These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.

SG

Singapore

Personal Data Protection Act (PDPA) 2012 Compliance Checklist

Key Provisions

Part 1 – Preliminary

Section 2: Interpretation

Defines key terms including personal data (data, whether true or not, about an individual who can be identified from that data, alone or together with other information the organisation has or is likely to have access to), organisation (any individual, company, association or body of persons, whether or not formed or recognised under Singapore law or resident or having an office or place of business in Singapore), data intermediary (an organisation that processes personal data on behalf of another organisation, excluding that organisation's employees), and consent (including deemed consent under ss 15 and 15A).

Section 4: Application

Parts 3 to 6B impose obligations on organisations collecting, using or disclosing personal data in Singapore, but not on individuals acting in a personal or domestic capacity, employees acting in the course of employment, or public agencies (s 4(1)). A data intermediary processing under a written contract is bound only by the protection (s 24) and retention (s 25) obligations and by its breach-notification duties to the organisation it processes for (s 4(2)). The Act does not apply to personal data in records that have existed for at least 100 years or about individuals deceased for more than 10 years (s 4(4)), and the data protection provisions do not apply to business contact information (s 4(5)).

Part 3 – General Rules (Accountability)

Section 11: Compliance with Act

Organisations must consider what a reasonable person deems appropriate, be responsible for data under their control, designate one or more individuals (e.g. DPOs) for compliance, allow delegation, and publish contact details.

Section 12: Policies and practices

Develop/implement policies and practices to meet Act obligations, set up complaint-handling process, train staff, and make policies and complaint process available on request.

Part 4 – Collection, Use & Disclosure

Section 13: Consent required

Organisations must not collect/use/disclose personal data without consent (actual, deemed, or notification-based) unless permitted by law or schedule.

Section 14: Provision of consent

Consent is valid only if individual informed of purposes (per section 20), consent freely given and not tied coercively to services, and no false or misleading practices.

Section 15: Deemed consent

Consent deemed if individual voluntarily provides data for that purpose and it is reasonable, or data contract-related (disclosure chain between A→B→C) with "reasonably necessary" test, subject to contractual limits.

Section 15A: Notification-based consent

Deemed consent by notification: before relying on it, the organisation must assess that the intended collection, use or disclosure is not likely to have an adverse effect on the individual, take reasonable steps to notify the individual of the purpose, and allow a reasonable period for the individual to opt out; consent is deemed only if the individual has not opted out within that period (s 15A).

Section 16: Withdrawal of consent

Individuals may withdraw consent at any time with reasonable notice; organisation must inform of consequences and cease processing unless otherwise required by law.

Section 17: Collection/Use/Disclosure without consent

Permitted without consent where a basis in the First Schedule applies (e.g. vital interests and emergencies, matters affecting the public, legal obligations, investigations, evaluative purposes, business asset transactions) or in the Second Schedule (additional bases: legitimate interests subject to a documented assessment, business improvement purposes, and research). The Do-Not-Call provisions have their own schedule defining "specified messages"; they are not a consent basis under s 17.

Section 18: Purpose limitation

Data may only be collected/used/disclosed for purposes a reasonable person would consider appropriate in the circumstances.

Section 20: Notification of purpose

Must inform individuals of purposes and contact info on or before collection (if direct), before first use/disclosure (if not direct), and must supply purpose details to third parties when disclosing without consent.

Part 5 – Access & Correction

Section 21: Access to personal data

On request, organisations must provide copy of personal data and record of uses/disclosures in past year, unless exception applies (Fifth Schedule: e.g. investigations, lawyer-client privilege, safety).

Section 22: Correction of personal data

Individuals may request correction; organisations must correct or annotate within prescribed time unless exception applies (Sixth Schedule: e.g. compliance with prescribed purposes).

Section 22A: Preservation of copies

If an access request is refused (in whole or part), the organisation must preserve a complete and accurate copy of the personal data concerned for the period prescribed in the regulations, so that the refusal can be reviewed.

Part 6 – Care of Personal Data

Section 23: Accuracy

Organisations must make reasonable efforts to ensure data is accurate, complete, and up-to-date where likely to be used or disclosed.

Section 24: Protection

Implement reasonable security measures to prevent unauthorized access, use, disclosure, copying, modification, disposal, or loss of storage media.

Section 25: Retention

Cease retaining data (or de-identify) as soon as it is no longer needed for the purpose collected and not required for legal/business purposes.

Section 26: Transfer outside Singapore

Must not transfer personal data overseas unless comparable protection is ensured (e.g. via PDPC-approved countries, contracts, binding corporate rules); PDPC may grant exemptions with conditions.

Part 6A – Notification of Data Breaches

Section 26B: Notifiable data breaches

A data breach is "notifiable" if it results in, or is likely to result in, significant harm to an affected individual, or if it is, or is likely to be, of a significant scale (s 26B(1)). A breach that occurs only within the organisation (e.g. data seen by staff without authority but never leaving the organisation) is deemed not to be notifiable (s 26B(4)).

