
Singapore PDPA requirements

A practical map of the core Singapore PDPA requirements teams need to implement across customer journeys, systems, vendors, marketing, and breach response.

Use this page to assign owners and evidence for consent, notification, purpose limitation, access, correction, accuracy, protection, retention, transfer limitation, accountability, breach notification, DNC checks, and data intermediary boundaries.

Author: Sorena AI
Published: May 9, 2026
Updated: May 17, 2026
Sections: 4

Overview

The Singapore PDPA requirements should be implemented as a lifecycle control set, not as a single privacy notice task. They generally apply to organisations that collect, use, or disclose personal data in Singapore; data intermediaries have a narrower set of direct obligations; and the PDPA generally does not apply to individuals acting on a personal or domestic basis, employees acting in their capacity as employees, or public agencies. For each product flow or business process, record what personal data is collected, why it is used or disclosed, how individuals are notified, which consent or exception is relied on, where the data is stored or transferred, who can change it, how it is protected and deleted, and who is accountable for breach and vendor decisions.

Section 1

Core PDPA obligations to map for each data flow

Start with the PDPC's core data protection obligations. For collection, use, and disclosure, the control record should state the purpose, whether a reasonable person would consider that purpose appropriate, the notification shown to the individual, and the consent, deemed consent, or exception relied on.

Then map the individual-rights and lifecycle controls. Access and correction processes need an intake route, identity checks, response owner, disclosure-history lookup, correction workflow, and exception handling. Accuracy controls should apply where personal data is likely to be used to make decisions affecting individuals or disclosed to another organisation.

Protection, retention, transfer limitation, breach notification, and accountability should be owned outside copy review alone. Security must cover personal data in the organisation's possession or control; retention must stop when the purpose is no longer served and retention is no longer needed for legal or business purposes; overseas transfers need a PDPA-comparable protection basis; and accountability requires policies, procedures, a DPO, complaint handling, and public information about policies and practices.

  • Consent and notification: keep the consent source, notified purpose, withdrawal path, and any deemed-consent or exception assessment with the product or process record.
  • Purpose limitation: reject uses that are not appropriate in the circumstances or not aligned with the purpose notified to the individual where notification is required.
  • Access, correction, and accuracy: maintain a request queue, response evidence, correction logs, and data-quality controls for decisioning and onward disclosure.
  • Protection and retention: link each system or repository to security controls, access restrictions, backup handling, deletion or anonymisation criteria, and legal or business retention reasons.
  • Transfer limitation and accountability: document overseas recipients, contractual or other transfer safeguards, DPO ownership, public policy information, complaint handling, and review triggers.
Section 2

Breach notification and incident evidence

Treat breach notification as an assessment workflow. Once there are credible grounds to believe a data breach occurred, record the first-awareness date, systems and data involved, containment actions, affected-individual estimate, whether prescribed personal data is involved, likely harm, and whether the breach reaches significant scale.

The PDPC guide sets out two notification paths: notify the PDPC where a breach is notifiable, and notify affected individuals where required. A breach involving the personal data of 500 or more individuals is treated as significant scale and is notifiable to the PDPC on that ground alone, even if no prescribed personal data is involved. Where notification to the PDPC is required, the guide states that it must be made as soon as practicable and no later than three calendar days after the organisation determines that the breach is notifiable.

Keep a breach file that can explain the assessment, not just the final yes/no decision. It should include the chronology, root-cause findings, containment and remediation plan, individual-notification plan, late-notification reasons if applicable, and any sectoral regulator or law-enforcement reporting handled separately.

  • Open the assessment when a breach is suspected or confirmed by internal monitoring, a customer, a vendor, or a data intermediary.
  • Assess significant harm, prescribed personal data, and significant scale; escalate if the affected-individual count may be 500 or more.
  • Prepare PDPC notification content before the deadline: awareness circumstances, chronology, cause, affected count, affected data classes, likely harm, mitigation, remediation, and representative contact details.
  • Notify affected individuals as soon as practicable when required, at the same time as or after notifying PDPC, and include practical mitigation steps for the individual.
  • For data intermediaries, require immediate escalation to the organisation so the organisation can assess PDPC and individual notification duties.
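The assessment steps above, carried into working code as an added example; this is not PDPC code and not code from this page. It encodes only the rules stated in the section: a breach is notifiable to the PDPC where it is likely to result in significant harm or reaches significant scale (500 or more individuals), the PDPC notice is due no later than three calendar days after the organisation determines the breach is notifiable, and affected individuals are notified where required, at the same time as or after the PDPC notice. The one assumption, also flagged in the code, is that prescribed personal data is treated as satisfying the significant-harm test, which is how the Notification of Data Breaches Regulations operate; confirm against the current regulations and any applicable exceptions before relying on it. The incidents in `run_sample()` are constructed sample data.

```python
"""Breach-notifiability assessment for the Section 2 workflow.

Added example; not PDPC code and not the page's own code. Rules come from the
text above: notifiable to the PDPC where significant harm is likely or the
breach reaches significant scale (500 or more individuals); PDPC notice due no
later than 3 calendar days after the notifiability determination; individuals
notified where required, at the same time as or after the PDPC notice.

Assumption: prescribed personal data is treated as meeting the significant-harm
test (as the Notification of Data Breaches Regulations do). Confirm against the
current regulations and any applicable exceptions before relying on this.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SIGNIFICANT_SCALE = 500   # affected individuals; from the section above
PDPC_NOTICE_DAYS = 3      # calendar days after the notifiability determination


@dataclass
class BreachAssessment:
    first_awareness: date
    reported_by: str                  # monitoring, customer, vendor or data intermediary
    systems: List[str]
    data_classes: List[str]
    affected_low: int                 # current best estimate of affected individuals
    affected_high: int                # upper bound while the count is still uncertain
    prescribed_data: bool             # prescribed personal data involved?
    likely_significant_harm: bool     # outcome of the harm assessment
    chronology: List[Tuple[date, str]] = field(default_factory=list)

    def log(self, when: date, what: str) -> None:
        """Dated entry for the breach file, which must explain the assessment, not just the result."""
        self.chronology.append((when, what))

    def escalate_for_scale(self) -> bool:
        """Escalate as soon as the count *may* reach significant scale."""
        return self.affected_high >= SIGNIFICANT_SCALE

    def significant_scale(self) -> bool:
        return self.affected_low >= SIGNIFICANT_SCALE

    def significant_harm(self) -> bool:
        # Assumption: prescribed personal data satisfies the significant-harm test.
        return self.prescribed_data or self.likely_significant_harm

    def decide(self, determined_on: date) -> Dict[str, object]:
        """Record the determination and derive who must be notified and by when."""
        notify_pdpc = self.significant_harm() or self.significant_scale()
        # Scale alone triggers the PDPC notice; individuals are notified where
        # significant harm is likely (subject to exceptions the page does not cover).
        notify_individuals = self.significant_harm()
        self.log(determined_on, f"determined notifiable={notify_pdpc}, notify individuals={notify_individuals}")
        return {
            "notify_pdpc": notify_pdpc,
            "notify_individuals": notify_individuals,
            "pdpc_deadline": determined_on + timedelta(days=PDPC_NOTICE_DAYS) if notify_pdpc else None,
            "escalated_for_scale": self.escalate_for_scale(),
            "days_from_awareness": (determined_on - self.first_awareness).days,
        }


def notice_sequence_ok(pdpc_notified: date, individuals_notified: Optional[date]) -> bool:
    """Individuals may be told at the same time as or after the PDPC, never before."""
    return individuals_notified is None or individuals_notified >= pdpc_notified


def run_sample() -> Dict[str, Dict[str, object]]:
    """Two constructed incidents (sample data, not real cases)."""
    # Large leak of contact details escalated by a data intermediary: scale met, no prescribed data.
    scale_only = BreachAssessment(
        first_awareness=date(2026, 5, 12), reported_by="data intermediary",
        systems=["crm-prod"], data_classes=["name", "email", "mobile"],
        affected_low=1200, affected_high=1500,
        prescribed_data=False, likely_significant_harm=False,
    )
    scale_only.log(date(2026, 5, 12), "vendor escalation received; export job disabled")
    # Small exposure including prescribed personal data: harm test met, scale not.
    harm_only = BreachAssessment(
        first_awareness=date(2026, 5, 13), reported_by="monitoring",
        systems=["payroll-db"], data_classes=["name", "account login credentials"],
        affected_low=40, affected_high=40,
        prescribed_data=True, likely_significant_harm=True,
    )
    return {
        "scale_only": scale_only.decide(date(2026, 5, 14)),
        "harm_only": harm_only.decide(date(2026, 5, 15)),
    }


if __name__ == "__main__":
    for name, outcome in run_sample().items():
        print(name, outcome)
```

Keeping the upper-bound estimate separate from the best estimate is what lets the escalation step fire before the count is final, while the determination itself still runs on the best estimate; the chronology list is the record that later explains the timing of that determination.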
Section 3

Data intermediary and vendor boundaries

Classify each vendor or internal service by role before assigning obligations. A data intermediary processes personal data on behalf of and for the purposes of another organisation under a contract. In that role, the PDPA does not apply the full organisation obligation set directly to the data intermediary, but the data intermediary remains responsible for protection, retention limitation, and notifying the organisation of data breaches.

The organisation that decides the purposes and engages the data intermediary remains responsible for the wider PDPA programme. That means it should define the outsourced processing scope, permitted purposes, instructions, security requirements, retention and deletion rules, sub-processing limits, breach escalation route, audit or review rights, and cross-border transfer safeguards in written contractual terms or written evidence of the key terms.

A supplier can move out of the data-intermediary lane if it uses or discloses personal data beyond the customer's instructions. Vendor intake should therefore include a role test, a permitted-use clause, a transfer map, and a breach reporting obligation rather than relying only on the supplier's marketing description.

  • Record whether the party is acting as an organisation, a data intermediary, or both for different processing activities.
  • Keep written scope and instruction evidence for processing operations such as recording, holding, adapting, retrieving, combining, transmitting, erasing, or destroying personal data.
  • Require protection and retention controls from the data intermediary, with operational reporting and review arrangements proportionate to data sensitivity and outsourcing scale.
  • State whether the data intermediary may transfer data overseas or use sub-processors, and require equivalent downstream obligations where sub-processing is allowed.
  • Route access, correction, notification, consent, and purpose decisions back to the organisation unless the contract expressly assigns operational support.
Section 4

Transfers, DNC marketing checks, and operating ownership

For overseas transfers, document the recipient, country or territory, data categories, processing purpose, onward-transfer terms, and the safeguard used to provide protection comparable to the PDPA. The PDPC recognises the ASEAN Model Contractual Clauses as a way to meet the Transfer Limitation Obligation and encourages their use, but teams should still check that the clauses and the operational controls match the actual transfer.

For marketing to Singapore telephone numbers, run a separate DNC check where the message is a specified message (telemarketing) and no clear and unambiguous consent in evidential form is being relied on. Results returned from the DNC Registry are valid for up to 21 days, so the send must fall inside that window, and the campaign evidence should keep the check date, the send date, the register result, the message channel, the sender or authorising party, the consent evidence if relied on, and the suppression logic.
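The campaign gate that paragraph describes, as an added example; it is not PDPC, DNC Registry or page code. Each number is either sent on recorded consent or on a registry result that is still inside the 21-day window and shows the number is not on the register for that channel, and every decision carries its basis so the campaign record shows which rule each send relied on. Assumptions, also flagged in the code: the three register names follow the public DNC scheme (voice, text, fax); the 21-day window is counted from the result date and is inclusive; numbers are normalised to 8 digits by dropping a leading 65 country code. The consent and registry data in `run_sample()` are constructed.

```python
"""Campaign gate for the DNC check described above.

Added example; not PDPC, DNC Registry or page code. Rule encoded: a specified
message to a Singapore telephone number may go out on recorded clear and
unambiguous consent (kept in evidential form), or on a DNC Registry result no
more than 21 days old that shows the number is not on the channel's register.

Assumptions: register names follow the public DNC scheme (voice, text, fax);
the 21-day window runs from the result date, inclusive; numbers are normalised
to 8 digits by dropping a leading 65 country code. Sample data is constructed.
"""
from datetime import date, timedelta
from typing import Dict, Iterable, Tuple

DNC_RESULT_VALID_DAYS = 21
REGISTER_FOR_CHANNEL = {
    "voice": "No Voice Call Register",
    "text": "No Text Message Register",
    "fax": "No Fax Message Register",
}

Decision = Tuple[str, str]  # ("send" | "suppress", basis recorded in the campaign file)


def normalise_number(raw: str) -> str:
    """Reduce '+65 9123 4567' style input to the 8 digits the registry check uses (assumption)."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 10 and digits.startswith("65"):
        digits = digits[2:]
    if len(digits) != 8:
        raise ValueError(f"not a Singapore telephone number: {raw!r}")
    return digits


def result_is_current(result_date: date, send_date: date) -> bool:
    """A registry result may only be relied on within 21 days of being returned."""
    return result_date <= send_date <= result_date + timedelta(days=DNC_RESULT_VALID_DAYS)


def gate_campaign(
    numbers: Iterable[str],
    channel: str,
    send_date: date,
    specified_message: bool,
    consent_evidence: Dict[str, str],                 # number -> reference to the stored consent record
    registry_results: Dict[str, Tuple[date, bool]],   # number -> (result date, listed on register?)
) -> Dict[str, Decision]:
    """Decide send/suppress per number and record the basis for each decision."""
    register = REGISTER_FOR_CHANNEL[channel]
    decisions: Dict[str, Decision] = {}
    for raw in numbers:
        n = normalise_number(raw)
        if not specified_message:
            # Not a specified message: no DNC duty, but record why no check was run.
            decisions[n] = ("send", "not a specified message; DNC check not required")
        elif n in consent_evidence:
            decisions[n] = ("send", f"clear and unambiguous consent on file: {consent_evidence[n]}")
        elif n not in registry_results:
            decisions[n] = ("suppress", f"no DNC check on file for {register}")
        else:
            result_date, listed = registry_results[n]
            if not result_is_current(result_date, send_date):
                decisions[n] = ("suppress",
                                f"DNC result dated {result_date} is outside the {DNC_RESULT_VALID_DAYS}-day window")
            elif listed:
                decisions[n] = ("suppress", f"listed on {register}")
            else:
                decisions[n] = ("send", f"DNC result dated {result_date}: not listed on {register}")
    return decisions


def run_sample() -> Dict[str, Decision]:
    """Text campaign on 1 June 2026 against constructed consent and registry data."""
    send_date = date(2026, 6, 1)
    consent = {"91234567": "CRM consent record C-1042 dated 2026-03-02"}
    registry = {
        "81234567": (date(2026, 5, 20), False),  # checked 12 days before send, not listed
        "82345678": (date(2026, 5, 1), False),   # checked 31 days before send: stale
        "83456789": (date(2026, 5, 25), True),   # current result, but listed
    }
    numbers = ["+65 9123 4567", "8123 4567", "82345678", "6583456789", "84567890"]
    return gate_campaign(numbers, "text", send_date, True, consent, registry)


if __name__ == "__main__":
    for number, (decision, basis) in run_sample().items():
        print(number, decision, basis)
```

The validity check compares the result date with the planned send date rather than with today, so a campaign approved on a fresh result but actually dispatched weeks later is still caught; that is why the record needs both dates.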

Accountability should bind these controls together. The DPO or privacy owner should maintain the obligation map, but operational owners must be named for notice text, consent capture, access/correction handling, system security, retention jobs, vendor contracts, breach response, transfer safeguards, and DNC campaign checks.

  • Transfer record: recipient, location, purpose, data categories, comparable-protection safeguard, onward-transfer conditions, and breach notification clause.
  • DNC record: campaign, channel, sender and authoriser, Singapore telephone number list, consent evidence or registry check result, and validity window.
  • Accountability record: DPO contact, published data protection policy, complaint process, internal policy owner, review cadence, and change triggers.
  • Review triggers: new product purposes, new data categories, new vendors, overseas hosting changes, high-risk incidents, marketing-channel changes, or material PDPC guidance updates.
  • Do not combine PDPA consent records and DNC evidence without showing which rule each record supports.
Primary sources

References and citations

dnc.gov.sg
Referenced sections
  • Supports the operational requirement to create DNC access and user accounts before checking Singapore telephone numbers for telemarketing campaigns.
"one or more sub-accounts can also be created under a main account"
pdpc.gov.sg
Referenced sections
  • Identifies the PDPA's core data protection obligations, including consent, purpose limitation, notification, access, correction, accuracy, protection, retention, transfers, breach notification, and accountability.
"The Data Protection Provisions comprises 11 main obligations"
pdpc.gov.sg
Referenced sections
  • Supports checking the relevant DNC Register before telemarketing and the 21-day validity window for DNC Registry results.
"Results returned from the DNC Registry are valid for up to 21 days."
pdpc.gov.sg
Referenced sections
  • Supports breach assessment, significant-scale notification, PDPC and affected-individual notification timing, and the evidence to include in breach records.
"Data breaches that meet the criteria of significant scale are those that involve the personal data of 500 or more individuals."
pdpc.gov.sg
Referenced sections
  • Grounds the data intermediary role test, written-contract expectations, and the limited direct PDPA obligations for data intermediaries processing for another organisation.
"A DI is subject to the Data Protection Provisions relating to protection of personal data"