Act 26 of 2012 Amended by Act 40 of 2020 Major operative provisions: 1 Feb 2021 PDPC, Singapore

The Personal Data Protection Act, at a glance.

An interactive guide to Singapore's data protection regime: one Act, six operating Regulations, eleven obligations, three Do Not Call registers, and a five-stage enforcement pathway from complaint to High Court. Cross-referenced, mapped, and built to read.

10% of SG turnover
Maximum financial penalty for organisations above S$10M revenue
500 individuals
The threshold above which a data breach is notifiable for scale alone
3 days
Calendar days to notify the PDPC after assessing a notifiable breach
21 days
Validity window of a Do Not Call Register check before re-querying
§ 01 · The Stack

One Act, six Regulations.

The PDPA is a small constitution. The Act sets the principles; six subsidiary Regulations operationalise each Part. Knowing which Regulation governs which provision is half the battle of compliance, so the map below reads in two directions: by instrument, and by Act provision.

Parent statute
Personal Data Protection Act 2012
10 Parts · 60+ sections · last major amendment Act 40/2020
S 63/2021
Personal Data Protection Regulations
Access & correction requests, cross-border transfer, deemed consent by notification, legitimate interests, deceased individuals, the Commission's symbol.
ss 21–22 s 26 s 15A 1st Sch Pt 3
S 64/2021
Notification of Data Breaches Regulations
Defines what constitutes a notifiable breach by harm and by scale, the content of notifications to PDPC and to affected individuals.
Pt 6A s 26B s 26D
S 709/2013
Do Not Call Registry Regulations
Three registers (voice, text, fax), subscriber registration, telco terminated-number reports, checker validity windows, fees.
Pt 9 ss 39–48 s 43A
S 62/2021
Enforcement Regulations
How the PDPC reviews complaints, hears reconsiderations, exercises investigative powers, publishes voluntary undertakings.
Pt 9C s 48H s 48N s 50
S 65/2021
Appeal Regulations
Procedure before the Data Protection Appeal Committee, Notice of Appeal, response and reply, hearing rules, appeals to the General Division of the High Court.
Pt 9D s 48Q s 48R
S 70/2021
Composition of Offences Regulations
Lists which PDPA offences the Commission may compound in lieu of prosecution, including DNC offences, unauthorised access requests, and Part 9B individual-conduct offences.
s 51(1) s 55(1) s 55(2)
Cross-reference · which Regulation operationalises which Part of the Act
[Interactive matrix. Columns: PDPR 2021 · Breach 2021 · DNC 2013 · Enforce 2021 · Appeal 2021 · Compose 2021. Rows: Part 3 · General rules; Part 4 · Consent & purpose; Part 5 · Access & correction; Part 6 · Care of personal data; Part 6A · Data breaches; Part 9 · Do Not Call Registry; Part 9B · Individual offences; Part 9C · Enforcement; Part 9D · Appeals. The section references listed under each Regulation above give the mapping in text.]
◇ Read the stack as a sentence
The Act says what. The Personal Data Protection Regulations 2021 say how for general obligations. Three sibling Regulations carve out specialist regimes (breach, DNC, enforcement procedure). The Appeal Regulations and Composition Regulations sit at the back of the book as process and remedy: how to challenge a decision, and how the Commission may settle an offence without prosecution.
§ 02 · Parts 3 to 6A

The eleven obligations.

Together, Parts 3 through 6B of the Act (Part 6B, data portability, is not yet in force) impose eleven discrete duties on every organisation that collects, uses, or discloses personal data in Singapore. Treat them as a checklist for any new product, vendor, or process that touches personal data.

01 · Consent

Consent obligation

Collect, use, or disclose personal data only with the individual's consent, expressed or deemed. Consent obtained by deception or false information is invalid.

ss 13–17
02 · Purpose limitation

Purpose Limitation

Collect, use, or disclose only for purposes a reasonable person would consider appropriate in the circumstances, and only for purposes the individual has been notified of.

s 18
03 · Notification

Notification

Notify the individual of the purposes for which their personal data will be collected, used, or disclosed, on or before the collection.

s 20
04 · Access & correction

Access & Correction

On request, provide the individual with their personal data and information about how it has been used or disclosed in the year before the request, and correct errors.

ss 21–22
05 · Accuracy

Accuracy

Make a reasonable effort to ensure personal data is accurate and complete if it is likely to be used to make a decision affecting the individual or disclosed to another organisation.

s 23
06 · Protection

Protection

Make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data.

s 24
07 · Retention limitation

Retention Limitation

Cease retention or anonymise personal data as soon as the purpose for which it was collected is no longer served and retention is no longer necessary for legal or business reasons.

s 25
08 · Transfer limitation

Transfer Limitation

Before transferring personal data outside Singapore, ensure the recipient is bound by legally enforceable obligations to provide a comparable standard of protection.

s 26 · PDPR Pt 3
09 · Accountability

Accountability & Openness

Develop and implement policies and practices to comply with the Act, designate a Data Protection Officer with publicly available business contact information, and make these policies available on request.

ss 11–12
10 · Data breach notification

Data Breach Notification

Assess any data breach without delay; where the breach is notifiable, notify the PDPC within 3 calendar days of that assessment, and notify affected individuals as soon as practicable where the breach is likely to result in significant harm to them (a breach notifiable for scale alone goes to the PDPC only).

