| Area | Singapore PDPA | GDPR / EU SCC | Practical note |
|---|---|---|---|
| Scope boundary | The PDPA analysis starts with the collection, use, or disclosure purpose. Record the notified purpose, consent basis, deemed-consent route, exception, withdrawal impact, and whether a reasonable person would consider the purpose appropriate. | For EU SCC transfers, the Joint Guide notes that the data exporter must comply with the GDPR, including Article 6 legal basis, and that transferred data should be adequate, relevant, and limited to what is necessary for the transfer purpose. | Do not reduce both regimes to a single consent checkbox. Keep a Singapore purpose/consent note and, for EU transfers, a separate GDPR legal-basis and data-minimisation note tied to the SCC transfer. |
| Covered actors | A Singapore data intermediary that processes personal data for another organisation under a written or evidenced contract is directly subject to protection, retention, and breach-notification duties, while the organisation remains responsible for other PDPA obligations and for transfer limitation. | For EU SCC controller-to-processor transfers, the Joint Guide describes SCC module evidence such as importer instructions, technical and organisational measures, documentation, audits, sub-processing, and supervisory-authority cooperation. | Map vendors twice: Singapore data intermediary scope and contract evidence on one side; EU SCC module, exporter/importer role, audit, documentation, and sub-processor evidence on the other. |
| Trigger | Singapore organisations must designate one or more individuals responsible for PDPA compliance, make business contact information available, and maintain data protection policies and practices. The organisation remains responsible even when duties are delegated. | The grounding set does not include an official GDPR DPO article. For this page, do not infer GDPR DPO appointment criteria from Singapore's DPO/accountability rule; verify GDPR DPO scope separately before reusing the same owner. | A Singapore DPO appointment and contact-publication record is useful evidence for PDPA accountability, but it is not enough by itself to prove GDPR DPO compliance. |
| Core obligations | The PDPA transfer limitation rule requires overseas recipients to be protected to a comparable PDPA standard through prescribed requirements, legally enforceable obligations, specified certifications, or supported alternatives such as consent with a written summary where applicable. | For GDPR-linked transfers, the grounded comparison is EU SCC work: parties complete transfer appendices, identify exporter/importer details, describe transferred data and purpose, specify technical and organisational measures, and document local-law assessments where required. | Do not assume ASEAN MCCs, Singapore transfer clauses, and EU SCCs are interchangeable. Each transfer packet needs the correct mechanism, parties, appendix, safeguards, and assessment record. |
| Evidence record | For Singapore, assess whether the breach is notifiable because it results in significant harm or affects at least 500 individuals. Notify PDPC as soon as practicable, and no later than 3 calendar days after determining that the breach is notifiable; notify affected individuals where required. | Under EU SCC transfer clauses in the Joint Guide, the data importer must address and mitigate breach effects, notify the exporter and competent supervisory authority when risk to rights and freedoms is likely, notify data subjects in high-risk cases with the exporter, and document breach facts and remedial action. | Run separate breach clocks and content checklists: Singapore notifiability and PDPC/individual notice on one side; SCC importer/exporter, supervisory-authority, data-subject, and documentation duties on the other. |
| Timing and deadlines | Singapore has DNC-specific duties for specified messages to Singapore telephone numbers. Unless an exception or clear and unambiguous consent in evidential form applies, teams need a DNC Register check, sender analysis, message identification/contact information, and controls against dictionary attacks or address-harvesting. | The provided GDPR grounding does not support a general GDPR marketing comparison. Keep GDPR direct-marketing or ePrivacy analysis out of this page unless a separate official source is added. | Treat DNC as a Singapore-specific marketing gate. Do not mark a campaign GDPR-ready, or DNC-ready, based only on the other regime's consent record. |
| Enforcement | PDPC may issue directions and impose financial penalties. For intentional or negligent contraventions of data protection provisions, the enforcement guidance states a maximum of S$1 million or 10% of annual turnover in Singapore, whichever is higher, where annual turnover in Singapore exceeds S$10 million. DNC penalty ranges differ by contravention type. | The grounding set supports GDPR SCC enforcement through supervisory-authority cooperation and SCC redress routes, but it does not include an official GDPR administrative-fine source. Do not compare headline GDPR fine caps from this source set. | Escalate Singapore enforcement exposure to PDPC-focused owners, and escalate EU SCC failures to the transfer owner, exporter/importer contract owner, and supervisory-authority evidence owner. |
| Overlap and reuse | Singapore access and correction duties apply to personal data in an organisation's possession or under its control, including data held by a data intermediary. The organisation must respond as soon as reasonably possible and use the PDPA procedure for timeframe notices, refusals, fees, and preservation where relevant. | The SCC-focused GDPR grounding supports EU SCC data-subject redress and SCC enquiries, but it does not support a full GDPR data-subject-rights comparison. Verify GDPR access, rectification, and deadline rules from an official GDPR source before aligning workflows. | For shared portals, keep a Singapore access/correction runbook that includes intermediary-held data, and keep any GDPR rights workflow under a separately sourced GDPR standard. |
| Practical decision rule | The PDPA retention limitation rule requires organisations to stop retaining documents containing personal data, or remove the means of association with individuals, once the original purpose is no longer served and retention is no longer needed for legal or business purposes. | The GDPR grounding in this folder supports SCC documentation and transfer data-minimisation references, but not a full GDPR retention-rule comparison. Avoid importing GDPR storage-limitation conclusions without a separate source. | Keep a Singapore retention rationale, deletion/anonymisation action, and legal or business purpose record. Treat GDPR retention mapping as a separate verification item unless it is tied to the SCC transfer purpose and minimisation evidence. |