Personal Data Protection (PDPA)

Source: Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA); Personal Data Protection Regulations

Written in plain language for general understanding. This is educational content, not legal advice. Based on Singapore Acts of Parliament, subsidiary legislation, and official government guidance.

Singapore National Law

What is this right?

The PDPA governs how organisations collect, use, and disclose your personal data:

  • Consent: Organisations must obtain your consent before collecting, using, or disclosing your personal data (with certain exceptions for legitimate purposes).
  • Purpose limitation: Your data can only be used for the purposes you were informed of at the time of collection.
  • Access and correction: You have the right to request access to your personal data held by an organisation and to request corrections.
  • Do Not Call (DNC) Registry: You can register your phone number on the DNC Registry to stop unsolicited telemarketing calls and messages.
  • Data breach notification: Organisations must notify the Personal Data Protection Commission (PDPC) and affected individuals of significant data breaches.
  • Penalties: The PDPC can impose financial penalties of up to $1 million (or 10% of annual turnover for organisations with turnover above $10 million).

When does it apply?

  • You are an individual in Singapore and an organisation has collected, used, or disclosed your personal data.
  • Applies to all organisations (private sector) — the public sector has separate rules under the Government Instruction Manual.

What should you do?

  • Register on the DNC Registry (dnc.gov.sg) to stop unsolicited telemarketing calls and SMS. Email and physical mail are governed separately.
  • If an organisation is misusing your data, write to their Data Protection Officer (DPO) — every organisation must appoint one.
  • If the organisation does not respond, file a complaint with the PDPC (pdpc.gov.sg).
  • If you have suffered loss due to a data breach, you may have a private right of action — seek legal advice.

What should you NOT do?

  • Don't give blanket consent for data collection — read what you are agreeing to and withdraw consent where appropriate.
  • Don't assume all data collection is illegal — the PDPA allows collection for certain legitimate purposes (fulfilling a contract, legal obligations, etc.).
  • Don't post other people's personal data online — the PDPA applies to individuals who collect data for non-personal purposes too.
