
Speed Read
Data Privacy - Singapore
The full report, available to subscribers and those on a free trial, includes access to a detailed legal memorandum, Breach Response App, Horizon Scanning and Sanctions Tracking, Schrems II Toolkit and Territorial Scope View, all supported by daily monitoring and alerts.
Source Date: 1 August 2025
Overview
Legal Framework
Relevant law: Personal Data Protection Act 2012 (PDPA)
Regulator: Personal Data Protection Commission (PDPC)
Fines and Enforcement
Maximum possible fine: 10% of Singapore turnover (if turnover exceeds S$10 million) or S$1 million in any other case
Top fine to date: S$750,000 (c. USD 550,000) for a 2019 data breach involving over 1.5m patients' health data
Compliance Overview
Register with regulator: There is no general requirement to register with the PDPC. However, all organisations that use alphanumeric Sender IDs in their SMS messages to Singapore mobile users must first register with the Singapore SMS Sender ID Registry.
Appoint a DPO: All organisations (other than Data Intermediaries) must appoint a DPO. An organisation must designate one or more individuals to be responsible for ensuring compliance with the PDPA.
Appoint a CISO: There is no requirement to appoint a person with responsibility for information security and governance, but the DPO may be responsible for broader information security issues.
Formal compliance programme: Organisations must implement a privacy policy and complaints process, communicate it to staff, and make it available to individuals on request.
Publish/provide privacy notice: An organisation is required to proactively inform individuals of certain specific information in relation to the processing of their Personal Data.
Maintain records of activities: There is no explicit requirement to maintain an internal register of activities but the PDPC recommends maintaining a data inventory or data flow diagram and has provided example templates.
Conduct privacy assessment (DPIA): There is no express requirement to carry out a privacy assessment, but the PDPC recommends that organisations identify the circumstances in which they will conduct privacy assessments, and has provided example templates.
Data security measures: Organisations must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying or modification of Personal Data, or similar risks. This is an area subject to extensive PDPC guidance and enforcement.
Key risks and considerations
1) Robust regime; PDPC guidance regularly referenced in enforcement.
2) Wide range of processing grounds available (despite the general requirement for consent).
3) Robust rules around international transfers enforced by the PDPC.
4) Strict data breach notification obligations (individuals and regulator).
5) Specific laws governing the sending of direct marketing communications.
Find out how aosphere can help
Rulefinder Data Privacy is an easy-to-use online resource that provides practical analysis of data protection and privacy laws across key global markets. The analysis is simple to access online, easy to navigate and maintained by a dedicated team of senior lawyers.
