Personal Data Protection Act 2012 (PDPA)
Complete compliance guide for companies with <200 employees. Everything you need to know about PDPA requirements, deadlines, and penalties.
30 calendar days
+ 30 days extension
SGD 1,000,000/violation
Up to SGD $1 million or 10% of annual turnover (whichever is higher) for organizations, following 2021 amendments. The PDPC can also issue directions to stop collection/use/disclosure. Individuals face fines up to SGD $5,000 for egregious mishandling.
No threshold
$5,000 – $18,000
6-14 weeks
Mid-Market Compliance Guide
Singapore's PDPA applies to all private organizations in Singapore, with no revenue or size threshold. The 2021 amendments increased maximum fines to 10% of turnover, added mandatory breach notification, and introduced data portability. The PDPC is actively enforcing and publishes all enforcement decisions online.
Key Requirements
- Obtain consent before collecting, using, or disclosing personal data
- Allow individuals to withdraw consent at any time
- Protect personal data with reasonable security arrangements
- Provide mandatory data breach notification to the PDPC and affected individuals
- Comply with the Do Not Call Registry (DNCR)
- Appoint a Data Protection Officer
Consumer Rights
Business Obligations
1. Appoint a Data Protection Officer
2. Respond to access and correction requests within 30 days
3. Notify PDPC of significant data breaches within 3 days of assessment
4. Implement reasonable security measures for personal data
5. Comply with Do Not Call Registry for marketing messages
Exemptions
- Personal or domestic data use
- Business contact information for business purposes
- Public agencies (governed by separate rules)
- Employee data for employment purposes (partial exemption)
Related Privacy Laws
Recommended Compliance Tools
BigID
AI-powered data intelligence for privacy and security
PDPA data discovery for Singapore compliance
TrustArc
Enterprise privacy management with built-in regulatory intelligence
PDPA regulatory compliance framework
Securiti
AI-powered data command center for privacy, security, and governance
PDPA data protection program management
Usercentrics
Enterprise consent management with Google-certified CMP status
PDPA consent collection
Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/27/2026.
