---
title: "Singapore PDPA FAQ: scope, DPO, consent, breaches and DNC"
canonical_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/faq"
source_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/faq/items/page/2"
author: "Sorena AI"
description: "FAQ answers for Singapore PDPA implementation, covering scope, accountability, consent, access and correction, security, retention, transfers, data intermediaries, breach notification, and DNC checks."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Singapore PDPA FAQ"
  - "PDPC guidance"
  - "data protection officer Singapore"
  - "PDPA breach notification"
  - "DNC Registry"
  - "Singapore PDPA"
  - "PDPC"
  - "Data protection"
---

# Singapore PDPA FAQ: scope, DPO, consent, breaches and DNC

FAQ answers for Singapore PDPA implementation, covering scope, accountability, consent, access and correction, security, retention, transfers, data intermediaries, breach notification, and DNC checks.


## Singapore PDPA FAQ

Answer recurring Singapore PDPA questions with grounded implementation language for product, privacy, security, support, vendor, and marketing work.

The FAQ focuses on operational rules supported by PDPC, DNC Registry, Singapore Statutes Online, and ASEAN transfer guidance.

This Singapore PDPA FAQ summarizes the practical questions teams usually need to answer before collecting personal data, changing a privacy notice, appointing a DPO, responding to a request, using a data intermediary, transferring data overseas, assessing a breach, or running telemarketing checks.

## Browse sub-FAQ modules

### [Singapore PDPA anonymisation FAQ](/artifacts/apac/singapore-pdpa/faq/anonymisation.md)

FAQ on anonymisation under the Singapore PDPA: de-identification, pseudonymisation, re-identification risk, when PDPA may no longer apply, and evidence records.

- 3 items

### [Singapore PDPA breach notification thresholds FAQ](/artifacts/apac/singapore-pdpa/faq/breach-thresholds.md)

FAQ on Singapore PDPA notifiable data breach tests: significant harm, significant scale, 500 affected individuals, assessment timing, PDPC notices, and affected-individual notices.

- 6 items

### [Singapore PDPA Data Intermediaries FAQ](/artifacts/apac/singapore-pdpa/faq/data-intermediaries.md)

FAQ guidance on Singapore PDPA data intermediary roles, direct obligations, organisation accountability, contracts, retention, protection, and breach escalation.

- 4 items

### [Singapore PDPA Deemed Consent FAQ](/artifacts/apac/singapore-pdpa/faq/deemed-consent.md)

FAQ on Singapore PDPA deemed consent by conduct, contractual necessity, notification, opt-out periods, adverse-effect assessment, withdrawal, and direct-marketing limits.

- 6 items

### [Singapore PDPA DNC checking FAQ: when to check the DNC Registry](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md)

FAQ guidance on Singapore PDPA DNC checking: when to check the DNC Registry, which registers apply, 8-digit numbers, 21-day result validity, consent evidence, on-behalf checks, opt-outs, and supported exclusions.

- 5 items

### [Singapore PDPA DPIAs: when to run and what to document](/artifacts/apac/singapore-pdpa/faq/dpias.md)

FAQ-style implementation guidance on Singapore PDPA DPIAs, including when PDPC guidance recommends them, data-flow mapping, risk treatment, DPO review, and evidence records.

- 5 items

### [Singapore PDPA DPMP Accountability FAQ | DPO, Policies, Evidence](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md)

FAQ for implementing Singapore PDPA accountability through a DPMP: DPO designation, policies, evidence, training, monitoring, incident logs, and review records.

- 6 items

### [Singapore PDPA legitimate interests FAQ](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md)

FAQ guidance on Singapore PDPA legitimate interests: assessment fields, adverse effects, mitigation, balancing, disclosure, records, and marketing limits.

- 4 items

### [Singapore PDPA NRIC Handling FAQ](/artifacts/apac/singapore-pdpa/faq/nric-handling.md)

FAQ guidance on when Singapore organisations may collect, use, disclose, retain, mask, or replace NRIC and other national identification numbers under PDPC guidance.

- 6 items

### [Singapore PDPA transfer clauses FAQ](/artifacts/apac/singapore-pdpa/faq/transfer-clauses.md)

FAQ guidance on Singapore PDPA transfer clauses, comparable protection, ASEAN MCCs, APEC CBPR and PRP certifications, onward transfers, and evidence records.

- 6 items

Browse all indexed questions: [/artifacts/apac/singapore-pdpa/faq/items](/artifacts/apac/singapore-pdpa/faq/items.md)

## All FAQ items

*Page 2 of 3. Showing 20 of 51 items.*

### [Which DNC registers and telephone-number format should campaign systems use?](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md#which-dnc-registers-and-telephone-number-format-should-campaign-systems-use)

*Module: [Singapore PDPA DNC checking FAQ: when to check the DNC Registry](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md)*

Route the campaign channel to the matching register: No Voice Call Register for phone calls, No Text Message Register for texts including SMS and MMS, and No Fax Message Register for faxes. PDPC's business-rules page also says submitted numbers are checked against all three registers, so store the per-register status instead of reducing the result to a single allowed or blocked flag.

- Store the original campaign channel, the submitted 8-digit number, the DNC result for each register, and any rejected-number reason.
- Do not treat a rejected or invalid-format number as approved for sending.
- Use the result receipt timestamp to calculate the end of the 21-day validity window for that campaign run.

Sources for this answer:

- [PDPC DNC Registry Business Rules](https://www.pdpc.gov.sg/Overview-of-PDPA/Do-Not-Call-Registry/Business-Owner/Do-Not-Call-Registry-Business-Rules?ref=sorena.io) - Supports the register names, accepted 8-digit Singapore number format, Small Number Lookup, Bulk Filtering, and returned result files.
- [Personal Data Protection (Do Not Call Registry) Regulations 2013](https://sso.agc.gov.sg/SL/PDPA2012-S709-2013?ref=sorena.io) - Supports the statutory register definitions for No Fax Message, No Text Message, and No Voice Call registers.

### [What consent evidence can replace a DNC check for a Singapore telephone number?](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md#what-consent-evidence-can-replace-a-dnc-check-for-a-singapore-telephone-number)

*Module: [Singapore PDPA DNC checking FAQ: when to check the DNC Registry](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md)*

Consent can replace a DNC check only when it is clear, unambiguous, tied to the Singapore telephone number and message channel, and evidenced in written or other retrievable form. A broad marketing-purpose clause or a customer's failure to opt out is weak support if it does not clearly say that specified messages will be sent to the number.

- Keep the consent statement, channel scope, number captured, positive action, timestamp, and source system.
- For third-party leads, keep evidence showing the individual consented to this sender sending specified messages to that number, or run the DNC check before sending.
- Do not infer clear and unambiguous consent from silence, pre-ticked assumptions, or generic marketing wording.

Sources for this answer:

- [PDPC Advisory Guidelines on the Do Not Call Provisions](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-do-not-call-provisions?ref=sorena.io) - Supports consent evidence expectations, including retrievable written or electronic records and retention while relying on consent.
- [PDPC DNC Registry and Your Business](https://www.pdpc.gov.sg/overview-of-pdpa/do-not-call-registry/business-owner/do-not-call-registry-and-your-business?ref=sorena.io) - Supports the exception where the organisation has the recipient's clear and unambiguous consent to receive marketing messages.

### [How should teams handle on-behalf checks, vendors, and third-party checkers?](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md#how-should-teams-handle-on-behalf-checks-vendors-and-third-party-checkers)

*Module: [Singapore PDPA DNC checking FAQ: when to check the DNC Registry](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md)*

If an account holder checks the DNC Registry on behalf of another organisation, PDPC's business-rules page says the organisation names should be indicated during account creation and can be amended later. For bulk filtering, retain the On Behalf List output because it records the organisations on whose behalf the check was conducted at submission time.

- Contractually require vendors to use the correct campaign channel, DNC register result, and 21-day validity window.
- Keep the on-behalf declaration and output with the campaign approval record.
- Escalate any campaign where the brand, agency, and call centre disagree about who authorised the message or which entity's consent evidence is being relied on.

Sources for this answer:

- [PDPC DNC Registry Business Rules](https://www.pdpc.gov.sg/Overview-of-PDPA/Do-Not-Call-Registry/Business-Owner/Do-Not-Call-Registry-Business-Rules?ref=sorena.io) - Supports account setup for checks conducted on behalf of other organisations and the On Behalf List bulk-filtering output.
- [PDPC Advisory Guidelines on the Do Not Call Provisions](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-do-not-call-provisions?ref=sorena.io) - Supports sender responsibility for persons who send, cause, or authorise specified messages.
- [PDPC DNC Registry and Your Business](https://www.pdpc.gov.sg/overview-of-pdpa/do-not-call-registry/business-owner/do-not-call-registry-and-your-business?ref=sorena.io) - Supports caution around third-party checkers and the need for accurate result and expiry information.

### [How should opt-outs and excluded messages affect DNC checking?](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md#how-should-opt-outs-and-excluded-messages-affect-dnc-checking)

*Module: [Singapore PDPA DNC checking FAQ: when to check the DNC Registry](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md)*

Opt-outs must be handled separately from DNC checking. PDPC's business page says organisations must provide opt-out information using the same medium and have 21 days after receiving an opt-out request to ensure marketing messages are no longer sent to the individual's telephone number.

- Keep opt-out source, timestamp, channel, number, sender, and scope so suppression rules match the request.
- Classify service, survey, charitable, religious, and B2B messages before campaign launch, and reclassify if promotional copy is added.
- For ongoing-relationship text or fax exemptions, verify the supported conditions before relying on them, including whether the recipient has withdrawn consent, opted out, or otherwise indicated no consent.

Sources for this answer:

- [PDPC DNC Registry and Your Business](https://www.pdpc.gov.sg/overview-of-pdpa/do-not-call-registry/business-owner/do-not-call-registry-and-your-business?ref=sorena.io) - Supports opt-out handling, covered message types, and PDPC's listed exception examples for business users.
- [PDPC Advisory Guidelines on the Do Not Call Provisions](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-do-not-call-provisions?ref=sorena.io) - Supports the caution that an excluded-purpose message can still become a specified message if it includes non-excluded marketing content.
- [Personal Data Protection (Exemption from section 43) Order 2013](https://sso.agc.gov.sg/SL-Supp/S817-2013/Published/20131227170000?ref=sorena.io) - Supports the limited exemption for specified fax or text messages in an ongoing relationship and the opt-out conditions attached to that exemption.
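A gating function for a single campaign send, added here as an example and not code from Sorena or PDPC. It combines the register routing, the 8-digit number format and the 21-day result validity from the register question above with the separate opt-out and consent-evidence rules from the later answers; the result, opt-out and consent record shapes, the field names, the country-code stripping and the sample numbers are constructed assumptions, not the PDPC result-file format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Channel -> register routing from the FAQ (SMS and MMS both use the text register).
CHANNEL_REGISTER = {
    "voice": "No Voice Call Register",
    "sms": "No Text Message Register",
    "mms": "No Text Message Register",
    "fax": "No Fax Message Register",
}
RESULT_VALIDITY = timedelta(days=21)  # a DNC result is valid for 21 days from receipt
OPT_OUT_GRACE = timedelta(days=21)    # 21 days after an opt-out is received to stop sending


def normalise_number(raw):
    """Return the 8-digit Singapore number, or None when the format is not accepted.
    Callers must treat None as rejected, never as approved for sending."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10 and digits.startswith("65"):  # assumption: strip a "65" prefix
        digits = digits[2:]
    return digits if re.fullmatch(r"\d{8}", digits) else None


@dataclass(frozen=True)
class DncResult:
    """Per-register outcome for one submitted number (record shape constructed here)."""
    number: str
    received_at: datetime
    listed: dict  # register name -> True when the number is on that register

@dataclass(frozen=True)
class OptOut:
    """Opt-out request from the suppression list (constructed shape)."""
    number: str
    channel: str  # "voice", "sms", "mms", "fax" or "all"
    received_at: datetime

@dataclass(frozen=True)
class ConsentEvidence:
    """Clear and unambiguous consent tied to one number and one channel (constructed)."""
    number: str
    channel: str
    statement: str
    captured_at: datetime
    source_system: str


def decide_send(channel, raw_number, now, results, opt_outs, consents):
    """Gate one message and return a record suitable for the campaign audit trail."""
    register = CHANNEL_REGISTER.get(channel)
    record = {"channel": channel, "raw_number": raw_number, "number": None,
              "register": register, "decision": "reject", "reason": None,
              "result_expires_at": None, "opt_out_deadline": None}
    if register is None:
        record["reason"] = "unknown_channel"
        return record
    number = normalise_number(raw_number)
    if number is None:
        record["reason"] = "invalid_format"  # rejected, never approved
        return record
    record["number"] = number
    # 1. Opt-outs are handled separately from the DNC check: suppress as soon as the
    #    request is received and keep the 21-day deadline for tracking.
    for o in opt_outs:
        if o.number == number and o.channel in (channel, "all") and o.received_at <= now:
            record.update(decision="suppress", reason="opted_out",
                          opt_out_deadline=o.received_at + OPT_OUT_GRACE)
            return record
    # 2. Consent evidence replaces the check only when it matches number AND channel.
    for c in consents:
        if c.number == number and c.channel == channel and c.captured_at <= now:
            record.update(decision="allow", reason="consent:" + c.source_system)
            return record
    # 3. Otherwise an unexpired result for the matching register is required.
    latest = max((r for r in results if r.number == number and r.received_at <= now),
                 key=lambda r: r.received_at, default=None)
    if latest is None or now - latest.received_at > RESULT_VALIDITY:
        record.update(decision="recheck", reason="no_valid_dnc_result")
        return record
    record["result_expires_at"] = latest.received_at + RESULT_VALIDITY
    if latest.listed.get(register, True):  # a missing register status counts as listed
        record.update(decision="block", reason="listed:" + register)
    else:
        record.update(decision="allow", reason="clear:" + register)
    return record


# Constructed sample data (not real numbers and not PDPC output).
T0 = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_RESULTS = [DncResult("91234567", T0, {"No Voice Call Register": True,
                                             "No Text Message Register": False,
                                             "No Fax Message Register": False})]
SAMPLE_OPT_OUTS = [OptOut("98765432", "sms", T0)]
SAMPLE_CONSENTS = [ConsentEvidence("98765432", "voice", "Yes, call me about offers",
                                   T0, "crm")]


def decide_sample(channel, raw_number, days_after):
    """Run decide_send against the sample data, `days_after` days after T0."""
    return decide_send(channel, raw_number, T0 + timedelta(days=days_after),
                       SAMPLE_RESULTS, SAMPLE_OPT_OUTS, SAMPLE_CONSENTS)
```

The returned record carries the per-register outcome, the result expiry and the opt-out deadline so the campaign log keeps the evidence the answers above ask for rather than a single allowed or blocked flag.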

### [Are DPIAs mandatory under the Singapore PDPA?](/artifacts/apac/singapore-pdpa/faq/dpias.md#are-dpias-mandatory-under-the-singapore-pdpa)

*Module: [Singapore PDPA DPIAs: when to run and what to document](/artifacts/apac/singapore-pdpa/faq/dpias.md)*

PDPC guidance does not frame a DPIA as a standalone statutory obligation where failing to run one is automatically a PDPA breach. The guidance says organisations may use DPIAs, Data Protection by Design, and Data Protection Management Programmes to demonstrate accountability in appropriate circumstances.

- Do not describe DPIAs as a universal PDPA filing requirement unless a separate sector, contract, customer, or internal policy requires one.
- Do run a DPIA where the project needs a defensible record of personal data risks, controls, risk owners, and approvals.
- Use the DPIA to show how privacy-by-design controls were considered before the system, process, product, or service was implemented.

Sources for this answer:

- [Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Supports the distinction that DPIAs and DPbD are accountability measures in appropriate circumstances, not standalone automatic breach triggers.
- [Guide to Data Protection Impact Assessments](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/other-guides/dpia/guide-to-data-protection-impact-assessments-14-sep-2021.pdf?ref=sorena.io) - Explains that a DPIA identifies, assesses, and addresses personal data protection risks for an organisation's functions, needs, and processes.

### [When should a team conduct or refresh a Singapore PDPA DPIA?](/artifacts/apac/singapore-pdpa/faq/dpias.md#when-should-a-team-conduct-or-refresh-a-singapore-pdpa-dpia)

*Module: [Singapore PDPA DPIAs: when to run and what to document](/artifacts/apac/singapore-pdpa/faq/dpias.md)*

PDPC guidance points to DPIAs when a new system or process handles personal data, when an existing system or process is substantially redesigned, when the organisation starts collecting new types of personal data, or when organisational changes affect the department handling personal data.

- Trigger the DPIA intake before design is finalised, because retrofitting controls after implementation can increase cost and effort.
- Run one DPIA for similar projects only when their purpose, scope, and context are similar enough for the same assessment to be meaningful.
- Refresh the DPIA when new data touchpoints, vendors, purposes, technologies, or processing steps change the personal data risk assessment.

Sources for this answer:

- [Guide to Data Protection Impact Assessments](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/other-guides/dpia/guide-to-data-protection-impact-assessments-14-sep-2021.pdf?ref=sorena.io) - Identifies new systems, new processes, substantial redesigns, new data types, and risk changes as situations where DPIAs should be conducted or reviewed.
- [Guide to Developing a Data Protection Management Programme](https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme?ref=sorena.io) - Supports using DPIAs within a broader governance and risk programme, including review when systems, processes, business models, or external conditions change.

### [What should the DPIA cover for personal data and data flows?](/artifacts/apac/singapore-pdpa/faq/dpias.md#what-should-the-dpia-cover-for-personal-data-and-data-flows)

*Module: [Singapore PDPA DPIAs: when to run and what to document](/artifacts/apac/singapore-pdpa/faq/dpias.md)*

The DPIA should start with the concrete system or process. Record the project description, the scope of the assessment, the parties involved, and the methodology for rating risks. Then identify the personal data handled, why it is collected, who can access it, where and how it is stored, how it is used, who it is disclosed or transferred to, how long it is retained, and how it is disposed of.

- Map collection points, notice and consent touchpoints, compulsory and optional fields, and the purpose for each type of personal data.
- Map internal users, access levels, databases, files, manual handling, vendor disclosures, overseas transfers, retention periods, and disposal methods.
- Attach project plans, contracts, functional specifications, security assessments, screenshots, workflow diagrams, and vendor documents used to verify the data flow.

Sources for this answer:

- [Guide to Data Protection Impact Assessments](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/other-guides/dpia/guide-to-data-protection-impact-assessments-14-sep-2021.pdf?ref=sorena.io) - Sets out the DPIA phase for identifying personal data and mapping personal data flows across the project lifecycle.
- [Data Flow Illustration](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/other-guides/dpmp/data-flow-illustration-pdf-v2.pdf?ref=sorena.io) - Supports using lifecycle stages such as collection, storage, use, disclosure, transfer, archival, and disposal when documenting data flows.

### [How should teams assess and treat risks in a Singapore PDPA DPIA?](/artifacts/apac/singapore-pdpa/faq/dpias.md#how-should-teams-assess-and-treat-risks-in-a-singapore-pdpa-dpia)

*Module: [Singapore PDPA DPIAs: when to run and what to document](/artifacts/apac/singapore-pdpa/faq/dpias.md)*

After the data flow is mapped, assess the project against PDPA requirements and data protection best practices. PDPC's sample questions cover consent, notification, purpose limitation, accuracy, access and correction, protection, third-party disclosure, overseas transfer, retention, disposal, breach response, and accountability.

- Use likelihood and impact criteria that fit the organisation, and document why the selected risk rating is appropriate.
- Treat high-priority risks with concrete controls such as consent withdrawal processes, access controls, encryption, security review, vendor contract terms, retention schedules, or staff training.
- Do not leave a DPIA at issue discovery; assign action owners and implementation timelines, then monitor whether the actions actually address the risk.

Sources for this answer:

- [Guide to Data Protection Impact Assessments](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/other-guides/dpia/guide-to-data-protection-impact-assessments-14-sep-2021.pdf?ref=sorena.io) - Supports using a risk framework, assessing PDPA and best-practice gaps, and creating an action plan with owners, timelines, and monitoring.
- [Guide to Developing a Data Protection Management Programme](https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme?ref=sorena.io) - Connects DPIA outputs to risk registers, controls, monitoring, reporting, and remediation plans under a data protection management programme.

### [Who should review a Singapore PDPA DPIA and what evidence should be kept?](/artifacts/apac/singapore-pdpa/faq/dpias.md#who-should-review-a-singapore-pdpa-dpia-and-what-evidence-should-be-kept)

*Module: [Singapore PDPA DPIAs: when to run and what to document](/artifacts/apac/singapore-pdpa/faq/dpias.md)*

PDPC guidance says an effective DPIA should involve relevant stakeholders, and the DPIA lead should ideally be the project manager or the organisation's Data Protection Officer. The DPO advises throughout the process, helps define and apply the risk assessment framework, reviews the DPIA report before management submission, and assists with review when personal data risks change.

- Assign a DPIA lead, DPO reviewer, management approver, and action owners for legal, security, product, operations, vendor, and customer-facing changes.
- Record DPO comments and management approval before implementation where the DPIA produces a material action plan.
- Update the record when risk changes, not only on a fixed review date.

Sources for this answer:

- [Guide to Data Protection Impact Assessments](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/other-guides/dpia/guide-to-data-protection-impact-assessments-14-sep-2021.pdf?ref=sorena.io) - Supports DPO involvement, DPO review of the DPIA report, management approval, action owner implementation, and later review when risks change.
- [Guide to Developing a Data Protection Management Programme](https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme?ref=sorena.io) - Supports embedding data protection into business processes from the earliest project design stage and throughout the project lifecycle.

### [What does Singapore PDPA accountability require in a DPMP?](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md#what-does-singapore-pdpa-accountability-require-in-a-dpmp)

*Module: [Singapore PDPA DPMP Accountability](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md)*

It requires more than a privacy notice. An organisation should designate one or more individuals responsible for PDPA compliance, develop and implement the necessary data protection policies and practices, make information about those policies and practices available, train staff, and keep the programme under monitoring and review.

- Name the DPO or DPO team, their reporting line, and the senior management owner who can remove blockers.
- Keep internal policies for staff and operational teams, plus external-facing information that individuals can use to understand practices and complaints handling.
- Maintain evidence that policies were approved, communicated, implemented, monitored, and reviewed.

Sources for this answer:

- [PDPC Guide to Developing a Data Protection Management Programme](https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme?ref=sorena.io) - Supports the DPMP structure, including governance, policies, processes, maintenance, DPO role, risk monitoring, training, and incident records.
- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Explains the Accountability Obligation, including DPO designation, policies and practices, staff training, complaints handling, and public availability of policy information.

### [How should an organisation designate and evidence its DPO?](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md#how-should-an-organisation-designate-and-evidence-its-dpo)

*Module: [Singapore PDPA DPMP Accountability](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md)*

Record the DPO designation as a governance decision, not just an email alias. The record should identify at least one designated individual, the responsibilities delegated to any DPO team or outsourced DPO function, the reporting line to senior management, and the business contact information made available for PDPA queries.

- Keep an appointment record naming the DPO, back-up contact, reporting line, and scope of authority.
- Publish or otherwise make available the relevant business contact information for PDPA questions and complaints.
- Keep role descriptions for common DPO support functions such as access and correction request handling, incident response, department representatives, communications, legal, and internal audit support where used.

Sources for this answer:

- [Personal Data Protection Act 2012](https://sso.agc.gov.sg/Act/PDPA2012?ref=sorena.io) - Supports the legal basis for organisational responsibility, DPO designation, and making business contact information available.
- [PDPC Guide to Developing a Data Protection Management Programme](https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme?ref=sorena.io) - Supports practical DPO governance, senior-management reporting, outsourced DPO oversight, and example DPO team responsibilities.

### [What should DPMP policies and data inventories cover?](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md#what-should-dpmp-policies-and-data-inventories-cover)

*Module: [Singapore PDPA DPMP Accountability](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md)*

DPMP policies should answer the operational questions staff, vendors, customers, and reviewers expect: which personal datasets the policy applies to, why the organisation handles the data, who handles it, which third parties receive it, how queries and requests are handled, how protection and retention work, how incidents are managed, when DPIAs are conducted, and how exceptions are escalated.

- Keep policy fields for dataset, purpose, audience, owner, approver, review frequency, roles, third-party sharing, protection measures, retention, incident handling, DPIA triggers, and exceptions.
- Keep data inventory fields for department, personal data type, collection purpose, data owner, source, collection medium, users, access, external disclosure, transfer, storage, retention, and disposal.
- Keep a risk register that links each risk to the affected data flow, risk rating, owner, control, remediation action, and status.

Sources for this answer:

- [PDPC Guide to Developing a Data Protection Management Programme](https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme?ref=sorena.io) - Supports DPMP policy contents, data inventory maps, data-flow diagrams, consent registers, risk registers, and control implementation.
- [PDPC Accountability Within an Organisation](https://www.pdpc.gov.sg/help-and-resources/2021/09/accountability/accountability-within-an-organisation?ref=sorena.io) - Supports the four accountability steps: governance and risk assessment, policies and practices, processes, and review.

### [How should training, monitoring, and management reporting work?](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md#how-should-training-monitoring-and-management-reporting-work)

*Module: [Singapore PDPA DPMP Accountability](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md)*

Training should match job role and lifecycle stage. PDPC's DPMP guide supports onboarding briefings for all staff, in-depth training for staff handling personal data, additional training when job scope changes, ongoing refreshers, and communications when policies or processes change.

- Keep a training matrix by audience: board, senior management, all staff, staff handling personal data, DPO team, and staff with changed responsibilities.
- Track training date, trigger, audience, topic, materials, completion evidence, and follow-up actions.
- Use management reports for policy changes, DPIA or PATO results, existing and new risks, risk ratings, remedial measures, audit plans, incidents, and unresolved issues.

Sources for this answer:

- [PDPC Guide to Developing a Data Protection Management Programme](https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme?ref=sorena.io) - Supports role-based PDPA training, awareness communications, DPO risk monitoring, and quarterly or annual management reporting examples.

### [What incident logs and review triggers should the DPMP keep?](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md#what-incident-logs-and-review-triggers-should-the-dpmp-keep)

*Module: [Singapore PDPA DPMP Accountability](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md)*

The DPMP should include a breach management process and an incident record log. PDPC's DPMP guide describes a process for containing a breach, assessing risk, reporting the incident, and evaluating the response and recovery to prevent future breaches. It also says the DPO may document data incidents and breaches in an incident record log.

- Keep incident log fields for incident date, reporter, affected dataset, suspected cause, containment action, risk assessment, notification analysis, remediation owner, status, and lessons learned.
- Trigger an ad-hoc policy review for major incidents, law or regulator changes, organisational restructuring, mergers and acquisitions, and material process changes.
- Use periodic reviews for scheduled policy refreshes, batches of minor incidents, low-impact process changes, and updates such as DPO business contact information.

Sources for this answer:

- [PDPC Guide to Developing a Data Protection Management Programme](https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme?ref=sorena.io) - Supports incident record logs, breach management activities, policy review triggers, audit structure, and monitoring of internal and external changes.

### [Which evidence records best show Singapore PDPA accountability?](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md#which-evidence-records-best-show-singapore-pdpa-accountability)

*Module: [Singapore PDPA DPMP Accountability](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md)*

The strongest evidence is a connected record set that shows the DPMP is owned, implemented, monitored, and revised. Keep records that link governance decisions to operational controls instead of storing policies separately from inventories, incidents, training, and management reports.

- Governance evidence: DPO appointment, reporting line, senior management oversight, committee minutes, and DPO contact publication evidence.
- Operating evidence: approved policies, data inventory or data-flow diagram, consent register where used, risk register, DPIA or PATO outputs, vendor/data intermediary controls, and access control reviews.
- Assurance evidence: training records, staff communications, incident logs, management reports, audit findings, remediation plans, policy review notes, stakeholder notifications, and external validation if pursued.

Sources for this answer:

- [PDPC Guide to Developing a Data Protection Management Programme](https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme?ref=sorena.io) - Supports evidence categories across DPO governance, policies, inventories, registers, controls, monitoring, reporting, incidents, audits, and DPMP validation.
- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Supports keeping evidence that the organisation developed and implemented necessary policies and practices and made policy information available.

### [When can an organisation rely on legitimate interests under the Singapore PDPA?](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md#when-can-an-organisation-rely-on-legitimate-interests-under-the-singapore-pdpa)

*Module: [Singapore PDPA legitimate interests](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md)*

An organisation may rely on the Singapore PDPA legitimate interests exception to collect, use, or disclose personal data without consent only where the identified legitimate interests of the organisation or another person outweigh any adverse effect on the individual.

- Start by confirming that personal data is being collected, used, or disclosed and that no more specific written-law basis or consent exception better fits the facts.
- Describe the legitimate interest and direct benefits, including who benefits and what negative impact may arise if the activity cannot be carried out.
- Do not use the general legitimate interests exception for the purpose of sending marketing messages.

Sources for this answer:

- [PDPA's framework for collection, use and disclosure of personal data](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-a--pdpas-framework-for-the-collection-use-and-disclosure-of-personal-data-1-feb-2021.pdf?ref=sorena.io) - Shows legitimate interests as an exception to consent and states that the general exception applies to collection, use, and disclosure subject to assessment and marketing-message limits.
- [Assessment checklist for legitimate interests exception](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-c--assessment-checklist-for-legitimate-interests-exception-1-feb-2021.pdf?ref=sorena.io) - Supports the core rule that identified legitimate interests must outweigh adverse effects on individuals and that organisations should document the assessment.

### [What fields should a Singapore PDPA legitimate interests assessment include?](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md#what-fields-should-a-singapore-pdpa-legitimate-interests-assessment-include)

*Module: [Singapore PDPA legitimate interests](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md)*

A useful assessment should mirror the PDPC checklist: define the context and purpose, list the personal data types, describe the collection, use, or disclosure, state whether the activity is one-off or continuous, identify the benefits, assess sensitivity and reasonableness, and document likely adverse effects.

- Purpose field: the legitimate interest, objective, personal data types, processing method, and one-off or continuous occurrence.
- Benefit field: direct benefits to the organisation, another person, customers, employees, the public, a sector, or another identified group.
- Reasonableness field: the extent of collection, sensitivity of the data, reasonableness of the purpose, and whether the same aim can be achieved with less identifiable data.

Sources for this answer:

- [Assessment checklist for legitimate interests exception](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-c--assessment-checklist-for-legitimate-interests-exception-1-feb-2021.pdf?ref=sorena.io) - Provides the assessment fields for purpose, data types, collection/use/disclosure method, activity frequency, benefits, sensitivity, and reasonableness.

### [How should teams assess adverse effects, mitigation, residual effects, and the balancing test?](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md#how-should-teams-assess-adverse-effects-mitigation-residual-effects-and-the-balancing-test)

*Module: [Singapore PDPA legitimate interests](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md)*

The assessment should name reasonably foreseeable adverse effects on individuals, including financial, social, physical, or psychological effects. It should also check whether other datasets will be used to make predictions or decisions, whether those predictions or decisions could exclude, discriminate against, defame, or harm an individual, and the likelihood and severity of the impact.

- Adverse-effect field: foreseeable harm type, affected individuals, datasets used, decision or prediction impact, likelihood, severity, and social-norm context.
- Mitigation field: data minimisation, access limits, review controls, notice/contact channels, exclusion rules, or other measures tied to the specific adverse effect.
- Balancing field: a written evaluation of benefits against residual adverse effects, followed by a clear yes/no decision on whether the exception can be relied on for this purpose.

Sources for this answer:

- [Assessment checklist for legitimate interests exception](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-c--assessment-checklist-for-legitimate-interests-exception-1-feb-2021.pdf?ref=sorena.io) - Lists adverse-effect, mitigation, residual-effect, and balancing-test questions, including prediction harms and the requirement to justify the balancing outcome.

### [What disclosure and records should teams keep when relying on legitimate interests?](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md#what-disclosure-and-records-should-teams-keep-when-relying-on-legitimate-interests)

*Module: [Singapore PDPA legitimate interests](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md)*

The PDPA framework says organisations relying on the general legitimate interests exception should provide individuals reasonable access to information on the organisation's reliance on the exception. The assessment checklist also asks how the organisation provided contact details for someone who can give individuals more information about the collection, use, or disclosure.

- Individual-facing disclosure: explain reliance on legitimate interests and provide a contact route for more details about the collection, use, or disclosure.
- Internal record: keep the completed assessment and the source-linked justification for each yes/no answer that affects the outcome.
- Approval record: capture outcome date, preparer, endorsement, and agreement by management with sufficient authority.

Sources for this answer:

- [PDPA's framework for collection, use and disclosure of personal data](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-a--pdpas-framework-for-the-collection-use-and-disclosure-of-personal-data-1-feb-2021.pdf?ref=sorena.io) - Supports the requirement to provide individuals reasonable access to information about reliance on the general legitimate interests exception.
- [Assessment checklist for legitimate interests exception](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/annex-c--assessment-checklist-for-legitimate-interests-exception-1-feb-2021.pdf?ref=sorena.io) - Supports keeping a documented assessment with outcome date, completion, endorsement, and management agreement fields.

### [When may an organisation collect, use, or disclose a full NRIC number under Singapore PDPA guidance?](/artifacts/apac/singapore-pdpa/faq/nric-handling.md#when-may-an-organisation-collect-use-or-disclose-a-full-nric-number-under-singapore-pdpa-guidance)

*Module: [Singapore PDPA NRIC Handling](/artifacts/apac/singapore-pdpa/faq/nric-handling.md)*

For private-sector use, PDPC's NRIC FAQs say organisations should collect, use, or disclose NRIC numbers or copies of NRIC only where the collection, use, or disclosure is required by law, or where it is necessary to establish or verify an individual's identity to a high degree of accuracy.

- Allowed trigger: a written law requires the collection, use, or disclosure.
- Allowed trigger: the service genuinely needs high-accuracy identity establishment or verification.
- Not enough: convenience, legacy database design, duplicate-account prevention, loyalty programme membership, or using NRIC as a username.

Sources for this answer:

- [PDPC NRIC FAQs](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-personal-data-protection-act-for-nric-and-other-national-identification-numbers/nric-faqs?ref=sorena.io) - Supports the two permitted bases for collecting, using, or disclosing full NRIC numbers or NRIC copies.
- [PDPC advisory guidelines for NRIC and other national identification numbers](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-personal-data-protection-act-for-nric-and-other-national-identification-numbers?ref=sorena.io) - Identifies the PDPC guidance as covering collection, use, disclosure, and physical NRIC retention.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/apac/singapore-pdpa/faq/items](/artifacts/apac/singapore-pdpa/faq/items.md)
- Current page: 2 of 3

Pages: [1](/artifacts/apac/singapore-pdpa/faq/items.md) | [2](/artifacts/apac/singapore-pdpa/faq/items/page/2.md) | [3](/artifacts/apac/singapore-pdpa/faq/items/page/3.md)

[Previous page](/artifacts/apac/singapore-pdpa/faq/items.md) | [Next page](/artifacts/apac/singapore-pdpa/faq/items/page/3.md)

*Recommended next step*


## Turn Singapore PDPA FAQ answers into operating controls

Use the FAQ answers to assign DPO ownership, update notices and consent records, review vendors and transfers, and prepare breach and DNC evidence.

- [Open Assessment Autopilot for Singapore PDPA](/solutions/assessment.md): Convert scope, consent, transfer, breach, and DNC questions into evidence requests and review tasks.
- [Review Singapore PDPA source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up PDPA questions with cited source material.
- [Talk through implementation](/contact.md): Review PDPA scope, DPO accountability, vendor controls, breach handling, and marketing checks with Sorena.

---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/apac/singapore-pdpa/faq/items/page/2
