Singapore PDPA Applicability Test

Use this test to decide whether a Singapore PDPA issue is about personal data handled by an organisation, a limited data intermediary role, an excluded public agency or individual context, or business contact information.

This scope record is a scope review based on the official sources, covering data category, actor role, processing purpose, exclusions, ownership, and source-linked evidence. Validate all outcomes against jurisdiction-specific legal, contractual, and policy requirements before implementation.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

The Singapore PDPA applicability test starts with four questions: is the information personal data, who controls or processes it, is any statutory boundary or exclusion relevant, and which PDPA obligation set is triggered by the activity.

1. Confirm that the information is personal data

Treat the PDPA as potentially relevant when the information is data about an individual who can be identified from that data alone, or from that data together with other information the organisation has or is likely to have access to. The test does not depend on whether the data is true or accurate.

Record the data elements, the individual or individuals they relate to, and the other datasets or systems that could make the individual identifiable. If the team claims the dataset is anonymised or outside personal data scope, keep the anonymisation method, residual re-identification assessment, and approval evidence.

  • In scope: customer, employee, user, patient, member, lead, or contact data that identifies a natural person directly or with other accessible information.
  • Still personal data: inaccurate, outdated, inferred, derived, or mixed records if the individual is identifiable under the PDPA definition.
  • Boundary check: business contact information is generally outside Parts 3, 4, 5, 6, and 6A unless expressly mentioned, but only when it is not provided solely for personal purposes.
  • Evidence to keep: data inventory row, sample fields, identifiability analysis, business-contact-purpose note, and any anonymisation or de-identification record.

2. Decide whether the actor is an organisation, data intermediary, or excluded actor

For each activity, identify who decides the purpose and means of collecting, using, disclosing, storing, retaining, transferring, or deleting the personal data. That actor is usually the organisation for PDPA accountability purposes.

A vendor or service provider may instead be a data intermediary when it processes personal data on behalf of another organisation. The role can change by activity: the same company may be a data intermediary for customer-hosted data and an organisation for its own HR, billing, security, or marketing data.

  • Organisation test: the actor decides why personal data is handled, what data is needed, who receives it, and how long it is retained.
  • Data intermediary test: the actor processes personal data on behalf of another organisation and within written contractual instructions.
  • Role-change trigger: if a data intermediary uses the personal data for its own purposes, assess that activity as an organisation activity.
  • Evidence to keep: role matrix, customer or vendor contract, processing instructions, system owner, purpose owner, and records showing whether the actor contacts individuals directly.

3. Apply the PDPA boundary and exclusion checks

Do not stop at the label on the project. Check the statutory boundary for the actor, data, and activity. Parts 3, 4, 5, 6, 6A, and 6B do not impose obligations on individuals acting in a personal or domestic capacity, employees acting in the course of employment with an organisation, or public agencies.

Also check data-specific boundaries. The Act excludes personal data in records that have existed for at least 100 years. For deceased individuals, the PDPA does not generally apply, except that disclosure provisions and the protection obligation can still apply to personal data about an individual who has been dead for 10 years or less.

  • Individual boundary: document whether the person is acting personally or domestically, or instead as an organisation or business actor.
  • Employee boundary: separate the employee's own employment conduct from the organisation's obligations for employee data and authorised staff actions.
  • Public agency boundary: confirm whether the actor is the Government, a ministry, department, agency, organ of State, tribunal, or specified statutory body.
  • Data boundary: check business contact information, records at least 100 years old, and personal data about deceased individuals before assigning a full PDPA control set.
  • Evidence to keep: exclusion rationale, actor classification, statutory body check, employment-context note, data age or deceased-person note, and reviewer approval.

4. Assign the obligation set and evidence record

When the activity is in scope, assign the obligation set that matches the role. Organisations should assess consent, notification, purpose limitation, access and correction, accuracy, protection, retention, transfer, breach notification, accountability, and any DNC marketing issue that applies to the activity.

Data intermediaries should not be treated as if every individual-facing obligation automatically applies to them for processing done on behalf of another organisation. For that role, focus the record on contractual instructions, protection, retention, and breach escalation back to the organisation.

  • For organisation activities: keep the purpose statement, notice text, consent or exception basis, access/correction owner, retention rule, transfer basis, DPO contact, and complaint route.
  • For data intermediary activities: keep the written contract, processing instructions, security controls, deletion or return process, and breach escalation path.
  • For DNC marketing: separately record whether a Singapore telephone number is used for a specified marketing message and whether DNC checking or clear consent evidence is needed.
  • For breach response: record whether the incident involves personal data, who is the organisation, whether a data intermediary is involved, and who must assess or notify.
  • For governance: link the scope decision to the organisation's data protection policies, practices, training, and complaint process.

Primary sources

References and citations

  • pdpc.gov.sg: Supports the evidence step for teams claiming a dataset has been anonymised before use, sharing, or analytics. Quoted: "anonymising data is one way to reduce that risk"
  • pdpc.gov.sg: Supports using the applicability record to identify personal data breach roles, assessment responsibility, notification criteria, and affected-individual evidence. Quoted: "help organisations to identify, prepare for, and manage data breaches"
  • pdpc.gov.sg: Supports keeping PDPA applicability decisions inside policies, practices, governance, and a Data Protection Management Programme. Quoted: "Organisations that collect, use and disclose personal data are required to develop and implement policies and practices"
  • pdpc.gov.sg: Summarises the main PDPA scope boundaries for electronic and non-electronic data, personal or domestic activity, employees, public agencies, and business contact information. Quoted: "The PDPA covers personal data stored in electronic and non-electronic formats."
  • sso.agc.gov.sg: Provides the statutory application provisions for individuals acting personally or domestically, employees, public agencies, data intermediaries, business contact information, old records, and deceased individuals. Quoted: "Parts 3, 4, 5, 6, 6A and 6B do not impose any obligation on"