
Singapore PDPA Scope, exclusions, and data intermediaries

Use this page to classify whether a processing activity is handled as an organisation activity, an excluded boundary, or data intermediary processing on behalf of a customer.

The practical output is a role-and-scope record that identifies the actor, the written contract or exclusion relied on, the PDPA obligations that remain, and the evidence needed before launch or vendor approval.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

The Singapore PDPA scope question is not just whether personal data exists. Teams need to record who controls the purpose and means of processing, whether any statutory exclusion applies, whether the data is only business contact information, and whether a vendor is processing personal data on behalf of and for the purposes of another organisation under a written contract.

Section 1

Classify the actor before assigning PDPA obligations

Start with the PDPA Act definitions. An organisation can include an individual, company, association, or body of persons, whether or not formed or recognised under Singapore law or resident or having an office or place of business in Singapore. A data intermediary is an organisation that processes personal data on behalf of another organisation, but does not include an employee of that other organisation.

For implementation, do not classify a whole company once and reuse that answer everywhere. A SaaS provider, payroll vendor, agency, or group company may be a data intermediary for customer data, but an organisation for its own employee records, prospect lists, analytics, billing, security logs, or marketing uses.

  • Record the processing activity, dataset, system, customer or internal business process, and the party deciding the purpose and means of processing.
  • Mark the customer or business unit as the organisation when it decides why the personal data is processed and how the processing is carried out.
  • Mark the vendor as a data intermediary only for processing performed on behalf of and for the purposes of another organisation under a contract evidenced or made in writing.
  • Escalate any use outside customer instructions, such as the vendor using customer personal data for its own marketing, product profiling, resale, or unrelated analytics, because that processing can shift the vendor into an organisation role for that use.

Section 2

Separate statutory exclusions from operational convenience

The PDPA Act states that Parts 3, 4, 5, 6, 6A, and 6B do not impose obligations on an individual acting in a personal or domestic capacity, an employee acting in the course of employment with an organisation, a public agency, or other prescribed organisations or personal data. That does not mean the organisation can ignore PDPA governance when employees handle personal data for work; it means the employee is not the obligated actor for that employment act.

Business contact information is another boundary to record carefully. Except where business contact information is expressly mentioned, Parts 3, 4, 5, 6, and 6A do not apply to business contact information. The Act defines it as information such as a person's name, position, business telephone number, business address, business email address, business fax number, or similar information, where it was not provided solely for personal purposes.

  • Use personal or domestic capacity only for activity related to home or family, not for a founder, employee, contractor, or administrator acting for a business system.
  • Treat employee acts in the course of employment as organisational processing that still needs the employer's policies, instructions, access controls, retention rules, and incident handling.
  • Classify business contact information by source and purpose: business card, procurement contact, B2B support contact, or professional directory data is different from the same email address collected for a personal account or consumer service.
  • Do not rely on a public-agency or prescribed-exclusion label unless the record identifies the agency, statutory basis, and the exact processing activity covered.

Section 3

Allocate organisation and data intermediary duties in the contract record

When a vendor qualifies as a data intermediary for a processing activity, the PDPA does not impose most organisation-facing obligations on that vendor for that activity. The core duties that remain for the data intermediary are the Protection Obligation and Retention Limitation Obligation, plus the duty to notify the organisation or public agency of a data breach without undue delay once it has credible grounds to believe a breach occurred.

The engaging organisation remains accountable for personal data processed on its behalf and for its purposes by the data intermediary as if the organisation processed it itself. The contract record should therefore show what the intermediary may process, what it must not do, what safeguards and deletion/return steps apply, and how breach escalation works.

  • Contract fields: customer organisation, data intermediary, services, personal data categories, processing operations, authorised purposes, sub-processor or subcontractor controls, location or transfer assumptions, security measures, retention and deletion instructions, audit or assurance evidence, and exit handling.
  • Customer-owned duties: purpose, notification, consent or exception logic, access and correction response, accuracy decisions, transfer basis, breach assessment and PDPC or affected-individual notification where required.
  • Data intermediary duties: protect personal data, retain it only as permitted or needed for the contracted processing, follow documented instructions, restrict independent use, and notify the customer or public agency of suspected data breaches without undue delay.
  • Evidence to keep: signed agreement or order form, data protection clauses, security schedule, data flow, data inventory, breach-contact matrix, deletion certificate or return confirmation, and an approval note explaining why the vendor is or is not a data intermediary for each processing activity.

Section 4

Use a role-and-scope record before launch, renewal, or incident response

A useful PDPA scope record should be short enough to attach to a procurement ticket, product review, data inventory entry, or incident file, but specific enough that legal, privacy, security, and commercial teams can see why the role classification was made.

Create or refresh the record when a new vendor is onboarded, a customer asks for a processor schedule, a product begins using customer data for analytics or AI features, employee or business contact data is reused, a sub-processor is added, a data flow crosses jurisdictions, or a suspected breach involves a service provider.

  • Required classification fields: processing activity, data subjects, personal data categories, business contact information flag, personal/domestic or employment boundary, organisation, data intermediary, public agency involvement, written contract reference, and unresolved assumptions.
  • Required obligation fields: organisation-owned duties, data intermediary-owned duties, customer instructions, protection controls, retention and deletion action, breach notification route, access/correction handling route, and transfer assumption.
  • Required evidence fields: source citation, contract clause or schedule, data flow diagram, data inventory link, security assurance, DPO or privacy reviewer, commercial owner, vendor owner, approval date, and next review trigger.
  • Stop release or renewal until the record explains any mixed-role processing, independent vendor use, missing written contract, unclear deletion instruction, unsupported business-contact classification, or breach notice path that bypasses the accountable organisation.

Primary sources

References and citations

pdpc.gov.sg
Referenced sections
  • Supports the allocation table showing that data intermediaries have protection, retention limitation, and data-breach notification duties while organisations retain the broader PDPA obligations.
"To notify organisation of data breaches without undue delay"
pdpc.gov.sg
Referenced sections
  • Supports contract and lifecycle controls for outsourced processing, including governance, risk assessment, policies and practices, service management, and exit management.
"key considerations for organisations when outsourcing data processing activities to data intermediaries"
pdpc.gov.sg
Referenced sections
  • Supports using data intermediary management records across governance, risk assessment, service management, and exit management rather than treating the role label as a one-time procurement note.
"governance and risk assessment, policies and practices, service management and exit management"
sso.agc.gov.sg
Referenced sections
  • Supports the personal or domestic capacity, employee, public agency, data intermediary, deceased-record, and business contact information boundaries in section 4 and the Act definitions.
"Parts 3, 4, 5, 6, 6A and 6B do not impose any obligation"