PDPA Compliance14 min read12 April 2026

10 PDPA Obligations Every Singapore Business Must Follow

Complete guide to all 10 PDPA obligations for Singapore businesses. Learn each requirement with real examples, compliance tips, and penalties for non-compliance.

ComplyHQ Team

10 PDPA Obligations Every Singapore Business Must Follow

I was sitting with a client last year — a retail chain with about 40 employees — when their marketing manager casually mentioned they had been collecting customer NRIC numbers at their loyalty counter. "We've always done it that way," she said. That single practice was putting them at risk of fines up to S$1 million.

TL;DR: Complete guide to all 10 PDPA obligations for Singapore businesses. Learn each requirement with real examples, compliance tips, and penalties for non-compliance.

Singapore's Personal Data Protection Act is built around 10 core obligations that govern how your business collects, uses, stores, and shares personal data. These are not guidelines or suggestions — they carry real enforcement teeth, and the PDPC has shown it is willing to use them against businesses of every size.

This guide walks through each obligation in depth, with practical examples drawn from real scenarios I have encountered working with Singapore SMEs.

Overview: The 10 Obligations at a Glance

#ObligationPDPA SectionKey Question It Answers
1ConsentPart IV, Div 1 (Ss 13-17)Do I have permission to collect this data?
2Purpose LimitationPart IV, Div 2 (Ss 18-19)Am I using the data only for its stated purpose?
3NotificationPart IV, Div 3 (Ss 20-21)Have I told people why I am collecting their data?
4AccessPart IV, Div 4 (S 21)Can people see what data I have on them?
5CorrectionPart IV, Div 4 (S 22)Can people fix errors in their data?
6AccuracyPart IV, Div 5 (S 23)Is the data I hold accurate and complete?
7ProtectionPart IV, Div 6 (S 24)Am I protecting the data from unauthorised access?
8Retention LimitationPart IV, Div 7 (S 25)Am I keeping data only as long as necessary?
9Transfer LimitationPart IV, Div 8 (S 26)Am I protecting data sent overseas?
10Data Breach NotificationPart VIA (Ss 26A-26E)Am I reporting breaches promptly?

Plus: Every organisation must appoint a Data Protection Officer (DPO) under Section 11(3).

Section: Part IV, Division 1 (Sections 13-17)

The rule: You need consent before collecting, using, or disclosing personal data. And that consent must be informed — the person has to understand what you are collecting and why.

Express consent: The individual actively agrees. They tick a box on a form, sign a consent clause, or verbally confirm after hearing the purpose.

Deemed consent: This one trips up a lot of business owners. Consent can be implied from someone's actions. When a customer fills in your website contact form with their details, they have effectively consented to you using that data to respond to their enquiry. But not for anything else.

Deemed consent by notification: This was introduced by the 2020 amendments, and it is genuinely useful for businesses. You notify the individual that you plan to collect or use their data for a specific purpose and give them a reasonable window to opt out. If they stay silent, consent is deemed given. I have seen this work well for businesses transitioning to new CRM systems — you notify existing customers, give them two weeks to object, and those who do not respond are deemed to have consented.

What You Cannot Do

  • Bundle consent: A common mistake among e-commerce businesses. You cannot force someone to consent to marketing emails as a condition of completing their purchase. Those are separate decisions.
  • Refuse withdrawal: If a customer wants to pull their consent, you must let them. You can explain the consequences — "we will not be able to send you delivery updates" — but you cannot block the withdrawal.
  • Collect beyond purpose: No stockpiling data "just in case." Every piece of data needs a specific, stated reason for being collected.

Practical Example

An online store collects names, addresses, emails, and phone numbers for order fulfilment. Perfectly reasonable — the customer is providing data to complete a transaction. But when that store starts using those phone numbers for marketing SMS without getting separate consent, they have crossed a line.

I worked with a Shopee seller who was doing exactly this. They had thousands of customer numbers and were blasting promotions without any marketing consent. That is a breach waiting to happen.

For a detailed guide, see Understanding Consent Under PDPA.

Obligation 2: Purpose Limitation

Section: Part IV, Division 2 (Sections 18-19)

The rule: You may only collect, use, or disclose personal data for purposes a reasonable person would consider appropriate — and that you have told the individual about.

What This Means in Practice

This obligation forces you to be intentional about your data practices. Collect only what you actually need. Do not repurpose customer data for something unrelated without going back to get fresh consent. If you gathered email addresses for order confirmations, you cannot suddenly pivot those into a marketing mailing list.

