TL;DR: Singapore's Personal Data Protection Act (PDPA) gives you real rights: access your data, correct errors, withdraw consent, and (since 2021) port your data to competitors. Companies face fines up to S$1 million or 10% of annual turnover for violations. But there's a critical gap: the government is completely exempt. PDPA only applies to the private sector. So while you can fight a company misusing your data, you have no equivalent recourse against government surveillance.
What Is the PDPA?
The Personal Data Protection Act 2012 (PDPA) is Singapore's main data protection law. It sets baseline standards for how private-sector organizations collect, use, disclose, and protect personal data [1].
The law underwent major amendments in 2020, which took effect on 1 February 2021, adding mandatory breach notification, data portability rights, and increased penalties.
What PDPA covers:
- All private-sector organizations operating in Singapore
- Foreign companies that collect data from individuals in Singapore
- Data intermediaries (processors) handling data on behalf of other organizations
What PDPA does NOT cover:
- Government agencies and public-sector bodies
- Individuals acting in personal or domestic capacity
- Business contact information
- Data about individuals who have been dead for more than 10 years
The government exemption is significant. While PDPA provides meaningful protection against corporate data misuse, it provides zero protection against government surveillance, data collection, or disclosure [2].
The 11 Data Protection Obligations
Organizations covered by PDPA must comply with 11 core obligations [3]:
| Obligation | What It Requires |
|---|---|
| Consent | Obtain clear consent before collecting, using, or disclosing personal data |
| Purpose Limitation | Only collect, use, or disclose data for purposes disclosed to the individual |
| Notification | Inform individuals of the purposes for which data is being collected |
| Access | Provide individuals access to their personal data upon request |
| Correction | Correct errors or omissions in personal data upon request |
| Accuracy | Ensure personal data is accurate and complete for its intended purpose |
| Protection | Implement reasonable security measures to protect personal data |
| Retention Limitation | Stop retaining personal data when no longer needed for legal/business purposes |
| Transfer Limitation | Ensure adequate protection when transferring data overseas |
| Data Portability | Transmit data to another organization upon request (added 2021) |
| Data Breach Notification | Notify PDPC and affected individuals of significant breaches (added 2021) |
As of 1 June 2025, all organizations must also appoint a Data Protection Officer (DPO) and notify the PDPC of this appointment [4].
Your Rights Under PDPA
Right to Access
You can request access to your personal data held by any organization, plus information about how that data was used or disclosed in the past year [5].
How to exercise it:
- Submit a written request to the organization's DPO
- Organizations must respond within 30 days
- Data should be provided in a readable format
- Organizations may charge a reasonable fee
Organizations can refuse if:
- Disclosure would reveal another individual's personal data
- Access would be contrary to national interest
- The request is frivolous or malicious
- Data relates to ongoing legal proceedings
Right to Correction
Under Section 22, you can request that organizations correct errors or omissions in your personal data. They must make corrections "as soon as practicable" and notify any third parties who received the incorrect data in the past year [6].
Limitations:
- Does not apply to professional or expert opinions
- Does not cover "derived data" (data the organization calculated or inferred)
Right to Data Portability
Added in 2021, this allows you to request that an organization transmit your personal data to another organization in a commonly used machine-readable format [7].
This covers:
- Data you provided directly
- Data created through your use of the service
- Electronic data only (not paper records)
This does NOT cover:
- Derived data (analytics, scores, insights)
- Data the organization obtained from third parties
Right to Withdraw Consent
Under Section 16, you can withdraw consent for any specific purpose by giving reasonable notice. The organization must stop collecting, using, or disclosing your data for that purpose [8].
Important: Withdrawal of consent may affect the organization's ability to provide services. They must inform you of the likely consequences before processing your withdrawal.
Do Not Call Registry
PDPA established a national Do Not Call (DNC) Registry. Register your Singapore phone number to opt out of:
- Marketing phone calls
- Marketing SMS and MMS messages
- Marketing faxes
After you opt out, organizations have 21 days to stop sending marketing messages. Register at dnc.gov.sg.
What You DON'T Have
Unlike GDPR, Singapore's PDPA does not give you:
- Right to erasure/deletion: No "right to be forgotten"
- Right to object to processing: You can withdraw consent, but can't object if processing is based on legitimate interests
- Right to restrict processing: No ability to freeze data while disputes are resolved
Data Breach Notification
Since February 2021, organizations must notify the PDPC and affected individuals of "notifiable data breaches" [9].
