Understanding Personal Data Protection in Singapore

Posted by Written by Ayman Falak Medina Reading Time: 2 minutes

The Personal Data Protection Act (PDPA) provides baseline protection for personal data in Singapore. The PDPA protects individuals’ data as well as regulates how an organization collects, uses, or discloses personal data.

First enacted in 2012, the PDPA was updated in 2020 and shares many of the provisions under the European Union’s GDPR laws. Further, the PDPA provides for the establishment of the national Do Not Call (DNC) Registry. Individuals in Singapore can register with the DNC Registry to opt out of unwanted telemarketing calls.

The PDPA encompasses a wide scope, applying to individuals, businesses, public agencies, and employees alike. Its stringent data protection obligations emphasize transparency, accountability, and consent in the collection, use, and disclosure of personal data. From notification and consent requirements to purpose limitation and accuracy standards, organizations are obligated to uphold the highest levels of data security and integrity.

Definition of personal data

The PDPA defines personal data as any data that can be used to identify an individual or from that data to which the organization has access.

Scope of the PDPA

The PDPA generally applies to:

  • Any individual acting on a personal or domestic basis;
  • Business contact information such as an individual’s name, position, business email, business address, and other similar information;
  • Any public agency that collects, uses, or discloses personal data; and
  • Any individual acting in his/her capacity as an employee in an organization.

Data protection obligations


Organizations must make available information about their data protection policies and complaints process upon request. They must also designate a data protection officer (DPO).

Organizations need to take an accountability-based approach to managing their consumers’ data. This will help strengthen the trust of an organization with its consumers and make the business more competitive.


Organizations must notify the individuals whose data there are intending to collect, use, or disclose.


Organizations are only allowed to disclose personal data of which an individual has given his/her consent. This must be done with reasonable notice and the individual must be informed of the consequences of withdrawing their consent.

Purpose limit obligation

Businesses must be transparent to individuals as to why their data is being collected, how it will be used, and how the personal data will be disclosed.


Businesses must ensure that the personal data collected is accurate and complete. This is particularly important if their data is to be disclosed to another organization.


Organizations must ensure that their data security arrangements are of the highest standards in Singapore to prevent any unauthorized access, collection, or disclosure of data.

Retention limitation

Personal data may only be kept for a certain period, after which the data must be deleted permanently.

Transfer limitation

Personal data may not be transferred to outside of Singapore to any territory that does not have the same standards as those set out under the PDPA.

Data breach notification

In the event of a data breach, businesses must notify the individuals whose data is impacted, especially if the breach can result in significant harm to the individuals.

About Us

ASEAN Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia and maintains offices throughout ASEAN, including in Singapore, Hanoi, Ho Chi Minh City, and Da Nang in Vietnam, in addition to Jakarta, in Indonesia. We also have partner firms in Malaysia, the Philippines, and Thailand as well as our practices in China and India. Please contact us at asean@dezshira.com or visit our website at www.dezshira.com.