SG PDPA

Personal Data Protection Act 2012 (as amended 2020)

Cap. 224 / Act No. 40 of 2020Enforced — Fully enforceable with enhanced penalties since 1 October 2022

Singapore's Personal Data Protection Act establishes 10 data protection obligations for all private sector organisations. The 2020 amendments introduced mandatory data breach notification, expanded deemed consent, data portability, enhanced financial penalties, and a private right of action. The PDPC actively enforces the law with a growing track record of enforcement decisions.

Data Protection Obligations

30d

Breach Notification Window

SGD 1M

Max Fine (or 10% turnover)

Oct 2022

Enhanced Penalties

Implementation Timeline

1 July 2014

Original PDPA became effective

2 November 2020

Parliament passed PDPA Amendment Act 2020

1 February 2021

Major amendment provisions in force, including breach notification

1 October 2022

Enhanced financial penalty caps in effect

Who's In Scope

Private Sector

All private-sector organisations in Singapore
No size or industry threshold — applies universally
Includes sole proprietors, partnerships, and companies

Extraterritorial

Foreign companies offering services to Singapore customers
Entities processing Singapore residents' personal data regardless of location

Exempt Entities

Public agencies (governed by Public Sector Governance Act)
Individuals processing data for personal/household use

Key Requirements

Part III

Consent Obligation

Obtain clear, unambiguous consent before collecting, using, or disclosing personal data, with deemed consent provisions for specified contexts.

Part IV, VA

Purpose Limitation & Breach Notification

Use data only for stated purposes, notify PDPC within 30 days and affected individuals of significant data breaches.

Parts V, VI

Accuracy & Protection

Maintain accurate personal data, implement reasonable physical, technical, and organisational security measures.

Parts VI, VIB

Retention & Transfer Limitation

Retain data only as long as necessary, ensure overseas transfers meet PDPA equivalent protection standards.

Parts VII, VIII

Access, Correction & DPO

Provide individuals right to access and correct personal data, appoint a Data Protection Officer for organisational compliance.

Penalties & Enforcement

Data Protection Breaches

SGD 1M or 10% Singapore turnover

Whichever is higher; applies to organisations with SGD 10M+ turnover

DNC Violations

SGD 1M or 5% Singapore turnover

Applies to organisations with SGD 20M+ turnover

Enforcement Powers

PDPC directions and financial penalties

Warnings, directions to comply, financial penalties, prosecutions

How Orizon Can Help

Compliance Management

We provide structured preparation and compliance support for SG PDPA.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your SG PDPA compliance posture and build a practical roadmap.

Get Started