where applicable) and document your approach.

### [ACTION REQUIRED] Notifiable Data Breach

Notification duties may apply

- If a data breach is notifiable under the PDPA, you must notify the PDPC and affected individuals within the required timelines and include required content.
- Preserve evidence, remediate the breach, and document your assessment and notifications.

### [ACTION REQUIRED] Designate a DPO

Accountability requirement

- Designate one or more individuals to be responsible for ensuring that your organisation complies with the PDPA (PDPA s.11(3)).
- Make available the business contact information of at least one designated individual (PDPA s.11(5)).
- Adopt and maintain policies and practices necessary to meet PDPA obligations (PDPA s.12).

### [ACTION REQUIRED] DNC Provisions Apply

Telemarketing messages to Singapore numbers

- You must comply with the DNC Provisions (Parts 9-9A), including checking numbers against the DNC Registry (unless an exception applies) and obtaining/recording consent where required.
- If your messages also involve personal data, the PDPA Data Protection Provisions continue to apply.

### [RESULT] PDPA Full Compliance Required

All Data Protection Provisions apply

- You must comply with all Data Protection Provisions: consent (s.13-17), purpose limitation (s.18), notification (s.20), access (s.21), correction (s.22), accuracy (s.23), protection (s.24), retention (s.25), transfer (s.26), data breach notification (Part 6A), and accountability (s.11-12).
- If you send telemarketing messages, you must also comply with DNC Provisions (Parts 9-9A).
- Implement a Data Protection Management Programme (DPMP) and appoint a DPO.
- Conduct regular staff training and maintain documentation of policies and practices.
- Be prepared for PDPC reviews, investigations and potential enforcement action.
- Consider conducting DPIAs for high-risk processing activities.

### [RESULT] DNC Provisions Apply

Telemarketing compliance required

- You must comply with Do Not Call Provisions when sending specified messages (marketing messages) to Singapore telephone numbers.
- Key obligations: check DNC Register before sending (unless consent or exception applies); include contact information in messages; do not conceal calling line identity; obtain consent in evidential form if required; allow withdrawal of consent.
- Even if Data Protection Provisions do not apply to you (e.g., because telephone numbers are not personal data in your context), DNC Provisions still apply to marketing messages.
- Failure to comply may result in financial penalties imposed by PDPC.

### [RESULT] DNC Provisions Do Not Apply

No telemarketing or exception applies

- DNC Provisions do not apply because: you do not send specified messages (marketing messages); OR your messages are excluded under Eighth Schedule (e.g., B2B, ongoing relationship, surveys without marketing, charitable/religious/political messages); OR you have obtained clear and unambiguous consent.
- However: if messages contain personal data, Data Protection Provisions still apply.
- Best practice: even if excluded, consider privacy-protective telemarketing practices to build trust.

