10 PDPA Obligations Every Singapore Business Must Follow
Complete guide to all 10 PDPA obligations for Singapore businesses. Learn each requirement with real examples, compliance tips, and penalties for non-compliance.
10 PDPA Obligations Every Singapore Business Must Follow
I was sitting with a client last year — a retail chain with about 40 employees — when their marketing manager casually mentioned they had been collecting customer NRIC numbers at their loyalty counter. "We've always done it that way," she said. That single practice was putting them at risk of fines up to S$1 million.
TL;DR: Complete guide to all 10 PDPA obligations for Singapore businesses. Learn each requirement with real examples, compliance tips, and penalties for non-compliance.
Singapore's Personal Data Protection Act is built around 10 core obligations that govern how your business collects, uses, stores, and shares personal data. These are not guidelines or suggestions — they carry real enforcement teeth, and the PDPC has shown it is willing to use them against businesses of every size.
This guide walks through each obligation in depth, with practical examples drawn from real scenarios I have encountered working with Singapore SMEs.
Overview: The 10 Obligations at a Glance
| # | Obligation | PDPA Section | Key Question It Answers |
|---|---|---|---|
| 1 | Consent | Part IV, Div 1 (Ss 13-17) | Do I have permission to collect this data? |
| 2 | Purpose Limitation | Part IV, Div 2 (Ss 18-19) | Am I using the data only for its stated purpose? |
| 3 | Notification | Part IV, Div 3 (Ss 20-21) | Have I told people why I am collecting their data? |
| 4 | Access | Part IV, Div 4 (S 21) | Can people see what data I have on them? |
| 5 | Correction | Part IV, Div 4 (S 22) | Can people fix errors in their data? |
| 6 | Accuracy | Part IV, Div 5 (S 23) | Is the data I hold accurate and complete? |
| 7 | Protection | Part IV, Div 6 (S 24) | Am I protecting the data from unauthorised access? |
| 8 | Retention Limitation | Part IV, Div 7 (S 25) | Am I keeping data only as long as necessary? |
| 9 | Transfer Limitation | Part IV, Div 8 (S 26) | Am I protecting data sent overseas? |
| 10 | Data Breach Notification | Part VIA (Ss 26A-26E) | Am I reporting breaches promptly? |
Plus: Every organisation must appoint a Data Protection Officer (DPO) under Section 11(3).
Obligation 1: Consent
Section: Part IV, Division 1 (Sections 13-17)
The rule: You need consent before collecting, using, or disclosing personal data. And that consent must be informed — the person has to understand what you are collecting and why.
Types of Consent
Express consent: The individual actively agrees. They tick a box on a form, sign a consent clause, or verbally confirm after hearing the purpose.
Deemed consent: This one trips up a lot of business owners. Consent can be implied from someone's actions. When a customer fills in your website contact form with their details, they have effectively consented to you using that data to respond to their enquiry. But not for anything else.
Deemed consent by notification: This was introduced by the 2020 amendments, and it is genuinely useful for businesses. You notify the individual that you plan to collect or use their data for a specific purpose and give them a reasonable window to opt out. If they stay silent, consent is deemed given. I have seen this work well for businesses transitioning to new CRM systems — you notify existing customers, give them two weeks to object, and those who do not respond are deemed to have consented.
What You Cannot Do
- Bundle consent: A common mistake among e-commerce businesses. You cannot force someone to consent to marketing emails as a condition of completing their purchase. Those are separate decisions.
- Refuse withdrawal: If a customer wants to pull their consent, you must let them. You can explain the consequences — "we will not be able to send you delivery updates" — but you cannot block the withdrawal.
- Collect beyond purpose: No stockpiling data "just in case." Every piece of data needs a specific, stated reason for being collected.
Practical Example
An online store collects names, addresses, emails, and phone numbers for order fulfilment. Perfectly reasonable — the customer is providing data to complete a transaction. But when that store starts using those phone numbers for marketing SMS without getting separate consent, they have crossed a line.
