facebook-pixel

Singapore PDPA: Your Personal Data Protection Rights Explained

L
Lunyb Security Team
··11 min read

Singapore's Personal Data Protection Act (PDPA) gives every individual meaningful control over how organisations collect, use, and disclose their personal data. Whether you're signing up for a rewards card at NTUC, banking with DBS, or clicking a shortened link on Telegram, the PDPA sets the ground rules that protect you. This guide breaks down your rights under the PDPA, how to exercise them, and what to do when an organisation gets it wrong.

What Is the Singapore PDPA?

The Personal Data Protection Act 2012 is Singapore's baseline law governing the collection, use, disclosure, and care of personal data by private-sector organisations. It is enforced by the Personal Data Protection Commission (PDPC), a division under the Infocomm Media Development Authority (IMDA).

The Act was substantially amended in 2020 and 2021, introducing mandatory data breach notification, higher financial penalties (up to 10% of an organisation's annual turnover in Singapore), and new consent frameworks. In 2026, the PDPA remains the primary reference point for anyone asking, "What rights do I actually have over my personal data in Singapore?"

Who Does the PDPA Apply To?

The PDPA applies to all private-sector organisations in Singapore that collect, use, or disclose personal data, regardless of whether the organisation is physically based here. It also applies to data intermediaries (third parties that process data on behalf of another organisation). Public agencies are covered by a separate framework, the Public Sector (Governance) Act.

What Counts as Personal Data?

Personal data is any data, true or false, about an individual who can be identified from that data alone or in combination with other information. This includes:

  • NRIC or FIN numbers
  • Full name, home address, and mobile number
  • Email address and IP address (in many contexts)
  • Photographs, CCTV footage, and voice recordings
  • Medical, financial, and employment records
  • Location data and behavioural tracking data

Your Core PDPA Rights at a Glance

The PDPA does not use the phrase "data subject rights" as directly as the EU's GDPR, but it grants equivalent protections through nine data protection obligations imposed on organisations. From your perspective as an individual, these translate into concrete rights you can exercise.

Your RightWhat It MeansPDPA Basis
Right to be informedOrganisations must tell you why they're collecting your data before or at collectionNotification Obligation
Right to consent (and withdraw it)Your consent is required, and you can withdraw it at any timeConsent Obligation
Right of accessYou can request a copy of your personal data held by an organisationAccess Obligation
Right to correctionYou can request correction of inaccurate or incomplete dataCorrection Obligation
Right to data accuracyOrganisations must keep your data reasonably accurateAccuracy Obligation
Right to securityReasonable security arrangements must protect your dataProtection Obligation
Right to breach notificationYou must be told of significant data breaches affecting youData Breach Notification Obligation
Right to data portability (limited)Move certain data to another provider (framework in progress)Data Portability Obligation
Right to opt out of marketing calls/SMSRegister on the Do Not Call (DNC) RegistryDNC Provisions

Right 1: The Right to Be Informed

Before an organisation collects your personal data, it must tell you the purposes for which the data will be collected, used, and disclosed. This is usually done through a privacy policy, a consent notice at sign-up, or a clear statement at the point of collection.

In practice, look for phrases like "purposes stated in our Data Protection Notice" or "we collect your data to process your order and provide customer support." If the purposes change later, the organisation must inform you again and, in most cases, seek fresh consent.

What a Compliant Notice Looks Like

  1. States a specific purpose (not vague catch-alls like "business purposes")
  2. Identifies the organisation and provides a Data Protection Officer (DPO) contact
  3. Explains what happens if you refuse to provide the data
  4. Describes any third-party disclosures

Right 2: Consent and the Right to Withdraw It

Consent is the cornerstone of the PDPA. Organisations generally cannot collect, use, or disclose your personal data without your consent, unless an exception applies (such as legitimate interests, business improvement, or legal obligations under the amended PDPA).

Types of Consent Recognised Under the PDPA

  • Express consent: You explicitly tick a box or sign a form.
  • Deemed consent by conduct: You voluntarily provide data for an obvious purpose (e.g., handing over a name card at a networking event).
  • Deemed consent by notification: The organisation notifies you and gives you a reasonable window to opt out.