One F&B client of mine had built a massive customer database through their reservation system. When they wanted to use it for a new loyalty programme, they had to go back and get specific consent for that new purpose. It was the right thing to do, and it actually improved their opt-in rates because customers appreciated the transparency.

The DNC Connection

Section 19 specifically targets marketing. You must not send voice calls, SMS, or fax messages to numbers on the Do Not Call (DNC) Registry unless you have clear, unambiguous consent. The number of businesses that still ignore this is astonishing.

Obligation 3: Notification

Section: Part IV, Division 3 (Sections 20-21)

The rule: Before or at the time of collection, you must tell people what data you are collecting and why.

How to Notify

The standard approach is a privacy policy on your website (see our free privacy policy template). But a privacy policy alone is not enough. You should also have:

  • Point-of-collection notices on every form and sign-up page
  • Verbal explanations when collecting data over the phone or in person
  • Visible signage wherever CCTV is operating

Here is the key requirement the PDPC emphasises: the notification must be understandable. Plain language, not legal jargon wrapped in impenetrable paragraphs. If your privacy notice reads like a contract drafted by committee, it is not meeting the standard.

For guidance, see Do I Need a Privacy Policy for My Singapore Website?.

Obligation 4: Access

Section: Part IV, Division 4 (Section 21)

The rule: When someone asks, you must give them access to their personal data that you hold, plus information about how you have used or disclosed it in the past year.

Key Requirements

  • Respond within 30 calendar days (you can extend to 60 days with notice if the request is complex)
  • You may charge a reasonable fee for processing
  • Provide the data in a readable format
  • You can refuse if the request threatens someone's safety, would reveal another person's data, or is clearly frivolous

Practical Tip

The businesses that struggle with access requests are the ones that have no idea where all their personal data sits. I have watched companies spend days tracking down data scattered across spreadsheets, email inboxes, and legacy systems. Having a proper data inventory saves enormous pain when that 30-day clock starts ticking.

Obligation 5: Correction

Section: Part IV, Division 4 (Section 22)

The rule: When someone points out that their data is wrong, you need to fix it as soon as practicable.

Key Requirements

  • Correct errors promptly once you are satisfied they exist
  • If you decide not to make a correction, annotate the record with what the person requested
  • Send corrected data to any organisations you shared it with in the past year (unless the individual says otherwise)

This sounds straightforward, but it can get complicated when data flows through multiple systems. If you correct a customer's address in your CRM but not in your billing system, you have only half-fixed the problem.

Obligation 6: Accuracy

Section: Part IV, Division 5 (Section 23)

The rule: Make reasonable efforts to keep personal data accurate and complete — especially when it affects decisions about someone or gets shared with other organisations.

Practical Measures

  • Validate data at collection (email format checks, address lookups)
  • Let people update their own details through self-service portals
  • Run periodic data quality reviews
  • Flag issues before making decisions based on potentially stale data

One of my clients — an insurance agency — was making renewal decisions based on customer records that had not been updated in three years. Addresses were wrong, ages were wrong, and the premium calculations were off. Getting accuracy right is not just about compliance; it protects your business decisions.

Obligation 7: Protection

Section: Part IV, Division 6 (Section 24)

The rule: You must make reasonable security arrangements to protect personal data from unauthorised access, use, disclosure, copying, modification, disposal, or loss.

This is the obligation that generates the most enforcement actions. By a wide margin.

What "Reasonable" Means

The PDPC uses a proportionality test, weighing factors like:

  • How sensitive the data is (medical records demand more protection than business emails)
  • How much data you process
  • What harm a breach could cause
  • Your organisation's size and resources
  • What others in your industry are doing

Minimum Security Measures

Regardless of your business size, you should have:

  • Access controls: Not everyone in the company needs access to every customer record
  • Strong passwords and MFA: On every system that holds personal data
  • Encryption: For sensitive data, both when stored and when transmitted
  • Patching: Keep all software updated. Unpatched systems are the lowest-hanging fruit for attackers
  • Secure disposal: Shred paper documents. Properly wipe hard drives. Do not just throw them in the recycling
  • Physical security: Lock the filing cabinet. Secure the server room
  • Staff training: Your people are your weakest link and your first line of defence

Enforcement Spotlight

The SingHealth breach — which resulted in a combined S$1 million penalty — is the landmark case, but the PDPC regularly goes after smaller organisations for the same kinds of failures: unpatched systems, weak passwords, no access controls, insufficient monitoring. A clinic in Bukit Timah got fined S$15,000 for storing patient data in an unencrypted spreadsheet accessible to every staff member. These are avoidable mistakes.