I worked with a Shopee seller who was doing exactly this. They had thousands of customer numbers and were blasting promotions without any marketing consent. That is a breach waiting to happen.
For a detailed guide, see Understanding Consent Under PDPA.
Obligation 2: Purpose Limitation
Section: Part IV, Division 2 (Sections 18-19)
The rule: You may only collect, use, or disclose personal data for purposes a reasonable person would consider appropriate — and that you have told the individual about.
What This Means in Practice
This obligation forces you to be intentional about your data practices. Collect only what you actually need. Do not repurpose customer data for something unrelated without going back to get fresh consent. If you gathered email addresses for order confirmations, you cannot suddenly pivot those into a marketing mailing list.
One F&B client of mine had built a massive customer database through their reservation system. When they wanted to use it for a new loyalty programme, they had to go back and get specific consent for that new purpose. It was the right thing to do, and it actually improved their opt-in rates because customers appreciated the transparency.
The DNC Connection
Section 19 specifically targets marketing. You must not send voice calls, SMS, or fax messages to numbers on the Do Not Call (DNC) Registry unless you have clear, unambiguous consent. The number of businesses that still ignore this is astonishing.
Obligation 3: Notification
Section: Part IV, Division 3 (Sections 20-21)
The rule: Before or at the time of collection, you must tell people what data you are collecting and why.
How to Notify
The standard approach is a privacy policy on your website (see our free privacy policy template). But a privacy policy alone is not enough. You should also have:
- Point-of-collection notices on every form and sign-up page
- Verbal explanations when collecting data over the phone or in person
- Visible signage wherever CCTV is operating
Here is the key requirement the PDPC emphasises: the notification must be understandable. Plain language, not legal jargon wrapped in impenetrable paragraphs. If your privacy notice reads like a contract drafted by committee, it is not meeting the standard.
For guidance, see Do I Need a Privacy Policy for My Singapore Website?.
Obligation 4: Access
Section: Part IV, Division 4 (Section 21)
The rule: When someone asks, you must give them access to their personal data that you hold, plus information about how you have used or disclosed it in the past year.
Key Requirements
- Respond within 30 calendar days (you can extend to 60 days with notice if the request is complex)
- You may charge a reasonable fee for processing
- Provide the data in a readable format
- You can refuse if the request threatens someone's safety, would reveal another person's data, or is clearly frivolous
Practical Tip
The businesses that struggle with access requests are the ones that have no idea where all their personal data sits. I have watched companies spend days tracking down data scattered across spreadsheets, email inboxes, and legacy systems. Having a proper data inventory saves enormous pain when that 30-day clock starts ticking.
Obligation 5: Correction
Section: Part IV, Division 4 (Section 22)
The rule: When someone points out that their data is wrong, you need to fix it as soon as practicable.
Key Requirements
- Correct errors promptly once you are satisfied they exist
- If you decide not to make a correction, annotate the record with what the person requested
- Send corrected data to any organisations you shared it with in the past year (unless the individual says otherwise)
This sounds straightforward, but it can get complicated when data flows through multiple systems. If you correct a customer's address in your CRM but not in your billing system, you have only half-fixed the problem.
Obligation 6: Accuracy
Section: Part IV, Division 5 (Section 23)
The rule: Make reasonable efforts to keep personal data accurate and complete — especially when it affects decisions about someone or gets shared with other organisations.
Practical Measures
- Validate data at collection (email format checks, address lookups)
- Let people update their own details through self-service portals
- Run periodic data quality reviews
- Flag issues before making decisions based on potentially stale data
One of my clients — an insurance agency — was making renewal decisions based on customer records that had not been updated in three years. Addresses were wrong, ages were wrong, and the premium calculations were off. Getting accuracy right is not just about compliance; it protects your business decisions.
Obligation 7: Protection
Section: Part IV, Division 6 (Section 24)
The rule: You must make reasonable security arrangements to protect personal data from unauthorised access, use, disclosure, copying, modification, disposal, or loss.
This is the obligation that generates the most enforcement actions. By a wide margin.
