Personal Data Protection (PDPA) in Singapore
Reviewed by the Commoner Law Editorial Team. Sourced from Singapore Acts of Parliament, subsidiary legislation, and official government guidance. Written in plain language for general understanding — this is educational content, not legal advice.
What is this right?
The PDPA governs how organisations collect, use, and disclose your personal data:
- Consent: Organisations must obtain your consent before collecting, using, or disclosing your personal data (with certain exceptions for legitimate purposes).
- Purpose limitation: Your data can only be used for the purposes you were informed of at the time of collection.
- Access and correction: You have the right to request access to your personal data held by an organisation and to request corrections.
- Do Not Call (DNC) Registry: You can register your phone number on the DNC Registry to stop unsolicited telemarketing calls and messages.
- Data breach notification: Organisations must notify the Personal Data Protection Commission (PDPC) and affected individuals of significant data breaches.
- Penalties: The PDPC can impose financial penalties of up to $1 million (or 10% of annual turnover for organisations with turnover above $10 million).
When does it apply?
- You are an individual in Singapore and an organisation has collected, used, or disclosed your personal data.
- The PDPA applies to all organisations (private sector); the public sector has separate rules under the Government Instruction Manual.
What to Do If a Singapore Organisation Has Misused Your Personal Data or Disclosed It Without Consent
- Register on the DNC Registry (dnc.gov.sg) to stop unsolicited telemarketing calls and SMS. Email and physical mail are governed separately.
- If an organisation is misusing your data, write to their Data Protection Officer (DPO) — every organisation must appoint one.
- If the organisation does not respond, file a complaint with the PDPC (pdpc.gov.sg).
- If you have suffered loss due to a data breach, you may have a private right of action — seek legal advice.
What should you NOT do?
- Don't give blanket consent for data collection — read what you are agreeing to and withdraw consent where appropriate.
- Don't assume all data collection is illegal — the PDPA allows collection for certain legitimate purposes (fulfilling a contract, legal obligations, etc.).
- Don't post other people's personal data online — the PDPA applies to individuals who collect data for non-personal purposes too.
Common Questions
What is the maximum PDPA fine in Singapore?
The PDPC can impose financial penalties of up to S$1 million, or 10% of annual turnover for organisations with turnover above S$10 million. Organisations must obtain consent before collecting, using, or disclosing personal data, and can only use it for the purposes they told you about at collection.
How do I stop telemarketing calls in Singapore?
Register your phone number on the Do Not Call (DNC) Registry at dnc.gov.sg to stop unsolicited telemarketing calls and SMS. Email and physical mail are governed separately. The DNC Registry is free and your registration does not expire.
What should I do if a Singapore company misuses my personal data?
Write to the organisation's Data Protection Officer first — every organisation must appoint one. If they do not respond, file a complaint with the Personal Data Protection Commission at pdpc.gov.sg. If you have suffered loss due to a data breach, you may also have a private right of action and should seek legal advice.