Singapore PDPA: Your Personal Data Protection Rights Explained
Singapore's Personal Data Protection Act (PDPA) is the cornerstone of personal data protection in the country, governing how organisations collect, use, disclose, and safeguard your personal information. Whether you are a Singapore citizen, permanent resident, or even a foreigner whose data is processed in Singapore, the PDPA grants you a set of legally enforceable rights you should understand and use.
This guide explains your Singapore PDPA rights in plain English, walks through how to exercise them, and outlines what to do when an organisation mishandles your personal data.
What Is the Singapore PDPA?
The Personal Data Protection Act 2012 (PDPA) is Singapore's primary data protection law. It establishes a baseline standard for the protection of personal data in the private sector, complemented by sector-specific laws (such as the Banking Act and Healthcare Services Act). The Act is enforced by the Personal Data Protection Commission (PDPC), which falls under the Infocomm Media Development Authority (IMDA).
The PDPA was significantly amended in 2020 and the changes came into effect in stages through 2021 and 2022, introducing mandatory data breach notification, the right to data portability, increased financial penalties, and new offences for the mishandling of personal data by individuals.
Who Does the PDPA Apply To?
The PDPA applies to all private organisations that collect, use, or disclose personal data in Singapore, regardless of whether they are physically based in Singapore. It does not apply to:
- Public agencies (which are governed by the Public Sector (Governance) Act).
- Individuals acting in a personal or domestic capacity.
- Employees acting in the course of their employment.
- Business contact information (such as a person's name, title, and work email used for business purposes).
What Counts as "Personal Data" Under the PDPA?
Personal data refers to any data, true or false, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
Examples include:
- Full name and NRIC/FIN number
- Passport number
- Mobile phone number and home address
- Personal email address
- Photographs and videos that identify you
- Biometric data (fingerprints, facial recognition data)
- Financial information and banking details
- Health and medical records
Your Core Rights Under the Singapore PDPA
The PDPA gives individuals several enforceable rights. Understanding each one helps you take control of how organisations handle your information.
1. The Right to Be Informed (Notification Obligation)
Before or at the time an organisation collects your personal data, it must inform you of the purposes for which the data will be collected, used, or disclosed. If those purposes change later, the organisation must notify you again and obtain fresh consent where required.
2. The Right to Consent (and to Withdraw It)
Organisations generally need your consent to collect, use, or disclose your personal data. Consent must be given freely and for specific, identified purposes. Importantly, you can withdraw your consent at any time by giving reasonable notice. Once withdrawn, the organisation must stop collecting, using, or disclosing your data, except where retention is required by law.
3. The Right of Access
You have the right to request that an organisation provide you with:
- The personal data about you that is in its possession or under its control.
- Information about the ways in which that personal data has been or may have been used or disclosed within the past year.
Organisations must respond to access requests as soon as reasonably possible, typically within 30 days. They may charge a reasonable fee for fulfilling the request.
4. The Right of Correction
If you believe personal data held about you is inaccurate or incomplete, you can request a correction. The organisation must correct the data as soon as practicable and send the corrected data to every other organisation to which it had disclosed the data within the past year, unless you consent otherwise.
5. The Right to Data Portability
Introduced through the 2020 amendments, this right allows you to request that an organisation transmit your personal data in a commonly used machine-readable format to another organisation. This makes it easier to switch service providers (for example, from one telco or bank to another) without losing your data history. Note that this provision is being implemented progressively through subsidiary legislation.
6. The Right to Be Notified of Data Breaches
Since 1 February 2021, organisations must notify both the PDPC and affected individuals of data breaches that result in, or are likely to result in, significant harm, or that affect 500 or more individuals. Notifications must be made as soon as practicable, and to the PDPC within 3 calendar days.
7. The Right to Protection From Unsolicited Marketing (Do Not Call Registry)
The PDPA includes provisions for the Do Not Call (DNC) Registry. You can register your Singapore phone number with the DNC Registry to opt out of telemarketing calls, text messages, and faxes. Organisations must check the registry before sending marketing messages and respect your registration.
Summary Table: Your PDPA Rights at a Glance
| Right | What It Means | How to Exercise It |
|---|---|---|
| Right to Be Informed | Know why your data is collected | Read privacy notices; ask the organisation |
| Right to Consent / Withdraw | Approve or revoke data use | Submit written notice to organisation |
| Right of Access | See what data they hold | Submit access request (small fee may apply) |
| Right of Correction | Fix inaccurate data | Submit correction request in writing |
| Right to Data Portability | Transfer data to another provider | Submit portability request (where applicable) |
| Right to Breach Notification | Be told if your data is leaked | Automatic — organisation must notify you |
| Right to Stop Marketing | Avoid unwanted calls/SMS | Register at dnc.gov.sg |
Organisations' Obligations Under the PDPA
Knowing your rights is only half the picture. The PDPA also imposes nine main obligations on organisations:
- Consent Obligation – Obtain valid consent before collecting, using, or disclosing personal data.
- Purpose Limitation Obligation – Collect, use, and disclose data only for purposes that are reasonable and notified.
- Notification Obligation – Inform individuals of the purposes of data collection.
- Access and Correction Obligation – Provide access and correction upon request.
- Accuracy Obligation – Make reasonable efforts to keep personal data accurate and complete.
- Protection Obligation – Implement reasonable security arrangements to protect data.
- Retention Limitation Obligation – Cease retention of personal data when no longer needed.
- Transfer Limitation Obligation – Ensure overseas transfers offer comparable protection.
- Accountability Obligation – Appoint a Data Protection Officer (DPO) and develop policies.
How to Exercise Your PDPA Rights: Step-by-Step
Step 1: Identify the Organisation's Data Protection Officer
Every organisation must publish the contact details of its DPO. Look on their website footer, privacy policy page, or contact page. If you cannot find the DPO, email the company's general contact and request the DPO's details.
Step 2: Submit a Written Request
Make your request in writing (email is acceptable). Be specific:
- State clearly which right you are exercising (access, correction, withdrawal, etc.).
- Provide enough information to identify yourself and the data in question.
- Keep a record (date, recipient, copy of message).
Step 3: Wait for the Response
Organisations must respond as soon as reasonably possible. For access and correction requests, if they cannot respond within 30 days, they must inform you in writing of the reason for the delay.
Step 4: Escalate to the PDPC if Needed
If the organisation refuses your request unreasonably, fails to respond, or you believe your data has been mishandled, you can lodge a complaint with the Personal Data Protection Commission at pdpc.gov.sg.
Penalties for PDPA Violations
The 2020 amendments significantly increased the financial penalties under the PDPA. As of 1 October 2022:
- Organisations with annual turnover in Singapore exceeding S$10 million can face fines of up to 10% of their annual local turnover.
- Smaller organisations can be fined up to S$1 million.
- Individuals who knowingly or recklessly mishandle personal data can be fined up to S$5,000 and/or imprisoned for up to 2 years.
High-profile enforcement actions, such as the SingHealth breach (S$250,000 fine on SingHealth, S$750,000 on IHiS) and various financial sector cases, demonstrate that the PDPC actively enforces the law.
PDPA in the Digital Age: Online Tracking, Cookies, and Shortened URLs
Modern data collection often happens invisibly — through cookies, tracking pixels, analytics scripts, and sometimes through links you click. Under the PDPA, if a cookie or tracker collects personal data (for example, a unique identifier tied to your account), the organisation must notify you and obtain consent.
Shortened links are another quiet data-collection vector. Many URL shorteners log clicker IP addresses, locations, devices, and browser fingerprints, which can amount to personal data when combined. If you are a business operating in Singapore, the link-shortening tool you choose should be PDPA-aware: minimal data collection, transparent privacy policies, and secure infrastructure.
Privacy-conscious tools like Lunyb (lunyb.com) are designed with data minimisation in mind, making them a good fit for Singapore-based marketers and creators who want to remain PDPA-compliant. For a deeper comparison, see our 2026 buyer's guide to URL shorteners or our honest review of Lunyb.
How the PDPA Compares to GDPR
Many Singapore businesses also deal with the EU's General Data Protection Regulation (GDPR). While the two share principles, they differ in important ways:
| Feature | Singapore PDPA | EU GDPR |
|---|---|---|
| Territorial Scope | Organisations operating in Singapore | Anyone processing EU residents' data |
| Lawful Bases | Primarily consent-based | Six lawful bases (consent + 5 others) |
| Right to Erasure | Limited (via consent withdrawal) | Explicit "right to be forgotten" |
| Data Portability | Yes (being phased in) | Yes |
| Breach Notification | Within 3 days to PDPC | Within 72 hours to DPA |
| Max Fine | 10% of local turnover or S$1M | 4% of global turnover or €20M |
| DPO Requirement | Always required | Required in specific cases |
Practical Tips to Protect Your Personal Data in Singapore
- Register on the DNC Registry at dnc.gov.sg to stop unwanted telemarketing.
- Read privacy policies before signing up for new services — focus on retention period and overseas transfers.
- Limit NRIC sharing. Since 2019, organisations cannot collect, use, or disclose NRIC numbers except where required by law or necessary for high-fidelity identification.
- Use strong, unique passwords and enable two-factor authentication (2FA) wherever possible.
- Audit your digital footprint annually — request access reports from major platforms you use.
- Be cautious with public Wi-Fi and use a reputable VPN when transmitting sensitive data.
- Withdraw consent from services you no longer use, and request deletion where possible.
Frequently Asked Questions
Does the PDPA apply to foreigners in Singapore?
Yes. The PDPA protects personal data of any individual whose data is collected, used, or disclosed by an organisation in Singapore, regardless of citizenship or residency status.
Can I sue an organisation directly for a PDPA breach?
Yes. The PDPA provides a private right of action. If you suffer loss or damage as a result of an organisation's breach of certain PDPA obligations, you may bring a civil claim in court — though most individuals start by lodging a complaint with the PDPC, which is faster and free.
How long does an organisation have to respond to my access request?
Organisations should respond as soon as reasonably possible. If they cannot respond within 30 days, they must notify you in writing of the expected timeline. They may also charge a reasonable fee.
What is the difference between the PDPA and the Spam Control Act?
The PDPA's Do Not Call provisions cover unsolicited telemarketing to Singapore phone numbers. The Spam Control Act regulates unsolicited commercial electronic messages sent in bulk (e.g., bulk emails and SMS). They overlap but address different channels.
Are public agencies covered by the PDPA?
No. Government agencies are governed by the Public Sector (Governance) Act and internal data-handling rules under the Government Instruction Manual on IT&SS, not the PDPA. However, private contractors handling data on behalf of public agencies have their own obligations.
Final Thoughts
Singapore's PDPA gives individuals real, enforceable rights — but those rights only matter when people use them. By understanding what counts as personal data, knowing the obligations on organisations, and being willing to submit access, correction, or withdrawal requests, you take active control of your digital identity.
For businesses, the message is equally clear: respecting the PDPA is no longer just a compliance exercise. With penalties now reaching 10% of local turnover, data protection is a board-level risk and a meaningful competitive advantage with privacy-aware customers.