
Singapore PDPA: Your Personal Data Protection Rights Explained

Lunyb Security Team
10 min read

Singapore's Personal Data Protection Act (PDPA) is the cornerstone of consumer privacy law in the Lion City. Whether you're a Singapore resident wondering how companies handle your NRIC, a business owner navigating compliance, or a foreign visitor whose data was collected during a hotel booking, understanding your PDPA rights is essential in 2026. This guide breaks down every right you have under the PDPA, how to exercise them, and what to do when organisations don't comply.

What Is the Singapore PDPA?

The Personal Data Protection Act (PDPA) is Singapore's primary data protection law, enacted in 2012 and enforced by the Personal Data Protection Commission (PDPC). It regulates how private sector organisations collect, use, disclose, and protect personal data belonging to individuals in Singapore. Public agencies are excluded from the PDPA and are governed by separate public sector data rules.

The PDPA has undergone significant amendments, most notably the Personal Data Protection (Amendment) Act 2020, which introduced mandatory data breach notification (in force since February 2021), a higher financial penalty cap (in force since October 2022), criminal offences for egregious mishandling of personal data, and a data portability obligation; the PDPC has continued to refine the framework through advisory guidelines issued in 2024-2025. The law applies to every organisation that collects, uses, or discloses personal data in Singapore, whether or not it is formed or incorporated locally, and covers both electronic and non-electronic personal data.

Who Does the PDPA Protect?

The PDPA protects any identifiable individual whose personal data is held by an organisation. This includes:

  • Singapore citizens and Permanent Residents
  • Foreign nationals residing or working in Singapore
  • Tourists and short-term visitors whose data is collected by Singapore-based businesses
  • Deceased persons (limited protections for 10 years after death)

What Counts as Personal Data?

Personal data refers to any data about an individual who can be identified from that data, or from that data combined with other information the organisation has or is likely to have access to. Examples include:

  • Full name, NRIC/FIN number, and passport details
  • Residential address, mobile number, and email address
  • Photographs, CCTV footage, and biometric data
  • Bank account details and financial history
  • Medical records and health information
  • IP addresses when combined with other identifiers

Your Core PDPA Rights in Singapore

The PDPA grants individuals several enforceable rights over their personal data. Understanding these rights empowers you to control how organisations handle your information.

1. The Right to Be Informed (Notification Obligation)

Before or at the time of collecting your personal data, organisations must notify you of the purposes for which they intend to collect, use, or disclose that data. This means every consent form, sign-up page, or data collection point must clearly state why your data is being taken.

2. The Right to Consent

Organisations generally cannot collect, use, or disclose your personal data without your consent. Consent must be voluntary, informed, and specific to the stated purpose. The PDPA recognises several types of consent:

  • Express consent: You actively agree (e.g., ticking a checkbox)
  • Deemed consent by conduct: Voluntarily providing data for an obvious purpose
  • Deemed consent by contractual necessity: Data passed to another organisation where reasonably necessary to perform a contract you entered into
  • Deemed consent by notification: Where the organisation first assesses that the use is not likely to adversely affect you, notifies you, and gives you a reasonable period to opt out

3. The Right to Withdraw Consent

You can withdraw consent at any time by giving reasonable notice to the organisation. On receiving the notice, the organisation must inform you of the likely consequences of withdrawing, and once consent is withdrawn it must stop collecting, using, or disclosing your personal data, unless required or authorised by law. Be aware that withdrawing consent may affect your ability to use certain services.

4. The Right of Access

You have the right to request access to your personal data held by an organisation, together with information about how that data has been or may have been used or disclosed within the year before your request. Organisations must respond as soon as reasonably possible; if they cannot do so within 30 days, they must tell you in writing within that period when they will respond. They may charge a reasonable fee for retrieval. Access can be refused in limited cases, for example where the response would reveal personal data about another individual or opinion data kept solely for an evaluative purpose.

5. The Right to Correction

If your personal data held by an organisation is inaccurate, incomplete, or outdated, you can request correction. The organisation must correct the data as soon as practicable and send the corrected version to every other organisation to which the original data was disclosed in the past year, unless that organisation no longer needs it for any legal or business purpose.

6. The Right to Data Portability

Under the data portability obligation introduced by the 2020 amendments, you can request that an organisation transmit your personal data in a commonly used machine-readable format to another organisation that has a presence in Singapore. This right applies only to the categories of data specified in the regulations, and is intended to make switching between service providers considerably easier.