What "Reasonable" Means
The PDPC uses a proportionality test, weighing factors like:
- How sensitive the data is (medical records demand more protection than business emails)
- How much data you process
- What harm a breach could cause
- Your organisation's size and resources
- What others in your industry are doing
Minimum Security Measures
Regardless of your business size, you should have:
- Access controls: Not everyone in the company needs access to every customer record
- Strong passwords and MFA: On every system that holds personal data
- Encryption: For sensitive data, both when stored and when transmitted
- Patching: Keep all software updated. Unpatched systems are the lowest-hanging fruit for attackers
- Secure disposal: Shred paper documents. Properly wipe hard drives. Do not just throw them in the recycling
- Physical security: Lock the filing cabinet. Secure the server room
- Staff training: Your people are your weakest link and your first line of defence
Enforcement Spotlight
The SingHealth breach — which resulted in a combined S$1 million penalty — is the landmark case, but the PDPC regularly goes after smaller organisations for the same kinds of failures: unpatched systems, weak passwords, no access controls, insufficient monitoring. A clinic in Bukit Timah got fined S$15,000 for storing patient data in an unencrypted spreadsheet accessible to every staff member. These are avoidable mistakes.
Obligation 8: Retention Limitation
Section: Part IV, Division 7 (Section 25)
The rule: Do not keep personal data longer than necessary. When it has served its purpose and no legal requirement compels you to hold on, destroy it or strip out the identifying information.
How to Comply
- Define retention periods for each category of personal data you collect
- Write them down in a data retention policy — the PDPC expects documentation
- Schedule annual reviews to identify data that has overstayed its welcome
- Destroy securely: Shredding for paper, certified wiping for digital storage
- Consider anonymisation: If you need historical trends for analytics, remove the identifying details
Common Retention Periods in Singapore
- Financial records: 5 years (IRAS requirement)
- Employment records: Up to 2 years after employment ends
- Customer transaction records: Typically 5-7 years
- Marketing consent records: As long as consent remains active
- CCTV recordings: Typically 30-90 days unless an incident occurred
I find that most SMEs have never purged a single record. Everything from their first customer in 2015 is still sitting in a folder somewhere. That is a compliance risk and a breach liability.
Obligation 9: Transfer Limitation
Section: Part IV, Division 8 (Section 26)
The rule: You cannot send personal data outside Singapore unless you ensure the overseas recipient provides comparable protection.
When This Applies
More often than you think. Any time personal data leaves Singapore — including:
- Cloud servers located overseas (your AWS or Google Cloud setup likely qualifies)
- Sharing data with overseas business partners or subsidiaries
- Using SaaS tools hosted in the US or Europe (that CRM, email marketing platform, or accounting tool)
- Sending employee data to a head office abroad
How to Comply
You can transfer data overseas if:
- The recipient country has comparable data protection laws
- You have contractual clauses binding the recipient to PDPA-equivalent standards
- The individual consents after being told about the risks
- The transfer is necessary for a contract between you and the individual
Practical tip: Check your cloud service agreements. Most major providers offer data processing agreements with adequate safeguards — but you need to actually sign them, not just assume they exist.
For businesses operating across borders, see PDPA vs GDPR: Key Differences.
Obligation 10: Data Breach Notification
Section: Part VIA (Sections 26A-26E)
The rule: Since February 2021, you must notify the PDPC within 3 calendar days of concluding that a breach is notifiable. If the breach could cause significant harm, you must also tell the affected individuals.
Notifiable Thresholds
A breach triggers notification if:
- It results in or is likely to result in significant harm to anyone affected, OR
- It affects or is likely to affect 500 or more individuals
Key Actions
- Have a documented Data Breach Response Plan before anything goes wrong
- Contain breaches the moment you discover them
- Assess notifiability as fast as practicable
- Notify the PDPC within 3 calendar days of your assessment
- Notify affected individuals if significant harm is on the table
- Fix the root cause and prevent recurrence
Three calendar days is tight. I have seen organisations scramble because they had no incident response plan and wasted the first two days figuring out who was in charge. Do not be that company.
