Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Singapore’s PDPA Act 2019: All you need to know

PDPA Act 2019
Singapore adopted its Personal Data Protection Act (PDPA Act 2019) way back in 2012 before the EU’s GDPR made its appearance on the legal stage.

All you need to know about Singapore’s PDPA Act 2019

Singapore adopted its Personal Data Protection Act (PDPA Act 2019) way back in 2012 before the EU’s General Data Protection Regulation (GDPR) made its appearance on the legal stage. It came into full force on 2 July 2014 and governs the collection, use, disclosure, and care of personal data. It also regulates telemarketing practices through the Do Not Call registry which allows Singaporeans who sign up for it to opt-out of marketing messages on their telephones, mobile phones, and fax machines.

While it may be considered progressive for its time and contains much of the same jargon that has now become the staple of data protection regulations across the world, the PDPA Act 2019 falls short of the GDPR’s hard-line approach to privacy and personal data protection. It was criticized for its many exemption clauses and did not have any requirements for special categories of sensitive data such as those relating to health, race, ethnicity, etc.

This particular failing was not without its consequences: in June 2018, Singapore suffered its worst data breach to date when the personal data of 1.5 million healthcare patients, including that of its Prime Minister, Lee Hsien Loong, was compromised. The Personal Data Protection Committee (PDPC), tasked with enforcing the PDPA Act 2019, fined Integrated Health Information Systems (IHIS), the technology agency running the healthcare institutions’ IT systems, S$750,000 (approx. $540,000), and SingHealth, the data controller, S$250,000 (approx. $181,000). A probe report found that weak cybersecurity practices primarily caused the data breach.

The PDPC has since announced its intention to update the PDPA Act 2019 requirements, most notably adding mandatory data breach notifications and data portability to the legislation. It also issued a number of guides to assist organizations in understanding its approach to regulating Singapore’s personal data protection regime. Its most recent, released on 22 May 2019, covers data protection management, active enforcement, and managing data breaches.

Who does the PDPA Act 2019 apply to?

The PDPA Act 2019 has an extraterritorial reach and applies to organizations collecting personal data from individuals in Singapore, whether the companies are located in the country or not. The Act does not apply to the public sector, which is governed by other rules.

PDPA Act 2019 falls short of the GDPR’s hard-line approach to privacy and personal data protection.

What is personal information under the PDPA Act 2019?

Personal data under the PDPA Act 2019 is defined as data that, whether true or not, can be used to identify an individual by itself or together with other information to which the organization has or is likely to have access.

Business contact information, when used for business purposes and not in a personal capacity, is not protected by the PDPA Act 2019. Neither is personal data about an individual that has been in existence for at least 100 years or personal data about individuals that have been deceased for over ten years.

As previously mentioned, the PDPA Act 2019 does not include special requirements for sensitive data. However, the PDPC has recently issued new guidelines for the protection of National Registration Identification Card (NRIC) numbers and similar national identification numbers. When it comes into force on 1 September 2019, it will make it illegal for organizations to collect, use or disclose NRIC numbers or to make copies of identity cards, except under specifically permitted situations such as legal requirements, if a consent exception under the PDPA Act 2019 applies or it is necessary to accurately establish or verify an individual’s identity to a high degree of fidelity.

The thorny issue of consent

The PDPA Act 2019 consent requirements are much more relaxed than those of more recently adopted regulations such as the CCPA and GDPR. It requires express consent from individuals to collect personal data but includes no less than 18 exemptions to the rule, which allows organizations to collect personal data without consent. While some of these are familiar, for example in case personal data is publically available, is being collected for national security purposes or for journalistic reasons, it also includes other, more contentious exemptions such as data collected for evaluative purposes or in the interest of the individual. When it comes to using personal data without consent, there are 10 exemptions and for disclosure without consent, 19 exemptions.

The PDPA Act 2019 goes a step further than exemptions and also accepts deemed consent as valid consent. Deemed consent is essentially data provided voluntarily by an individual to an organization when it is reasonable for the individual to do so. This voluntarily provided data can then be passed on to another organization for a particular purpose.

Also read: 9 Policies For Security Procedures Examples

The PDPA Act 2019 has an extraterritorial reach and applies to organizations collecting personal data from individuals in Singapore

Individuals’ rights

Singaporeans have the option of withdrawing consent, even in the case of deemed consent. However, any legal consequences of the withdrawal have to be borne by the individual who must be informed of these likely consequences by the organization from whom they request the withdrawal. Companies are also not obligated to inform third parties of consent withdrawals, so it falls to the individual to seek them out and withdraw consent from them as well. The withdrawal of consent cannot be requested if the collection, use or disclosure of the information is required by law, or if it is necessary for legal or business purposes.

The PDPA offers limited rights of access and correction of information collected by organizations. Individuals can request access to personal data held by an organization and information concerning its use or disclosure in the last year, but this right is subject to exceptions. While individuals can request that organizations make corrections to their personal data, companies can decide, on reasonable grounds, not to apply them.

The PDPA does not currently include any right to be forgotten or data portability among its requirements. However, the PDPC recently started a six-week public consultation to seek views on proposals to introduce data portability and data innovation provisions in the PDPA.

Cross-border data transfers

Organizations can transfer personal information from Singapore to other countries only in compliance with the PDPA or if they have applied for and received exemption from the PDPC. Those that need to transfer data across borders in accordance with the PDPA, must ensure that the country to which the data is being transferred has a comparable level of data protection to the standards set forth by the PDPA.

Data can also be transferred to other countries if organizations have received consent from the individual to do so, if data transfer agreements have been put in place or transfers are necessary for certain prescribed circumstances.

The penalties

If organizations tamper with personal data or hide information concerning its collection, use or disclosure, they face a fine not exceeding S$50,000 (approx. $36,000). Any attempts to hinder a PDPC investigation can lead to a fine of not more than S$100,000 (approx. $72,000). Companies are also liable for their employees’ actions in the eyes of the PDPA, whether they are aware of them or not.

The maximum penalty allowed by the PDPA is of S$1,000,000 (approx. $725,000) and, as shown in the case of the SingHealth data breach, the PDPC is not shy about issuing it.

Also read: 7 Client Data Protection Tips to Keep Customers Safe



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us