Pt 6A · ss 26A–26E
11 · Data portability

Data Portability

On request, transmit an individual's data in machine-readable form to another organisation. Introduced by Act 40/2020 with operative provisions to be commenced.

Pt 6B · ss 26F–26J
⚡ Two carve-outs to remember
Public agencies sit outside Parts 3 to 6B (s 4(1)(c)), and an individual acting in a personal or domestic capacity is exempt under s 4(1)(a). Both carve-outs are narrower than they sound: an employee acting in the course of employment is excluded under s 4(1)(b), but the employer is not, and a business processing personal data on behalf of another organisation remains in scope as a data intermediary for the Protection, Retention Limitation, and data breach notification duties (s 4(2)–(3)).
§ 03 · Part 6A · Breach Regs

What makes a breach notifiable.

Not every breach must be reported. Under section 26B, a breach becomes notifiable if it crosses either of two tests, harm or scale. Once an organisation has reason to believe a breach has occurred, the assessment must begin without delay; the moment that assessment confirms it is notifiable, a 3-day clock starts ticking to the PDPC.

Test A · Significant harm
By kind of data

A breach is deemed to result in significant harm to an individual if it relates to either (a) the individual's full name or identification number plus any of the prescribed categories of personal data, or (b) the individual's account identifier with login or biometric credentials.

  • Salary, income, net worth, or any account balance held with a bank or finance company
  • Credit, charge, or debit card numbers
  • Insurance policy details, claims, and underlying medical conditions
  • Medical assessment of HIV, sexually transmitted disease, schizophrenia, or substance addiction
  • Adoption proceedings, donor or transplant information, suicide or attempted suicide
  • Domestic, child, or sexual abuse involving the individual
  • Account credentials including passwords, biometric data, or security responses
Test B · Significant scale
By number affected

Independently of harm, a breach is notifiable if it affects, or is likely to affect, 500 or more individuals. Where the exact number is not yet known, the organisation must still notify and update the figure as the investigation matures.

  • Counted across the same incident, not per system or per data category
  • Includes individuals whose data is in the possession of a data intermediary acting for the organisation
  • Public availability of the data (other than by the breach itself) takes the data outside Test A but does not exempt Test B
3 calendar days

Section 26D(1): notify the PDPC as soon as practicable, and in any case no later than 3 calendar days after the organisation assesses the breach to be notifiable.

The notification, made in the form on pdpc.gov.sg, must include the chronology of discovery, how the breach occurred, the personal data and number of individuals affected, the potential harm, mitigating actions taken, the plan to inform affected individuals, and DPO contact information. Late notifications must additionally state reasons and supporting evidence.

§ 04 · Part 9 · DNC Regs

Three Do Not Call registers.

Singapore runs a per-channel opt-out system. Subscribers register the same number on as many lists as they wish; senders must check the register relevant to the channel they intend to use, and the check must be no more than 21 days old at the time of sending. Under section 43A, a checker reselling DNC results must pass on the date of the check and the date on which the result expires.

No Voice Call Register

Specified messages sent by voice call or video call using a telephone, data service, or any other electronic means are subject to the voice register.

Voice + video calls
21-day check window

No Text Message Register

Covers text, sound, or visual messages sent to a Singapore telephone number, including SMS and MMS. Excludes fax and voice messages.

SMS / MMS / RCS
21-day check window

No Fax Message Register

Specified messages sent by way of facsimile transmission. Mostly relevant for B2B-facing senders that still use fax for marketing in regulated sectors.

Facsimile only
21-day check window
◇ The 21-day rule, simplified
A DNC check is valid for 21 days from the day the Commission's reply is received. After that, the sender (or the checker reselling the result) must re-query before sending. The same 21-day clock applies to withdrawal of consent: an organisation has 21 days from receiving a withdrawal notice to stop sending under section 47.
§ 05 · Section 26 · PDPR Part 3

Cross-border transfer, four routes.

Personal data leaves Singapore frequently, but section 26 only permits a transfer if the recipient is bound to a comparable standard of protection. Regulation 11 of the Personal Data Protection Regulations 2021 lists exactly how that binding may arise. Pick one route and document it before any data leaves.