How to Withdraw Consent

You can withdraw consent at any time by giving reasonable notice. The organisation must:

  1. Inform you of the likely consequences of withdrawal (for example, you may no longer be able to use a service)
  2. Stop collecting, using, or disclosing your data for the withdrawn purposes
  3. Cease sending you marketing communications tied to that consent

They cannot penalise you for withdrawing consent, though they may legitimately terminate a service that depended on the data.

Right 3: The Right of Access

You have the right to request a copy of the personal data an organisation holds about you, together with information on how that data has been used or disclosed within the last year.

How to Make an Access Request

  1. Identify the organisation's DPO (usually listed in the privacy policy)
  2. Submit a written request identifying yourself and the data you want
  3. Pay a reasonable fee if one is charged (the organisation must give you an estimate first)
  4. Expect a response within 30 days, or a written explanation for any delay

When Access Can Be Refused

Organisations may refuse access if disclosing the data would reveal personal data about another individual, threaten someone's safety, prejudice an investigation, or breach legal privilege. Refusals must be explained in writing.

Right 4: The Right to Correction

If the personal data an organisation holds about you is inaccurate or incomplete, you can request that it be corrected. This is particularly important for banks, insurers, credit bureaus, and employers, where errors can have real financial consequences.

Once a correction is made, the organisation must send the corrected data to every other organisation to which it disclosed the incorrect data within the past year, unless you agree otherwise.

Right 5: Data Breach Notification

Since 1 February 2021, organisations are legally required to notify the PDPC of a data breach that:

  • Results in, or is likely to result in, significant harm to affected individuals, or
  • Affects 500 or more individuals

Where significant harm is likely, the organisation must also notify affected individuals directly. Notification to the PDPC must occur within 3 calendar days of determining that a notifiable breach has occurred.

What "Significant Harm" Means

The PDPA regulations specifically flag categories such as full NRIC or passport numbers combined with other data, financial account details, health information, and login credentials. If any of these are exposed, expect a notification.

Right 6: Protection From Unsolicited Marketing

The Do Not Call (DNC) provisions sit within the PDPA and give you strong control over telemarketing:

  1. Register your Singapore telephone number(s) on the DNC Registry at no cost
  2. Choose which channels to block: voice calls, text messages, or fax
  3. Organisations must check the registry before contacting you for marketing purposes

Registration takes effect within 21 days. If you continue to receive marketing messages after that, you can lodge a complaint with the PDPC.

Right 7: Data Portability (Emerging)

The Data Portability Obligation was introduced in the 2020 amendments but is being rolled out in phases with sector-specific regulations. Once fully operational, it will let you request that your data be transmitted directly from one organisation to another in a commonly used machine-readable format, similar to Open Banking initiatives. Keep an eye on PDPC announcements for the sectors covered.

How to Exercise Your PDPA Rights: A Step-by-Step Playbook

  1. Find the DPO. Every organisation must appoint one and publish their contact. Check the privacy policy footer.
  2. Put it in writing. Email is acceptable. Be specific about what you're requesting: access, correction, withdrawal of consent, or a complaint.
  3. Keep records. Save timestamps, screenshots, and correspondence.
  4. Wait 30 days. This is the general response window.
  5. Escalate if needed. If the organisation does not respond or refuses unreasonably, file a complaint with the PDPC at pdpc.gov.sg.

Filing a Complaint With the PDPC

Before the PDPC will accept a complaint, you generally need to demonstrate that you tried to resolve the issue with the organisation first. The PDPC also encourages mediation through its Data Protection Dispute Resolution scheme for lower-value disputes.

What Happens After You File

  • The PDPC may conduct an investigation and request documents from the organisation
  • Findings can result in directions, financial penalties, or public decisions
  • Since 1 October 2022, maximum financial penalties are S$1 million or 10% of the organisation's annual turnover in Singapore, whichever is higher

Everyday Steps to Protect Your Personal Data

Knowing your rights is only half the battle. The other half is practising good data hygiene so you have less exposure to begin with.