A breach is notifiable if it:
- Results in or is likely to result in significant harm to individuals, OR
- Affects 500 or more individuals
Timeline:
- PDPC notification: Within 3 calendar days of determining that the breach is notifiable
- Individual notification: As soon as practicable (can be same time or after PDPC)
- Financial sector (MAS-regulated): Within 1 hour of discovering a security breach
Notification must include:
- Nature of the breach
- Types of personal data affected
- Number of individuals affected
- Steps taken to contain the breach
- Recommendations for individuals to protect themselves
Penalties and Enforcement
Since October 2022, PDPA violations can result in serious financial penalties [10]:
Financial penalties:
- Up to S$1 million, OR
- 10% of annual turnover in Singapore (for organizations with turnover exceeding S$10 million)
- Whichever is higher
Criminal penalties (for egregious mishandling):
- Up to S$5,000 fine
- Up to 2 years imprisonment
- Applies to knowing or reckless unauthorized disclosure, unauthorized use for gain/harm, or re-identification of anonymized data
Other enforcement actions:
- Directions to stop collecting, using, or disclosing data
- Orders to destroy or delete data
- Public warnings and reprimands
Recent Enforcement Examples
The PDPC has become increasingly active in enforcement:
- 2025: Integrated resort operator fined S$315,000 for protection obligation breach
- 2024: Eatigo fined S$62,400 for 2020 breach affecting 2.76 million users
- 2024: ShopBack fined S$74,400 for security failures
- May 2024 alone: S$102,000 in fines across three decisions
Aggravating factors include: sensitive data (minors, NRIC/passport numbers), repeat offenses, and large-scale breaches. Cooperation and voluntary compliance improvements are mitigating factors [11].
Cross-Border Data Transfers
Section 26 of PDPA restricts transfers of personal data outside Singapore. Organizations must ensure the receiving country provides comparable protection [12].
Acceptable transfer mechanisms:
- Recipient country has comparable data protection laws
- Binding corporate rules
- Contractual arrangements ensuring compliance
- Individual's consent to transfer
- Transfer is necessary to perform a contract
In January 2025, ASEAN Digital Ministers adopted Joint Guidelines for ASEAN Model Contractual Clauses, facilitating data transfers within the region [13].
The Government Exemption: The Critical Gap
This is the most important thing to understand about PDPA: it does not apply to the government.
Government agencies are completely exempt from PDPA. This means:
- No consent requirement for government data collection
- No access or correction rights for government-held data
- No retention limits on government databases
- No breach notification if government systems are compromised
- No penalties for government misuse of personal data
The government has separate internal policies (the Public Sector Governance Act and Government Instruction Manuals), but these don't provide individual rights or external enforcement mechanisms [14].
In practice, this means:
- SingPass can collect facial recognition data without the consent requirements that apply to private companies
- The 90,000+ police cameras operate outside any data protection framework
- Government agencies can share your data between themselves without your knowledge
- If government systems are breached (like the SingHealth breach in 2018), there's no PDPA violation, because PDPA doesn't apply
PDPA protects you from corporate data abuse. It does nothing about government surveillance.
How to Exercise Your Rights
Request Access to Your Data
1. Find the organization's DPO contact (usually in privacy policy)
2. Submit written request specifying what data you want
3. Wait up to 30 days for response
4. If denied, request written explanation
5. Escalate to PDPC if you believe denial is improper
Request Data Correction
1. Document what's incorrect and what it should be
2. Submit correction request to DPO in writing
3. Provide supporting documentation if needed
4. Organization must correct "as soon as practicable"
5. Request confirmation that third parties were notified
Withdraw Consent
1. Review what you've consented to (check privacy policy)
2. Send written notice specifying which purpose(s)
3. Allow "reasonable time" for processing
4. Organization must stop that use of your data
5. Understand service limitations may result
File a Complaint
1. Try resolving with the organization first
2. Document all communications
3. File complaint with PDPC at pdpc.gov.sg
4. PDPC will investigate and may take enforcement action
5. Consider private legal action if you've suffered harm
Practical Privacy Tips for Singapore
Given PDPA's limitations, here's how to protect yourself:
Against corporate data collection:
- Exercise your access rights annually with major data holders
- Withdraw consent for non-essential marketing
- Register all numbers with DNC Registry
- Use data portability to consolidate accounts and close old ones
- Check privacy policies before signing up for services
Against government data collection:
- Understand that PDPA won't help you here
- Minimize optional government digital service use where feasible
- Use encrypted messaging for sensitive communications
- Be aware of what's captured on public cameras
- Know that telecom data can be accessed without court orders
For everyone:
- Protect your NRIC number: don't use it as a password
- Use strong, unique passwords for all accounts
- Enable 2FA on all services that support it
- Review app permissions regularly
- Monitor for breach notifications
Key Resources
- PDPC Official Website (guidelines, complaint forms, enforcement decisions)
- Do Not Call Registry (register phone numbers to opt out of marketing)
- PDPC Enforcement Decisions (see how violations are handled)
- PDPA Full Text (the actual law)
References
1. PDPC - Personal Data Protection Act Overview
2. New Naratif - The Use and Abuse of Personal Data by the PAP Government
3. PDPC - Data Protection Obligations
4. Hawksford - The Essential Guide to Singapore PDPA Compliance
5. ICLG - Data Protection Laws and Regulations Singapore 2025-2026
6. CMS - Data protection and cybersecurity laws in Singapore
7. Future of Privacy Forum - Singapore's PDPA Data Portability
8. CookieYes - Singapore's Personal Data Protection Act (PDPA)
9. PDPC - Guide on Managing and Notifying Data Breaches
10. Baker McKenzie - Regulators, Enforcement Priorities and Penalties
11. Privacy World - Singapore Ramps Up Data Protection Enforcement (May 2024)
12. Baker McKenzie - Security Requirements and Breach Notification
13. Chambers - Data Protection & Privacy 2025 Singapore
14. EngageMedia - Singapore under the Pandemic: Digital Authoritarianism