Obligation 8: Retention Limitation

Section: Part IV, Division 7 (Section 25)

The rule: Do not keep personal data longer than necessary. When it has served its purpose and no legal requirement compels you to hold on, destroy it or strip out the identifying information.

How to Comply

  1. Define retention periods for each category of personal data you collect
  2. Write them down in a data retention policy — the PDPC expects documentation
  3. Schedule annual reviews to identify data that has overstayed its welcome
  4. Destroy securely: Shredding for paper, certified wiping for digital storage
  5. Consider anonymisation: If you need historical trends for analytics, remove the identifying details

Common Retention Periods in Singapore

  • Financial records: 5 years (IRAS requirement)
  • Employment records: Up to 2 years after employment ends
  • Customer transaction records: Typically 5-7 years
  • Marketing consent records: As long as consent remains active
  • CCTV recordings: Typically 30-90 days unless an incident occurred

I find that most SMEs have never purged a single record. Everything from their first customer in 2015 is still sitting in a folder somewhere. That is a compliance risk and a breach liability.

Obligation 9: Transfer Limitation

Section: Part IV, Division 8 (Section 26)

The rule: You cannot send personal data outside Singapore unless you ensure the overseas recipient provides comparable protection.

When This Applies

More often than you think. Any time personal data leaves Singapore — including:

  • Cloud servers located overseas (your AWS or Google Cloud setup likely qualifies)
  • Sharing data with overseas business partners or subsidiaries
  • Using SaaS tools hosted in the US or Europe (that CRM, email marketing platform, or accounting tool)
  • Sending employee data to a head office abroad

How to Comply

You can transfer data overseas if:

  1. The recipient country has comparable data protection laws
  2. You have contractual clauses binding the recipient to PDPA-equivalent standards
  3. The individual consents after being told about the risks
  4. The transfer is necessary for a contract between you and the individual

Practical tip: Check your cloud service agreements. Most major providers offer data processing agreements with adequate safeguards — but you need to actually sign them, not just assume they exist.

For businesses operating across borders, see PDPA vs GDPR: Key Differences.

Obligation 10: Data Breach Notification

Section: Part VIA (Sections 26A-26E)

The rule: Since February 2021, you must notify the PDPC within 3 calendar days of concluding that a breach is notifiable. If the breach could cause significant harm, you must also tell the affected individuals.

Notifiable Thresholds

A breach triggers notification if:

  1. It results in or is likely to result in significant harm to anyone affected, OR
  2. It affects or is likely to affect 500 or more individuals

Key Actions

  • Have a documented Data Breach Response Plan before anything goes wrong
  • Contain breaches the moment you discover them
  • Assess notifiability as fast as practicable
  • Notify the PDPC within 3 calendar days of your assessment
  • Notify affected individuals if significant harm is on the table
  • Fix the root cause and prevent recurrence

Three calendar days is tight. I have seen organisations scramble because they had no incident response plan and wasted the first two days figuring out who was in charge. Do not be that company.

For a comprehensive guide, see PDPA Data Breach Notification: Step-by-Step Guide.

The DPO Requirement: Obligation Zero

While it is not one of the numbered 10, Section 11(3) requires every organisation to designate a Data Protection Officer (DPO). In my experience, this is the foundation everything else rests on. Without someone actually driving compliance day-to-day, the other nine obligations tend to gather dust.

For details, see How to Appoint a Data Protection Officer in Singapore.

How the Obligations Work Together

These 10 obligations are not independent items to tick off a list. They form an interconnected system:

  • Consent and Notification operate in tandem: you need consent for collection, and notification tells people what they are agreeing to.
  • Purpose Limitation constrains what you do with data after you have collected it.
  • Access and Correction put control back in the hands of individuals.
  • Accuracy ensures the data you hold is trustworthy enough for decision-making.
  • Protection guards data throughout its lifecycle.
  • Retention Limitation ensures data does not linger indefinitely.
  • Transfer Limitation extends safeguards to data that crosses borders.
  • Data Breach Notification provides a safety net when protection measures fail.

The businesses that do compliance well treat it as a system, not a checklist. They think about how data flows through their organisation from collection to disposal and make sure each obligation is addressed at every stage.

