What is PDPA (Personal Data Protection Act - Singapore)?
Singapore's PDPA is a comprehensive data protection law that governs the collection, use, disclosure, and care of personal data by organizations, enforced by the Personal Data Protection Commission.
The Personal Data Protection Act (PDPA) of Singapore was enacted in 2012 and has undergone significant amendments, most notably in 2020. It establishes a baseline standard for data protection across the private sector in Singapore, governing how organizations collect, use, disclose, and care for personal data. The PDPA works alongside sector-specific legislation such as the Banking Act and the Insurance Act.
The PDPA is built on several key obligations: consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, and accountability (originally termed openness). The 2020 amendments introduced a mandatory data breach notification regime, expanded the deemed consent framework (including deemed consent by contractual necessity and by notification), and established a data portability obligation. Under the breach notification regime, an organization that suffers a data breach must assess whether it is notifiable; a breach is notifiable if it results in, or is likely to result in, significant harm to affected individuals, or if it is, or is likely to be, of a significant scale. Notifiable breaches must be reported to the Personal Data Protection Commission (PDPC), and affected individuals must also be notified where the breach is likely to result in significant harm to them.
The PDPC serves as the enforcement authority and can impose financial penalties of up to 10% of an organization's annual turnover in Singapore where that turnover exceeds SGD 10 million, or up to SGD 1 million for other organizations. The PDPA also established the Do Not Call Registry.
How IQWorks Helps
IQWorks supports PDPA compliance through ComplyIQ for managing obligations, ConsentIQ for consent management, and ProtectIQ for data protection controls.
Related Terms
GDPR (General Data Protection Regulation)
The General Data Protection Regulation is the European Union's comprehensive data protection law that sets strict rules for how organizations collect, store, and process personal data of EU residents, with fines of up to 4% of annual global turnover or EUR 20 million, whichever is higher.
Consent Management
Consent management is the systematic process of obtaining, recording, tracking, and managing individuals' consent for the collection and processing of their personal data in compliance with privacy regulations.
Data Breach Notification
Data breach notification is the legal requirement for organizations to inform supervisory authorities and affected individuals when a security incident results in unauthorized access to, or loss of, personal data.
Supervisory Authority
A supervisory authority is an independent public body established by a country to monitor and enforce compliance with data protection laws, such as the ICO in the UK or the CNIL in France.
Cross-Border Data Transfer
Cross-border data transfer refers to the movement of personal data from one country or jurisdiction to another, which is regulated by data protection laws that impose specific requirements to ensure adequate protection.