Skip to Main Content
Main Menu

Personal Data Protection Act (PDPA)

The PDPA complements sector-specific legislative and regulatory frameworks, governing the collection, use, disclosure and care of personal data in Singapore.

Are you subject to the PDPA?

PDPA is highly localized and centered in Singapore, it applies to any international business that operates or does business in the Republic. Additionally, international businesses that do transactions with employees or customers in Singapore are mandated to follow the Personal Data Protection Act’s guidelines. PDPA does not apply to:
  • Any individual acting on a personal or domestic basis.

  • Any individual acting in his/her capacity as an employee with an organization.

  • Any public agency in relation to the collection, use or disclosure of personal data.

  • Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number and similar information.

Obligations under PDPA

Purpose Limitation

Businesses must be transparent when it comes to informing individuals as to why their personal data is being collected, how it will be used, and in which cases personal data will be disclosed. Furthermore, businesses must not use data for any other reason than its stated purpose.

Notification and Consent

Inform the individuals on the purposes for collection, use and disclosure of their personal data during collection and ensure that the consent has been obtained from the individuals before collecting, using or disclosure of the personal data.

Individual Rights

Upon request, provide the personal data of the individual and information on how the individual’s personal data has been used or disclosed in the past year. Correct an individual’s personal data upon request.

Retention Limitation

Retain personal data only for business/legal purposes and securely destroy personal data when no longer needed.

Cross-Border Transfers

Ensure overseas external organizations provide a standard of protection comparable to the protection under the Singapore PDPA.

Do-Not-Call (DNC)

Do not send marketing messages to individuals who have registered in the National DNC registry through voice, text messages or fax unless you have obtained their clear and unambiguous consent or have an on-going relationship (for text / fax).


CBPR – Navigating Cross-Border Data Privacy Compliance

In this highly anticipated webinar, we explore the background the future direction and assess the potential business case for companies considering certification under the new Global CBPR System.


  • How does the PDPA benefit business?

    The PDPA is intended to support business innovation while ensuring that businesses use personal data responsibly and consumer interests are safeguarded. The law provides clarity on the rules and requirements for businesses hosting personal data in Singapore.

  • How is the PDPA different from the Spam Control Act?

    The PDPA and the Spam Control Act (SCA) operate jointly but cover different areas. The SCA regulates the sending of unsolicited commercial electronic messages (electronic mail, text and multimedia messaging sent to instant messaging identifiers) in bulk. The PDPA regulates the sending of specified messages to Singapore telephone numbers (Do Not Call Provisions), and the collection, use and disclosure of individuals’ personal data (Data Protection Provisions).

  • What should organizations take note of in complying with withdrawal of consent requirements?

    Upon withdrawal of consent, the organization must cease collecting, using or disclosing the personal data. Organizations may provide in their marketing messages a facility for individuals to withdraw their consent (e.g. by clicking on an “unsubscribe” link within an e-mail). Organizations are also encouraged to clearly indicate the scope of the withdrawal in such instances and inform individuals of how they may withdraw consent for matters outside the scope of such withdrawal.

  • Does the PDPA apply to the sale and purchase of databases comprising randomly generated mobile numbers?

    Sellers of databases comprising randomly generated numbers beginning with ‘8’ or ‘9’ which have been ascertained to be in use would be considered to be disclosing personal data, and the PDPA would apply. Among other things, consent of the individual is required for the collection, use or disclosure of the personal data, unless any exception applies. The PDPA also prohibits the sending of messages to Singapore telephone numbers generated or obtained through the use of dictionary attacks or address-harvesting software.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top