Route 01

Statute of the destination

The recipient is already bound by the law of the destination country to a comparable standard. Most useful where the destination has its own data protection statute whose protection is comparable to the PDPA's; document the comparison, since the transferring organisation bears the burden of showing it.

Route 02

Contract

A bilateral contract that requires comparable protection and specifies the territories to which onward transfer is permitted. The most common route for vendor and processor relationships.

Route 03

Binding Corporate Rules

Group-wide BCRs binding intra-group recipients, used only between related entities, specifying the recipients, territories, rights, and obligations covered. Distinct from contract because it travels with the corporate group.

Route 04

APEC certification

The recipient holds APEC CBPR certification, or APEC PRP certification if the recipient is a data intermediary. Useful when no contract is feasible and the recipient is in a participating economy.

⚡ Deemed-comparable conditions (reg 10(2))
A transferring organisation is taken to satisfy the comparable-protection requirement if any of these holds: the individual has consented after being given a reasonable summary of the destination's protection; consent is deemed under sections 15(3) to (8); the transfer is necessary for a permitted use under the First Schedule; the data is in transit only; or the data is publicly available in Singapore. Consent cannot be a condition of providing the product unless the transfer is reasonably necessary to provide it.
§ 07 · Parts 9C & 9D

The enforcement pathway.

From a complaint to a final ruling, the regime moves in five stages. Each stage carries its own time limit, fee, and procedural rules, and each Regulation in the stack governs a different stage. The same 28-day clock recurs at each of the three challenge gates: reconsideration, appeal to the Appeal Committee, and appeal to the High Court.

Stage 01
Complaint & ADR
s 48G
Commission may direct parties to alternative dispute resolution. Many cases resolve here without reaching a formal review.
Stage 02
Review & investigation
s 48H · ER Pt 2 · s 50
PDPC reviews access or correction refusals, fee disputes, and investigates compliance with the Act. Powers under the Ninth Schedule include entry, examination, and seizure.
Stage 03
Reconsideration
s 48N · ER Pt 3 · 28 days · S$25 / S$250
An aggrieved party may apply within 28 days of service of the contestable decision for the Commission to reconsider on grounds of error of fact or law.
Stage 04
Appeal Committee
s 48Q · AR · 28 days · S$50 / S$600
Notice of Appeal filed with the Secretary to the Data Protection Appeal Panel. The Committee may confirm, vary, or set aside the decision, and may suspend its effect during the appeal.
Stage 05
High Court
s 48R · AR reg 32 · 28 days
Appeal lies to the General Division of the High Court within 28 days of issue of the Appeal Committee's direction or decision, on a point of law or as to the amount of any financial penalty.
◇ Reconsideration auto-withdraws an appeal
Section 48Q(3) and Appeal Regulations regulation 6 are linked: if any party applies for reconsideration after a Notice of Appeal has been filed, the appeal is deemed withdrawn from the date of the reconsideration application. Choose one route, not both.
§ 08 · Sections 48J, 51, 55

Three regimes of consequence.

The PDPA distinguishes administrative penalties on organisations from criminal liability of individuals from compoundable offences settled before prosecution. The three sit at different points on the severity scale and carry different procedural protections.

Tier 01 · Administrative
10% of SG turnover or S$1M, whichever is higher · for organisations with annual SG turnover above S$10M
Financial penalty for contravention of Parts 3, 4, 5, 6, 6A or 6B
Imposed by the Commission on an organisation that intentionally or negligently breaches a data protection obligation. Smaller organisations are capped at S$1M. Subject to representations under section 48K and appealable to the Appeal Committee.
Relative severity
Tier 02 · Criminal · Individual
Fine up to S$5,000, imprisonment up to 2 years, or both, on conviction
Unauthorised disclosure, improper use, or re-identification of anonymised data
Sections 48D, 48E, and 48F target individual conduct: an employee who knowingly leaks personal data, uses it for personal gain, or re-identifies anonymised information without authority. Defences include public availability and authorised purposes.
Relative severity
Tier 03 · Composition
Settled in lieu of prosecution, by the Commission
Compoundable offences under sections 51(1), 61(2), 42(2), and DNC offences
The Composition of Offences Regulations 2021 list which offences may be compounded by the Commission, including unauthorised access requests under section 21 and DNC contraventions still within the pre-2021 regime.
Relative severity
◇ Below the S$10M revenue line
Section 48J(3) caps the financial penalty at S$1 million for organisations whose annual Singapore turnover does not exceed S$10 million. The 10% formula only bites at the upper end. For individuals breaching DNC duties or section 48B (dictionary attacks), the cap is S$200,000.
§ 09 · Self-Assessment

Where does your situation sit?

A guided walk through the Act's logic. Answer up to four questions to identify the regime that governs your situation and the obligations that follow. This is a heuristic for orientation; the binding text is the Act and its Regulations.