The PDPA in Singapore was established in 2012 to put regulations and terms in place for the protection of individuals’ personal data. The primary aim of this legislation is to safeguard individuals’ personal data while organizations collect, use, and disclose it for legitimate business purposes.
The PDPA applies to private sector organizations and to individuals who handle personal data in any commercial capacity. It does not apply to public agencies, which are governed by separate laws.
The PDPA consists of two main parts:
- Data Protection Provisions (DPP) – To regulate how personal data is handled to ensure accountability and transparency.
- Do Not Call (DNC) Provisions – To govern telemarketing regulations to ensure no unsolicited marketing communications are conducted without consent.
What is the PDPA?
Section 2(1) of the PDPA defines personal data as “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access.”
It contains several requirements to govern the collection, use, disclosure and proper monitoring of personal data in Singapore.
Key Obligations Under the PDPA
The PDPA contains various obligations that organizations must comply with when handling personal data. Below I have explained some of the critical ones:
1. Consent Obligation (Section 13-17)
Organizations must obtain an individual’s consent before collecting, using, or disclosing their personal data for any purpose. Consent must be voluntary, and individuals must be clearly made aware of the purposes for which their data is collected.
2. Purpose Limitation Obligation (Section 18)
Organizations can only collect, use, or disclose the personal data for the purposes which they have already notified the individual about.
3. Access and Correction Obligation (Section 21-22)
Individuals have the right to request access to their personal data at any time and to learn how it has been used or disclosed. Where the data is inaccurate, individuals can request that it be corrected.
4. Accuracy Obligation (Section 23)
Organizations must verify that the personal data they collect is accurate and complete before using or disclosing it. This is especially important where the data is used to make decisions that affect the individual.
5. Protection Obligation (Section 24)
Organizations must put in place comprehensive security measures and encryption practices to protect personal data from malware attacks and from unauthorized access, collection, use, disclosure, copying, modification, or disposal.
6. Retention Limitation Obligation (Section 25)
An individual’s personal data must not be retained for longer than is required for legal or business purposes.
7. Transfer Limitation Obligation (Section 26)
When transferring personal data outside Singapore, organizations must ensure that the recipient is bound by data protection rules and standards comparable to the PDPA, such as binding corporate rules.
8. Accountability Obligation (Section 11-12)
The Accountability Obligation, as outlined in Sections 11 and 12, requires organizations to implement comprehensive policies, practices, and measures that ensure full compliance with the PDPA. Organizations must also appoint a Data Protection Officer (DPO) to oversee their data protection processes.
9. Data Breach Notification Obligation (Section 26A-26E)
Organizations must notify the PDPC, and the affected individuals, of a data breach within 3 calendar days.
Penalties under the Law
Under Singapore’s Personal Data Protection Act (PDPA), organizations can be levied significant fines and penalties for non-compliance. Organizations that are non-compliant, or that conceal information regarding their collection, use, or disclosure of personal data, face financial penalties not exceeding S$50,000 (approximately $36,000).
In June 2022, the Commission imposed fines of about S$750,000 on Integrated Health Information Systems and S$250,000 on Singapore Health Services, the highest amounts reported to date, for inadequate policies to protect the medical records of data subjects, which resulted in a massive breach following a cyberattack.
Ensuring Compliance With Singapore’s PDPA
If you run a business that controls personal data in Singapore, or the personal data of Singaporean data subjects, you fall under the specific obligations set out in Parts III to VI of the PDPA:
- Publish and implement the policies and procedures required to fulfil these obligations.
- Delete any document containing personal data, anonymize it, or remove the means by which a specific individual can be identified, once the initial purpose for collecting the data has been served.
- Remain accountable for any processing of personal data carried out on your behalf by other parties or contractors (data intermediaries).
Conclusion
Handling the personal data of any individual in Singapore comes with various restrictions, which are laid down to protect the data and the individual’s privacy. Taking these measures, and integrating third-party tools for the many tasks that require the processing of personal data, can be a smart move. Such tools limit human intervention and enforce password protection, creating logs that support proper monitoring.