
Singapore PDPA: Your Personal Data Protection Rights Explained

Lunyb Security Team · 11 min read

Singapore's Personal Data Protection Act (PDPA) is the cornerstone law that governs how organisations collect, use, and disclose your personal data. Whether you're a resident, an expat, or a business operating in Singapore, understanding your PDPA rights is essential for protecting your privacy in an increasingly data-driven economy. This guide breaks down every right the PDPA grants you, how to exercise those rights, and what to do when an organisation fails to comply.

What Is the Singapore PDPA?

The Personal Data Protection Act 2012 (PDPA) is Singapore's primary data protection legislation, administered by the Personal Data Protection Commission (PDPC). It sets out the rules organisations must follow when handling personal data and gives individuals enforceable rights over how their information is processed.

The PDPA applies to all private sector organisations that collect, use, or disclose personal data in Singapore, regardless of whether the organisation itself is based locally or overseas. Public agencies are governed separately under the Public Sector (Governance) Act, but they follow similar data-handling principles.

Since its enactment, the PDPA has been amended several times, most notably in 2020 to introduce mandatory data breach notification, expanded consent frameworks, and increased financial penalties for non-compliance — up to 10% of an organisation's annual turnover in Singapore or S$1 million, whichever is higher.

What Counts as Personal Data Under the PDPA?

Personal data is defined broadly as any data — whether true or not — about an individual who can be identified from that data, or from that data combined with other information the organisation has access to. Examples include:

  • Full name and NRIC or FIN number
  • Residential address and phone numbers
  • Email addresses (personal and work)
  • Photographs, video footage, and voice recordings
  • Financial information such as bank account details
  • Health records and biometric identifiers
  • Online identifiers like IP addresses when linked to a person

The Nine Core Obligations Organisations Must Follow

The PDPA imposes nine main obligations on organisations that handle personal data. Knowing these helps you understand what to expect — and demand — from companies you interact with.

  1. Consent Obligation — Organisations must obtain your consent before collecting, using, or disclosing your personal data.
  2. Purpose Limitation — Data can only be used for purposes that a reasonable person would consider appropriate and that were disclosed to you.
  3. Notification Obligation — You must be informed of the purposes before or at the time of collection.
  4. Access and Correction — You have the right to see your data and correct inaccuracies.
  5. Accuracy Obligation — Organisations must make reasonable efforts to ensure your data is accurate and complete.
  6. Protection Obligation — Reasonable security arrangements must be in place to protect data.
  7. Retention Limitation — Data must be deleted when it is no longer needed for legal or business purposes.
  8. Transfer Limitation — Data transferred overseas must receive protection comparable to the PDPA.
  9. Accountability — Organisations must appoint a Data Protection Officer (DPO) and publish policies on data handling.

Your Key Rights Under the Singapore PDPA

The PDPA gives individuals five main enforceable rights. Each right comes with a defined process, and organisations must respond within reasonable timeframes — typically 30 days for most requests.

1. The Right to Be Informed

Before an organisation collects your personal data, it must tell you what data is being collected, why, and how it will be used. This is usually done through a privacy policy, a consent form, or a verbal notification. If a company changes the purpose later, fresh consent is required.

2. The Right to Access Your Personal Data

You can request a copy of any personal data an organisation holds about you, along with information on how that data has been used or disclosed in the past year. Organisations may charge a reasonable fee to cover the cost of retrieval but cannot use fees to discourage legitimate requests.

Access can be refused only in specific circumstances — for example, when disclosure would reveal personal data about another individual, threaten someone's safety, or compromise an ongoing investigation.

3. The Right to Correction

If your personal data is inaccurate, incomplete, or misleading, you have the right to request a correction. Once notified, the organisation must correct the data as soon as practicable and notify any third parties it has shared the data with in the past year, unless those parties no longer need the corrected version.

4. The Right to Withdraw Consent

You can withdraw consent for the collection, use, or disclosure of your personal data at any time by giving reasonable notice. Once withdrawn, the organisation must stop processing your data for the affected purposes and inform you of any consequences — for example, that they can no longer provide a service.

5. The Right to Data Portability (Coming into Effect)

Introduced in the 2020 PDPA amendments, the data portability obligation allows you to request that your personal data be transmitted to another organisation in a commonly used machine-readable format. This right is being operationalised in phases, with detailed regulations rolled out by the PDPC.

How to Exercise Your PDPA Rights: Step by Step

Exercising your rights is straightforward if you follow the right process. Here's how to submit a valid request:

  1. Identify the Data Protection Officer (DPO) — Every organisation must publish DPO contact details on its website or in its privacy policy.
  2. Submit a written request — Email or letter is best. State clearly whether you're requesting access, correction, or withdrawal, and provide enough detail to identify yourself and the data in question.
  3. Verify your identity — Organisations may ask for reasonable proof of identity to prevent fraudulent requests.
  4. Wait for a response — Organisations should acknowledge your request promptly and respond within 30 days. If they need more time, they must inform you in writing.
  5. Escalate if necessary — If the response is unsatisfactory or absent, you can file a complaint with the PDPC.

Do Not Call (DNC) Registry: A Separate but Related Right

The PDPA also establishes Singapore's Do Not Call (DNC) Registry, administered by the PDPC, which lets you opt out of marketing calls, texts, and faxes to your Singapore telephone numbers. Registration is free at the DNC website. Once your number is listed, organisations must check the registry before sending marketing messages, and failure to do so carries significant fines.

Note that the DNC only covers unsolicited marketing. It does not block calls from organisations you have an existing relationship with, service messages, or non-commercial communications.

Mandatory Data Breach Notification

Since February 2021, organisations must notify both the PDPC and affected individuals when a data breach is likely to result in significant harm to individuals, or when it affects 500 or more people. Notification must happen as soon as practicable — no later than 3 calendar days after the organisation determines the breach is notifiable.
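The notifiability test and the three-day clock described above are the kind of rule an incident response runbook should encode rather than leave to memory. The following added example (not from the original article or any PDPC tool) turns the two criteria quoted above, likely significant harm or 500 or more affected individuals, into a small triage helper that also computes the notification deadline and flags whether it has passed. The dataclass fields, the 500-person and 3-day constants, and the status names are assumptions chosen for illustration; the constants are taken from the article's own wording.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds as stated in the article: a breach is notifiable when it is likely
# to cause significant harm, or when it affects 500 or more individuals, and the
# notification must be made no later than 3 calendar days after the
# organisation determines that the breach is notifiable.
SIGNIFICANT_SCALE_THRESHOLD = 500
NOTIFICATION_WINDOW_DAYS = 3


@dataclass
class BreachAssessment:
    """Outcome of the organisation's own assessment of a data breach (hypothetical record shape)."""
    affected_individuals: int
    likely_significant_harm: bool
    determination_date: date  # the day the organisation concluded the breach is notifiable


def is_notifiable(assessment: BreachAssessment) -> bool:
    """Apply the two-pronged test: significant harm OR significant scale."""
    return (
        assessment.likely_significant_harm
        or assessment.affected_individuals >= SIGNIFICANT_SCALE_THRESHOLD
    )


def notification_deadline(assessment: BreachAssessment) -> Optional[date]:
    """Last calendar day on which the PDPC and affected individuals must be notified."""
    if not is_notifiable(assessment):
        return None
    return assessment.determination_date + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def triage(assessment: BreachAssessment, today: date) -> dict:
    """Summarise where a breach stands relative to the notification clock.

    status is one of: "not_notifiable", "due" (deadline today or later) or "overdue".
    """
    deadline = notification_deadline(assessment)
    if deadline is None:
        return {"status": "not_notifiable", "deadline": None, "days_remaining": None}
    days_remaining = (deadline - today).days
    status = "overdue" if days_remaining < 0 else "due"
    return {"status": status, "deadline": deadline, "days_remaining": days_remaining}


if __name__ == "__main__":
    # Constructed sample assessments, not real incidents.
    samples = [
        BreachAssessment(affected_individuals=120, likely_significant_harm=False,
                         determination_date=date(2024, 3, 1)),
        BreachAssessment(affected_individuals=120, likely_significant_harm=True,
                         determination_date=date(2024, 3, 1)),
        BreachAssessment(affected_individuals=500, likely_significant_harm=False,
                         determination_date=date(2024, 3, 1)),
    ]
    for sample in samples:
        print(sample.affected_individuals, sample.likely_significant_harm,
              triage(sample, today=date(2024, 3, 3)))
```

Note that the clock starts on the determination date, not the date the breach occurred, so an organisation that delays its assessment gains nothing: the PDPC's enforcement decisions referenced later in this article treat slow assessment as part of inadequate incident response.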

If you receive a breach notification, you should:

  • Change passwords for any affected accounts immediately
  • Monitor bank statements and credit card activity closely
  • Enable two-factor authentication where possible
  • Be alert for phishing attempts referencing the breach
  • Consider requesting a credit report if financial data was exposed

PDPA vs Other Major Privacy Laws

Singapore's PDPA shares principles with other global privacy laws but has distinct features. Here's a quick comparison:

| Feature | Singapore PDPA | EU GDPR | Australia Privacy Act |
| --- | --- | --- | --- |
| Regulator | PDPC | National DPAs + EDPB | OAIC |
| Max Financial Penalty | 10% turnover or S$1M | 4% global turnover or €20M | AU$50M or 30% turnover |
| Right to Erasure | Limited (via withdrawal) | Yes, explicit | Limited |
| Data Portability | Yes (phased rollout) | Yes | Yes (CDR sectors) |
| Breach Notification Deadline | 3 days to PDPC | 72 hours to DPA | 30 days assessment |
| Consent Standard | Deemed and expressed | Freely given, specific | Bundled consent restricted |

Filing a Complaint With the PDPC

If an organisation refuses to comply with your rights or mishandles your data, you can escalate the issue to the Personal Data Protection Commission. The PDPC encourages complainants to first raise the matter directly with the organisation before escalating.

Steps to File a Complaint

  1. Contact the organisation first — Send a formal written complaint to the DPO and give them 30 days to respond.
  2. Gather evidence — Keep copies of all correspondence, timestamps, and any relevant screenshots.
  3. Submit to the PDPC — Use the online complaint form on the PDPC website, providing details of the incident and the organisation's response.
  4. Cooperate with investigation — The PDPC may request additional information or mediation.
  5. Consider civil action — Under Section 48O, you may sue for damages if you suffered loss or damage directly from a PDPA breach.

Protecting Your Personal Data in Everyday Life

Knowing your rights is only half the battle — you also need to take practical steps to minimise the personal data you expose. Here are some habits worth adopting:

  • Read privacy policies — At least skim them to see what data is collected and shared.
  • Use unique passwords — A password manager makes this effortless and dramatically reduces breach impact.
  • Enable two-factor authentication — Especially for banking, email, and Singpass-linked services.
  • Limit data sharing on forms — Only provide what is strictly necessary. If a field isn't mandatory, leave it blank.
  • Use encrypted DNS and private browsers — These reduce tracking without complex setups.
  • Be careful with shortened links — Use reputable link tools that don't harvest excessive data. For example, Lunyb is a privacy-focused URL shortener that lets you share links without exposing unnecessary tracking data. You can read our honest review of Lunyb for more context.
  • Register on the DNC — A simple, free way to reduce marketing intrusion.
  • Review app permissions — Revoke access for apps you no longer use, especially those linked to social media or Singpass.

PDPA and Businesses: What SMEs Should Know

If you run a business in Singapore, PDPA compliance is not optional — even small enterprises must appoint a DPO and publish a privacy policy. The PDPC has taken enforcement action against companies of all sizes, from local retailers to multinational platforms.

Key compliance steps include:

  1. Appoint and register a Data Protection Officer with the PDPC
  2. Publish a clear, accessible privacy policy on your website
  3. Maintain a data inventory documenting what personal data you hold and why
  4. Train staff on PDPA basics and phishing awareness
  5. Implement reasonable technical safeguards — encryption, access controls, backups
  6. Have a data breach response plan tested at least annually
  7. Review third-party data processors and ensure contracts require PDPA-equivalent protection

Businesses that use link management, analytics, or marketing platforms should carefully vet those tools. For a comparison of link-sharing tools that respect user privacy, see our 2026 URL shortener buyer's guide.

Recent PDPA Enforcement Trends

The PDPC publishes enforcement decisions regularly, providing a useful window into how the law is applied in practice. Common themes in recent years include:

  • Insufficient security controls leading to unauthorised access (weak passwords, unpatched systems)
  • Misconfigured cloud storage exposing personal data to the public internet
  • Unauthorised disclosure by employees, particularly in healthcare and finance
  • Failure to obtain valid consent for marketing communications
  • Delayed breach notifications and inadequate incident response

Penalties in recent decisions have ranged from a few thousand dollars for minor lapses to six-figure sums for large-scale breaches affecting hundreds of thousands of individuals.

Frequently Asked Questions

Does the PDPA apply to my employer's handling of employee data?

Yes, but with some carve-outs. Employers can collect, use, and disclose personal data for reasonable employment-related purposes without explicit consent, provided employees are notified. However, the protection, accuracy, and retention obligations still apply fully.

Can I request deletion of my personal data under the PDPA?

The PDPA doesn't include a standalone "right to erasure" like the GDPR. However, by withdrawing consent, you effectively force the organisation to stop using your data, and the retention limitation obligation requires them to delete data once it is no longer needed for a legal or business purpose.

How long does an organisation have to respond to my access or correction request?

Organisations should respond as soon as reasonably possible, and typically within 30 days. If they need more time, they must inform you in writing with an estimated response date. Unreasonable delays can be reported to the PDPC.

What penalties can the PDPC impose for PDPA violations?

Since October 2022, the PDPC can impose financial penalties of up to 10% of an organisation's annual turnover in Singapore or S$1 million, whichever is higher. It can also issue directions to stop certain data practices, destroy improperly collected data, or implement specific remedial measures.

Does the PDPA cover data collected before it came into force?

Yes. The PDPA applies to all personal data held by organisations, regardless of when it was originally collected. However, transitional provisions apply to consent obtained before the Act came into effect, generally treating existing collections as validly consented if the historical purpose is unchanged.

Final Thoughts

The Singapore PDPA gives you meaningful, enforceable rights over your personal data — but those rights only work if you know how to use them. Take time to understand what data organisations hold about you, exercise your access and correction rights when needed, and don't hesitate to escalate to the PDPC when an organisation falls short. Combined with sensible digital hygiene, your PDPA rights form a solid foundation for protecting your privacy in Singapore's digital economy.
