PDPA Data-Subject Rights: Access, Correction, Breach Notification in Singapore

Last verified:

Source: Personal Data Protection Act 2012 (ss 16, 21, 22, 22A, 26A-26E, 43-48, 48O); Personal Data Protection Regulations 2021; PDPC Advisory Guidelines on Key Concepts (revised 17 May 2022); Reed, Michael v Bellingham, Alex [2022] SGCA 60

Reviewed by the Commoner Law Editorial Team. Sourced from Singapore Acts of Parliament, subsidiary legislation, and official government guidance. Written in plain language for general understanding — this is educational content, not legal advice.

Singapore National Law

What is this right?

The Personal Data Protection Act 2012 (PDPA) gives you specific rights over personal data that private-sector organisations in Singapore hold about you. These rights go beyond the general overview — they are individually enforceable through the Personal Data Protection Commission (PDPC) and, since 2022, in the civil courts:

  • Right of access (s 21): Write to an organisation's Data Protection Officer and ask for your personal data plus how it has been used or disclosed in the past year. The organisation has a 30-calendar-day benchmark to respond.
  • Right of correction (s 22): Ask for errors to be fixed "as soon as practicable." Opinions cannot be corrected — but the record must be annotated with the change you requested.
  • Right to withdraw consent (s 16): On reasonable notice, tell an organisation to stop collecting, using, or sharing your data for any purpose.
  • Mandatory breach notification (ss 26A-26E, in force 1 Feb 2021): Organisations must notify PDPC within 3 calendar days of determining a breach is notifiable (significant harm, or 500+ people affected), and notify you where significant harm is likely.
  • Do Not Call Registry (Part 9): Register your Singapore number free at dnc.gov.sg across the No Voice Call, No Text, and No Fax registers. Registration never expires.
  • Private right of action (s 48O): Sue in your own name for loss or damage directly caused by a breach. After Reed v Bellingham [2022] SGCA 60, this includes emotional distress — but not mere loss of control over data.
  • Not yet in force: The Data Portability Obligation (Part 6B, passed in 2020) has still not been commenced as of 2026. Ignore third-party guides claiming otherwise.

When does it apply?

  • An organisation (private sector) in Singapore holds your personal data — or a data intermediary holds it on their behalf.
  • You want to know what they have, fix an error, withdraw consent, respond to a breach notice, or stop telemarketing.
  • You are considering a complaint to PDPC or a civil claim for loss or distress.
  • Public-sector data is governed by the Government Instruction Manual, not the PDPA — different rules apply.

What to Do If You Want to Exercise Your PDPA Rights or Respond to a Data Breach in Singapore

  • For an access request: Write to the organisation's Data Protection Officer (contact must be published under s 11(5)). Describe the data you want and the year of activity you need. Pay any reasonable fee covering photocopying and retrieval — fees for general overheads are not permitted.
  • If refused: The organisation must preserve a copy of the data for at least 30 days (s 22A) so you can apply to PDPC under s 48H for review.
  • For correction: Write to the DPO identifying the error and the correct information. If the organisation declines, it must annotate the record — keep a copy of the annotation.
  • For a DNC complaint: File directly at pdpc.gov.sg/complaints-and-reviews — there is a dedicated DNC form.
  • For a data breach: If you receive a breach notice, ask the organisation for the facts, type of data, potential harm, and mitigation. Escalate to PDPC if the response is inadequate.
  • For a civil claim: Wait until any PDPC decision is final, then file in the State Courts or High Court. You must prove direct causation — the breach must have caused the distress or loss, not just be correlated.
  • Escalation ladder: DPO → PDPC complaint (s 48H) → Reconsideration by the Commissioner (28 days) → Data Protection Appeal Committee (28 days) → High Court on a point of law.

What should you NOT do?

  • Don't skip the DPO — if you file at PDPC first, they will usually ask you to approach the organisation. Give the DPO at least 10 business days.
  • Don't expect to correct an opinion — s 22(6) specifically excludes opinions (including professional opinions). Annotation is the only remedy.
  • Don't rely on sites claiming data portability is live — Part 6B has not been commenced. Watch PDPC announcements and sso.agc.gov.sg for a commencement order.
  • Don't assume emotional distress is automatic — Piper v Singapore Kindness Movement [2025] SGHC 173 demands clear evidence of a direct causal link. Trivial upset is not enough.
  • Don't miss the 3-day PDPC clock (for organisations) — it runs from the determination that a breach is notifiable, not from first discovery. Document the assessment chronology.

Common Questions

How long does a company have to respond to a PDPA access request in Singapore?

The PDPC's Advisory Guidelines set a 30-calendar-day benchmark under section 21. If the organisation needs longer, it must tell you in writing within 30 days when it will respond. Fees must reflect the actual incremental cost of responding — general overheads are not allowed.

Can I sue a Singapore company for leaking my data under the PDPA?

Yes, under section 48O, but only for loss or damage directly caused by the breach. After Reed v Bellingham [2022] SGCA 60, 'loss or damage' includes emotional distress — but not trivial upset and not mere loss of control over your data. You must wait for any PDPC decision to become final before suing.

When must a Singapore organisation notify me of a data breach?

If the breach is likely to cause you significant harm (for example, your NRIC combined with financial, medical, or account-credential data), the organisation must notify you as soon as practicable after notifying PDPC. PDPC itself must be notified within 3 calendar days of the organisation deciding the breach is notifiable — which includes any breach affecting 500 or more people.

Is PDPA data portability in force in Singapore yet?

No. Part 6B of the PDPA was passed in 2020 but has not been commenced as of 2026. Any site telling you the right is already live is wrong. Check pdpc.gov.sg or sso.agc.gov.sg for the eventual commencement order.

What is the maximum PDPA fine in Singapore right now?

From 1 October 2022, data-protection breaches carry the higher of S$1 million or 10% of the organisation's annual Singapore turnover (for organisations over S$10 million turnover). Do Not Call Registry and dictionary-attack breaches are capped at the higher of S$1 million or 5% of turnover (for organisations over S$20 million).
