Loading…
Singapore's PDPA is a thoughtful and pragmatic privacy law that has matured significantly since the 2020 amendments. It uses an obligations-based framework rather than GDPR's lawful-basis enumeration, has integrated direct-marketing rules through the Do Not Call Registry, and caps penalties at 10% of Singapore turnover. For APAC-headquartered businesses, PDPA is often where the global privacy programme actually gets built.
| Dimension | 🇪🇺 GDPR | 🇸🇬 PDPA |
|---|---|---|
| Legal instrument | Regulation (EU) 2016/679 | Personal Data Protection Act 2012 (Act 26 of 2012); 2020 amendments substantially strengthened it |
| Regulator | 27 EU Member State DPAs + EDPB | Personal Data Protection Commission (PDPC) |
| Structural approach | Lawful-basis enumeration (Art. 6); rights-based (Chapter III) | Obligations-based — 9 core obligations + Do Not Call regime + breach notification |
| Maximum fine | €20M or 4% global turnover (Art. 83(5)) | S$1M cap; for orgs with >S$10M annual turnover in Singapore, up to 10% of annual turnover |
| Lower-tier fine | €10M or 2% global turnover | Same per-breach cap; varies by violation type |
| Consent model | Opt-in (one of six lawful bases) | Consent obligation + deemed consent (notification-based) + legitimate-interests exception |
| Lawful bases | Six — consent, contract, legal obligation, vital interests, public task, legitimate interests | Consent or one of 13 statutory exceptions (Schedules 1–2) |
| Notification requirement (consent) | Privacy notice at the point of collection | Notification obligation — purpose communicated before/at collection |
| Right of access | Article 15 — confirmation + copy within 1 month | Access obligation — within reasonable time, fee permissible |
| Right to correction | Article 16 | Correction obligation |
| Right to portability | Article 20 — structured, commonly used format | Yes — added by 2020 amendments |
| Right to deletion | Article 17 | Implicit through retention-limitation obligation; no standalone deletion right pre-2020 |
| DPO requirement | Mandatory in defined cases (Article 37) | Mandatory for all controllers (Section 11(3) PDPA) — name and contact must be published |
| Breach notification | 72 hours to SA + notify subjects if high risk | 72 hours to PDPC + notify affected individuals — threshold: significant harm OR 500+ individuals |
| Cross-border transfer | SCC, BCR, adequacy (Chapter V) | Transfer Limitation — comparable-protection assessment; contractual safeguards |
| Direct marketing | Lawful basis required + ePrivacy rules | Do Not Call Registry obligation; consent + opt-out architecture |
| Sensitive data | Article 9 — special category data, explicit consent + condition | No formal sensitive category — handled through purpose-specific consent |
| Children's data | Default age 16 (Member States may lower to 13) | Below 13 — parental consent |
| Data Protection Trustmark | No formal scheme | Yes — voluntary certification (PDPA DPTM) |
| Sanctions started | May 2018 | Substantive sanctions started 2014; 2020 amendments enhanced cap structure |
Mostly. Add a DPO appointed under Section 11(3) with publicly available contact, register direct-marketing campaigns against the DNC Registry where applicable, ensure breach notification within 72 hours to PDPC, and verify Transfer Limitation safeguards for transfers out of Singapore.
Singapore maintains a national Do Not Call Registry. Before sending telemarketing voice, SMS, or fax communications to a Singapore number, organisations must check against the relevant DNC register (Voice, Text, Fax). Violations are separately penalised under the PDPA.
Voluntary certification administered by IMDA. Demonstrates the holder's compliance with the PDPA — useful trust signal for B2B sales, particularly to government and financial-sector buyers.
Moderate but consistent. PDPC publishes enforcement decisions and has imposed fines in the millions of dollars on organisations like SingHealth (S$250K), Integrated Health Information Systems (S$750K), and various marketing organisations for DNC violations.
Not strictly. The DPO must be reachable at a Singapore-published contact but does not have to be Singapore-resident. RegulatoryBridge typically appoints a regional DPO with Singapore presence.
Map controls once, comply twice. RegulatoryBridge gives you a single DSAR pipeline, single DPO, single breach runbook — covering both frameworks.