What is Singapore’s Personal Data Protection Act (PDPA)?

By Anas Baig
Published December 28, 2020 / Updated November 22, 2023

Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012. It came into force in phases; the Data Protection provisions took effect on 2 July 2014. The PDPA has two main sets of provisions: the 'Data Protection' provisions govern the collection, use, and disclosure of individuals' personal data, and the 'Do Not Call Registry' provisions set out an organisation's obligations when sending marketing messages to Singapore telephone numbers.

The Personal Data Protection Regulations 2014, issued under the PDPA, lay down the requirements for transferring personal data out of Singapore and the procedure for handling access and correction requests from individuals. Singapore has since introduced extensive amendments to the PDPA through the Personal Data Protection (Amendment) Act 2020.

Definition of Personal Data under the PDPA

  • The PDPA defines 'personal data' as 'data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.' All personal data falls within the ambit of the PDPA, whether held electronically or not and regardless of whether it is sensitive.
  • ‘Anonymised data' does not come under the scope of the PDPA.

Data Subjects’ Rights Under the PDPA

Individuals have the following rights under the PDPA:

  • The right to give consent, and to withdraw it at any time on giving reasonable notice, except where withdrawal would prevent the organisation from fulfilling a legal obligation;
  • The right to request access to the personal data an organisation holds about them, and to information about how that data has been or may have been used or disclosed, subject to the exceptions in the Fifth Schedule of the PDPA;
  • The right to request that an organisation correct any inaccurate or incomplete personal data it holds, subject to the exceptions in the Sixth Schedule of the PDPA;
  • The right to data portability, a new right added by the 2020 amendments, under which individuals can request that their data be transmitted to another service provider, subject to certain requirements and exceptions.

Organisations’ Obligations under PDPA

Organisations that handle and control personal data must comply with the following obligations set out in Parts III to VI of the PDPA.

  • An organisation must implement the policies and procedures necessary to meet its obligations under the PDPA and must make information about those policies and procedures publicly available.
  • An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as the purpose for which the data was collected is no longer served by retaining it and retention is no longer necessary for legal or business purposes.
  • Organisations remain responsible for personal data processed on their behalf by other parties (data intermediaries), and may be held liable for a data intermediary's non-compliance with the PDPA.
  • An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. Organisations must also designate at least one individual, commonly a Data Protection Officer, to be responsible for ensuring compliance with the PDPA.
  • An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.

Mandatory Data Breach Notification Requirement

  • The 2020 amendments introduced a mandatory requirement for organisations to notify the PDPC of a data breach that
    • results in, or is likely to result in, significant harm to the affected individuals; or
    • is of a significant scale (under the Personal Data Protection (Notification of Data Breaches) Regulations 2021, a breach affecting 500 or more individuals).
  • Where an organisation has reason to believe that a data breach has occurred, it must assess, in a reasonable and expeditious manner, whether the breach is notifiable. If it is, the organisation must notify the PDPC no later than three calendar days after making that determination, and must also notify affected individuals where the breach is likely to result in significant harm to them.

Who must comply with PDPA?

The PDPA covers any organisation that collects, uses, and/or discloses personal data of individuals in Singapore, whether or not the organisation is located in Singapore. However, the Act does not apply to the following:

  • individuals acting in a personal or domestic capacity;
  • employees acting in the course of their employment with an organisation;
  • public agencies, and organisations acting on behalf of a public agency in relation to the collection, use, or disclosure of personal data;
  • business contact information (such as an individual's name, business title, and business telephone number or email address), which is excluded from the Data Protection provisions.
Non Compliance Risks

Under Part II of the PDPA, the Personal Data Protection Commission (PDPC) is the regulatory body responsible for enforcing the Act. The PDPC has broad discretion to initiate investigations, issue remedial directions, and impose financial penalties on organisations for non-compliance with the PDPA.

If an organisation misuses personal data or conceals information concerning its collection, use, or disclosure, the PDPA provides for penalties not exceeding S$50,000 (approx. US$36,000).


Obstructing or hindering a PDPC investigation can attract a fine of up to S$100,000 (approx. US$72,000). The PDPA also makes organisations liable for the acts of their employees in the course of employment, whether or not the organisation knew of or approved those acts.


The 2020 amendments increased the maximum financial penalty for breaches of the PDPA to 10% of an organisation's annual turnover in Singapore where that turnover exceeds S$10 million, or S$1 million in any other case; the higher cap took effect on 1 October 2022.


Non-compliance with specific provisions of the PDPA may also constitute an offence, punishable by a fine, a term of imprisonment, or both.


An individual can bring a private civil action against an organisation for having suffered loss or damage directly due to a contravention of the provisions of the PDPA.


Automating Compliance: How Securiti Can Help

Given the complex obligations organisations face in managing individuals' access, correction, and portability requests, implementing effective security measures, and meeting data breach notification and other compliance requirements, complying with the PDPA can be labour-intensive and costly.

Securiti is the leader in AI-powered PrivacyOps and data governance. Similar to DevOps for software, PrivacyOps reimagines how to implement privacy management throughout an organization efficiently.

Securiti is a recognized innovator in this market, having been awarded "Most Innovative Startup" at RSA Conference 2020, and Leader in the Forrester Wave: Privacy Management Software. Securiti's PrivacyOps solution uniquely combines real-time sensitive data intelligence harnessing bot and AI technology with full workflow automation of all the major privacy compliance functions.

Frequently Asked Questions (FAQs)

Does the GDPR apply in Singapore?

No. Singapore is not part of the European Union, so the GDPR does not directly apply. Singapore's data protection law is the Personal Data Protection Act (PDPA).

Is the PDPA mandatory in Singapore?

Yes. The Personal Data Protection Act (PDPA) is mandatory in Singapore and applies to organisations that handle personal data.

Who regulates the PDPA?

The Personal Data Protection Commission (PDPC) is the authority responsible for regulating and enforcing the Personal Data Protection Act in Singapore.

What does PDPA stand for?

PDPA stands for the Personal Data Protection Act in Singapore. It regulates the collection, use, and disclosure of personal data and aims to protect individuals' data privacy rights.

How does the PDPA differ from the GDPR?

The PDPA (Personal Data Protection Act) in Singapore and the GDPR (General Data Protection Regulation) in the EU share similar principles but differ in specific requirements, jurisdiction, and scope.

How can organisations comply with the PDPA?

To comply with Singapore's Personal Data Protection Act, organisations need proper data protection policies, consent mechanisms, data breach procedures, and overall data protection measures in place. They should also appoint a Data Protection Officer and educate their employees about data protection practices.

Authored by Anas Baig

Anas Baig is a Product Marketing Manager with a proven track record in the cybersecurity industry. He has been a prominent contributor to numerous esteemed publications, including Infosecurity Magazine, CSO Online, Tripwire, Security Affairs, Network Computing, Security Boulevard, and several other renowned cybersecurity blogs. His in-depth knowledge and extensive experience in the industry make him a trusted source for cutting-edge insights and information in the ever-evolving world of cybersecurity.
