facebook-pixel

Singapore PDPA: Your Personal Data Protection Rights Explained

L
Lunyb Security Team
··12 min read

Singapore's Personal Data Protection Act (PDPA) is the cornerstone of data privacy in the country, giving individuals meaningful control over how organisations collect, use, and disclose their personal data. Whether you're a Singapore citizen, permanent resident, or a foreign national living or working here, understanding your PDPA rights helps you push back against unwanted marketing calls, request corrections to inaccurate records, and hold companies accountable when they mishandle your information.

This guide breaks down the PDPA in plain English, explains each of your rights, and shows you exactly what to do when an organisation crosses the line.

What Is the Singapore PDPA?

The Personal Data Protection Act 2012 is Singapore's baseline data protection law, enforced by the Personal Data Protection Commission (PDPC). It governs how private-sector organisations collect, use, disclose, and care for personal data, and it also establishes the national Do Not Call (DNC) Registry.

The PDPA came into full force in July 2014 and was significantly strengthened by the Personal Data Protection (Amendment) Act 2020, which introduced mandatory data breach notification, higher financial penalties, and new individual rights such as data portability. Public agencies are governed separately under the Public Sector (Governance) Act, but the principles are broadly similar.

Who Does the PDPA Apply To?

The PDPA applies to all private-sector organisations that collect, use, or disclose personal data in Singapore, regardless of whether the organisation is formed or resident here. If a company overseas processes the personal data of individuals in Singapore, the PDPA can still reach them.

"Personal data" means any data about an identifiable individual, including obvious identifiers like NRIC numbers and email addresses, but also things like phone numbers, photographs, CCTV footage, and even certain combinations of data that could point to one person.

The Core Principles Behind Your PDPA Rights

Before diving into specific rights, it helps to understand the nine key obligations the PDPA places on organisations. Your rights essentially mirror these obligations.

  1. Consent Obligation – Organisations must obtain your consent before collecting, using, or disclosing your personal data.
  2. Purpose Limitation Obligation – Data can only be used for purposes a reasonable person would consider appropriate.
  3. Notification Obligation – You must be told the purpose before or at the time of collection.
  4. Access and Correction Obligation – You can request access to and correction of your data.
  5. Accuracy Obligation – Organisations must make reasonable efforts to keep data accurate.
  6. Protection Obligation – Reasonable security arrangements must protect your data.
  7. Retention Limitation Obligation – Data must be deleted when no longer needed.
  8. Transfer Limitation Obligation – Overseas transfers require comparable protection.
  9. Data Breach Notification Obligation – Serious breaches must be reported to the PDPC and affected individuals.

Your 7 Key Rights Under the Singapore PDPA

Here is a detailed look at each right you can exercise as an individual.

1. The Right to Be Informed

Before an organisation collects your personal data, it must inform you of the purposes. In practice, this is why you see privacy notices at the top of registration forms and cookie banners on websites. If a bank asks for your NRIC to open a savings account, it must state that clearly – it cannot then repurpose the NRIC for marketing without telling you.

2. The Right to Consent (and to Withdraw It)

Consent under the PDPA must be meaningful. Silence or a pre-ticked checkbox typically isn't enough for sensitive uses. Just as importantly, you have the right to withdraw consent at any time by giving reasonable notice. Once you withdraw, the organisation must stop the relevant collection, use, or disclosure – though it may still retain data required for legal or contractual obligations.

3. The Right of Access

You can request that an organisation provide you with:

  • The personal data it holds about you, and
  • Information on how that data has been used or disclosed within the past year.

The organisation must respond as soon as reasonably possible, generally within 30 days, or explain why more time is needed. A reasonable fee may be charged for retrieval, but the fee cannot be so high that it discourages you from exercising the right.

4. The Right of Correction

If your personal data is inaccurate or incomplete, you can request a correction. The organisation must correct the data as soon as practicable and inform other organisations it shared the data with in the past year, unless you agree otherwise.

5. The Right to Data Portability (New)

Introduced under the 2020 amendments, the Data Portability Obligation lets you request that certain electronic data held by one organisation be transmitted to another. This is designed to reduce lock-in and empower consumers – for example, moving transaction history from one bank to another. The full regime is being rolled out in stages by the PDPC.