7. The Right to Be Notified of Data Breaches

If an organisation suffers a data breach that is likely to result in significant harm to affected individuals, or that affects 500 or more individuals, it must notify the PDPC within 3 calendar days of assessing the breach as notifiable (the assessment itself must be done reasonably and expeditiously, which the PDPC expects within about 30 days of becoming aware of the breach). Where the breach is likely to result in significant harm, the organisation must also notify the affected individuals as soon as practicable, at or after the time it notifies the PDPC; a breach that is notifiable only because of the 500-person threshold does not by itself trigger individual notification.

The 11 Data Protection Obligations for Organisations

To help you understand what companies must do, here is a summary of the obligations imposed on organisations under the PDPA:

  • Consent: Obtain valid consent before collecting, using, or disclosing personal data
  • Purpose Limitation: Collect, use, or disclose data only for purposes a reasonable person would consider appropriate in the circumstances
  • Notification: Inform individuals of collection purposes before or at the time of collection
  • Access & Correction: Provide access to personal data and correct inaccuracies on request
  • Accuracy: Make reasonable effort to ensure data is accurate and complete
  • Protection: Implement reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, or disposal
  • Retention Limitation: Cease retaining personal data, or anonymise it, once it is no longer needed for any business or legal purpose
  • Transfer Limitation: Ensure overseas transfers meet PDPA-comparable standards
  • Accountability: Appoint a Data Protection Officer (DPO) and develop internal policies
  • Data Breach Notification: Notify the PDPC and affected individuals of notifiable breaches
  • Data Portability: Transmit specified data to another organisation upon request

How to Exercise Your PDPA Rights: Step by Step

Knowing your rights is one thing; enforcing them is another. Here's how to properly submit a request to an organisation.

Step 1: Identify the Data Protection Officer (DPO)

Every organisation must publish contact details of their DPO. Look on the company's website, typically in the privacy policy or a dedicated "Contact Us" page. If you cannot find this, you can call the organisation and specifically ask for the DPO.

Step 2: Submit a Written Request

Write a clear email or letter stating:

  1. Your full name and identification details (enough to verify your identity)
  2. The specific right you're exercising (access, correction, withdrawal, etc.)
  3. The specific data or purpose you're referring to
  4. Your preferred format for receiving the response
  5. Your contact details

Step 3: Wait for the 30-Day Response

Organisations must respond as soon as reasonably possible. If they cannot respond within 30 days of receiving your request, they must inform you in writing within that period of the date by which they will respond. For access requests, they may charge a reasonable retrieval fee, but they must give you a written estimate of the fee before charging it, and you can withdraw the request if the fee is not acceptable.

Step 4: Escalate to the PDPC if Necessary

If the organisation refuses your request, ignores you, or provides an inadequate response, you can lodge a complaint with the Personal Data Protection Commission at pdpc.gov.sg. Include copies of all correspondence.

PDPA Penalties: What Organisations Face for Non-Compliance

The 2020 amendments significantly increased financial penalties, giving the PDPA real enforcement teeth in 2026.

  • Financial penalties: Up to 10% of an organisation's annual turnover in Singapore (for organisations with annual turnover exceeding S$10 million), or S$1 million, whichever is higher; this cap has applied since 1 October 2022
  • Criminal offences: A fine of up to S$5,000, imprisonment of up to 2 years, or both, for individuals who knowingly or recklessly disclose, misuse, or re-identify personal data without authorisation (the "egregious mishandling" offences introduced in 2020)
  • Directions: The PDPC can compel organisations to stop collecting data, destroy data, or comply with specific remedies
  • Private right of action: Individuals who suffer loss or damage directly as a result of a PDPA contravention can sue for relief in civil proceedings

Special Considerations Under the PDPA

The Do Not Call (DNC) Registry

The PDPA also governs the Do Not Call Registry, which lets you opt out of unsolicited marketing calls, SMS, and faxes. You can register your Singapore telephone numbers for free at dnc.gov.sg. Organisations must check the DNC registry before sending marketing messages to a Singapore number, with limited exceptions, such as where you have given clear and unambiguous consent in writing or have an ongoing relationship with the organisation and the message relates to that relationship.

NRIC Collection Restrictions

Since 2019, organisations are generally prohibited from collecting, using, or disclosing NRIC numbers or making copies of NRIC cards, except where required by law or necessary to accurately establish or verify identity to a high degree of fidelity. Retailers asking for your NRIC for a lucky draw or membership sign-up are likely breaching the PDPA.

Cross-Border Data Transfers

When Singapore organisations transfer your personal data overseas, they must ensure the receiving country provides a comparable standard of protection. This is often done through contractual clauses, binding corporate rules, or certification schemes.

Protecting Your Data Beyond the PDPA

While the PDPA provides strong legal rights, proactive personal privacy practices remain essential. Every link you click, form you fill, and account you create adds to your digital footprint.

Consider these practical steps:

  • Use encrypted DNS providers (like Cloudflare's 1.1.1.1 or Quad9) so your ISP cannot read your DNS queries; note that your ISP can still see the IP addresses you connect to and, unless the site supports Encrypted Client Hello, the server name in the TLS handshake
  • Enable multi-factor authentication on all accounts holding personal data
  • Review privacy settings on social media platforms quarterly
  • Use privacy-focused browsers like Brave or Firefox with strict tracking protection
  • When sharing links publicly, consider a privacy-respecting shortener like Lunyb, which doesn't harvest excessive analytics or resell click data
  • Regularly request access reports from services you use to see what they've collected

If you use link shorteners for business or marketing, evaluate their data practices carefully. Our 2026 buyer's guide to URL shorteners compares privacy policies across major providers, and our detailed Rebrandly review examines how established players handle user and click data.

Recent PDPA Developments in 2025-2026

The PDPC has been active in strengthening the framework. Key developments include:

  • Enhanced AI governance: New advisory guidelines on the use of personal data in AI systems for training and inference
  • Increased enforcement actions: More frequent and higher financial penalties issued against major organisations for breaches
  • Children's data protections: Stronger consent requirements for individuals under 18
  • Deepfake and synthetic media: Clarifications on how the PDPA applies to AI-generated personal data

PDPA vs GDPR: Quick Comparison for Singapore Residents

Many Singapore residents interact with European services and wonder how their rights differ.

  • Response time for access requests: PDPA, as soon as reasonably possible, with a written update within 30 days if it will take longer; GDPR, one month, extendable by two further months for complex requests
  • Maximum fine: PDPA, 10% of annual turnover in Singapore or S$1 million, whichever is higher; GDPR, 4% of global annual turnover or €20 million, whichever is higher
  • Right to erasure: PDPA, limited (via consent withdrawal and the retention limitation obligation); GDPR, explicit "right to be forgotten"
  • Data portability: PDPA, yes, for specified categories of data; GDPR, yes, broader scope
  • Breach notification deadline: PDPA, 3 calendar days after the breach is assessed as notifiable, to the PDPC; GDPR, 72 hours after becoming aware, to the supervisory authority
  • Extraterritorial reach: PDPA, limited to activity in Singapore; GDPR, broad, covering organisations anywhere that target or monitor people in the EU

Frequently Asked Questions

Can I request my data from a foreign company that operates in Singapore?

Yes. The PDPA applies to any organisation collecting or using personal data in Singapore, regardless of where the company is incorporated. Global platforms like social networks, e-commerce sites, and streaming services must comply with your PDPA requests when your data was collected in Singapore.

How much can an organisation charge me for an access request?

Organisations may charge a reasonable fee to cover the cost of retrieving and preparing the data. There is no fixed statutory amount, but the fee must not be excessive. They must inform you of the fee upfront, and you can choose to withdraw or proceed with the request. Simple requests often incur no fee at all.

What happens if I give false NRIC details to a company that shouldn't be asking?

While the organisation may be breaching the PDPA by collecting your NRIC unnecessarily, providing false information could constitute a separate offence, especially for services like banking or telecoms. The correct approach is to refuse to provide it and cite the PDPA's NRIC restrictions, or file a complaint with the PDPC.

Are employees' work data covered by the PDPA?

Yes, though with modifications. The PDPA covers employees' personal data held by their employer, but certain obligations (like consent) are relaxed for data reasonably needed to manage the employment relationship. Employees still have rights to access and correct their data.

How long does the PDPC take to investigate complaints?

Investigation timelines vary based on complexity. Simple cases may be resolved within a few months, while complex investigations involving multiple parties or cross-border elements can take a year or more. The PDPC publishes its enforcement decisions publicly, which can serve as useful reference points.

Final Thoughts

Your PDPA rights are meaningful, enforceable, and increasingly relevant as more of daily life moves online in Singapore. The 2020 amendments and the guidance that has followed them have strengthened both individual protections and enforcement powers, making 2026 an especially important year to understand what you can demand from organisations handling your personal data.

Start by reviewing the privacy policies of services you use most frequently. Submit an access request to one organisation this month just to see what data they hold. Register your phone number on the DNC registry. Small proactive steps compound over time into meaningful control over your digital identity.
