The Personal Data Protection Act 2012 (PDPA) is a Singapore law governing the collection, use, disclosure and care of personal data. It applies to individuals and organisations, whether registered or unregistered, for profit or non-profit. There are however exceptions as to whom it applies.


The PDPA also establishes the Do Not Call (DNC) Registry which governs unsolicited telemarketing communications.


The Personal Data Protection Commission (PDPC) may impose a financial penalty of up to 10% of an organisation's annual gross turnover in Singapore or S$1 million, whichever is higher.


As at September 2019, the Personal Data Protection Commission (PDPC), which administers and enforces the PDPA, fined 26 organisations a total of $1.25 million for violating the PDPA. The PDPC slapped fines  on IHiS, SingHealth amounting to a total of S$1 million for data breach following a cyberattack.

The PDPA imposes 9 general obligations.

​1. Consent Obligation

(PDPA sections 13 to 17) An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.

2. Purpose Limitation Obligation

(PDPA section 18) An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.

3. Notification Obligation

(PDPA section 20) An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data.

4. Access and Correction Obligation

(PDPA sections 21 and 22) An organisation must, upon request:

  • provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and

  • correct an error or omission in an individual’s personal data that is in the possession or under the control of the organisation.

5. Accuracy Obligation

(PDPA section 23) An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be –

  • used by the organisation to make a decision that affects the individual concerned; or

  • disclosed by the organisation to another organisation

6. Protection Obligation

(PDPA section 24) An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

7. Retention Obligation

(PDPA section 25) An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that:

  • the purpose for which the personal data was collected is no longer being served by retention of the personal data; and

  • retention is no longer necessary for legal or business purposes.

8. Transfer Limitation Obligation

(PDPA section 26) An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.

9. Openness Obligation

(PDPA sections 11 and 12) An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.

Unsure if you are PDPA compliant? Try our free self-assessment tool now.


Need to check / audit if you are compliant with the Singapore Personal Data Protection Act 2012?

Need free legal templates and sample clauses for your data protection policy / standard operating procedures (SOP), standard forms, terms & conditions and contracts / agreements?

This website provides a free self-assessment self-guided tool for your PDPA compliance needs.

Up to $1,000,000 fine or 10% turnover

Why risk being penalised up to $1,000,000 or 10% of your organisation's annual gross turnover in Singapore (whichever higher) for breaching the PDPA?

Why risk losing goodwill, reputation, trust and clients?

Why risk being sued in a civil claim for personal data breaches?

Why waste the time and costs of undergoing a regulatory offence inquiry?