PrivacyTerrain

Editorial caveat

Structured values summarize official materials for research and planning. They are reviewed by humans before publication and should not be treated as legal advice.

medium confidence, Good baseline, but legitimate interests and business improvement exceptions need more nuance.

Breach

Breach deadline (hours): 72
Breach notification required: Yes

Marketing

Cookie consent rule: Cookie and direct marketing analysis is shaped by consent principles and Do Not Call rules.

Transfers

Cross-border transfer restricted: Yes
Data localization required: No

Governance

DPO required: Yes
Impact assessment required: No
Records of processing required: No

Identity

Effective date: 2014-07-02
Effective status: in-force
Last amended: 2021-02-01
Law status: active

Scope

Extraterritorial application: Yes
Private sector coverage: Applies to private-sector organizations processing personal data.
Public sector coverage: Public agencies are generally governed by separate public-sector rules.
Territorial scope: Applies to organizations in Singapore and, in some contexts, overseas organizations collecting or disclosing personal data in Singapore.

Legal Basis

Legal bases: consent, deemed consent, business improvement, legitimate interests
Requires legal basis: Yes

Enforcement

Maximum fine: The PDPA allows significant financial penalties, especially for larger organizations.
Private right of action: Yes
Regulator or enforcement authority summary: PDPC

Definitions

Personal data definition: Personal data means data, whether true or not, about an individual who can be identified.
Sensitive data recognized: No

Rights

Right of access: Yes
Right to appeal: Yes
Right to deletion: No
Right to erasure or delete summary: Retention-limitation driven deletion
Right to object: No
Right to portability: No
Right to rectification or correction summary: Correction right

Official sources

PDPA textPrimary official law • en • html
PDPC guidanceSecondary official material • en • html

Singapore