PDPA - Personal Data Protection Act

Type
Regulation
Jurisdiction
Singapore
Full Name
PDPA - Personal Data Protection Act (Personal Data Protection Act 2012)
Official Name
Personal Data Protection Act 2012

Description

Singapore Personal Data Protection Act (PDPA)

The Personal Data Protection Act (PDPA) is Singapore's primary data protection legislation, governing the collection, use, disclosure and care of personal data by organizations. Passed in 2012, it balances an individual's right to have their personal data protected against an organization's need to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

The PDPA establishes a comprehensive framework that:

  • Recognizes both individual privacy rights and organizational needs
  • Creates the Personal Data Protection Commission (PDPC) as the primary regulatory authority
  • Implements the Do Not Call Registry
  • Sets standards for data protection and breach notification
  • Provides enforcement mechanisms and penalties for non-compliance

Key Objectives and Scope

The PDPA applies to:

  • Every organization that collects, uses or discloses personal data in Singapore, whether or not it is formed or resident in Singapore
  • Personal data in any form, electronic or non-electronic
  • Private-sector organizations of all kinds, including companies, associations and sole proprietors (public agencies are governed by separate public-sector rules)

Excludes:

  • Individuals acting in a personal or domestic capacity
  • Employees acting in the course of their employment with an organization
  • Public agencies, and organizations acting on behalf of a public agency in respect of that collection, use or disclosure
  • Business contact information, to which most of the data protection obligations do not apply
  • Personal data contained in records that have been in existence for at least 100 years

Core Requirements

Organizations must comply with the PDPA's data protection obligations, the central ones being:

  1. Consent Obligation
    • Obtain valid consent before collecting, using or disclosing personal data, unless an exception in the Act applies
    • Notify individuals of the purposes for which their data is collected, used or disclosed (the Notification Obligation)
    • Allow individuals to withdraw consent at any time, with reasonable notice
  2. Purpose Limitation Obligation
    • Collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances
    • Use data only for purposes that were notified to the individual and consented to
  3. Protection Obligation
    • Make reasonable security arrangements to protect personal data against unauthorized access, collection, use, disclosure, copying, modification or disposal, and against the loss of any storage medium on which it is held
    • Maintain written data protection policies and practices, and make information about them available on request (the Accountability Obligation)
  4. Accuracy Obligation
    • Make reasonable effort to ensure personal data is accurate and complete
    • Particularly where the data is likely to be used to make a decision affecting the individual, or disclosed to another organization

Technical Requirements

The remaining obligations translate into operational controls that organizations must implement:

  • Reasonable security arrangements proportionate to the sensitivity of the personal data held (Protection Obligation)
  • A process to assess suspected data breaches and notify the PDPC and affected individuals where required (Data Breach Notification Obligation). A breach is notifiable if it is likely to result in significant harm to affected individuals or affects 500 or more individuals; the PDPC must be notified as soon as practicable and no later than 3 calendar days after the breach is assessed as notifiable
  • Mechanisms for individuals to request access to their personal data and to have errors corrected (Access and Correction Obligation)
  • Retention of personal data only for as long as a business or legal purpose remains, followed by secure disposal or anonymization (Retention Limitation Obligation)
  • Controls ensuring that personal data transferred outside Singapore receives a standard of protection comparable to the PDPA (Transfer Limitation Obligation)

Compliance Mechanisms

The PDPC enforces the Act through:

  1. Investigations
  2. Directions for compliance
  3. Financial penalties (under the cap in force since 1 October 2022) of up to:
    • 10% of the organization's annual turnover in Singapore, where that turnover exceeds SGD 10 million
    • SGD 1 million, whichever is higher

Implementation Timeline

  • Enacted: passed by Parliament in October 2012; PDPC established 2 January 2013
  • Do Not Call provisions effective: 2 January 2014
  • Main data protection provisions effective: 2 July 2014
  • Mandatory Data Breach Notification: effective 1 February 2021 (introduced by the 2020 amendments)
  • Increased financial penalty cap: effective 1 October 2022
  • Data Portability Obligation: provided for in the 2020 amendments, to be brought into force separately

Territorial Scope

  • Applies to any organization that collects, uses or discloses personal data in Singapore, regardless of where the organization is formed or located
  • Personal data transferred outside Singapore remains subject to the Transfer Limitation Obligation: the transferring organization must ensure the overseas recipient is bound to a comparable standard of protection
  • Foreign organizations with no presence in Singapore are covered in respect of personal data they collect in Singapore
