PDPA Compliance · 14 min read · 12 April 2026

10 PDPA Obligations Every Singapore Business Must Follow

Complete guide to all 10 PDPA obligations for Singapore businesses. Learn each requirement with real examples, compliance tips, and penalties for non-compliance.

ComplyHQ Team

The Personal Data Protection Act (PDPA) is built around 10 core obligations that govern how organisations collect, use, store, and share personal data. These obligations are not aspirational guidelines — they are enforceable legal requirements with financial penalties of up to S$1 million per breach.

This pillar guide covers each obligation in depth, with practical examples and compliance tips for Singapore businesses.

Overview: The 10 Obligations at a Glance

#  | Obligation                | PDPA Section                 | Key Question It Answers
1  | Consent                   | Part IV, Div 1 (Ss 13-17)    | Do I have permission to collect this data?
2  | Purpose Limitation        | Part IV, Div 2 (Ss 18-19)    | Am I using the data only for its stated purpose?
3  | Notification              | Part IV, Div 3 (Ss 20-21)    | Have I told people why I am collecting their data?
4  | Access                    | Part IV, Div 4 (S 21)        | Can people see what data I have on them?
5  | Correction                | Part IV, Div 4 (S 22)        | Can people fix errors in their data?
6  | Accuracy                  | Part IV, Div 5 (S 23)        | Is the data I hold accurate and complete?
7  | Protection                | Part IV, Div 6 (S 24)        | Am I protecting the data from unauthorised access?
8  | Retention Limitation      | Part IV, Div 7 (S 25)        | Am I keeping data only as long as necessary?
9  | Transfer Limitation       | Part IV, Div 8 (S 26)        | Am I protecting data sent overseas?
10 | Data Breach Notification  | Part VIA (Ss 26A-26E)        | Am I reporting breaches promptly?

Plus: Every organisation must appoint a Data Protection Officer (DPO) under Section 11(3).

Obligation 1: Consent

Section: Part IV, Division 1 (Sections 13-17)

The rule: You must obtain consent before collecting, using, or disclosing personal data. Consent must be informed — the individual must know what data you are collecting and why.

Express consent: The individual actively agrees. Examples include checking a consent box on a form, signing a consent clause, or verbally agreeing after being informed of the purpose.

Deemed consent: Consent is implied from the individual's behaviour. If someone voluntarily fills in a contact form on your website, they are deemed to have consented to their data being used to respond to their enquiry.

Deemed consent by notification: You notify the individual that you intend to collect, use, or disclose their data for a specific purpose, and provide a reasonable period for them to opt out. If they do not opt out, consent is deemed given. This mechanism was introduced by the 2020 PDPA amendments.

What You Cannot Do

  • Bundle consent: You cannot make consent to non-essential data collection a condition of providing a product or service. For example, you cannot require someone to consent to marketing emails before they can make a purchase.
  • Refuse withdrawal: If someone wants to withdraw consent, you must allow it. You can inform them of the consequences (e.g., "if you withdraw consent for email communication, we cannot send you order updates"), but you cannot refuse the withdrawal.
  • Collect beyond purpose: You cannot collect data "just in case" or for vague future purposes. Each piece of data must have a specific, stated purpose.

Practical Example

An online store collects names, addresses, email addresses, and phone numbers for order fulfilment. This is straightforward consent — the customer provides data to complete a purchase. But if the store also uses those phone numbers for marketing SMS without separate consent, that is a breach.

For a detailed guide, see Understanding Consent Under PDPA.

Obligation 2: Purpose Limitation

Section: Part IV, Division 2 (Sections 18-19)

The rule: You may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances and that have been notified to the individual.

What This Means in Practice

  • Collect only the data you actually need for the stated purpose
  • Do not repurpose data for unrelated uses without obtaining fresh consent
  • If you collect email addresses for order confirmations, you cannot use them for marketing without additional consent
  • Regularly review your data practices to ensure you are not using data beyond its original purpose

The DNC Connection

Section 19 specifically addresses marketing messages. You must not send marketing messages (voice calls, SMS, fax) to Singapore telephone numbers registered on the Do Not Call (DNC) Registry unless you have clear and unambiguous consent.

Obligation 3: Notification

Section: Part IV, Division 3 (Sections 20-21)

The rule: You must notify individuals of the purposes for which you are collecting, using, or disclosing their personal data, on or before the time of collection.

How to Notify

The standard mechanism is a privacy policy published on your website. This should be complemented by:

  • Point-of-collection notices on forms and sign-up pages
  • Verbal notifications during phone or in-person data collection
  • Clear signage where CCTV is in operation

The notification must be in a form that allows individuals to "easily understand" the purposes. This means plain language, not impenetrable legal text.

For guidance, see Do I Need a Privacy Policy for My Singapore Website?.

Obligation 4: Access

Section: Part IV, Division 4 (Section 21)

The rule: Upon request, you must provide individuals with access to their personal data that is in your possession or control, and information about how the data has been used or disclosed in the past year.

Key Requirements

  • Respond to access requests within 30 calendar days (extendable to 60 days with notice)
  • You may charge a reasonable fee for processing access requests
  • Provide the data in a readable format
  • You can refuse access if it would threaten safety, reveal another person's data, or if the request is frivolous or vexatious

Practical Tip

Have a documented process for handling access requests. Know where all personal data is stored (this is why the data inventory is important) so you can respond within the 30-day deadline.

Obligation 5: Correction

Section: Part IV, Division 4 (Section 22)

The rule: You must correct errors or omissions in personal data as soon as practicable when requested, once you are satisfied that the data is in fact wrong or incomplete.

Key Requirements

  • Correct errors as soon as practicable
  • If you decide not to make a correction, annotate the data with the correction that was requested
  • Send the corrected data to other organisations to which you disclosed the data in the past year (unless the individual agrees otherwise)

Obligation 6: Accuracy

Section: Part IV, Division 5 (Section 23)

The rule: You must make reasonable efforts to ensure personal data is accurate and complete, particularly if it is likely to be used to make decisions affecting the individual or disclosed to another organisation.

Practical Measures

  • Validate data at the point of collection (e.g., email format checks, address verification)
  • Allow individuals to update their own information (self-service portals)
  • Periodically review stored data for accuracy
  • Flag and address data quality issues before making decisions based on the data

Obligation 7: Protection

Section: Part IV, Division 6 (Section 24)

The rule: You must make reasonable security arrangements to protect personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal, or loss.

This is the obligation most frequently breached in PDPC enforcement actions.

What "Reasonable" Means

The PDPC applies a proportionality test. Factors considered include:

  • The nature and sensitivity of the data (health records need more protection than business emails)
  • The volume of data processed
  • The potential harm from a breach
  • Your organisation's size and resources
  • Industry norms and best practices

Minimum Security Measures

Regardless of size, every organisation should implement:

  • Access controls: Limit who can access personal data based on job function
  • Strong passwords and MFA: On all systems containing personal data
  • Encryption: For sensitive data at rest and in transit
  • Software updates: Keep all systems patched and up to date
  • Secure disposal: Shred paper documents, wipe hard drives, delete digital files securely
  • Physical security: Locked cabinets for paper files, secured server rooms
  • Staff training: Ensure employees understand security practices

Enforcement Spotlight

The Protection Obligation is where most PDPC penalties are imposed. Common failures include unpatched systems, weak passwords, improper access controls, and insufficient monitoring. The SingHealth breach (S$1 million total penalty) is the landmark case, but the PDPC regularly acts against smaller organisations for similar failures at a smaller scale.

Obligation 8: Retention Limitation

Section: Part IV, Division 7 (Section 25)

The rule: You must not keep personal data longer than necessary for the purpose for which it was collected, or for legal or business purposes. When data is no longer needed, you must destroy it or anonymise it.

How to Comply

  1. Define retention periods for each type of personal data you collect
  2. Document these periods in a data retention policy
  3. Schedule regular reviews (at least annually) to identify and purge data that has exceeded its retention period
  4. Destroy securely: Shred paper, securely wipe digital storage
  5. Consider anonymisation: If you need historical data for analytics, remove identifying information

Common Retention Periods in Singapore

  • Financial records: 5 years (IRAS requirement)
  • Employment records: Up to 2 years after employment ends
  • Customer transaction records: Typically 5-7 years
  • Marketing consent records: As long as consent is active
  • CCTV recordings: Typically 30-90 days unless an incident occurred
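
As an added worked example (not ComplyHQ's code), the sweep below applies the indicative periods above to a constructed data inventory and decides for each record whether it can still be retained, should be anonymised for analytics, or must be destroyed. The record fields, the rule that transaction history is anonymised rather than deleted, and the upper-bound reading of the 5-7 year range are assumptions.

```python
# Retention-limitation sweep over a data inventory (constructed example, not
# ComplyHQ code). Periods follow the indicative list above; fields are assumed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION_DAYS = {              # indicative periods from the list above
    "financial": 5 * 365,       # IRAS: 5 years
    "employment": 2 * 365,      # up to 2 years after employment ends
    "transaction": 7 * 365,     # 5-7 years; upper bound used here
    "cctv": 90,                 # 30-90 days unless an incident occurred
}
# Assumed: transaction history is kept for analytics, so anonymised on expiry.
ANONYMISE_ON_EXPIRY = {"transaction"}
TODAY = date(2026, 4, 12)

@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    employment_ended_on: Optional[date] = None  # clock start for employment
    consent_active: bool = False                # marketing-consent records
    incident_hold: bool = False                 # CCTV tied to an incident

def retention_action(rec: Record, today: date) -> str:
    """Return 'retain', 'anonymise' or 'destroy' for one record."""
    if rec.category == "marketing_consent":
        return "retain" if rec.consent_active else "destroy"  # tracks consent
    if rec.category == "cctv" and rec.incident_hold:
        return "retain"  # an incident hold overrides the 90-day clock
    if rec.category == "employment" and rec.employment_ended_on is None:
        return "retain"  # still employed: the retention period has not started
    if rec.category not in RETENTION_DAYS:  # a policy gap, not a licence to keep
        raise ValueError(f"no retention period defined for {rec.category!r}")
    start = rec.employment_ended_on or rec.collected_on
    if today < start + timedelta(days=RETENTION_DAYS[rec.category]):
        return "retain"
    return "anonymise" if rec.category in ANONYMISE_ON_EXPIRY else "destroy"

def sweep(records: list, today: date) -> dict:
    # Group record ids by the action the policy requires.
    plan = {"retain": [], "anonymise": [], "destroy": []}
    for rec in records:
        plan[retention_action(rec, today)].append(rec.record_id)
    return plan

SAMPLE = [  # constructed inventory
    Record("fin-1", "financial", date(2019, 3, 1)),
    Record("emp-1", "employment", date(2015, 1, 1)),
    Record("emp-2", "employment", date(2015, 1, 1), date(2022, 6, 30)),
    Record("txn-1", "transaction", date(2017, 1, 1)),
    Record("cctv-1", "cctv", date(2026, 1, 1)),
    Record("cctv-2", "cctv", date(2026, 1, 1), incident_hold=True),
    Record("mkt-1", "marketing_consent", date(2020, 1, 1), consent_active=True),
]
```

Running `sweep(SAMPLE, TODAY)` produces the purge plan for the review in step 3; a category with no defined period raises rather than silently retaining, which is how a gap in the retention policy should surface.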

Obligation 9: Transfer Limitation

Section: Part IV, Division 8 (Section 26)

The rule: You must not transfer personal data to a country or territory outside Singapore unless you ensure a comparable standard of protection.

When This Applies

Any time personal data leaves Singapore, including:

  • Storing data on cloud servers located overseas
  • Sharing data with overseas business partners or vendors
  • Using SaaS tools hosted in other countries (e.g., US-based email marketing tools, CRM systems)
  • Sending employee data to an overseas head office

How to Comply

You can transfer data overseas if:

  1. The recipient country has comparable data protection laws
  2. You have contractual clauses binding the recipient to PDPA-equivalent obligations
  3. The individual consents to the transfer after being informed of the risks
  4. The transfer is necessary for a contract between you and the individual

Practical tip: Review your cloud service agreements. Most major providers (AWS, Google Cloud, Microsoft Azure) offer data processing agreements that include appropriate safeguards.

For businesses operating internationally, see PDPA vs GDPR: Key Differences.

Obligation 10: Data Breach Notification

Section: Part VIA (Sections 26A-26E)

The rule: Since 1 February 2021, you must notify the PDPC within 3 calendar days of completing your assessment that a data breach is notifiable. You must also notify affected individuals if the breach is likely to result in significant harm.

Notifiable Thresholds

A breach is notifiable if:

  1. It results in or is likely to result in significant harm to any affected individual, OR
  2. It affects or is likely to affect 500 or more individuals

Key Actions

  • Have a documented Data Breach Response Plan
  • Contain breaches immediately upon discovery
  • Assess whether the breach is notifiable as soon as practicable
  • Notify the PDPC within 3 calendar days of assessment completion
  • Notify affected individuals if significant harm is likely
  • Remediate and prevent recurrence

For a comprehensive guide, see PDPA Data Breach Notification: Step-by-Step Guide.

The DPO Requirement: Obligation Zero

While not counted among the 10 data protection obligations, Section 11(3) requires every organisation to designate a Data Protection Officer (DPO). This is arguably the foundation that supports all other obligations, because without a responsible person driving compliance, the other obligations tend to be neglected.

For details, see How to Appoint a Data Protection Officer in Singapore.

How the Obligations Work Together

The 10 obligations are not independent checkboxes. They form an interconnected system:

  • Consent and Notification work together: you need consent for collection, and notification tells people what they are consenting to.
  • Purpose Limitation constrains what you can do with data after collection.
  • Access and Correction give individuals control over their data.
  • Accuracy ensures the data you hold is reliable for decision-making.
  • Protection safeguards data throughout its lifecycle.
  • Retention Limitation ensures data does not persist indefinitely.
  • Transfer Limitation extends protection to data sent overseas.
  • Data Breach Notification provides a safety net when protection fails.

Compliance is not about perfecting one obligation in isolation. It requires a systematic approach across all ten.

Penalties for Non-Compliance

The PDPC has enforcement powers including:

  • Financial penalties: Up to S$1 million per breach (or 10% of annual turnover for organisations above S$10 million)
  • Directions: Orders to stop processing, destroy data, or implement specific measures
  • Public decisions: Enforcement decisions are published, naming the organisation
  • Criminal liability: In severe cases, directors and officers may face personal liability

For details and examples, see PDPA Penalties and Fines: What You Risk for Non-Compliance.

Getting Started

The most practical approach for SMEs is to work through the obligations systematically using a checklist. See our PDPA Compliance Checklist for Singapore SMEs (2026 Edition) for a step-by-step guide.


Frequently Asked Questions

What are the 10 PDPA obligations?

The 10 PDPA obligations are: (1) Consent, (2) Purpose Limitation, (3) Notification, (4) Access, (5) Correction, (6) Accuracy, (7) Protection, (8) Retention Limitation, (9) Transfer Limitation, and (10) Data Breach Notification. Additionally, every organisation must appoint a Data Protection Officer (DPO).

Do all 10 obligations apply to every business?

Yes. All 10 obligations apply to every private sector organisation in Singapore that collects, uses, or discloses personal data, regardless of size or industry. However, the PDPC applies a proportionality principle: the extent of measures required depends on your organisation's size, the volume of data processed, and the sensitivity of the data.

Which PDPA obligation do businesses most commonly breach?

Based on published PDPC enforcement decisions, the Protection Obligation (Section 24) is the most commonly breached. Organisations frequently fail to implement adequate security measures, leading to data breaches. The Consent Obligation is the second most common area of breach, often through over-collection of personal data or collecting data without a proper legal basis.

Are there any exemptions to the PDPA obligations?

There are limited exemptions. Government agencies are fully exempt. Business contact information used for business purposes is generally exempt. The PDPA also provides specific exemptions for personal or domestic purposes, investigative purposes, and certain legal proceedings. However, there is no general exemption based on business size, revenue, or number of employees.

What is the maximum penalty for breaching PDPA obligations?

The PDPC can impose financial penalties of up to S$1 million per breach. For organisations with annual turnover exceeding S$10 million in Singapore, the penalty can be up to 10% of annual turnover. The PDPC can also issue directions requiring organisations to stop data processing, destroy data, or implement specific compliance measures.
