The Architecture
of Trust.
Personal Data Protection Act 2012 (PDPA). Singapore's pragmatic, pro-innovation approach to data privacy governance.
PDPA Obligations
Consent Obligation
Obtain consent before collecting, using, or disclosing personal data
Purpose Limitation
Collect, use, or disclose only for purposes a reasonable person would consider appropriate
Notification Obligation
Notify individuals of purposes for data collection
Access & Correction
Provide access to and correct personal data upon request
Accuracy Obligation
Make reasonable effort to ensure data is accurate and complete
Protection Obligation
Protect personal data with reasonable security arrangements
Retention Limitation
Cease retention when no longer necessary for legal or business purposes
Transfer Limitation
Ensure adequate protection for overseas transfers
Data Breach Notification
Notify PDPC and affected individuals within 3 days of significant breaches
Personal Data Protection Commission
The PDPC administers and enforces the PDPA, promotes data protection awareness, and provides guidance on compliance. It operates under the Infocomm Media Development Authority (IMDA).
Investigation
Investigate complaints and conduct inquiries
Enforcement
Issue directions and impose financial penalties
Guidance
Publish advisory guidelines and decisions
Notable Enforcement
1.5M patient records
Security lapses in healthcare
Personal data in URLs
APEC CBPR System
Singapore participates in the APEC Cross-Border Privacy Rules (CBPR) system, facilitating trusted data flows across the Asia-Pacific region through certification.
- APEC CBPR Certification
- ASEAN Model Framework
- Bilateral Arrangements
- Contractual Safeguards
Transfer Considerations
For transfers between India and Singapore, organizations must comply with both DPDPA Section 16 and PDPA Transfer Limitation Obligation.
Adequacy Analysis →Navigate APAC Privacy
Our Singapore node provides comprehensive PDPA compliance advisory for India-ASEAN data flows.
Get in Touch