Section 26C: Duty to assess

Where an organisation has reason to believe a data breach has occurred, it must assess reasonably and expeditiously whether the breach is notifiable (s 26C(1)); a data intermediary that has reason to believe a breach has occurred in data it processes must notify the organisation it processes for without undue delay (s 26C(2)).

Section 26D: Duty to notify

If the breach is assessed as notifiable, the organisation must notify the PDPC as soon as practicable and in any case no later than 3 calendar days after making that assessment. Where the breach results in, or is likely to result in, significant harm to affected individuals (not where it is notifiable only by scale), those individuals must also be notified on or after the PDPC notification, in any manner that is reasonable in the circumstances. Individual notification is not required where remedial action has made significant harm unlikely or where technological protection (e.g. encryption of the data) renders significant harm unlikely, or where a law-enforcement agency or the PDPC directs that individuals are not to be notified.

Part 9 – Do-Not-Call Registry

Sections 36–48

Establishes DNC register, defines "specified message," procedures for registration, obligations of "checkers" (who must scrub lists), consent/withdrawal, defences for employees, and enforcement.

Part 9A – Dictionary Attacks & Address-Harvesting

Section 48A–48B

Prohibits use of dictionary-attack software and address-harvesting tools to collect email addresses for unsolicited messages.

Part 9B – Offences Affecting Personal Data

Section 48C–48F

Criminalises knowing or reckless unauthorised disclosure of personal data (48D), unauthorised use of personal data for a gain, or to cause harm or loss (48E), and unauthorised re-identification of anonymised information (48F); each is punishable by a fine of up to SGD 5,000, imprisonment of up to 2 years, or both.

Part 9C – Enforcement

Section 48G–48M

PDPC's enforcement toolkit includes ADR (48G), Review (48H), Directions for non-compliance (48I), Financial penalties (48J–48K), Voluntary undertakings (48L), and District Court enforcement (48M).

Key Schedules

Schedule 1: Collection without Consent

Lists 11 specific bases such as compliance with legal obligations, court proceedings, emergencies, employment management, business asset transfers, research, public safety, and journalism.

Schedule 2: Additional Bases

Adds bases for collection, use and disclosure without consent beyond the First Schedule: legitimate interests (only where the organisation has assessed that the benefit outweighs any adverse effect on the individual and has disclosed that it is relying on this basis), business improvement purposes, and research purposes.

Schedule 5: Exceptions from Access

Organisations may refuse access if disclosure would reveal another's data, endanger safety, impede investigations, or breach privilege.

Schedule 6: Exceptions from Correction

Correction may be refused if accuracy is disputed, would breach privilege, relates to forecasts, or data no longer held.

Key Regulations

Personal Data Protection (Notification of Data Breaches) Regulations 2021

Defines "significant harm" (involving ID numbers or prescribed data categories) and "significant scale" (≥500 affected individuals). Specifies notification requirements to PDPC and affected individuals.

Personal Data Protection Regulations 2021

Covers access & correction procedures (30-day response), cross-border transfer mechanisms (approved countries, contracts, BCRs), deemed consent & legitimate interests, and rights for deceased individuals.

Personal Data Protection (Do Not Call Registry) Regulations 2013

Establishes register administration, checker registration and obligations, terminated numbers reporting, and list-scrubbing requirements (within 3 days for SMS/fax, 7 days for voice).

Compliance Checklist

Accountability (ss 11–12; PDPR 2021, Reg 2–4)

  • Designate one or more responsible individuals (s 11(3)); may delegate (s 11(4))
  • Publish their business contact information (s 11(5), PDPR 2021 Reg 4)
  • Develop & implement policies and practices to meet PDPA obligations (s 12(a))
  • Must include a complaint-handling process (s 12(b))
  • Train staff on those policies (s 12(c))
  • Provide on request: copies of policies and complaint process (s 12(d))

Consent (ss 13–17; PDPR 2021)

  • Obtain actual consent (s 14): only after providing required info (s 20) and not as a service "condition" (s 14(2))
  • Deemed consent if data is voluntarily provided (s 15(1)) or in contract-chain contexts (s 15(3)–(8))
  • Deemed consent by notification (s 15A): only where an adverse-effect assessment has been done and documented; notify the individual of the purpose and opt-out mechanism, and rely on the consent only after the opt-out period has lapsed without an opt-out
  • Record and retain consent records and opt-outs

Purpose Limitation (ss 18–20)

  • Data may be processed only for purposes a reasonable person would deem appropriate (s 18)
  • Notify individual of each purpose before: Direct collection (on or before collection); Indirect collection or new purposes (before first use/disclosure)
  • Provide contact info for questions (s 20(c))
  • When disclosing to 3rd parties, supply sufficient info for that party to judge PDPA compliance (s 20(2))

Access (s 21; PDPR 2021, Reg 2–5)