For a comprehensive guide, see PDPA Data Breach Notification: Step-by-Step Guide.
The DPO Requirement: Obligation Zero
While it is not one of the numbered 10, Section 11(3) requires every organisation to designate a Data Protection Officer (DPO). In my experience, this is the foundation everything else rests on. Without someone actually driving compliance day-to-day, the other nine obligations tend to gather dust.
For details, see How to Appoint a Data Protection Officer in Singapore.
How the Obligations Work Together
These 10 obligations are not independent items to tick off a list. They form an interconnected system:
- Consent and Notification operate in tandem: you need consent for collection, and notification tells people what they are agreeing to.
- Purpose Limitation constrains what you do with data after you have collected it.
- Access and Correction put control back in the hands of individuals.
- Accuracy ensures the data you hold is trustworthy enough for decision-making.
- Protection guards data throughout its lifecycle.
- Retention Limitation ensures data does not linger indefinitely.
- Transfer Limitation extends safeguards to data that crosses borders.
- Data Breach Notification provides a safety net when protection measures fail.
The businesses that do compliance well treat it as a system, not a checklist. They think about how data flows through their organisation from collection to disposal and make sure each obligation is addressed at every stage.
Assess your compliance across all 10 obligations in minutes. ComplyHQ's AI-powered gap assessment evaluates your current practices against each PDPA obligation and provides a prioritised action plan. Start a free assessment
Penalties for Non-Compliance
The PDPC's enforcement powers include:
- Financial penalties: Up to S$1 million per breach (or 10% of annual turnover for organisations exceeding S$10 million revenue)
- Directions: Orders to stop processing, destroy data, or implement specific measures
- Public decisions: Every enforcement decision gets published with the organisation named
- Criminal liability: In severe cases, individual directors and officers can face personal liability
The reputational damage from a published enforcement decision often stings more than the fine. When your company name shows up on the PDPC website linked to a data protection failure, it stays there permanently and shows up in Google searches.
For details and examples, see PDPA Penalties and Fines: What You Risk for Non-Compliance.
Getting Started
If the idea of addressing all 10 obligations feels overwhelming, start with the basics and build from there. The most practical approach is to work through them systematically using a checklist — see our PDPA Compliance Checklist for Singapore SMEs (2026 Edition) for a step-by-step guide.
From what I have seen working with dozens of Singapore SMEs, the businesses that fare best are not the ones with perfect compliance on day one. They are the ones that have a documented plan, are making genuine progress, and can demonstrate they take data protection seriously when the PDPC comes asking.
Track your compliance progress with a clear dashboard. ComplyHQ shows you exactly where you stand on each obligation, what you have completed, and what needs attention. Get started free
Related Resources
- PDPA Compliance Checklist for Singapore SMEs (2026 Edition)
- PDPA Penalties and Fines: What You Risk for Non-Compliance
- How to Appoint a Data Protection Officer in Singapore
- PDPA Data Breach Notification: Step-by-Step Guide
- Understanding Consent Under PDPA
- PDPA vs GDPR: Key Differences
- PDPA and Employee Data: What Employers Must Know
- PDPA Compliance for E-Commerce Businesses
- PDPC Enforcement Cases: Real Fines and Lessons for SMEs
- Best PDPA Compliance Software for Singapore SMEs (2026)
- PDPC Official Website
Sources
- PDPC — Personal Data Protection Commission
- Personal Data Protection Act 2012
- CSA — Cyber Security Agency of Singapore
Looking for more? Check out Adaptels.
Simplify Your Compliance
ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.
Try Free AssessmentFrequently Asked Questions
What are the 10 PDPA obligations?
Do all 10 obligations apply to every business?
Which PDPA obligation do businesses most commonly breach?
Are there any exemptions to the PDPA obligations?
What is the maximum penalty for breaching PDPA obligations?
Ready to get PDPA compliant?
Stop guessing about compliance. ComplyHQ uses AI to assess your gaps, generate policies, and guide you through every PDPA obligation.