Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
🔒 International Privacy

PDPA – Personal Data Protection Act (Singapore)

Singapore's PDPA has protected personal data since 2014, enforced by the PDPC. Major 2021 amendments strengthened data subject rights and enforcement powers.

LinkedIn X WhatsApp

Summary

The Personal Data Protection Act (PDPA) is Singapore's comprehensive data protection law, which took effect on July 2, 2014. It is enforced by the Personal Data Protection Commission (PDPC) and forms the backbone of Singapore's data protection framework.

  • Consent-based approach: Consent as the primary legal basis, with exceptions for legitimate interests.
  • Do-Not-Call Registry: National registry protecting individuals from unwanted marketing communications.
  • Data breach notification duty: Mandatory notification of serious incidents since 2021.
  • Sanctions: Fines up to SGD 1 million (pre-October 2022) or 10% of annual Singapore turnover (from 1 October 2022).

History

Singapore enacted the PDPA in October 2012 in response to rapid digital economy growth and the need for a coherent data protection framework. The law entered into force in phases: first the Do-Not-Call Registry (January 2014), then the data protection provisions (July 2014).

A major data breach at SingHealth in 2018, compromising data of 1.5 million patients (including the Prime Minister), accelerated calls for stronger legislation. Comprehensive amendments were passed in 2020 and entered into force on February 1, 2021. This amendment introduced mandatory data breach notification, increased maximum fines, and new data subject rights. On 1 October 2022, the increased financial penalty cap (up to 10% of annual Singapore turnover) entered into force, and the PDPC updated its advisory guidelines on enforcement.

In March 2024, the PDPC issued Advisory Guidelines on Children's Personal Data in the Digital Environment. From September 30, 2024, organisations are required to register their DPO's business contact information with the PDPC via ACRA BizFile+.

Scope

The PDPA applies to all private sector organisations that collect, use, or disclose personal data in Singapore. Public agencies and organisations acting on behalf of public agencies are explicitly excluded and are instead subject to the Public Sector (Governance) Act. Further exemptions include:

  • Individuals processing data for personal or domestic purposes
  • Deceased individuals (their data falls outside PDPA)

The PDPA applies to processing in Singapore and, in certain circumstances, to the use abroad of data collected in Singapore. It does not apply to data in transit through Singapore without further processing.

Key Requirements

  • Consent obligation: Consent must be obtained before or at the time of collecting, using, or disclosing personal data; exceptions for legitimate interests and other statutory purposes.
  • Purpose limitation: Data may only be used for the notified purposes.
  • Notification obligation: Data subjects must be informed of purposes and recipients of their data.
  • Right of access: Data subjects may request information about personal data held about them.
  • Right to correct: Correction of inaccurate personal data.
  • Security obligation: Reasonable protective measures to prevent unauthorized access.
  • Retention limitation: Data must not be retained longer than necessary.
  • Transfer restrictions: Transfers only to countries with comparable protection levels or under contractual guarantees.
  • Data breach notification: Notification to PDPC and affected individuals for breaches causing significant harm.
  • Do-Not-Call Registry: Marketing communications to registered numbers are prohibited.

Corrections & Errata

2026-QA-210 Clarification 20 March 2026
Missing connection: pdpa-sg → gdpr

PDPA (Singapore) is equivalent to GDPR — baseline cross-reference was missing.

Full details on the errata page →
2026-QA-116 Correction 28 February 2026
Quality Audit: PDPA – Personal Data Protection Act (Singapore)

1 correction:
- Penalty date incorrect: 10% turnover fine cap effective from 1 October 2022, not from 2021
3 clarifications.
2 notes.

Full details on the errata page →

Content last reviewed: 23 February 2026. Found an error or need an update? [email protected]