Singapore PDPA Deemed Consent FAQ

The PDPA guidance identifies three forms of deemed consent: deemed consent by conduct, deemed consent by contractual necessity, and deemed consent by notification. Treat them as separate routes, not interchangeable labels.

Start by documenting which route is being used, the personal data involved, the purpose, and why the surrounding facts fit that route. If the purpose is outside the obvious transaction, outside contractual performance, or a secondary use that needs notification and opt-out, the team should not rely on a generic deemed-consent statement.

Deemed consent by conduct fits narrow, obvious situations: for example, a person provides payment details to pay, proceeds with a health check after being told what tests involve, or gives contact details so a taxi booking can be confirmed. It should not be stretched to unrelated marketing or secondary analytics just because the organisation already has the data.

Deemed consent by contractual necessity covers disclosures and downstream processing that are reasonably necessary to conclude or perform the transaction with the individual. Examples in the guidance include payment processing chains, GIRO and tax-relief processing, and delivery partners needed to fulfil an e-commerce purchase.

Before using deemed consent by notification, the team should write a purpose-specific assessment. PDPC's Annex B checklist says the assessment should minimally cover the purpose, the appropriateness of notification, the reasonableness of the opt-out mode and period, likely adverse effects, and the final decision outcome.

The notification should bring the intended collection, use, or disclosure, the purpose, and the opt-out method and period to the individual's attention. Direct channels such as email, SMS, push notification, portal notice, or regular customer communications are stronger when they are likely to reach the affected individuals; mass communication needs stronger justification.

For deemed consent by notification, the assessment must identify likely adverse effects, mitigation measures, and any residual adverse effects. PDPC guidance describes adverse effect broadly, including physical harm, harassment, serious alarm, distress, and decisions or predictions that may affect individuals.

If residual adverse effects remain after mitigation, the organisation should not rely on deemed consent by notification for that purpose. Keep the assessment for the whole period during which the organisation collects, uses, or discloses personal data based on that deemed-consent route.

For deemed consent by notification, the individual must be given a reasonable way and period to opt out before the processing starts. If the individual opts out within that period, do not start the notified collection, use, or disclosure for that individual.

After the opt-out period has passed, an individual can still withdraw consent. The organisation should allow and facilitate withdrawal, explain likely consequences, cease the relevant collection, use, or disclosure, and cause its data intermediaries and agents to cease unless continued processing is required or authorised under the PDPA or another written law.

No. PDPC guidance states that the Personal Data Protection Regulations 2021 prescribe that deemed consent by notification does not apply to sending direct marketing messages. Teams should use express opt-in consent for direct marketing rather than relying on opt-out or pre-checked boxes.

For specified marketing messages sent to Singapore telephone numbers by voice call, text, or fax, the DNC provisions also apply. The sender must check the relevant DNC Register unless it has clear and unambiguous consent in evidential form from the user or subscriber, and the message must include sender identification and contact information.