6. The Right Not to Be Contacted (Do Not Call)

The DNC Registry lets you opt out of unsolicited telemarketing calls, SMS, and faxes to your Singapore phone number. Once you register, organisations must check the registry before contacting you, or face significant penalties. You can register free at the PDPC's DNC portal.

7. The Right to Be Notified of Data Breaches

Since 1 February 2021, organisations must notify the PDPC of a notifiable data breach within 3 calendar days, and affected individuals must also be told if the breach is likely to result in significant harm. This gives you a fighting chance to change passwords, monitor accounts, or freeze credit facilities.

PDPA Rights vs. Common Misconceptions

People often confuse what the PDPA actually protects. The table below clears up frequent misunderstandings.

Common Belief What the PDPA Actually Says
"Companies can never collect my NRIC." NRIC collection is restricted but allowed where required by law or necessary to accurately establish identity to a high degree of fidelity.
"I can demand full deletion of all my data." There is no absolute right to erasure like the EU's GDPR. Data must be deleted only when no longer needed for a legal or business purpose.
"Any marketing SMS is illegal if I'm on the DNC list." Ongoing relationships (e.g., messages from your bank about your own account) and messages you separately consented to may still be lawful.
"Only Singapore companies must follow the PDPA." Any organisation processing personal data of individuals in Singapore is caught, including overseas businesses.
"Employee data isn't covered." Employee personal data is covered, though certain provisions are relaxed for managing the employment relationship.

How to Exercise Your PDPA Rights: Step-by-Step

Exercising your rights is more practical than most people think. Here's the standard process.

  1. Identify the organisation's Data Protection Officer (DPO). Every organisation must appoint one and publish contact details on their website or privacy notice.
  2. Send a written request. Email is fine. State clearly whether you want access, correction, withdrawal of consent, or data portability.
  3. Provide identity verification. The organisation may ask for reasonable proof it's really you.
  4. Wait up to 30 days. If the request is complex, they can extend the deadline but must inform you.
  5. Escalate if ignored. If you don't get a satisfactory response, lodge a complaint with the PDPC.

Sample Language for an Access Request

You don't need a lawyer. A short message like this works:

"Dear Data Protection Officer, under section 21 of the Personal Data Protection Act, I request access to the personal data your organisation holds about me and information on how it has been used or disclosed in the past 12 months. My identifying details are [name, account number, email]. Kindly respond within 30 days."

Penalties: What Happens When Organisations Breach the PDPA

The 2020 amendments dramatically raised the stakes. Financial penalties for serious breaches can now reach:

  • Up to 10% of an organisation's annual turnover in Singapore, or
  • S$1 million, whichever is higher.

Individuals can also be prosecuted for offences like knowingly disclosing personal data without authorisation, with fines up to S$5,000 and/or imprisonment. Directors and senior officers can be held personally liable in some cases.

Special Situations Worth Knowing

NRIC and Other National Identifiers

Since September 2019, organisations generally cannot collect, use, or disclose NRIC numbers or make physical copies of NRIC cards unless required by law or necessary to accurately establish identity to a high degree of fidelity. A gym scanning your NRIC to give you a free trial, for example, is almost certainly a breach.

CCTV, Photographs, and Videos

Images that can identify individuals are personal data. Organisations using CCTV must post clear notices and cannot repurpose footage for marketing without consent.

Overseas Data Transfers

If your data is sent overseas – for instance, to a cloud provider in the US or India – the sending organisation must ensure a comparable standard of protection through contractual clauses, binding corporate rules, or recognised certifications.

Children's Data

While the PDPA does not set a specific age of consent, PDPC guidelines suggest that children aged 13 and above can generally give consent for straightforward matters. For anything more significant, parental consent is expected.