## Compliance Timeline

| Date | Event | Category | Reference |
| --- | --- | --- | --- |
| 2013-01-02 | PDPC Established | Implementation Milestones |  |
| 2013-09-23 | Advisory Guidelines on Key Concepts Issued | Advisory Guidelines & Guides |  |
| 2013-09-24 | Advisory Guidelines for Selected Topics Issued | Advisory Guidelines & Guides |  |
| 2013-12-26 | Advisory Guidelines on the DNC Provisions Issued | Advisory Guidelines & Guides |  |
| 2014-01-02 | DNC Registry Provisions in Force | Implementation Milestones |  |
| 2014-07-02 | Main Data Protection Rules in Force | Implementation Milestones |  |
| 2014-09-11 | Healthcare Sector Advisory Guidelines Issued | Advisory Guidelines & Guides |  |
| 2015-01-23 | PDPA Version Published (Amended by S 19/2015) | Legislation & Amendments |  |
| 2016-01-03 | PDPA Version Published (Amended by Act 29 of 2014) | Legislation & Amendments |  |
| 2016-04-21 | Enforcement Advisory Guidelines Issued | Advisory Guidelines & Guides |  |
| 2016-10-02 | PDPA Historical Version Listed (Amended by Act 22 of 2016) | Legislation & Amendments |  |
| 2018-01-25 | Guide to Basic Anonymisation Published | Advisory Guidelines & Guides |  |
| 2019-09-01 | NRIC Advisory Guidelines Take Effect | Advisory Guidelines & Guides |  |
| 2020-06-09 | APEC CBPR/PRP Sample Clause Updated | Frameworks & Tools |  |
| 2020-11-02 | Major PDPA Amendments Passed | Legislation & Amendments |  |
| 2021-01-02 | PDPA Historical Version Listed (Amended by Act 40 of 2019) | Legislation & Amendments |  |
| 2021-01-22 | ASEAN MCC Guidance Published | Advisory Guidelines & Guides |  |
| 2021-02-01 | 2020 Amendments in Force - Phase 1 | Implementation Milestones |  |
| 2021-02-01 | DNC Advisory Guidelines Revised | Advisory Guidelines & Guides |  |
| 2021-02-01 | Guide on Data Protection Clauses Updated | Advisory Guidelines & Guides |  |
| 2021-03-15 | Data Breach Guide Updated | Advisory Guidelines & Guides |  |
| 2021-09-14 | DPMP Guide Updated | Advisory Guidelines & Guides |  |
| 2021-12-31 | 2020 Revised Edition Published | Legislation & Amendments |  |
| 2022-05-16 | Key Concepts Guidelines Revised | Advisory Guidelines & Guides |  |
| 2022-10-01 | Active Enforcement Guide Revised | Enforcement & Compliance |  |
| 2023-09-20 | Healthcare Sector Advisory Guidelines Revised | Advisory Guidelines & Guides |  |
| 2024-03-01 | AI Recommendation and Decision Systems Advisory Guidelines Issued | Advisory Guidelines & Guides |  |
| 2024-05-23 | Selected Topics Guidelines Revised | Advisory Guidelines & Guides |  |
| 2024-07-24 | Basic Anonymisation Guide Updated | Advisory Guidelines & Guides |  |
| 2024-12-13 | NRIC Guidance Update Announced | Advisory Guidelines & Guides |  |
| 2025-07-07 | New Tools and Trust Ecosystem Announced | Frameworks & Tools |  |
| 2025-12-05 | PDPA Version Listed (Amended by Act 19 of 2025) | Legislation & Amendments |  |

