Loading…
The Personal Data Protection Act 2012 (Act 26 of 2012), substantially amended in 2020, governs the collection, use, disclosure, and care of personal data in Singapore. The 2020 amendments introduced mandatory data breach notification, enhanced financial penalties, and consent-equivalence regimes.
Enforcement sits with the Personal Data Protection Commission (PDPC), which publishes Advisory Guidelines and operates the national Do Not Call Registry.
Plus six additional obligations — Retention, Transfer, Openness, Breach Notification, Accountability, and DNC.
Obtain consent before collecting, using, or disclosing personal data. Deemed consent and legitimate-interests exceptions apply.
Collect and use personal data only for purposes that a reasonable person would consider appropriate.
Notify individuals of purposes before or at the time of collection.
Provide individuals with access to their personal data and the ability to correct inaccuracies.
Make reasonable effort to ensure personal data collected is accurate and complete.
Make reasonable security arrangements to prevent unauthorised access, modification, or disposal.
Singapore is the APAC hub for many MNCs — both controller and processor obligations apply.
MAS-regulated entities face PDPA on top of MAS Technology Risk Management Guidelines.
DNC Registry compliance is the highest-volume enforcement area.
Transfer Limitation requires comparable-protection assessments for processors outside Singapore.
Mandatory Data Protection Officer (s.11(3) PDPA) registered with the PDPC, with name and contact published.
Privacy notices, Just-in-time consent, and withdrawal flows aligned with PDPC Advisory Guidelines.
PDPC and affected-individuals notification under the Data Breach Notification obligation.
Automated DNC scrubbing for voice, SMS, and fax telemarketing to Singapore numbers.
Comparable-protection assessments, contracts, and Binding Corporate Rules under the Transfer Limitation obligation.
Inquiry, investigation, and undertaking response with the Personal Data Protection Commission.
We act as your appointed Data Protection Officer, register with the PDPC, and manage Do Not Call compliance for your telemarketing programmes.