Assess your compliance across all 10 obligations in minutes. ComplyHQ's AI-powered gap assessment evaluates your current practices against each PDPA obligation and provides a prioritised action plan. Start a free assessment

Penalties for Non-Compliance

The PDPC's enforcement powers include:

  • Financial penalties: Up to S$1 million per breach (or 10% of annual turnover for organisations exceeding S$10 million revenue)
  • Directions: Orders to stop processing, destroy data, or implement specific measures
  • Public decisions: Every enforcement decision gets published with the organisation named
  • Criminal liability: In severe cases, individual directors and officers can face personal liability

The reputational damage from a published enforcement decision often stings more than the fine. When your company name shows up on the PDPC website linked to a data protection failure, it stays there permanently and shows up in Google searches.

For details and examples, see PDPA Penalties and Fines: What You Risk for Non-Compliance.

Getting Started

If the idea of addressing all 10 obligations feels overwhelming, start with the basics and build from there. The most practical approach is to work through them systematically using a checklist — see our PDPA Compliance Checklist for Singapore SMEs (2026 Edition) for a step-by-step guide.

From what I have seen working with dozens of Singapore SMEs, the businesses that fare best are not the ones with perfect compliance on day one. They are the ones that have a documented plan, are making genuine progress, and can demonstrate they take data protection seriously when the PDPC comes asking.

Track your compliance progress with a clear dashboard. ComplyHQ shows you exactly where you stand on each obligation, what you have completed, and what needs attention. Get started free

Sources

  1. PDPC — Personal Data Protection Commission
  2. Personal Data Protection Act 2012
  3. CSA — Cyber Security Agency of Singapore

Looking for more? Check out Adaptels.

Simplify Your Compliance

ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.

Try Free Assessment

Frequently Asked Questions

What are the 10 PDPA obligations?
The 10 PDPA obligations are: (1) Consent, (2) Purpose Limitation, (3) Notification, (4) Access, (5) Correction, (6) Accuracy, (7) Protection, (8) Retention Limitation, (9) Transfer Limitation, and (10) Data Breach Notification. Additionally, every organisation must appoint a Data Protection Officer (DPO).
Do all 10 obligations apply to every business?
Yes. All 10 obligations apply to every private sector organisation in Singapore that collects, uses, or discloses personal data, regardless of size or industry. However, the PDPC applies a proportionality principle — the extent of measures required depends on your organisation's size, the volume of data processed, and the sensitivity of the data.
Which PDPA obligation do businesses most commonly breach?
Based on published PDPC enforcement decisions, the Protection Obligation (Section 24) is the most commonly breached. Organisations frequently fail to implement adequate security measures, leading to data breaches. The Consent Obligation is the second most common area of breach, often through over-collection of personal data or collecting data without a proper legal basis.
Are there any exemptions to the PDPA obligations?
There are limited exemptions. Government agencies are fully exempt. Business contact information used for business purposes is generally exempt. The PDPA also provides specific exemptions for personal or domestic purposes, investigative purposes, and certain legal proceedings. However, there is no general exemption based on business size, revenue, or number of employees.
What is the maximum penalty for breaching PDPA obligations?
The PDPC can impose financial penalties of up to S$1 million per breach. For organisations with annual turnover exceeding S$10 million in Singapore, the penalty can be up to 10% of annual turnover. The PDPC can also issue directions requiring organisations to stop data processing, destroy data, or implement specific compliance measures.

Ready to get PDPA compliant?

Stop guessing about compliance. ComplyHQ uses AI to assess your gaps, generate policies, and guide you through every PDPA obligation.

Gap AssessmentPolicy GeneratorAI Compliance Chat
5 July 202616 min read

PDPA Compliance Checklist for Singapore SMEs (2026)

A practical, step-by-step PDPA compliance checklist for Singapore SMEs — all core obligations, what to do first, and the penalties for getting it wrong. Free to use and reference.

Read more
11 May 202610 min read

PDPA Compliance for Clinics and Healthcare Providers in Singapore: A Practical Guide

How Singapore clinics, dental practices, and healthcare providers can comply with the PDPA. Covers patient data, consent, NRIC rules, breach notification, and common mistakes.

Read more
10 May 202611 min read

Data Protection Impact Assessment (DPIA) Singapore Guide for SMEs

Learn how to conduct a Data Protection Impact Assessment (DPIA) for your Singapore business. Step-by-step process, PDPA requirements, templates, and common mistakes.

Read more