**Event details:**

- **2013-01-02 - PDPC Established**: Personal Data Protection Commission (PDPC) officially established. Parts I, II, VIII, IX and X of the PDPA commenced operation.
- **2013-09-23 - Advisory Guidelines on Key Concepts Issued**: PDPC issued Advisory Guidelines on Key Concepts in the PDPA covering consent, purpose limitation, and other core data protection concepts.
- **2013-09-24 - Advisory Guidelines for Selected Topics Issued**: PDPC issued Advisory Guidelines on the PDPA for Selected Topics covering analytics, research, anonymisation, photography, and CCTVs.
- **2013-12-26 - Advisory Guidelines on the DNC Provisions Issued**: PDPC issued Advisory Guidelines on the Do Not Call (DNC) Provisions, covering telemarketing rules, checking requirements, and exceptions under the PDPA.
- **2014-01-02 - DNC Registry Provisions in Force**: Do Not Call (DNC) Registry provisions came into force, allowing individuals to register Singapore telephone numbers to opt out of telemarketing.
- **2014-07-02 - Main Data Protection Rules in Force**: Parts III to VII of the PDPA (main data protection provisions) came into operation, including consent, purpose limitation, access, correction, and care obligations.
- **2014-09-11 - Healthcare Sector Advisory Guidelines Issued**: PDPC issued Advisory Guidelines for the Healthcare Sector to help healthcare providers apply the PDPA, including consent, deemed consent, and common operational scenarios.
- **2015-01-23 - PDPA Version Published (Amended by S 19/2015)**: Singapore Statutes Online lists a PDPA version published on 23 Jan 2015, with amendments referenced as S 19/2015.
- **2016-01-03 - PDPA Version Published (Amended by Act 29 of 2014)**: Singapore Statutes Online lists a PDPA version published on 03 Jan 2016, with amendments referenced as Act 29 of 2014.
- **2016-04-21 - Enforcement Advisory Guidelines Issued**: PDPC issued Advisory Guidelines on Enforcement of the PDPA data protection provisions, explaining directions, financial penalties, and voluntary undertakings.
- **2016-10-02 - PDPA Historical Version Listed (Amended by Act 22 of 2016)**: Singapore Statutes Online lists a PDPA historical version dated 02 Oct 2016, with amendments referenced as Act 22 of 2016.
- **2018-01-25 - Guide to Basic Anonymisation Published**: PDPC published Guide to Basic Data Anonymisation Techniques providing technical guidance on anonymisation methods and risk assessment.
- **2019-09-01 - NRIC Advisory Guidelines Take Effect**: PDPC's Advisory Guidelines on the PDPA for NRIC and other national identification numbers take effect on 1 Sep 2019.
- **2020-06-09 - APEC CBPR/PRP Sample Clause Updated**: PDPC updated its sample clause for data transfers to APEC CBPR and PRP certified organisations.
- **2020-11-02 - Major PDPA Amendments Passed**: Personal Data Protection (Amendment) Act 2020 (Act 40 of 2020) passed by Parliament, introducing mandatory data breach notification, enhanced penalties, and new exceptions.
- **2021-01-02 - PDPA Historical Version Listed (Amended by Act 40 of 2019)**: Singapore Statutes Online lists a PDPA historical version dated 02 Jan 2021, with amendments referenced as Act 40 of 2019.
- **2021-01-22 - ASEAN MCC Guidance Published**: PDPC published Guidance for Use of ASEAN Model Contractual Clauses for cross-border data transfers.
- **2021-02-01 - 2020 Amendments in Force - Phase 1**: First phase of Act 40 of 2020 amendments took effect, including mandatory data breach notification obligations, enhanced enforcement powers, and new exceptions.
- **2021-02-01 - DNC Advisory Guidelines Revised**: PDPC revised the Advisory Guidelines on the DNC Provisions, including changes that took effect from 1 Feb 2021 (for example, the validity period of DNC Registry check results).
- **2021-02-01 - Guide on Data Protection Clauses Updated**: PDPC updated its guide on data protection clauses for agreements relating to data intermediaries to account for PDPA amendments that came into force on 1 Feb 2021.
- **2021-03-15 - Data Breach Guide Updated**: PDPC updated its Guide on Managing and Notifying Data Breaches under the PDPA, including the C.A.R.E. framework (Contain, Assess, Report, Evaluate).
- **2021-09-14 - DPMP Guide Updated**: Guide to Developing a Data Protection Management Programme revised to incorporate best practices in accountability.
- **2021-12-31 - 2020 Revised Edition Published**: PDPA 2020 Revised Edition came into operation, incorporating all amendments up to 1 December 2021.
- **2022-05-16 - Key Concepts Guidelines Revised**: Advisory Guidelines on Key Concepts in the PDPA revised to reflect 2020 amendments including deemed consent by notification and legitimate interests.
- **2022-10-01 - Active Enforcement Guide Revised**: Guide on Active Enforcement revised, setting out PDPC's proactive compliance approach and enforcement framework.
- **2023-09-20 - Healthcare Sector Advisory Guidelines Revised**: PDPC revised its Advisory Guidelines for the Healthcare Sector.
- **2024-03-01 - AI Recommendation and Decision Systems Advisory Guidelines Issued**: PDPC issued Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems.
- **2024-05-23 - Selected Topics Guidelines Revised**: Advisory Guidelines on the PDPA for Selected Topics revised covering analytics, anonymisation, photography, CCTVs, drones, and data portability.
- **2024-07-24 - Basic Anonymisation Guide Updated**: Guide to Basic Anonymisation updated with practical guidance for small organisations on anonymisation workflow and techniques.
- **2024-12-13 - NRIC Guidance Update Announced**: Following an MDDI statement on 13 Dec 2024 about appropriate use and misuse of NRIC numbers, PDPC noted that its NRIC advisory guidance would be updated (and remains valid in the meantime).
- **2025-07-07 - New Tools and Trust Ecosystem Announced**: PDPC published a press release on new tools for data protection and trusted AI deployment, including updates around the Data Protection Trustmark and Singapore's data protection ecosystem.
- **2025-12-05 - PDPA Version Listed (Amended by Act 19 of 2025)**: Singapore Statutes Online lists a PDPA version with ValidDate 05 Dec 2025, with amendments referenced as Act 19 of 2025.

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/apac/singapore-pdpa
