Personal Data Protection Act (PDPA) Singapore
Regulation Summary
- October 15, 2012: Enactment of the PDPA.
- July 2, 2014: Full enforcement of the PDPA.
- February 1, 2021: Amendments to strengthen enforcement and introduce mandatory breach notifications.
- All private sector organizations collecting, using, or disclosing personal data in Singapore.
- Foreign businesses operating in Singapore or handling the data of Singaporean residents.
- Excludes government agencies, public authorities, and individuals handling data for personal use.
- Personal data collected for personal or domestic purposes.
- Business contact information used solely for professional communications.
- Data processed under national security or law enforcement purposes.
- Obtain clear and informed consent before collecting personal data.
- Ensure data is used only for specific, disclosed purposes.
- Provide individuals with access to and the ability to correct their data.
- Maintain reasonable security measures to protect against breaches.
- Notify the PDPC and affected individuals of data breaches.
- Ensure compliance for international data transfers.
- Implement cookie consent mechanisms.
- Maintain a clear and accessible privacy policy.
- Secure online data collection and processing.
- Provide users with easy access to opt-out and data control mechanisms.
- Cross-Border Data Transfers: Companies must ensure data transfers provide comparable protection.
- Privacy Impact Assessments: Required for high-risk processing activities.
- Data Protection Officers (DPOs): Mandatory for organizations handling significant volumes of personal data.
- Access: Request access to personal data held by an organization.
- Correction: Rectify inaccurate or outdated personal information.
- Withdrawal of Consent: Opt-out of data processing.
- Objection: Restrict data use for specific purposes.
- Regulatory Authority: Personal Data Protection Commission (PDPC).
- Penalties: Fines up to SGD 1 million (~USD 740,000) or 10% of annual turnover for serious violations.