Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

A beginner’s guide to the Singapore PDPA

Singapore PDPA
Here’s a beginner’s guide to the Singapore PDPA, the Data Protection law of Singapore

A beginner’s guide to the Singapore PDPA

With the dawn of digitalization, personal data has become the prized possession of everyone and was even considered the new gold in today’s time. Sadly, this has also been the case of bad actors who will do whatever they can to get access to it that organizations carefully hold. 

With the looming threat from cybersecurity criminals having sophisticated tactics to infiltrate organization’s databases and systems, national authorities have taken steps to ensure that no bad actors cannot get their hands to information they can profit off through data protection policies. In Singapore, it is called Personal Data Protection Act (PDPA), and this is governed by the Personal Data Protection Commission (PDPC).

Also Read: The necessity of a data protection plan for businesses in Singapore

What is the Singapore PDPA?

The PDPA is a data protection law passed on 15 October 2012 by the Parliament of Singapore. The Act went into effect in its entirety in July 2014 and was most recently revised in November 2020.

PDPA is the one that regulates the collection, use, and disclosure of personal information about Singaporean citizens by various organizations. This law also recognizes the necessity for organizations to gather and utilize personal information in appropriate circumstances and obliges organizations who suffer data breaches to inform the authorities and those affected by it unless there is a rule that excepts them from doing so. 

Organizations have duties under the PDPA when they collect, use, or disclose any individual’s personal information. Any violation of these requirements would constitute a violation of the provisions of the aforementioned Act, which carries a penalty of up to S$1,000,000 in fines. The Personal Data Protection Act (PDPA) imposes 11 duties on organizations responsible for handling personal data:

There are 11 obligations under the PDPA that organizations must comply or risk the imposition of a financial penalty.

1. Accountability Obligation

Organizations must take steps to ensure that they are meeting their obligations under the PDPA, such as providing information about their data protection policies, practices, and complaints process upon request, appointing a data protection officer (DPO), and making business contact information available to the public.

Organizations should be willing to provide information about their data protection methods, policies, and complaint processes to anybody who asks.

2. Notification Obligation

Organizations are required to advise individuals of the objectives for which their personal data will be collected, used, or disclosed.

3. Consent Obligation

Organizations are only permitted to collect, use, or disclose personal data for purposes to which an individual has consented.

Furthermore, organizations must allow individuals to withdraw consent with reasonable notice and notify them of the possible implications of doing so. When consent is revoked, ensure that you stop collecting, using, or disclosing the individual’s personal data.

4. Purpose Limitation Obligation

Organizations may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate under the circumstances and for which the individual has given consent.

An organization may not force an individual to agree to the collection, use, or disclosure of his or her personal data beyond what is necessary to offer that product or service as a condition of providing that product or service.

5. Accuracy Obligation

Organizations must make a reasonable effort to ensure that the personal data collected is accurate and complete, especially if it will be used to make a decision that affects the individual or is disclosed to another organization.

6. Protection Obligation 

To prevent unauthorized access, acquisition, use, disclosure, or other threats to personal data in an organization’s control, reasonable security mechanisms must be put in place.

7. Retention Limitation

Organizations are only required to stop retaining personal data or dispose of it properly when it is no longer required for any commercial or legal reason.

8. Transfer Limitation Obligation

Organizations are only required to transmit personal data to another country according to the legislation to guarantee that the quality of protection is similar to that provided by the PDPA unless exempted by the PDPC.

The PDPA is a data protection law passed on 15 October 2012 by the Parliament of Singapore.

9. Access and Correction Obligation

Organizations must offer individuals access to their personal data as well as details on how the data was used or disclosed during the previous year upon request.

Organizations must also correct any errors or omissions in the individual’s personal data as soon as possible and send the corrected data to other organizations to which the personal data was disclosed (or to selected organizations to which the individual has consented) within a year of the correction.

10. Data Breach Notification Obligation

In the case of a data breach, organizations must determine if it is notifiable. Suppose a data breach is likely to cause significant harm to individuals and/or is on a large scale. In that case, organizations must notify the PDPC and the affected individuals as soon as possible.

11. Data Portability

Organizations are expected to communicate the individual’s data that is in their custody or under their control to another organization in a generally used machine-readable format upon the individual’s request.

The purpose of Singapore PDPA

The purpose of this Act is to regulate the collection, use, and disclosure of personal data by organizations in a manner that acknowledges both the right of individuals to protect their personal data and the need for organizations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate under the circumstances.

PDPA is the one that regulates the collection, use, and disclosure of personal information about Singaporean citizens by various organizations.

What does the Singapore PDPA apply to?

The PDPA, like other data protection laws such as the UK and EU GDPR and Brazil’s LGPD, has “extraterritorial consequences.” This means that organizations based outside of Singapore may be required to comply with the PDPA if they collect, use, or disclose data within Singapore.

For example, if a non-Singaporean corporation, such as Facebook, gathers Singaporean data online, it is subject to the PDPA. It will also be subject to sanctions if found to be in violation of the regulation.

What penalties result from PDPA non-compliance?

If an organization is determined to be in breach of the PDPA, the PDPC reserves the power to implement a variety of penalties. These include mandating that the organization to:

  • Destroy personal information gathered in violation of the PDPA.
  • Provide access to or correct personal data.
  • Pay a fine of up to 1 million Singapore dollars 

PDPC now has the authority to impose more severe monetary penalties. This includes up to 10 percent of the organization’s yearly turnover in Singapore if it exceeds SGD 10 million.


The PDPA is set in place so that organizations are obliged to ensure that they have enough security arrangements in place to protect the personal data they handle. This law protects customers from their confidential personal information being disclosed and bolsters businesses’ cybersecurity hygiene in the process. 

Also Read: Data Protection Act of Singapore: Validity in the Post-pandemic World



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us