facebook-pixel

Singapore PDPA: Your Personal Data Protection Rights Explained

L
Lunyb Security Team
··11 min read

Singapore's Personal Data Protection Act (PDPA) is the country's cornerstone data privacy law, giving individuals meaningful control over how organisations collect, use, and disclose their personal data. Whether you're a Singapore resident, a business handling customer information, or simply someone curious about digital rights in the Lion City, understanding your Singapore PDPA rights is essential in an era where personal data flows across borders in seconds.

This guide walks through every right the PDPA grants you, the obligations it places on organisations, and the practical steps you can take when your data is mishandled. By the end, you'll know exactly what to do if a company loses your data, refuses your access request, or keeps marketing to you after you've said no.

What Is the Singapore PDPA?

The Personal Data Protection Act (PDPA) is Singapore's primary data protection law, enacted in 2012 and significantly amended in 2020. It governs how private-sector organisations collect, use, disclose, and protect personal data in Singapore, and it's enforced by the Personal Data Protection Commission (PDPC).

The PDPA applies to any organisation that handles personal data in Singapore, regardless of whether the organisation is physically based in Singapore. "Personal data" means any information about an identifiable individual — from your NRIC number and phone number to your browsing history or biometric data.

Who the PDPA Covers

  • Private-sector organisations operating in Singapore, including foreign companies collecting data from Singapore residents.
  • Data intermediaries that process data on behalf of others (e.g. cloud providers, payroll processors).
  • Individuals whose personal data is collected — you are the "data subject" with enforceable rights.

Public agencies are governed by a separate framework (the Public Sector Governance Act), though many principles overlap.

Your Core Rights Under the Singapore PDPA

The PDPA grants individuals a set of clearly defined rights that organisations must respect. Below are the most important ones you should know.

1. The Right to Be Informed (Notification Obligation)

Before or at the time an organisation collects your personal data, it must tell you the purposes for which the data will be collected, used, or disclosed. Generic statements like "for business purposes" aren't enough — the purpose must be specific and reasonable.

2. The Right to Give (and Withdraw) Consent

Consent is the backbone of the PDPA. Organisations generally cannot collect, use, or disclose your personal data without your consent. Equally important, you have the right to withdraw that consent at any time by giving reasonable notice.

Once you withdraw consent, the organisation must stop collecting, using, or disclosing your data — though they may retain it if required by law (e.g. tax records).

3. The Right of Access

You can ask an organisation to tell you:

  1. What personal data about you they hold or control.
  2. How that data has been used or disclosed within the past year.

Organisations must respond "as soon as reasonably possible," and in practice this typically means within 30 days. They may charge a small, reasonable fee to cover administrative costs.

4. The Right to Correction

If your personal data is inaccurate or incomplete, you can request a correction. Organisations must correct the data as soon as practicable and notify any third parties they previously shared it with, unless the correction is trivial or the organisation reasonably believes it is not needed.

5. The Right to Data Portability (Coming Into Force)

Introduced in the 2020 PDPA amendments, the data portability obligation allows you to request that an organisation transmit your data to another organisation in a commonly used machine-readable format. While the operational details continue to be finalised by the PDPC, this right mirrors similar provisions in the EU's GDPR.

6. The Right to Not Be Subject to Unwanted Marketing

Under the Do Not Call (DNC) Registry provisions of the PDPA, you can register your Singapore phone number to stop receiving telemarketing calls, texts, and faxes. Organisations must check the DNC Registry before sending marketing messages.

7. The Right to Be Notified of Data Breaches

Since 1 February 2021, organisations are legally required to notify both the PDPC and affected individuals of any data breach that:

  • Results in significant harm to affected individuals, or
  • Involves the personal data of 500 or more individuals.

Notifications must be made within specific timeframes (72 hours to the PDPC after assessment).

Obligations the PDPA Places on Organisations

Your rights are backed by nine (now expanded to eleven) core obligations that organisations must meet. Understanding these helps you recognise when a company is falling short.

ObligationWhat It Requires
ConsentObtain valid consent before collecting, using, or disclosing personal data.
Purpose LimitationOnly use data for purposes a reasonable person would consider appropriate.
NotificationInform individuals of the purpose before or at the time of collection.
Access & CorrectionProvide access to and allow correction of personal data on request.
AccuracyMake reasonable effort to ensure data is accurate and complete.
ProtectionImplement reasonable security arrangements to protect personal data.
Retention LimitationCease retention when purpose is fulfilled and legal retention isn't required.
Transfer LimitationEnsure comparable protection when transferring data overseas.
AccountabilityAppoint a Data Protection Officer (DPO) and develop policies.
Data Breach NotificationNotify PDPC and affected individuals of notifiable breaches.
Data PortabilityTransmit data to another organisation upon request (when in force).

How to Exercise Your PDPA Rights: A Step-by-Step Guide

Knowing your rights is one thing — enforcing them is another. Here's a practical roadmap.

Step 1: Identify the Organisation's Data Protection Officer

Every organisation subject to the PDPA must designate a DPO and publish their contact details. Look on the company's website (usually in the privacy policy or a dedicated PDPA page) for the DPO's email or contact form.

Step 2: Submit a Written Request

Send your request in writing (email is fine). Be specific about what you want:

  1. State clearly whether you're requesting access, correction, or withdrawal of consent.
  2. Provide enough information for the organisation to identify you and locate your records.
  3. Include your preferred contact method for the response.

Step 3: Wait for the Response

Organisations are expected to respond within 30 days. If they can't meet this timeline, they must inform you in writing and provide an estimated response date.

Step 4: Escalate to the PDPC If Unresolved

If the organisation refuses your request without valid grounds, or fails to respond, you can lodge a complaint with the PDPC. The commission can investigate, mediate, or issue directions and financial penalties.

Penalties for PDPA Violations

The 2020 amendments significantly increased the financial penalties for breaches. Organisations that violate the PDPA can now face fines of up to:

  • 10% of annual turnover in Singapore (for organisations with turnover above S$10 million), or
  • S$1 million, whichever is higher.

Individuals who mishandle data — such as employees who leak customer records — can also face personal criminal liability, including fines and imprisonment for offences like unauthorised disclosure or re-identification of anonymised data.

PDPA vs GDPR: How Singapore's Law Compares

Singapore's PDPA is often compared to the EU's General Data Protection Regulation (GDPR). While both aim to protect personal data, they differ in scope, penalties, and specific rights.

FeatureSingapore PDPAEU GDPR
Consent StandardDeemed consent allowed in some casesExplicit, freely given consent required
Right to ErasureNo standalone "right to be forgotten"Explicit right to erasure
Data PortabilityYes (being operationalised)Yes, fully in force
Breach NotificationWithin 72 hours of assessmentWithin 72 hours of awareness
Maximum Fine10% turnover or S$1 million4% global turnover or €20 million
Extraterritorial ReachApplies to foreign orgs handling SG dataApplies to foreign orgs handling EU data

Protecting Your Personal Data in Practice

Legal rights are powerful, but proactive privacy hygiene reduces your exposure in the first place. Here are practical steps every Singapore resident can take.

Minimise the Data You Share

Only provide the information a service genuinely needs. When signing up for a loyalty programme, ask yourself whether they really need your NRIC or full date of birth.

Use Privacy-Respecting Tools

Choose services that publish clear privacy policies, offer strong encryption, and don't monetise your data. For example, when sharing links on social media or in email newsletters, a privacy-conscious URL shortener like Lunyb lets you create clean, trackable short links without exposing your recipients to invasive analytics scripts. You can read our honest review of Lunyb to see how it stacks up.

Register with the Do Not Call Registry

Sign up your Singapore mobile number at the DNC Registry to block most unsolicited telemarketing. Organisations that ignore the DNC face substantial fines.

Audit Your Digital Footprint Annually

Once a year, request access reports from services you no longer use and ask them to delete your account. Many organisations retain data long after you've stopped being an active customer.

Enable Strong Authentication

Two-factor authentication (2FA) via an authenticator app dramatically reduces the risk that a data breach on one service will cascade into others.

Common PDPA Scenarios and What You Can Do

Scenario 1: A Company Keeps Emailing You After You Unsubscribed

Send a formal written withdrawal of consent to the DPO. If marketing continues beyond a reasonable period (usually 30 days), file a complaint with the PDPC.

Scenario 2: You Discover Your Data Was in a Breach

Change any reused passwords immediately, enable 2FA, and monitor your accounts. The organisation is required to notify you if the breach is notifiable — if they didn't, that's itself a PDPA violation you can report.

Scenario 3: An Employer Asks for Your NRIC on a Job Application

Since 2019, organisations generally cannot collect NRIC numbers unless required by law or necessary to verify identity to a high degree of fidelity. A recruiter has no reason to collect it at the application stage.

Scenario 4: A Business Refuses Your Access Request

They must provide a written reason for refusal. If the refusal doesn't fall within the PDPA's limited exceptions (e.g. legal privilege, national security), escalate to the PDPC.

The Future of Data Protection in Singapore

The PDPA continues to evolve. The PDPC regularly publishes advisory guidelines on emerging areas including artificial intelligence, biometric data, children's data, and cross-border data transfers. Organisations that treat PDPA compliance as a one-time exercise are quickly falling behind — the standard of "reasonable" security and consent keeps rising.

For individuals, this means your rights are expanding, not shrinking. Data portability is being operationalised, breach notifications are becoming the norm, and enforcement is tightening. Understanding the framework today prepares you for the next wave of changes.

Frequently Asked Questions

Does the PDPA apply to overseas companies collecting data from Singapore?

Yes. The PDPA applies to any organisation that collects, uses, or discloses personal data in Singapore, regardless of where the organisation is physically located. A US-based e-commerce site that ships to Singapore customers must comply with the PDPA in relation to those customers' data.

Can I sue an organisation directly for a PDPA breach?

Yes. Since the 2020 amendments, individuals who suffer loss or damage as a direct result of a PDPA contravention can bring a private civil action against the organisation, in addition to filing a complaint with the PDPC.

How long does an organisation have to respond to my access request?

Organisations must respond as soon as reasonably possible, typically within 30 days. If they need more time, they must inform you in writing and provide an estimated response date. Unreasonable delays can be reported to the PDPC.

Is my NRIC number specially protected under the PDPA?

Yes. The PDPC has issued specific guidance restricting the collection, use, and disclosure of NRIC numbers and copies of NRIC. Organisations generally cannot collect NRIC data unless required by law or necessary for high-fidelity identity verification.

What's the difference between the PDPA and the Do Not Call Registry?

The Do Not Call Registry is part of the PDPA. It specifically addresses unsolicited telemarketing messages sent to Singapore phone numbers. The broader PDPA covers all forms of personal data handling, not just marketing communications.

Final Thoughts

The Singapore PDPA gives you real, enforceable control over your personal data — but those rights are only as strong as your willingness to exercise them. Take five minutes today to check the privacy policy of a service you use often, register your number on the DNC Registry, and bookmark the PDPC website for future reference.

If you're a business handling customer data, invest in a proper compliance programme, appoint a qualified DPO, and treat data protection as a competitive advantage rather than a checkbox. In an era of frequent breaches and rising customer expectations, respecting personal data is one of the strongest trust signals a Singapore brand can offer.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles