Personal Data Protection Act (PDPA) Singapore

Regulation Summary

October 15, 2012: Enactment of the PDPA.
July 2, 2014: Full enforcement of the PDPA.
February 1, 2021: Amendments to strengthen enforcement and introduce mandatory breach notifications.

All private sector organizations collecting, using, or disclosing personal data in Singapore.
Foreign businesses operating in Singapore or handling the data of Singaporean residents.
Excludes government agencies, public authorities, and individuals handling data for personal use.

Personal data collected for personal or domestic purposes.
Business contact information used solely for professional communications.
Data processed under national security or law enforcement purposes.

Obtain clear and informed consent before collecting personal data.
Ensure data is used only for specific, disclosed purposes.
Provide individuals with access to and the ability to correct their data.
Maintain reasonable security measures to protect against breaches.
Notify the PDPC and affected individuals of data breaches.
Ensure compliance for international data transfers.

Implement cookie consent mechanisms.
Maintain a clear and accessible privacy policy.
Secure online data collection and processing.
Provide users with easy access to opt-out and data control mechanisms.

Cross-Border Data Transfers: Companies must ensure data transfers provide comparable protection.
Privacy Impact Assessments: Required for high-risk processing activities.
Data Protection Officers (DPOs): Mandatory for organizations handling significant volumes of personal data.

Access: Request access to personal data held by an organization.
Correction: Rectify inaccurate or outdated personal information.
Withdrawal of Consent: Opt-out of data processing.
Objection: Restrict data use for specific purposes.

Regulatory Authority: Personal Data Protection Commission (PDPC).
Penalties: Fines up to SGD 1 million (~USD 740,000) or 10% of annual turnover for serious violations.