---
title: "Singapore PDPA Consent and Deemed Consent Workflow"
canonical_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/consent-and-deemed-consent-selection-workflow"
source_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/consent-and-deemed-consent-selection-workflow"
author: "Sorena AI"
description: "Choose express consent, deemed consent by conduct, contractual necessity, notification, or the legitimate interests exception under Singapore PDPA with grounded intake fields and evidence records."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Singapore PDPA consent"
  - "deemed consent by notification"
  - "deemed consent by conduct"
  - "deemed consent by contractual necessity"
  - "legitimate interests exception"
  - "Singapore PDPA"
  - "Consent"
  - "Deemed consent"
  - "Legitimate interests"
---

# Singapore PDPA Consent and Deemed Consent Workflow

Choose express consent, deemed consent by conduct, contractual necessity, notification, or the legitimate interests exception under Singapore PDPA with grounded intake fields and evidence records.


Use this workflow before collecting, using, or disclosing personal data to decide whether express consent, deemed consent by conduct, contractual necessity, deemed consent by notification, or a consent exception fits the facts.

The workflow is written for product, privacy, legal, marketing, and operations teams that need a practical record of purpose, notice, opt-out, withdrawal, assessment, and reviewer decisions.

Singapore PDPA consent work starts with the purpose and data flow, not with a default checkbox. For each collection, use, or disclosure, record the personal data involved, the notified purpose, whether an exception applies, whether consent can be deemed, how withdrawal will be handled, and what evidence will be retained if PDPC asks for justification.

## Choose the PDPA basis before collecting, using, or disclosing personal data

Start by confirming that the activity involves personal data and that anonymised or aggregated data cannot achieve the same purpose. If another written law requires or authorises the activity, document that law and keep the PDPA analysis limited to any remaining data protection obligations.

If no other written law applies, check whether a consent exception fits before asking for consent. The general legitimate interests exception is one possible route, but only when the assessment and balancing test support it. If no exception fits, select a consent route: express consent, deemed consent by conduct, deemed consent by contractual necessity, or deemed consent by notification.

- Intake fields: product or process, individual group, personal data fields, collection/use/disclosure action, purpose, recipient, and whether the activity is one-off or continuous.
- Basis decision: required or authorised by written law, consent exception, express consent, deemed consent by conduct, deemed consent by contractual necessity, or deemed consent by notification.
- Stop conditions: purpose not stated clearly enough, data use beyond what is reasonable for the product or service, unsupported marketing use, no reasonable opt-out period, residual adverse effect for deemed consent by notification, or a failed legitimate-interests balancing test.
- Output record: selected basis, rejected alternatives, notice text or consent capture, assessment result where required, owner, approver, outcome date, withdrawal path, and evidence location.

Sources for this answer:

- [PDPA's Framework for the Collection, Use and Disclosure of Personal Data](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-a--pdpas-framework-for-the-collection-use-and-disclosure-of-personal-data-1-feb-2021.pdf?ref=sorena.io) - PDPC's framework supports the order used here: check whether personal data is involved, whether written law applies, whether a consent exception applies, and then select a consent route.
- [Advisory Guidelines on Key Concepts in the Personal Data Protection Act](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - PDPC's key-concepts guidance supports the consent, notification, purpose limitation, deemed-consent, and withdrawal rules reflected in the workflow.

## Select express consent or the right deemed-consent route

Use express consent when the individual is notified of the purpose and gives consent in writing or in another accessible record. If consent is verbal, keep a confirmation record or a written note of the fact that consent was given.

Use deemed consent by conduct only when the individual voluntarily provides personal data and the purpose is objectively obvious and reasonably appropriate from the circumstances. Use deemed consent by contractual necessity only for downstream disclosure, collection, use, or further disclosure that is reasonably necessary to conclude or perform the transaction between the individual and the organisation.

- Express consent evidence: purpose notice, consent statement, timestamp or form version, channel, data fields covered, and any separate optional marketing consent.
- Conduct evidence: the individual's action, the personal data voluntarily provided, the immediate purpose, and why that purpose would be obvious in context.
- Contractual necessity evidence: the transaction with the individual, each downstream recipient, the processing chain, and why each disclosure or use is reasonably necessary to perform the transaction.
- Marketing guardrail: do not rely on deemed consent by notification for direct marketing messages; where specified messages go to Singapore telephone numbers, record the consent and DNC analysis separately.

Sources for this answer:

- [Advisory Guidelines on Key Concepts in the Personal Data Protection Act](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - PDPC's key-concepts guidance distinguishes express consent, inferred consent, deemed consent by conduct, deemed consent by contractual necessity, and marketing-consent handling.
- [PDPA's Framework for the Collection, Use and Disclosure of Personal Data](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-a--pdpas-framework-for-the-collection-use-and-disclosure-of-personal-data-1-feb-2021.pdf?ref=sorena.io) - PDPC's framework lists express consent and the three deemed-consent modes as consent routes after exceptions have been considered.

## Use deemed consent by notification only after assessment and opt-out design

Deemed consent by notification is for a notified collection, use, or disclosure where the individual is told how to opt out and does not opt out within the specified period. Before relying on it, complete an assessment covering purpose, notification method, opt-out period and method, likely adverse effects, mitigation, residual adverse effects, and final decision outcome.

Do not start the notified collection, use, or disclosure until the opt-out period has lapsed. If the assessment identifies residual adverse effect after mitigation, choose another basis instead of relying on deemed consent by notification.

- Notification fields: purpose, personal data types, collection/use/disclosure method, whether the activity is one-off or continuous, direct or mass notification channel, contact point, opt-out method, and opt-out period rationale.
- Adverse-effect fields: sensitivity of the personal data, scale of collection, whether datasets will be combined, whether predictions or decisions may exclude, discriminate against, defame, or harm individuals, likely impact, and mitigating measures.
- Decision fields: whether reliance is allowed, further actions, outcome date, completed by, endorsed by, and management approval where appropriate.
- Retention fields: keep the deemed-consent-by-notification assessment for the period during which the organisation collects, uses, or discloses personal data on that basis, and be ready to provide it to PDPC if requested.

Sources for this answer:

- [Assessment Checklist for Deemed Consent by Notification](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-b--assessment-checklist-for-deemed-consent-by-notification-1-feb-2021.pdf?ref=sorena.io) - PDPC's Annex B checklist supports the specific assessment fields for purpose, notification, opt-out, adverse effects, mitigation, decision outcome, and approvals.
- [Advisory Guidelines on Key Concepts in the Personal Data Protection Act](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - PDPC's key-concepts guidance supports the rules that consent is deemed only after the opt-out period lapses and that assessments must be retained while relying on deemed consent by notification.

## Use the legitimate interests exception as an assessed exception, not as consent

The legitimate interests exception is an exception to consent, so it should be recorded separately from express or deemed consent. Use it only where the identified legitimate interests of the organisation or another person outweigh any adverse effect on the individual.

The assessment should define the purpose, identify benefits, assess likely adverse effects, document mitigation and residual effects, and complete the balancing test. If reliance continues, disclose that the organisation is relying on the exception, but do not publish the assessment itself.

- Purpose fields: legitimate interest, objective, personal data types, collection/use/disclosure method, and whether the activity is one-off or continuous.
- Benefit fields: direct benefit, beneficiary, and negative impact if the activity cannot be carried out.
- Risk fields: sensitivity, scale, reasonableness of purpose, foreseeable financial/social/physical/psychological effects, dataset combination, prediction or decision impact, and mitigation.
- Record fields: balancing-test conclusion, whether the exception can be relied on, further actions, outcome date, completed by, endorsed by, and management approval where appropriate.

Sources for this answer:

- [Assessment Checklist for Legitimate Interests Exception](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-c--assessment-checklist-for-legitimate-interests-exception-1-feb-2021.pdf?ref=sorena.io) - PDPC's Annex C checklist supports the legitimate-interests purpose, benefits, adverse-effect, mitigation, residual-effect, balancing-test, and approval fields.
- [Advisory Guidelines on Key Concepts in the Personal Data Protection Act](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - PDPC's key-concepts guidance supports documenting legitimate-interests assessments, making reliance known to individuals, and retaining the assessment while relying on the exception.

## Handle withdrawal as part of every consent route

Individuals may withdraw consent that has been given or deemed to have been given. Build the withdrawal path before launch, including how a person submits notice, who receives it, how consequences are explained, and which systems, data intermediaries, or agents must stop collecting, using, or disclosing the personal data.

Separate necessary purposes from optional purposes. For example, an individual should be able to withdraw consent for optional marketing without also withdrawing consent needed to provide the contracted service.

- Withdrawal intake: individual identifier, purpose withdrawn, channel, notice date received, scope of withdrawal, and whether the request covers one channel or all channels.
- Response record: likely consequences communicated, effective timing, affected systems, data intermediaries or agents notified, and any legal basis for continued processing without consent.
- Control update: suppress optional uses, update consent status, keep channel-specific marketing records, and preserve evidence of the action taken.
- Review trigger: revisit the selected basis when the purpose changes, the recipient chain changes, notification effectiveness changes, individuals complain, or withdrawal handling reveals unclear purpose boundaries.

Sources for this answer:

- [Advisory Guidelines on Key Concepts in the Personal Data Protection Act](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - PDPC's key-concepts guidance supports withdrawal handling, consequences notices, ceasing collection/use/disclosure, and distinguishing optional purposes from necessary purposes.
- [Assessment Checklist for Deemed Consent by Notification](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-b--assessment-checklist-for-deemed-consent-by-notification-1-feb-2021.pdf?ref=sorena.io) - PDPC's Annex B checklist supports retaining the outcome, approver, and further-action fields for a deemed-consent-by-notification basis that may later be withdrawn.

## Primary sources

- [Advisory Guidelines on Key Concepts in the Personal Data Protection Act](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - PDPC's key-concepts guidance supports the page's consent, notification, deemed-consent, marketing, withdrawal, and evidence-record handling.
  - Quote: "The Consent Obligation"
- [PDPA's Framework for the Collection, Use and Disclosure of Personal Data](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-a--pdpas-framework-for-the-collection-use-and-disclosure-of-personal-data-1-feb-2021.pdf?ref=sorena.io) - PDPC's Annex A framework supports the workflow order for checking personal data, written-law authority, consent exceptions, and the four consent routes.
  - Quote: "Rely on consent"
- [Assessment Checklist for Deemed Consent by Notification](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-b--assessment-checklist-for-deemed-consent-by-notification-1-feb-2021.pdf?ref=sorena.io) - PDPC's Annex B checklist supports the deemed-consent-by-notification assessment fields, adverse-effect analysis, opt-out design, outcome date, and reviewer records.
  - Quote: "reasonable reliance on deemed consent by notification"
- [Assessment Checklist for Legitimate Interests Exception](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-c--assessment-checklist-for-legitimate-interests-exception-1-feb-2021.pdf?ref=sorena.io) - PDPC's Annex C checklist supports the legitimate-interests purpose, benefits, adverse-effect, mitigation, residual-effect, balancing-test, and approval records.
  - Quote: "Assessment Checklist for Legitimate Interests Exception"

