What is PDPA in Singapore?

February 14, 2023 By CBS Off

Are you in the business of handling personal data? Are you wondering what PDPA Singapore is and how it affects you? If so, then this blog post is for you! We will explore PDPA Singapore, why it matters to your business, and how to best comply with the regulations. So read on if you are ready to learn more about PDPA Singapore.

Introduction to the PDPA


The PDPA is a new general data protection law in Singapore which regulates the collection, use and disclosure of individuals’ personal data by organisations. It safeguards against such data’s misuse by establishing principles that organisations must observe when handling it, including purpose limitation, key principles and data security requirements. They must also appoint a Data Protection Officer (DPO) to oversee the management of personal data, as well as establish a process for dispute resolution and manage data breaches. Furthermore, the PDPA also introduces the Do Not Call Register, which allows individuals to opt out of receiving marketing calls or messages from organisations. The PDPA also provides for certain exemptions from its compliance requirements. Compliance with the PDPA is enforced by the Personal Data Protection Commission (PDPC).

What is the PDPA


The Personal Data Protection Act (“PDPA”) is Singapore’s principal data protection legislation governing the collection, use, and disclosure of individuals’ personal data by organisations. It was enacted in 2012 and came into force in different phases. The PDPA establishes a baseline protection standard for personal data and complements sector-specific legislation, such as the Banking Act and the Health Products Act. Through purpose limitation, key principles, data security requirements, data protection officers and the Do Not Call Register, the PDPA aims to safeguard individuals’ personal data while allowing organisations to collect, use, and disclose personal data for legitimate business purposes. It also provides exemptions to certain organisations from PDPA compliance. The Personal Data Protection Commission carries out enforcement of the PDPA.

Purpose Limitation


The PDPA mandates organisations to obtain consent from the individual before they collect, use and disclose personal data, and to limit their collection, use and disclosure of personal data to what is necessary for the purpose for which it was collected. Organisations must also ensure that the personal data is accurate and up-to-date and take reasonable steps to protect it from unauthorised access, collection, use, disclosure or modification. The notification obligation requires organisations to inform individuals of their rights and how their personal data will be used. The Do Not Call Register helps individuals protect their privacy by allowing them to avoid receiving marketing calls or messages. Lastly, certain exemptions are available under the PDPA for specific purposes such as research, statistics and journalism.

Key Principles of the PDPA

The Key Principles of the PDPA are essential components of data protection and privacy regulations in Singapore. These principles cover organisations’ collection, use, and disclosure of personal data. The Purpose Limitation Obligation requires organisations to only use or disclose personal data for defined purposes. The Notification Obligation requires organisations to notify individuals about what personal data is collected, how it will be used, and to whom it may be disclosed. The Access and Correction Obligation states that individuals have a right to access their personal data held by organisations and correct any inaccuracies in it. Additionally, the Transfer Limitation Obligation prevents organisations from transferring personal data outside of Singapore except in certain circumstances. Finally, the Accountability Obligation holds organisations responsible for compliance with the PDPA.

Data Security Requirements


The PDPA requires organisations to take reasonable steps to protect personal data from unauthorised access, use and disclosure. Such security steps include implementing appropriate technical and organisational measures such as encryption, pseudonymisation, access control, data protection impact assessments and regular monitoring of the organisation’s data security practices. Organisations must also ensure that any third-party service providers they engage to process personal data comply with the PDPA. Failure to take these measures can result in fines or sanctions under the PDPA.

Data Protection Officers

Data Protection Officers (DPO) are responsible for ensuring that businesses in Singapore comply with the PDPA. The DPO may be a person or a team of persons appointed by the organisation, empowered to delegate certain responsibilities to others. Businesses must ensure that their DPO is knowledgeable and skilled enough to meet their duties as required by the PDPA. Furthermore, businesses should audit their current practices and policies relating to data collection and review any exemptions from compliance for which they may be eligible. The priority of the Data Protection Officer is to ensure that all data collected by the organisation is secure and compliant with the PDPA.

Do Not Call Register


The Do Not Call (DNC) Registry is a database established by the Personal Data Protection Act 2012 (PDPA) to allow individuals to opt out of marketing messages sent to their Singapore telephone numbers. Organizations wishing to register for a DNC Registry account can do so through the PDPC website. Upon registering, individuals will be added to the “No Voice Call Register” and will no longer receive unwanted marketing calls. The DNC Registry is just one of the key principles of the PDPA, which aims to protect personal data in Singapore and provide transparency and accountability in how data is collected and used.

Exemptions from PDPA Compliance

The PDPA does not apply to government agencies or public agencies, meaning they are exempt from the requirements of the PDPA. Any activities exempted under the Personal Data Protection Commission‘s (PDPC) Do Not Call Provisions, and the Spam Control Act will also be exempted from PDPA compliance. To be exempt from PDPA compliance, organisations must be able to demonstrate that the personal data is collected for a specified purpose and is necessary for that purpose. Furthermore, organisations must ensure that personal data is only collected for a specific purpose, is accurate, and is kept up-to-date with the latest information. In addition, organisations must ensure that personal data is kept secure and protected from unauthorised access or use. Finally, organisations should ensure that any third-party entities they engage with to process personal data comply with their obligations under the PDPA.

To sum up, PDPA covers personal information that is kept in both digital and non-digital formats.

It generally does not apply to:

    Enforcement of PDPA


    The PDPC is empowered to investigate and enforce the PDPA provisions. Section 29(1) of the PDPA provides that the Commission if satisfied that an organisation is not complying with any of the Data Protection Principles, issue an Enforcement Order requiring it to comply with such Principles. Amendments to Enforcement under the Personal Data Protection Act (PDPA) are outlined in the updated Advisory Guidelines and Guide effective from 1 October 2022. The enforcement of PDPA includes traceability of personal data, investigation of data breaches, and imposition of administrative fines for non-compliance with PDPA provisions.


    In conclusion, the PDPA is a critical piece of legislation that helps to protect the personal data of individuals in Singapore. Organisations need to understand their duties and obligations under the PDPA to ensure compliance and avoid penalties. The PDPA is also important for individuals, as it enables them to make informed decisions about how their personal data is used, collected and shared. Additionally, organisations must take the necessary steps to ensure that data security protocols are in place and that they are aware of their responsibilities under the Do Not Call Register. By understanding the key principles of the PDPA, organisations can ensure they are compliant and protect their customers’ data.