  • Request must be made in writing to the organisation (PDPR 2021); routing it through the published DPO contact is the practical default
  • Response: provide a copy of the data plus the record of uses and disclosures in the preceding year within 30 days, or inform the requester in writing of the time by which the response will be given
  • Fees: an access fee may be charged only after giving a written estimate; the requester may ask for a revised estimate if the fee is disputed
  • Exceptions: may refuse under the Fifth Schedule (e.g. privilege, safety, investigations); state the exception relied on and preserve a copy of the withheld data for the prescribed period (s 22A)

Correction (ss 22–22A; PDPR 2021, Reg 6–8)

  • Request must be made in writing to the organisation (PDPR 2021); no fee may be charged for a correction request
  • Action: correct the data as soon as practicable, or respond within 30 days stating when the correction will be made
  • Send the corrected data to every other organisation to which it was disclosed within the preceding year, unless that organisation does not need the corrected data (s 22(2))
  • If the correction is refused, annotate the record with the requested correction that was not made (s 22(5)); a refusal must rest on a Sixth Schedule exception
  • Preservation of copies (s 22A) attaches to refused access requests, not correction requests; make sure the access workflow, not the correction workflow, implements it

Data Care (Security) (s 24)

  • Implement reasonable security arrangements (technical, physical, organisational) to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or similar risks, and the loss of any storage medium or device on which it is stored (s 24)
  • Regularly review security measures, especially after a data breach or material change in processing

Data Retention (s 25)

  • Cease retaining documents containing personal data, or anonymise them, as soon as it is reasonable to assume the purpose of collection is no longer served by retention (s 25)
  • Continued retention is justified only while necessary for a legal or business purpose (s 25); document the retention schedule and the reason for each retained class of data

Cross-Border Transfer (s 26; PDPR 2021, Reg 9–12)

  • Transfer only if the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA (PDPR 2021, Part 3), by one of:
  • Law of the receiving jurisdiction
  • Contract (binding contractual clauses)
  • Binding corporate rules (for transfers within a corporate group)
  • Any other legally binding instrument
  • Alternatively, the recipient holds a specified certification (the APEC CBPR or PRP certification is the one recognised in the regulations)
  • Record which mechanism was used for each transfer and retain the supporting contract, rules or certificate

Breach Notification (ss 26A–26E; Notification Regs 2021, Reg 3–6)

  • Assess every suspected breach reasonably and expeditiously to determine whether it is notifiable (s 26C; Reg 3–4); a breach is notifiable on significant harm (prescribed data classes) or significant scale (500 or more individuals)
  • Notify the PDPC as soon as practicable and no later than 3 calendar days after assessing the breach as notifiable (s 26D(1); Reg 5), with: date and circumstances of the breach, data types and number of individuals affected, harm assessment, remedial and mitigation steps, plan for notifying individuals, and a contact point
  • Where significant harm is likely, notify affected individuals on or after the PDPC notification unless remedial action or technological protection (e.g. encryption) makes significant harm unlikely, or law enforcement or the PDPC directs otherwise (s 26D; Reg 6)
  • Data intermediaries must notify the organisation they process for without undue delay (s 26C(2)); an intermediary processing on behalf of a public agency notifies that agency under s 26E

Do-Not-Call Compliance (DNC Regs 2013, Reg 3–7, 8–11, 12–14, 15–19)

  • Subscribe/Unsubscribe: honour registration and de-registration requests made through the prescribed modes (voice, SMS, web) and verify the requesting number via calling line identity (CLI), not a command-line tool (Reg 3–7)
  • Checker Registration: register as a "checker," authenticate, maintain confidentiality, pay fees (Reg 8–11; Sch 1)
  • Terminated-Number Reports: obtain monthly lists from telcos; fees in Sch 3 (Reg 12–14)
  • Scrub marketing lists against the Register within the last 3 days for SMS/fax or 7 days for voice (Reg 15–17)
  • Technical Requirements: maintain logs, secure connections for API/web-service scrubbing (Reg 17A)

Offence Composition (Composition Regs 2021, Reg 2–3)

  • PDPC may compound (settle) offences under:
  • PDPA s 51(1): general offences under the Act (note that Advisory Guidelines are not legally binding and breaching them is not itself an offence)
  • PDPA s 61(2): misuse of PDPC symbol
  • PDPA s 42(2): obstruction of enforcement
  • Pre-2021 DNC offences (PDPA ss 43(2), 44(2), 45(2))
  • Maintain a register of compounding notices and ensure designated staff handle compounding applications

Enforcement Registration (ROC 2021, O 57 r 2)

  • To enforce PDPC Directions or Financial Penalty Notices under PDPA s 48M, register the instrument with the District Court Registry (s 48M provides for registration and enforcement as a judgment of the District Court) using the prescribed form (Form 140)
  • Once registered as a judgment, obtain writ of seizure/garnishee

Need Help with Singapore PDPA Compliance?

Our expert team can provide tailored compliance solutions for your organization's specific needs under Singapore's Personal Data Protection Act.

Checklist to implementation

Need a fact-specific view?

Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.