Manage user consent online and meet PDPA compliance
Automate consent management and align your business with regulatory compliance with our no-code, easy-to-use cookie consent solution.
The #1 cookie consent solution, trusted by 1.4 Million+ websites
Singapore’s Personal Data Protection Act (PDPA) is a law that governs the collection, use and disclosure of personal data by private organisations. The PDPA aims to safeguard individuals’ personal data and mandates that organisations use personal data only for legitimate and reasonable purposes. The PDPA was enacted in 2012 and was amended in November 2020 via the Personal Data Protection (Amendment) Act 2020. The amendments came into effect on February 1, 2021.
PDPA Compliance Checklist for Websites
- Obtain user consent for cookies and trackers
- Record user consents to demonstrate proof
- Enlist with ‘Do Not Call’ (DNC) Registry
- Limit data collection only for legitimate purposes
- Notify DPAs and affected users of data breaches
Comply with PDPA Singapore using CookieYes
Display cookie consent banner for visitors
PDPA requires businesses to notify users about the use and disclosure of their personal data at the point of collection and to request their consent.
With CookieYes you can
Automate consent management
Businesses should also ensure ongoing compliance with PDPA’s obligations for consent and leverage automated tools.
With CookieYes you can
Under PDPA Singapore, businesses should notify users of the purposes for which they collect personal data, in a notice that is easy to read and understand.
Achieve regulatory compliance with the #1 cookie consent solution
Learn more about PDPA Singapore and take the next step towards compliance
What is PDPA Singapore?
The Personal Data Protection Act is a law enacted by Singapore that intends to regulate the collection, use, and disclosure of personal data by organizations in the private sector. The PDPA Singapore was passed by the Singapore Parliament in October 2012 and came into full effect by July 2014.
The Personal Data Protection (Amendment) Act 2020 or PDPA Amendments was passed in November 2020. The first batch of amendments came into effect on 1 February 2021, including mandatory data breach notifications and new exemptions for processing data without consent. The increase in the monetary penalty under the Amendment came into force on 1 October 2022.
Who does PDPA apply to?
PDPA Singapore applies to any business in the private sector that handles the personal data of Singapore residents. Like other data privacy regulations such as the GDPR in the EU and UK and Brazil’s LGPD, PDPA Singapore has extraterritorial reach: organisations located outside Singapore can be required to comply with the law if they collect, use, or disclose the data of Singapore residents.
The PDPA does not apply to public sector organizations including Government ministries and departments. The public sector is governed by other laws such as the Public Sector (Governance) Act 2018 and the Government Instruction Manual on Infocomm Technology & Smart Systems Management.
What are consumer rights under PDPA?
Right to be informed
The right to be informed about how their personal data will be used, and to be notified if personal data is disclosed to third parties.
Right to access
The right to access personal data and to have it available in a clear and readable format, free of cost.
Right to correction
The right to request to correct, update, or complete personal data about them.
Right to opt-out
The right to withdraw their consent to the collection, use or disclosure of their personal data at any time, by providing a reasonable explanation for the request.
Right to erasure
Individuals have the right to request that their personal data be deleted in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.
Right to data portability
The right to have their data ported to another organisation, upon request, in a commonly used machine-readable format.
What is the penalty for non-compliance?
The maximum financial penalty for non-compliance includes a fine of up to SGD 10 million (approximately USD 7.4 million) or 10% of an organization’s annual turnover in Singapore. Non-compliance with provisions of the PDPA such as the Do Not Call Registry is punishable upon conviction with a fine not exceeding USD 7,400 and/or imprisonment for a term not exceeding three years.
Individuals who suffer loss or damage as a result of a violation of PDPA have private rights of action and can initiate civil proceedings against organizations.
FAQ on PDPA Singapore Compliance
The first batch of changes introduced by the Personal Data Protection (Amendment) Act 2020 or PDPA Amendments came into effect on 1 February 2021. The next set of amendments came into force on 1 October 2022.
The PDPA was first passed by the Parliament of Singapore in October 2012 and was implemented in three phases by July 2014.
Personal data is data about an individual:
- who can be identified from that data, or
- who can be identified from that data together with other information to which the organisation has, or is likely to have, access.
Business contact information used for the purposes of business is exempt from PDPA unless it is solely for personal purposes.
The PDPA imposes certain restrictions for transferring personal data outside of Singapore. Organizations are allowed to transfer personal data outside of Singapore if the recipient of the data is legally bound to provide a standard of protection for the personal data that is comparable to the protection under the PDPA.
Organisations are advised to take steps such as implementing data transfer agreements and contractual clauses, obtaining the individual’s consent, or ensuring that the recipient is located in a jurisdiction whose data protection laws offer protections similar to those available under the PDPA.
The Personal Data Protection Commission (PDPC) is the regulating authority that is in charge of enforcing the PDPA in Singapore and ensuring that organizations comply with its provisions. Under PDPA, the PDPC has the power to investigate and take enforcement action against organizations for violations, including imposing fines and issuing directions to cease or correct the offending conduct.
The PDPC is part of the Telecommunications and Media Regulatory Authority, IMDA, which remains under the supervision of the Ministry of Communications.
As the GDPR has extraterritorial scope, businesses in Singapore that collect and process the personal data of individuals in the EU/EEA may be required to comply with the provisions of the GDPR.
Similar to GDPR, the PDPA has extraterritorial applicability and applies to any organization that collects, uses and discloses the personal data of Singapore residents.
Here are some links you can refer to for additional reading:
Fast-track your PDPA compliance in minutes
Set up a cookie consent banner in 3 simple steps and automate your compliance.