
Singapore Personal Data Protection Act (PDPA)

  • Maximum Fine: SGD$1M
  • Scope: National
  • Regulator: PDPC
  • Enacted: 2012

Overview

The Personal Data Protection Act establishes a comprehensive framework for the protection of personal data in Singapore, enforced by the Personal Data Protection Commission (PDPC).

Key Facts

  • Enacted in 2012, major amendments in 2020
  • Enforced by Personal Data Protection Commission
  • Includes mandatory breach notification requirements

Key Principles

Purpose Limitation

Personal data can only be collected, used or disclosed for purposes that would be considered appropriate.

Requirements

  • Define clear purposes
  • Limit collection scope
  • Document purposes
  • Regular reviews
  • Update as needed

Examples

  • Purpose statements
  • Collection notices
  • Documentation records
  • Review procedures

Protection Obligation

Organizations must protect personal data in their possession or control.

Requirements

  • Implement security measures
  • Control access rights
  • Secure storage systems
  • Regular assessments
  • Incident response

Examples

  • Security policies
  • Access controls
  • Encryption measures
  • Assessment reports

Compliance Requirements

Data Protection Officer

Organizations must appoint at least one individual as Data Protection Officer.

Implementation Steps

  • Designate DPO
  • Define DPO responsibilities
  • Provide necessary resources
  • Publish DPO contact details
  • Train DPO on requirements

Required Documentation

  • DPO appointment letter
  • Role description
  • Contact information
  • Training records
  • Resource allocation

Policies and Procedures

Development and implementation of data protection policies and practices.

Implementation Steps

  • Create privacy policy
  • Develop internal procedures
  • Implement security measures
  • Train employees
  • Regular reviews

Required Documentation

  • Privacy policies
  • Procedure manuals
  • Security documentation
  • Training materials
  • Review records

Enforcement & Penalties

Administrative Penalties

The Personal Data Protection Commission (PDPC) can impose significant financial penalties for violations.

Penalty Categories

  • Severe Violations (Up to SGD$1M): For serious breaches of the PDPA
  • Directions (Mandatory Changes): Orders to stop collecting, using or disclosing personal data
  • Remedial Orders (Corrective Actions): Requirements to implement specific measures

Example Cases

  • Grab, SGD$10,000: 2020 - Unauthorized disclosure of customer data
  • Singtel, SGD$25,000: 2020 - Data breach affecting 129,000 customers

Additional Measures

The PDPC can impose various corrective measures beyond monetary penalties.

Penalty Categories

  • Public Notice (Publication): Public disclosure of violations
  • Compliance Audits (Mandatory Reviews): Required data protection audits
  • Stop Processing (Processing Ban): Orders to cease data processing activities

Example Cases

  • Challenger, SGD$8,000: 2021 - Failure to protect customer data
  • Genki Sushi, SGD$16,000: 2020 - Insufficient security measures leading to breach