Singapore PDPA FAQ

The PDPA is Singapore's baseline personal data protection law for organisations that collect, use, disclose, or care for personal data. PDPC describes personal data as data about an identifiable individual, whether the data is held electronically or in non-electronic form.

The core exclusions matter in everyday scoping. The data protection provisions generally do not apply to an individual acting in a personal or domestic capacity, an individual acting as an employee for an organisation, public agencies, or business contact information that was not provided solely for personal purposes. If the same work contact details are provided for a personal transaction, treat them as personal data for that context.

Yes. PDPC's key concepts guidance states that section 11(3) requires an organisation to designate one or more individuals responsible for ensuring PDPA compliance. The DPO does not absorb the organisation's legal responsibility; the organisation remains responsible for complying with the PDPA.

The practical implementation point is to publish a reachable DPO or data protection contact, give that person enough authority and knowledge to coordinate policies, requests, training, risks, and breach handling, and connect the role to senior management or another effective governance route.

For ordinary collection, use, or disclosure, organisations should obtain consent for notified purposes unless an exception applies or consent is deemed under the PDPA. Consent is not valid if the individual has not been notified of the purposes or has not consented to those purposes.

Notification is not a formality. State purposes on or before collection, use, or disclosure, and avoid broad catch-all purposes that a reasonable person would not understand. For deemed consent by notification or legitimate interests, keep the required assessment and safeguards before relying on that route.

On request, an organisation must provide the individual's personal data in its possession or control and information about how it may have been used or disclosed during the past year, subject to PDPA limits and exceptions. Correction requests require the organisation to consider whether an error or omission should be corrected.

Operationally, log the request, verify the requester, identify the relevant systems quickly, preserve requested data while assessing access, and explain the reason if access is refused. For correction, correct the data as soon as practicable unless there are reasonable grounds not to, and send corrected personal data to relevant recipients to whom it was disclosed within the prior year unless they do not need it for legal or business purposes.

The protection obligation requires reasonable security arrangements against unauthorised access, collection, use, disclosure, copying, modification, disposal, similar risks, and loss of storage media or devices. PDPC expects arrangements that fit the nature of the personal data, the form it is held in, who can access it, and the potential harm if it is compromised.

Retention is purpose-based, not a fixed universal period. Organisations must stop retaining documents containing personal data, or remove the means of association with individuals, when the collection purpose is no longer served and retention is no longer necessary for legal or business purposes.

A data intermediary processes personal data on behalf of and for the purposes of another organisation under a written or evidenced contract. In that role, the data intermediary is directly subject to the PDPA obligations for protection, retention limitation, and notifying the organisation of data breaches without undue delay.

The customer organisation still needs to manage the processing scope, contract, instructions, risks, transfer basis, and supervision. If the intermediary uses or discloses the personal data beyond the remit granted by the customer organisation, it may become responsible for all applicable data protection provisions for that activity.

The transfer limitation obligation requires organisations not to transfer personal data outside Singapore except in accordance with PDPA requirements. PDPC frames this as an accountability obligation: the transferring organisation must ensure the overseas recipient provides a comparable standard of protection.

Common routes include legally enforceable obligations, contracts specifying comparable protection and destination countries or territories, binding corporate rules, other legally binding instruments, or specified certifications such as APEC CBPR or APEC PRP where applicable. PDPC also recognises circumstances such as informed consent with a written summary of overseas protection, contract necessity, vital interests, national interest, data in transit, and publicly available data.

Once an organisation has credible grounds to believe a data breach occurred, it must take reasonable and expeditious steps to assess whether the breach is notifiable. PDPC's breach guide states the assessment should be completed within 30 calendar days, and an explanation should be available if more time is needed.

A breach is notifiable to PDPC if it is likely to result in significant harm to affected individuals or if it is of significant scale. PDPC guidance states that significant scale means personal data of 500 or more individuals. If notification to PDPC is required, it must be made as soon as practicable and no later than three calendar days after the organisation determines that the breach is notifiable. Affected individuals are notified as soon as practicable, at the same time or after PDPC, where individual notification is required.

The DNC provisions apply to specified messages sent to Singapore telephone numbers. PDPC's DNC guidance explains that a specified message generally includes messages whose purpose includes advertising, promoting, or offering goods, services, land interests, business opportunities, investment opportunities, or suppliers of those items.

Before sending a specified message to a Singapore telephone number, the sender must check the relevant DNC Register unless it has clear and unambiguous consent in evidential form from the user or subscriber. DNC Registry business rules state that returned results are valid for up to 21 days. DNC messages also need sender identification and contact information, and voice calls must not conceal calling line identity.