Your Rights Under Singapore's PDPA 2012Singapore

Researched by , Head Researcher

Primary sources cited; not legal advice.

Last verified:

Source: Personal Data Protection Act 2012 (amended 2020); PDPC.

Sourced from Singapore Acts of Parliament, subsidiary legislation, and official government guidance. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Singapore National Law

What is this right?

Singapore's Personal Data Protection Act 2012 (PDPA), significantly amended in 2020, gives data-subject rights of access, correction, and (since 2020) portability. Regulator: PDPC. Mandatory data-breach notification in force from 1 February 2021. Maximum financial penalty since 2020 amendments: higher of SGD 1 million or 10% of annual turnover in Singapore for organisations with SG-derived turnover above SGD 10 million.

When does it apply?

  • An organisation refuses to disclose, correct, or port your data.
  • You withdraw consent but processing continues.
  • Data breach.
  • Marketing without consent (DNC Registry).

Using Your Rights Under PDPA

  1. Send a written access / correction request to the organisation.
  2. If unsatisfied, complain to PDPC at pdpc.gov.sg.
  3. For damages, civil litigation under PDPA s.32 (right of private action).

What should you NOT do?

  • Don't skip the organisation's internal channel.
  • Don't provide more identifying data than necessary.

Common Questions

What's the breach-notification timeline?

Under the 2020 PDPA amendments (in force 1 Feb 2021), notifiable data breaches must be reported to PDPC within 3 calendar days of an organisation's assessment that the breach is notifiable. Individuals affected must be notified 'as soon as practicable'. Notifiable breaches are those resulting in significant harm or where personal data of 500+ individuals is affected.

Is there a private right of action?

Yes — PDPA s.32 gives any individual who has suffered loss or damage due to a contravention of the PDPA a right of action for relief in civil proceedings. Court of Appeal case-law has clarified what qualifies as 'loss or damage'.

When does it applyyour rights under singapore's pdpa 2012?

An organisation refuses to disclose, correct, or port your data.You withdraw consent but processing continues.Data breach.Marketing without consent (DNC Registry).

What are my data-protection rights in Singapore?

Send a written access / correction request to the organisation.If unsatisfied, complain to PDPC at pdpc.gov.sg.For damages, civil litigation under PDPA s.32 (right of private action).

What should you NOT doyour rights under singapore's pdpa 2012?

Don't skip the organisation's internal channel.Don't provide more identifying data than necessary.

More in Data Privacy & Digital Rights

Removing Non-Consensual Intimate Imagery (NCII)NCII in Singapore is criminal under Penal Code s.377BE — distribution of intimate image without consent. Penalty up to 5...Read more →Cyberstalking and Online Harassment Under POHA 2014Singapore has a dedicated Protection from Harassment Act 2014 (POHA) covering criminal harassment (ss.3-5), doxxing, sta...Read more →
← Browse all Data Privacy & Digital Rights

Last verified:

You came here to know your rights — help someone else know theirs.

Support This Mission