Privacy Ninja




Overview of the Personal Data Protection Act – SG

The PDPA applies to organizations in respect of the collection, use and disclosure of personal data in Singapore.

What is the Personal Data Protection Act (PDPA)?

The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The PDPA was passed by Parliament in October 2012 and was progressively enforced in several stages from January 2013 till July 2014.

The PDPA recognizes both:

  • The rights of individuals (natural persons, whether living or dead) to protect their personal data; and
  • The need of organizations (any individual, company, association or body of persons, corporate or unincorporated) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in normal circumstances.

What is Personal Data?

Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access.

Examples of personal data that can, on their own or when made available together, identify an individual include:

  • Name
  • NRIC / FIN number / Passport Number
  • Personal Email Address
  • Personal mobile telephone number
  • Residential address
  • Photograph or video image of an individual
  • Voice recording
  • Biometric identifiers (e.g. iris image, thumbprint, DNA profile)

Note that the PDPA’s disclosure and protection provisions protect the personal data of deceased individuals for up to 10 years.


What types of Personal Data are excluded from the PDPA?

The PDPA does not apply to the following categories of personal data:

  • Personal data of deceased individuals who have been dead for more than 10 years
  • Business contact information (BCI) of individuals, even if the information is also used by the individual for personal purposes:
    • Name
    • Business title
    • Business telephone number
    • Business e-mail
    • Business office address

Who does not need to comply with the PDPA?

The PDPA applies to organizations in respect of the collection, use and disclosure of personal data in Singapore. There are, however, certain parties that do not need to comply with these obligations.

Natural persons:

  • Any individual acting in a personal or domestic capacity
  • Any employee acting in the course of his/her employment

Employees acting in the course of their employment will have to adhere to their organisation’s policies for ensuring the organisation’s compliance with the PDPA. They themselves will not be held personally liable for breaching the PDPA as a result of actions instructed by their organisation.


  • Any public agency
  • Any organisation in the course of acting on behalf of a public agency in relation to the collection, use and disclosure of the personal data

Public agencies are not governed by the PDPA because there are fundamental differences in how the public sector operates compared to the private sector. They have to comply with Government Instruction Manuals and the Public Sector (Governance) Act (PSGA). Collectively, these provide higher standards of data protection compared to the PDPA.


Note that organisations which are data intermediaries are partially excluded from these obligations. Only the Protection and Retention Limitation Obligations apply. A “data intermediary” is defined as an organisation that processes personal data on behalf of another organisation.

Processing includes:

  • Recording
  • Holding
  • Organization
  • Adapting or alteration
  • Retrieval
  • Combination
  • Transmissions
  • Erasure
