Essential information regarding Singapore’s PDPA compliance

As of October 15, 2012, the Parliament of Singapore passed a data protection bill called Personal Data Protection Act (PDPA). PDPA strives to protect an individual’s personal data by regulating how organisations collect, use and disclose such data. This aligns with Singapore’s vision of being a trusted and intelligent nation that strives to uphold the highest privacy protection standards. Here is everything you ought to be aware of about compliance with PDPA.

What Is Singapore’s PDPA?

The Singapore Personal Data Protection Act (PDPA) was introduced in 2012 and came into effect in July 2014. It is a data protection law that sets out the rules for how personal data should be collected, used, and disclosed by organisations in the country. Resultantly, the PDPA applies to all businesses that collect, use, or disclose personal data, regardless of whether they are based in Singapore or overseas.  

“Personal data” includes information about an individual that can be leveraged to identify that individual, such as a name, NRIC number, passport number, or email address. Businesses that collect these personal data are bound to the robust obligations of PDPA compliance. Failure to meet this compliance can result in fines of up to S$1 million.

A man's hand holding a confidential file being PDPA compliant

What Are the Types of Personal Data That PDPA Does Not Apply To?

The Personal Data Protection Act 2012 does not apply to specific types of personal data, such as when an individual engages in the gathering, using, or disclosure of personal data on a personal or domestic basis.  

Similarly, any individual acting in their position as an employee with an organisation and any public agency does not come under the scope of this law. Lastly, the PDPA Singapore guidelines do not pertain to business contact information such as a person’s name, position or title, business phone number, business address, business email, business fax number, or similar data.

What Are Your Business’ PDPA Obligations?

When businesses engage in activities such as obtaining, using, or disclosing personal data, they must meet certain PDPA obligations. The following are the ten primary obligations under Singapore’s PDPA compliance

Accountability Obligation

This implies that businesses are accountable for the personal data they possess.

Notification Obligation 

Businesses must notify users of the purpose of data collection. 

Businesses can only gather data with the user’s consent, with the provision for the user to withdraw their consent whenever. 

Purpose Limitation Obligation

Only practical purpose for the data collection is allowed, such as only what is necessary for delivering products or services. 

Accuracy Obligation

The entity must ensure the collected data’s accuracy to provide users with niched services. 

Protection Obligation

Necessary protection measures must be in place to safeguard the collected personal data from unauthorised access. 

Retention Limitation Obligation

If no longer required or legally outdated, stop the retention of personal data or properly dispose of it.

Transfer Limitation Obligation

Must meet PDPA regulations before transferring personal data to another country with a comparable data protection policy. 

Access and Correction Obligation

Businesses with personal data must comply with users’ requests to access their information and how they have used it. 

Data Breach Notification Obligation

When under a data breach, organisations must consider the severity of the situation before notifying the users and the PDPC. 

How a Mobile Visitor Management System Can Help You Comply With Singapore’s PDPA

Business owner pointing on a contract and holding a pen showing a business obligation to be PDPA compliant.

Under the PDPA, businesses must take reasonable steps to protect personal data from unauthorised access, destruction, use, modification, or disclosure. A mobile visitor management system (VMS) can help you comply with the PDPA by providing a secure way to collect and store personal data. Only authorised personnel can access the data for legitimate business purposes through this technology. As a result, a mobile visitor management system provides a secure and efficient way for PDPA compliance.

Qbasis Logo

Supercharge your business with Qbasis’ Smart Management Solutions


Qbasis Pte Ltd

+65 6908 5980

8 Ubi Road 2
Zervex #08-03
Singapore 408538