facebook-pixel

Singapore PDPA: Your Personal Data Protection Rights Explained

L
Lunyb Security Team
··11 min read

Singapore's Personal Data Protection Act (PDPA) is the cornerstone of data privacy law in the country, giving every individual clear rights over how organisations collect, use, and disclose their personal information. Whether you're a Singapore resident wondering what a company can legally do with your NRIC, or a business owner trying to stay compliant, understanding your PDPA rights is essential in 2026.

This guide breaks down the PDPA in plain English, explains each of your rights, and shows you exactly how to exercise them when an organisation mishandles your data.

What Is the Singapore PDPA?

The Personal Data Protection Act 2012 (PDPA) is Singapore's primary data protection law, enforced by the Personal Data Protection Commission (PDPC). It governs how private sector organisations collect, use, disclose, and care for personal data, and it also includes the Do Not Call (DNC) Registry provisions.

The PDPA was significantly amended in 2020 and 2021 to introduce mandatory data breach notification, higher financial penalties, and new rights such as data portability. Today, non-compliant organisations can face fines of up to S$1 million or 10% of annual turnover in Singapore, whichever is higher.

Who the PDPA Applies To

The PDPA applies to all private sector organisations in Singapore, regardless of size, that collect, use, or disclose personal data. It also extends to organisations based overseas if they process the personal data of individuals located in Singapore.

The public sector is governed separately by the Public Sector (Governance) Act and internal government instruction manuals, though the standards are broadly similar.

What Counts as Personal Data

Personal data is any information about an individual who can be identified either from that data alone or in combination with other information the organisation holds. Common examples include:

  • Full name and NRIC or FIN number
  • Residential address and phone number
  • Email address and photographs
  • Bank account and financial information
  • Medical records and biometric data
  • Employment history and CCTV footage

Your Core PDPA Rights as an Individual

The PDPA grants individuals in Singapore several enforceable rights over their personal data. Understanding these rights is the first step to protecting your privacy.

1. The Right to Be Informed (Notification Obligation)

Before an organisation collects your personal data, it must inform you of the purposes for which the data will be collected, used, or disclosed. This is usually done through a privacy policy or a consent form at the point of collection.

If an organisation later wants to use your data for a new purpose, it must notify you and obtain fresh consent.

2. The Right to Give and Withdraw Consent

Organisations generally need your consent to collect, use, or disclose your personal data. Consent must be given freely and cannot be a condition of receiving a product or service beyond what is reasonably necessary.

You also have the right to withdraw consent at any time by giving reasonable notice. Once you withdraw, the organisation must stop using your data for the withdrawn purpose, though they may retain it if required by another law.

3. The Right of Access

You can request an organisation to provide you with:

  • The personal data about you that is in their possession or under their control
  • Information about how that data has been used or disclosed in the past year

Organisations must respond as soon as reasonably possible, generally within 30 days. They may charge a reasonable fee to cover administrative costs.

4. The Right of Correction

If your personal data held by an organisation is inaccurate or incomplete, you can request a correction. The organisation must correct the data as soon as practicable and notify every other organisation to which the data was disclosed in the past year, unless you agree otherwise.

5. The Right to Data Portability (New in 2021)

The Data Portability Obligation allows you to request an organisation to transmit your personal data to another organisation in a commonly used machine-readable format. This makes it easier to switch service providers without losing your data history.

Note: The full operational details of this right are being progressively rolled out by the PDPC, so implementation may vary by sector.

6. The Right to Be Notified of a Data Breach

Under the mandatory Data Breach Notification obligation, organisations must notify affected individuals and the PDPC when a breach is likely to result in significant harm, or when it affects 500 or more individuals.

You must be told what data was compromised, the potential consequences, and what steps the organisation is taking to address the breach.

The 11 Data Protection Obligations Organisations Must Follow

To protect your rights, the PDPA imposes eleven obligations on organisations. Understanding them helps you recognise when a company is falling short.

ObligationWhat It Requires
ConsentObtain valid consent before collecting or using data
Purpose LimitationOnly use data for purposes a reasonable person would consider appropriate
NotificationInform individuals of collection purposes
Access and CorrectionProvide access and correct inaccurate data on request
AccuracyMake reasonable efforts to ensure data accuracy
ProtectionImplement reasonable security safeguards
Retention LimitationStop retaining data once the purpose is fulfilled
Transfer LimitationEnsure comparable protection when transferring data overseas
AccountabilityAppoint a Data Protection Officer and have policies in place
Data Breach NotificationReport significant breaches to PDPC and affected individuals
Data PortabilityTransmit data to another organisation on request

How to Exercise Your PDPA Rights: A Step-by-Step Guide

Knowing your rights is one thing; using them effectively is another. Here's the practical process for making a PDPA request.

Step 1: Identify the Data Protection Officer (DPO)

Every organisation in Singapore must appoint a DPO whose contact details should be publicly available, usually in the privacy policy on their website. Look for a dedicated email like dpo@company.com.sg.

Step 2: Submit a Written Request

Send a clear, dated written request via email or letter. Include:

  1. Your full name and contact details
  2. Proof of identity (such as a partial NRIC)
  3. A specific description of the data or action you're requesting
  4. The right you are exercising (access, correction, withdrawal, etc.)

Step 3: Allow Reasonable Time for Response

Organisations should respond within 30 days. If they need more time, they must inform you and give a reasonable estimate of when they'll respond.

Step 4: Escalate if Unsatisfied

If the organisation refuses your request or fails to respond, you can:

  1. Ask the DPO for a written reason for the refusal
  2. Request an internal review by senior management
  3. Lodge a complaint with the PDPC at pdpc.gov.sg

The Do Not Call (DNC) Registry

The DNC provisions of the PDPA give Singapore consumers the right to opt out of telemarketing messages sent to their local phone numbers. You can register your Singapore-registered number on three separate lists: no voice calls, no text messages, and no fax messages.

Once registered, organisations must check the registry before sending marketing messages. Breaching DNC rules can result in fines up to S$200,000 for organisations.

Exceptions to DNC Rules

Organisations can still contact you if:

  • You have given clear and unambiguous consent in writing
  • They have an ongoing business relationship with you (specific exemption rules apply for text messages)
  • The message is not a specified marketing message under the Act

Data Breaches: What to Do if Your Data Is Compromised

If you receive a breach notification, or suspect your data has been leaked, take these actions immediately:

  1. Change affected passwords and enable two-factor authentication on all important accounts
  2. Monitor your bank statements and credit card activity for unauthorised transactions
  3. Alert Singpass if your NRIC or Singpass credentials may be compromised
  4. File a police report if you suspect identity theft or fraud
  5. Document everything including the breach notification, any losses, and your remediation steps
  6. Consider making a complaint to the PDPC if the organisation was negligent

Protecting Your Personal Data Online

While the PDPA gives you legal rights, prevention is always better than remediation. Here are practical steps to reduce your exposure online.

Minimise Data Sharing

Only provide personal information when strictly necessary. Question why an organisation needs your NRIC, and remember that under PDPC guidelines, businesses generally cannot collect, use, or disclose NRIC numbers except in specific circumstances such as where required by law.

Use Secure Tools for Sharing Links and Information

When sharing content online, use reputable services that respect user privacy and offer transparency about data collection. For shortening and sharing links, privacy-focused platforms like Lunyb allow you to share URLs without exposing unnecessary tracking data. For a deeper look at trusted options, see our 2026 URL shortener buyer's guide or our honest review of Lunyb.

Review Privacy Policies

Before signing up for a service, skim the privacy policy for how long data is retained, whether it is shared with third parties, and where it is stored. Overseas transfers are permitted under the PDPA only if the receiving organisation provides comparable protection.

Enable Encrypted DNS and Browser Privacy Features

Modern browsers like Firefox, Brave, and Safari offer built-in tracking protection and encrypted DNS options. These reduce the amount of data intermediaries can collect as you browse.

PDPA Penalties and Enforcement in 2026

The 2020 amendments significantly raised the stakes for non-compliance. Here's a quick overview of current penalty structures:

Violation TypeMaximum Penalty
Data protection breach (large organisations, annual turnover over S$10 million)Up to 10% of Singapore annual turnover
Data protection breach (other organisations)Up to S$1 million
DNC Registry breachUp to S$200,000 per organisation
Egregious mishandling by individuals (e.g. unauthorised disclosure)Up to S$5,000 fine or 2 years jail

The PDPC also publishes decisions publicly, meaning organisations face reputational as well as financial consequences.

PDPA vs GDPR: Key Differences

If you've dealt with the EU's General Data Protection Regulation (GDPR), you'll notice similarities but also important differences.

AspectPDPA (Singapore)GDPR (EU)
Consent basisConsent central, with deemed consent optionsSix lawful bases including consent
Right to erasureNot an explicit standalone rightExplicit "right to be forgotten"
Data portabilityRecently introduced, being phased inWell-established since 2018
DPO requirementMandatory for all organisationsMandatory only for certain organisations
Maximum fine10% of SG turnover or S$1M4% of global turnover or €20M

Special Considerations for Businesses

If you run a business in Singapore, PDPA compliance is not optional. At minimum, you should:

  1. Appoint a Data Protection Officer and publish their contact
  2. Draft a clear, plain-language privacy policy
  3. Map what personal data you collect, why, and how long you keep it
  4. Implement technical safeguards like encryption and access controls
  5. Train staff on their PDPA obligations annually
  6. Prepare a data breach response plan with clear escalation paths
  7. Vet third-party vendors and data processors carefully

The PDPC offers free guides, toolkits, and even the Data Protection Trustmark certification to help SMEs demonstrate compliance to customers.

Frequently Asked Questions

Can an organisation refuse my PDPA access request?

Yes, but only in specific circumstances outlined in the PDPA. These include when disclosure could threaten someone's safety, reveal personal data of another individual, or breach legal privilege. The organisation must give you a written reason for the refusal.

How long do I have to file a PDPA complaint?

There is no strict statutory time limit, but the PDPC generally expects complaints to be filed within a reasonable timeframe after the incident, typically within two years. Filing sooner improves the chances of a thorough investigation while evidence is still available.

Does the PDPA apply to personal use of data?

No. The PDPA does not apply to individuals acting in a personal or domestic capacity, such as keeping a personal address book. It also does not apply to employees acting within the scope of their employment, as the employer bears responsibility.

Can I sue an organisation directly for a PDPA breach?

Yes. Section 48O of the PDPA gives individuals a private right of action to seek civil remedies including damages for loss or emotional distress caused by a PDPA contravention. However, you must generally exhaust the PDPC complaint process first.

Are cookies and online tracking covered by the PDPA?

Yes, when the data collected via cookies or tracking technologies can identify an individual. Organisations must notify users and obtain valid consent, typically through cookie banners and clear privacy notices explaining tracking practices.

Final Thoughts

The PDPA gives Singapore residents meaningful, enforceable control over their personal data, but rights only matter if you use them. Whether you're checking what an insurer knows about you, correcting outdated contact details, or reporting a data breach, the framework is designed to be accessible to ordinary consumers.

Stay informed, question unnecessary data requests, and don't hesitate to escalate to the PDPC when organisations fall short. In an era where data is currency, your PDPA rights are your most valuable protection.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles