Compliance CalendarSingaporePDPA

Singapore PDPA deadlines and compliance calendar

Use this calendar to track PDPA timing windows that implementation teams can actually schedule: breach assessment, PDPC notification, affected-individual notification, DNC Registry checks, access and correction requests, and recurring privacy programme review.

The dates and time windows below are limited to facts supported by PDPC, DNC Registry, and Singapore Statutes Online grounding material.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
7

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Track PDPA milestone windows tied to obligation outcomes, owners, and required evidence.

Section 1

Breach response clocks to open immediately

Open a breach calendar entry when the organisation has credible grounds to believe that a data breach has occurred, including where a data intermediary reports the breach. The assessment owner should document containment, facts established, data affected, likely harm, number of affected individuals, and the notifiability decision.

The assessment should be completed within 30 calendar days. If the organisation cannot complete the assessment within that period, the file should contain an explanation for the time taken or required.

  • Trigger: credible grounds to believe that a data breach has occurred.
  • Assessment window: assess whether the breach is notifiable within 30 calendar days.
  • PDPC notification: if the breach is notifiable, notify the PDPC as soon as practicable and no later than three calendar days after determining notifiability.
  • Day-count rule: the first day of the three-day PDPC notification period starts on the day after the organisation determines that the breach is notifiable.
  • Affected individuals: where notification is required, notify them as soon as practicable, at the same time as or after notifying the PDPC.
  • Evidence to keep: breach log, containment record, assessment chronology, notifiability rationale, notification submission, late-notification reasons if applicable, and affected-individual communication plan.
Sources for this answer
PDPC data breach management guide
Supports the 30-calendar-day breach assessment window, the three-calendar-day PDPC notification deadline, affected-individual timing, and late-notification evidence.
PDPC required-to-notify page
Supports the rule that a notifiable breach must be reported to the PDPC as soon as practicable and no later than three calendar days.
Section 2

DNC Registry campaign checks and validity windows

Open a DNC calendar entry before a telemarketing campaign sends specified messages to Singapore telephone numbers, unless the campaign has clear and unambiguous consent in evidential form or another grounded exception applies.

DNC Registry results are not evergreen. Campaign operations should treat the result date as a hard expiry control and re-check before continuing telemarketing after the validity period lapses.

  • Trigger: planned voice call, text message, or fax telemarketing campaign to Singapore telephone numbers.
  • Register coverage: check the relevant No Voice Call, No Text Message, and No Fax Message registers before sending.
  • Result validity: DNC Registry results are valid for up to 21 days; re-check after that if telemarketing continues.
  • Bulk filtering service level: bulk filtering results are available within 24 hours, so campaign schedules should leave time for upload, result retrieval, and suppression.
  • Account and credit reminders: main accounts receive 1,000 free credits annually, free credits are valid for one year, and purchased credits are valid for three years.
  • Evidence to keep: campaign audience date, DNC submission method, result file, suppression list, consent evidence where relied on, checker account used, and result-expiry date.
Sources for this answer
PDPC DNC Registry business rules
Supports DNC result validity, bulk filtering turnaround, accepted number format, and DNC account credit validity windows.
PDPC advisory guidelines on the DNC provisions
Supports the duty to check the DNC Register before sending specified messages unless clear and unambiguous consent in evidential form is available.
Section 3

Access and correction request response timing

Open an access or correction request entry when a written request reaches the DPO business contact information, registered office, principal office, or another accepted channel with enough detail to identify the applicant and request.

The PDPA timing language is not a permission to wait until day 30. Access must be provided as soon as reasonably possible, and correction must be made as soon as practicable, subject to exceptions and valid grounds.

  • Access requests: respond as soon as reasonably possible after receiving the request.
  • Access 30-day update: if the organisation cannot respond within 30 days, inform the individual in writing within 30 days when it will be able to respond.
  • Correction requests: correct personal data as soon as practicable unless satisfied on reasonable grounds that the correction should not be made.
  • Correction 30-day update: if the organisation cannot correct the data within 30 days, inform the individual in writing within 30 days when it will be able to correct it.
  • Correction downstream lookback: send corrected personal data to other organisations to which it was disclosed within the year before the correction request, unless the other organisation does not need it for a legal or business purpose.
  • Evidence to keep: request intake, identity verification, scope clarification, exception or rejection rationale, fee estimate if charged for access, response date, correction notice, annotation where correction is rejected, and preservation record for withheld access data.
Sources for this answer
PDPC advisory guidelines on key concepts in the PDPA
Supports the access request response clock, correction request response clock, one-year correction disclosure lookback, and preservation expectations.
PDPC guide to developing a data protection management programme
Supports using an internal access-request policy that tracks response timeframe, identity verification, exceptions, and request records.
Section 4

Retention and privacy programme review cadence

The PDPA does not set one universal retention period for all personal data. Calendar entries should therefore track each record class against its collection purpose, legal or business need, retention rationale, and disposal or anonymisation method.

For privacy programme maintenance, PDPC guidance supports both ad-hoc updates when major incidents, legal changes, or organisational changes occur and periodic review at a pre-specified interval chosen by the organisation.

  • Retention trigger: purpose no longer served and retention no longer necessary for legal or business purposes.
  • Retention review: review personal data held on a regular basis to decide whether it is still needed.
  • Long retention periods: document the rationale in the personal data retention policy.
  • Programme review: revise data protection policies immediately for major incidents, legislative or regulatory amendments, and organisational or process changes.
  • Periodic review: schedule a pre-specified interval for policy and process review; PDPC examples also describe quarterly or annual reporting topics for risk monitoring.
  • Evidence to keep: data inventory, retention period by record class, legal or business rationale, disposal or anonymisation record, policy-review date, ad-hoc change trigger, audit finding, and remediation status.
Sources for this answer
PDPC advisory guidelines on key concepts in the PDPA
Supports the retention limitation rule, regular review of personal data held, and the absence of one fixed PDPA retention period.
PDPC guide to developing a data protection management programme
Supports ad-hoc and periodic review of data protection policies and examples of quarterly or annual risk reporting.
Recommended next step

Turn Singapore PDPA deadlines into assigned calendar controls

Use this Singapore PDPA calendar to create breach, DNC, access, correction, retention, and DPMP review controls with owners, due dates, and evidence fields.

Assessment workflow
Open Assessment Autopilot for Singapore PDPA

Turn PDPA timing windows into scoped questions, evidence fields, and review tasks.

Explore next step
Research workflow
Review Singapore PDPA source evidence

Use Research Copilot to check follow-up questions against cited PDPC and statutory sources.

Explore next step
Talk to Sorena
Talk through implementation

Review calendar ownership, escalation paths, and evidence records for Singapore PDPA operations.

Explore next step
Primary sources

References and citations

PDPC advisory guidelines on the DNC provisions
pdpc.gov.sg
Referenced sections
  • Supports the duty to check the DNC Register before sending specified messages unless clear and unambiguous consent in evidential form is available.
"Duty to check the DNC Register"
PDPC data breach management guide
pdpc.gov.sg
Referenced sections
  • Supports the 30-calendar-day breach assessment window, the three-calendar-day PDPC notification deadline, affected-individual timing, and late-notification evidence.
"within 30 calendar days"
PDPC DNC Registry business rules
pdpc.gov.sg
Referenced sections
  • Supports DNC result validity, bulk filtering turnaround, accepted number format, and DNC account credit validity windows.
"valid for up to 21 days"
PDPC required-to-notify page
pdpc.gov.sg
Referenced sections
  • Supports the rule that a notifiable breach must be reported to the PDPC as soon as practicable and no later than three calendar days.
"no later than three (3) calendar days"
Personal Data Protection Act 2012
sso.agc.gov.sg
Referenced sections
  • Supports the statutory PDPA context for access, correction, retention, DNC, and data breach notification obligations mapped by this calendar.
"Personal Data Protection Act 2012"
Related guides

Explore more topics

Singapore PDPA Anonymisation and DPIA Records
Build Singapore PDPA anonymisation and DPIA records around PDPC guidance: release model, re-identification risk, data flows, action plans, safeguards, and monitoring.
Singapore PDPA anonymisation FAQ
FAQ on anonymisation under the Singapore PDPA: de-identification, pseudonymisation, re-identification risk, when PDPA may no longer apply, and evidence records.
Singapore PDPA Applicability Test
Test whether Singapore PDPA obligations apply by checking personal data, organisation role, data intermediary status, public agency and individual boundaries, and business contact information.
Singapore PDPA Breach Notification Playbook
A grounded Singapore PDPA breach-notification playbook covering assessment, notifiable-breach thresholds, PDPC and affected-individual notification steps, roles, records, and citations.
Singapore PDPA breach notification thresholds FAQ
FAQ on Singapore PDPA notifiable data breach tests: significant harm, significant scale, 500 affected individuals, assessment timing, PDPC notices, and affected-individual notices.
Singapore PDPA Breach Notification Workflow
A grounded Singapore PDPA workflow for containing a personal data breach, assessing notifiability, notifying PDPC or affected individuals, and retaining evidence.
Singapore PDPA Compliance Checklist
A grounded Singapore PDPA checklist for scope, DPO accountability, consent, data intermediaries, breach notification, DNC checks, transfers, and evidence records.
Singapore PDPA Compliance Guide
Build a Singapore PDPA compliance plan covering DPO accountability, consent and notification, protection, retention, access and correction, transfers, breach notification, and DNC checks.
Singapore PDPA Consent and Deemed Consent Workflow
Choose express consent, deemed consent by conduct, contractual necessity, notification, or the legitimate interests exception under Singapore PDPA with grounded intake fields and evidence records.
Singapore PDPA Consent, Notification and Purpose Rules
How Singapore PDPA consent, notification, purpose limitation, deemed consent, withdrawal, and consent exceptions should be handled in product and privacy workflows.
Singapore PDPA Cross-Border Transfers
Grounded Singapore PDPA guidance for overseas personal data transfers, comparable protection, ASEAN MCCs, APEC certifications, vendor roles, and evidence records.
Singapore PDPA Data Breach Notification Thresholds
Grounded Singapore PDPA breach notification thresholds covering significant harm, the 500-individual significant-scale test, assessment records, and notification timing.
Singapore PDPA Data Intermediaries FAQ
FAQ guidance on Singapore PDPA data intermediary roles, direct obligations, organisation accountability, contracts, retention, protection, and breach escalation.
Singapore PDPA Data Intermediary Responsibilities
Practical Singapore PDPA guide to data intermediary role boundaries, organisation accountability, protection, retention, breach escalation, and contract evidence.
Singapore PDPA Deemed Consent and Legitimate Interests
How to apply Singapore PDPA deemed consent by conduct, contractual necessity, notification, and legitimate interests with opt-out, adverse-effect, disclosure, and assessment records.
Singapore PDPA Deemed Consent FAQ
FAQ on Singapore PDPA deemed consent by conduct, contractual necessity, notification, opt-out periods, adverse-effect assessment, withdrawal, and direct-marketing limits.
Singapore PDPA DNC and Marketing Messages Guide
A grounded Singapore PDPA guide to DNC checks, specified marketing messages, Singapore telephone numbers, consent evidence, opt-outs, sender duties, and excluded messages.
Singapore PDPA DNC checking FAQ: when to check the DNC Registry
FAQ guidance on Singapore PDPA DNC checking: when to check the DNC Registry, which registers apply, 8-digit numbers, 21-day result validity, consent evidence, on-behalf checks, opt-outs, and supported exclusions.
Singapore PDPA DNC Marketing Checks
Operational checklist for Singapore PDPA DNC marketing checks: account evidence, register status, 21-day result validity, consent evidence, and campaign owner records.
Singapore PDPA DNC Marketing Workflow
Workflow for Singapore PDPA DNC marketing campaigns: classify specified messages, check Singapore telephone numbers, document consent, suppress opt-outs, and approve sends.
Singapore PDPA DPIAs: when to run and what to document
FAQ-style implementation guidance on Singapore PDPA DPIAs, including when PDPC guidance recommends them, data-flow mapping, risk treatment, DPO review, and evidence records.
Singapore PDPA DPMP Accountability FAQ | DPO, Policies, Evidence
FAQ for implementing Singapore PDPA accountability through a DPMP: DPO designation, policies, evidence, training, monitoring, incident logs, and review records.
Singapore PDPA DPMP Accountability Guide
Build a Singapore PDPA Data Protection Management Programme with DPO ownership, policies, data inventories, DPIAs, training, monitoring, breach logs, and review records.
Singapore PDPA FAQ: scope, DPO, consent, breaches and DNC
FAQ answers for Singapore PDPA implementation, covering scope, accountability, consent, access and correction, security, retention, transfers, data intermediaries, breach notification, and DNC checks.
Singapore PDPA legitimate interests FAQ
FAQ guidance on Singapore PDPA legitimate interests: assessment fields, adverse effects, mitigation, balancing, disclosure, records, and marketing limits.
Singapore PDPA NRIC Handling FAQ
FAQ guidance on when Singapore organisations may collect, use, disclose, retain, mask, or replace NRIC and other national identification numbers under PDPC guidance.
Singapore PDPA NRIC Handling Rules
When Singapore organisations may collect, use, disclose, retain, mask, or replace NRIC numbers under PDPC guidance.
Singapore PDPA Penalties and Enforcement Cases
How PDPC enforcement under Singapore's PDPA works: directions, voluntary undertakings, published decisions, financial penalty caps, and implementation lessons from cases.
Singapore PDPA Penalties and Fines
Singapore PDPA penalty ceilings, PDPC directions, undertakings, breach notification context, and practical controls grounded in official PDPC and Singapore Statutes sources.
Singapore PDPA Privacy Policy Template
A Singapore PDPA privacy policy template for writing notices, DPO contact details, access and correction routes, retention, transfers, protection, withdrawal, and complaint handling without overclaiming compliance.
Singapore PDPA Requirements: Core Obligations
Map Singapore PDPA obligations across consent, notification, access, security, retention, transfers, accountability, breaches, DNC checks, and data intermediaries.
Singapore PDPA Scope, Exclusions, and Data Intermediaries
Classify Singapore PDPA coverage, business contact information, personal or domestic activity, employee acts, and data intermediary obligations with grounded implementation records.
Singapore PDPA Transfer Assessment Workflow
A Singapore PDPA workflow for assessing overseas personal data transfers, comparable protection, ASEAN MCCs, APEC CBPR/PRP certifications, vendor due diligence, onward transfers, and evidence records.
Singapore PDPA Transfer Clauses
Draft Singapore PDPA transfer clauses for overseas vendors, affiliates, data intermediaries, onward transfers, breach support, ASEAN MCCs, and APEC CBPR or PRP evidence.
Singapore PDPA transfer clauses FAQ
FAQ guidance on Singapore PDPA transfer clauses, comparable protection, ASEAN MCCs, APEC CBPR and PRP certifications, onward transfers, and evidence records.
Singapore PDPA Vendor Outsourcing and Contracts
Contract and operating checklist for Singapore PDPA vendor outsourcing: data intermediary status, written terms, security, retention, breach, transfers, sub-contracting, and exit evidence.
Singapore PDPA vs GDPR Comparison
Compare Singapore PDPA and GDPR implementation work across consent, DPO accountability, processors, transfers, breach notification, DNC marketing, rights, retention, and penalties.