Practical Ways to Reduce Your Personal Data Exposure

Rights are only useful if there's less data floating around to misuse. A few habits go a long way:

  • Use disposable or masked contact details where possible – such as email aliases and secondary numbers – so a leak from one merchant doesn't compromise everything.
  • Read privacy notices before ticking consent boxes, especially for loyalty programmes that often bundle broad marketing consent.
  • Register on the DNC Registry and refresh your preferences yearly.
  • Use link shorteners that respect privacy when sharing URLs publicly. Tools like Lunyb allow you to share links without exposing raw destinations that could reveal personal accounts, project files, or internal systems. See our honest Lunyb review for a deeper look.
  • Enable encrypted DNS and use privacy-focused browsers to reduce passive data collection by network intermediaries.
  • Review app permissions on your phone at least twice a year and revoke access no longer needed.

If you regularly share marketing or business links, choosing the right shortener matters – both for reliability and to avoid inadvertently sharing tracking-heavy URLs. Our 2026 URL shortener buyer's guide compares the main options, and our Rebrandly review looks at one of the most well-known enterprise options.

How to File a Complaint With the PDPC

If an organisation fails to respond, mishandles your data, or refuses a legitimate request, you can escalate to the PDPC. The steps are:

  1. Attempt to resolve it directly first. The PDPC will typically ask what steps you've already taken with the organisation.
  2. Gather evidence. Save emails, screenshots, dated request letters, and any responses.
  3. Submit a complaint via the PDPC website. Provide clear facts, a timeline, and what outcome you're seeking.
  4. Consider Alternative Dispute Resolution. The PDPC may direct parties to mediation before formal investigation.
  5. Await the PDPC's decision. Enforcement can include directions, financial penalties, and public disclosure of findings.

You may also have a private right of action – meaning you can sue the organisation in court for loss or damage suffered because of a PDPA breach, after the PDPC has made a decision.

PDPA vs GDPR: A Quick Comparison

Many Singaporeans deal with services that also follow the EU's GDPR. Here's how the two compare at a glance.

Feature Singapore PDPA EU GDPR
Right to Erasure Limited (retention limitation) Explicit right to be forgotten
Data Portability Yes, being phased in Yes, established
Breach Notification Within 3 calendar days Within 72 hours
Max Penalty 10% of SG turnover or S$1 million 4% of global turnover or €20 million
Consent Standard Consent-based with deemed consent options Strict, freely given and specific
Extraterritorial Scope Yes, for data of Singapore individuals Yes, for data of EU residents

Frequently Asked Questions

Can I ask a company to completely delete my personal data under the PDPA?

The PDPA does not include an absolute "right to be forgotten" like the GDPR. However, organisations are required to cease retention when the data is no longer needed for any legal or business purpose. You can also withdraw consent, which effectively forces the organisation to stop most further use of your data.

How long does an organisation have to respond to my access request?

Organisations must respond as soon as reasonably possible. If they cannot do so within 30 days, they must inform you in writing of the timeframe by which they will respond. Unreasonable delays can be reported to the PDPC.

Does the PDPA apply to messages from overseas companies?

Yes, if the overseas organisation is processing the personal data of individuals in Singapore, the PDPA generally applies. Enforcement can be more challenging in practice, but the PDPC has taken action against foreign entities before.

Is my NRIC number always considered highly sensitive under the PDPA?

Yes. Since 2019, PDPC guidelines heavily restrict NRIC collection. Organisations should only collect NRIC numbers when required by law or when necessary to accurately establish or verify identity to a high degree of fidelity. Alternatives like membership numbers should be used whenever possible.

What can I do if a company ignores my PDPA request?

Document your request and any responses (or lack thereof), then file a complaint with the PDPC through their website. In serious cases where you have suffered loss or damage, you may also pursue a private right of action in court after the PDPC's decision.

Final Thoughts

The Singapore PDPA has evolved into a robust data protection regime that gives individuals real leverage over how their information is handled. Knowing your rights – to be informed, to consent, to access, to correct, to portability, to be left alone by telemarketers, and to be notified of breaches – transforms you from a passive data subject into an empowered one.

The most effective privacy strategy combines legal rights with practical habits: exercise your PDPA rights when needed, but also minimise the personal data you hand out in the first place. That combination – informed consent plus data minimisation – is how you keep control of your digital identity in Singapore in 2026 and beyond.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles