Managing personal data (PDPA)

What are the important PDPA policy requirements to highlight for Singapore companies?


  • In Singapore, in order to prevent abusing the usage of personal data, Singapore has established Personal Data Protection Act (PDPA) in 2013 which provides a standard guideline of protection for personal data in Singapore. It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. It consists of 10 key obligations and Do Not Call (“DNC”) provisions for companies in Singapore.

    10 key obligations comprise of: The Consent Obligation, The Purpose Limitation Obligation, The Notification Obligation, The Access and Correction Obligations, The Accuracy Obligation, The Protection Obligation, The Retention Limitation Obligation, The Transfer Limitation Obligation, The Data Breach Notification Obligation, The Accountability Obligation.

    In summary, all companies are encouraged to create a checkbox to specifically obtain users consent for them to provide their Singapore telephone numbers and notify users on the usage of their personal data.

    Companies are advised to inform users on how they can withdraw their consent to receive marketing or promotional information.

    Companies are advised to exercise sufficient due diligence checks on access before responding to an access request to their employees.

    Companies are advised to restrict employee access to confidential documents to a need-to-know basis and to review the access rights on a periodic basis.

    Companies are encouraged to conduct training sessions to all employees to strengthen awareness of threats to security of personal data, and nominate a headcount for Data Protection Officer (“DPO”) and register under ACRA. Companies are also advised to formalise policies for the respective PDPA obligations.