The Personal Data Protection Act (PDPA) of Singapore

As part of Singapore’s effort in strengthening our position as a trusted hub for businesses, the Personal Data Protection Act 2012 (PDPA) was introduced and passed in October 2012 by the Singapore parliament.

Under this Act, the PDPA regulates the collection, use and disclosure of personal data. This provides a baseline standard of protection for personal data in Singapore.


What is as considered personal data under PDPA?

Personal data refers to data related to an individual who can be identified based on that data, or from that data itself and other information to which the organisation has or is likely to have access to.

Examples of personal data includes: name and NRIC numbers, photographs or video images of an individual, voice of an individual and biometric identifiers.

PDPA covers personal data stored in electronic and non-electronic formats.


Who is exempted from PDPA?

The PDPA generally does not apply to:

  • Any individual acting in a person or domestic capacity (i.e. between family members);

  • Any individual acting in his/her capacity as an employee with an organisation

  • Any public agency; and

  • Any organisation in the course of acting on behalf of a public agency in relations to the collection, use and disclosure of the personal data

  • Business contact information such as individual’s name, position or title, business telephone number, business address, business email and similar information


Is a data protection officer mandatory in Singapore?

It is compulsory under the PDPA for all organisations and companies to appoint one or more Data Protection Officer(s) (DPO) to supervise their organisation and/or company’s collection, usage, and disclosure of personal data.

It is the duty of the DPO to ensure that their company processes personal data of its employee, clients, providers, or any other individual in compliance with the data protection rules.

The DPO will also serve as a point of contact for individuals to get in touch with your business in relation to PDPA matters.

Dormant companies that do not have any business activities do not need to appoint a Data Protection Officer with PDPC.



What happens if my company does not have a DPO?

If any organisation is found not PDPA-compliant, they may face penalties by the Personal Data Protection Commission (PDPC)

  • A financial penalty of up to $1million

  • Direct your business to stop collecting, using or disclosing personal data in contravention of the PDPA

  • Direct your business to destroy personal data collected in contravention of the PDPA


How do I appoint a Data Protection Officer?

An organisation DPO can either be an employee or a third-party individual or organisation. The company may register and update the officer business contact via ACRA BizFIle+ portal with their CorpPass.

As part of Lionsworld Incorporation service, we would be able to assist you with updating your DPO details on ACRA.

Ready to Incorporate? View our incorporation package here or arrange an appointment now!

Have more questions regarding company incorporation in Singapore? View more FAQs or Send us an enquiry below!

    Need Help? Message us!

    By clicking send, I agree to the Privacy Policy.