Practical Data Minimisation Habits

  1. Question every NRIC request. Since 1 September 2019, organisations generally cannot collect, use, or disclose full NRIC numbers unless required by law or necessary for accurate identification. Push back if a gym or lucky draw asks for it.
  2. Use masked or shortened links when sharing content on social media or in messaging apps. A shortener like Lunyb lets you share a cleaner destination while keeping tracking parameters and long query strings out of your public-facing URL.
  3. Enable two-factor authentication on Singpass, banking, and email accounts.
  4. Review app permissions monthly on your phone. Revoke location or contact access from apps that don't need it.
  5. Prefer encrypted DNS and privacy-focused browsers such as Brave or Firefox with strict tracking protection.
  6. Use unique passwords stored in a reputable password manager.

If you frequently share links in newsletters, WhatsApp groups, or online communities, take a moment to read our guide to the best URL shorteners reviewed and compared for 2026 — the tool you pick affects how much of your click-through data ends up with third parties. You can also read our honest review of Lunyb if you want to understand how a privacy-first shortener is structured.

Common PDPA Misconceptions

"The PDPA Doesn't Apply to Small Businesses"

False. The PDPA applies to organisations of every size, from sole proprietors to multinationals. Small businesses have the same obligations regarding consent, purpose, and breach notification.

"I Signed the Form, So They Can Do Anything With My Data"

Also false. Consent is limited to the purposes disclosed at collection. Any new use requires fresh consent or must fall under a specific exception.

"CCTV Footage Isn't Personal Data"

Untrue when individuals are identifiable. Condominium MCSTs, retailers, and offices operating CCTV must comply with the PDPA, including displaying notices and safeguarding footage.

PDPA vs GDPR: A Quick Comparison for Singapore Residents

Many Singapore businesses serve customers in the EU and vice versa, so it helps to understand how the two frameworks align.

FeatureSingapore PDPAEU GDPR
Legal basis for processingConsent-centric with limited exceptionsSix legal bases, consent is one of them
Right to erasureNo general right, but withdrawal of consent forces cessationExplicit right to be forgotten
Breach notification window3 calendar days to regulator72 hours to regulator
Max financial penalty10% of Singapore turnover or S$1 million4% of global turnover or €20 million
Extraterritorial scopeApplies if data is collected in SingaporeApplies globally if EU residents are targeted

Frequently Asked Questions

How long do organisations have to respond to my PDPA access request?

Organisations should respond as soon as reasonably possible, and in any case within 30 days. If they cannot meet this timeline, they must inform you in writing of the expected response date and the reason for delay.

Can I sue an organisation directly for a PDPA breach?

Yes. The PDPA provides a private right of action. If you have suffered loss or damage as a result of a contravention, you may commence civil proceedings after the PDPC has made a finding on the breach.

Does the PDPA cover data collected before 2012?

The core data protection provisions came into force on 2 July 2014. Data collected before that date is still subject to the PDPA for ongoing use and disclosure, though organisations were given transitional latitude for consent obtained under previous frameworks.

What should I do if I receive a suspicious call asking for my NRIC?

Do not disclose your full NRIC. Ask why it is required, whether a partial identifier will suffice, and which law mandates the collection. If the caller cannot justify the request, decline and report the incident to the PDPC and, if it appears to be a scam, to the Singapore Police Force via ScamShield.

Are foreign companies without a Singapore office bound by the PDPA?

Yes, if they collect, use, or disclose personal data in Singapore. The PDPC has taken enforcement action against overseas operators whose services affect Singapore residents, so location is not a shield from compliance.

Final Thoughts

The PDPA gives Singapore residents a robust, practical set of rights over their personal data — but those rights only work when you use them. Bookmark your key DPO contacts, register on the DNC list, question unnecessary NRIC requests, and don't hesitate to escalate to the PDPC when organisations fall short. Combined with sensible digital habits like unique passwords, privacy-respecting browsers, and cleaner link-sharing tools, you can meaningfully reduce your data exposure in an increasingly connected Singapore.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles