tools-processes7 min read13 July 2026

Consent Form Templates: Marketing, Events and Employment

Free PDPA consent form templates for Singapore SMEs covering marketing, events and employment. Learn what valid consent requires under the PDPA 2012.

ComplyHQ Team

Consent Form Templates: Marketing, Events and Employment

Consent Form Templates: Marketing, Events and Employment

If your business collects names, emails, NRIC-adjacent details or photographs from customers, guests or staff, you need valid consent — and well-drafted consent form templates are the simplest way to get it right the first time. Under Singapore's Personal Data Protection Act 2012 (PDPA), consent is one of the central obligations governing how your organisation collects, uses and discloses personal data. This guide breaks down what makes consent legally valid, then gives you practical, ready-to-adapt consent form templates for three of the most common scenarios Singapore SMEs face: marketing, events, and employment.

TL;DR — Key Takeaways

  • Valid PDPA consent must be informed, specific and freely given — no pre-ticked boxes, no bundled purposes.
  • You need separate consent forms for marketing, events and employment because each serves a different purpose (PDPA Section 18, Purpose Limitation).
  • Every marketing message must include an opt-out/unsubscribe mechanism.
  • PDPC has issued financial penalties of up to S$1 million (and higher for serious breaches under 2022 amendments) for consent and protection failures.
  • Keep written proof of consent for as long as you rely on it, plus a buffer.

Under the PDPA, consent is valid only when the individual is notified of the purpose of collection, understands it, and agrees voluntarily. Sections 13 to 17 of the Act set out the Consent Obligation, while Section 20 requires you to notify individuals of your purposes on or before collecting their data. In practice, this means a consent form must be clear, specific and free of deceptive practices.

The PDPC's Advisory Guidelines on Key Concepts are explicit on three points. First, consent cannot be bundled — you cannot require someone to consent to marketing as a condition of buying a product (Section 14(2)(a) prohibits making consent a condition of providing a service beyond what is reasonable). Second, deemed consent applies only in narrow circumstances, such as when an individual voluntarily provides data for an obvious purpose. Third, individuals have the right to withdraw consent at any time under Section 16, and you must honour that withdrawal.

Definitive statement: A consent form that uses a pre-ticked checkbox, hides the purpose in fine print, or bundles unrelated purposes together does not constitute valid consent under the PDPA — regardless of whether the individual signed it.

Good consent form templates therefore share four features: a plain-language statement of purpose, a clear affirmative action (an unticked box or signature), the identity and contact of your Data Protection Officer (DPO), and a note on how to withdraw consent. If you are still building the underlying process, our PDPA compliance checklist for Singapore SMEs walks through the foundational obligations first.

For marketing, valid consent means the individual has affirmatively agreed to receive promotional messages and understands which channels you will use. Singapore's rules are stricter here because both the PDPA and the Spam Control Act apply. Roughly speaking, you need consent to collect and use data for marketing, plus a working opt-out in every message you send.

A compliant marketing consent statement should specify the channels (email, SMS, WhatsApp, phone), the type of content, and the withdrawal method. Here is a template you can adapt:

Marketing Consent ☐ I consent to [Your Company Pte Ltd] collecting and using my personal data (name, email address and mobile number) to send me marketing and promotional information about its products, services and events via email, SMS and WhatsApp.

I understand that I may withdraw this consent at any time by emailing [dpo@yourcompany.sg] or clicking "unsubscribe" in any message. Withdrawal will take effect within 10 business days.

Three rules make these consent form templates defensible. One, the box must be unticked by default. Two, if you use phone numbers registered on the national Do Not Call (DNC) Registry, you must either check the register before sending telemarketing messages or rely on clear and unambiguous consent in written form — the DNC provisions (Part IX of the PDPA) carry their own penalties. Three, retain the timestamp and source of each consent so you can prove it later. For sector-specific nuances, our guides on PDPA compliance for e-commerce and PDPA for F&B and restaurants show how marketing consent works alongside loyalty programmes and online orders.

For events, consent must cover both the collection of registration data and — critically — the taking and publishing of photographs or video that identify attendees. A person's image is personal data under the PDPA when they are identifiable from it, so event consent forms need a distinct photography clause.

Event organisers routinely collect names, company details, dietary requirements and emergency contacts. Each of these should be tied to a stated purpose. Here is a two-part event consent template:

Event Registration & Media Consent Part A — Registration: I consent to [Your Company Pte Ltd] using my registration details (name, organisation, email, dietary needs) to manage my attendance at [Event Name] on [Date].

Part B — Photography & Media: ☐ I consent to being photographed and/or filmed at this event, and to [Your Company Pte Ltd] using such images on its website, social media and marketing materials.

I understand I may decline Part B and still attend, and may request removal of published images by contacting [dpo@yourcompany.sg].

Notice that Part B is separable — attendees can join the event without agreeing to appear in your marketing. This respects the PDPA's prohibition on making unrelated consent a condition of service. For large events, display prominent signage stating that photography is taking place and how to opt out; the PDPC accepts notification-based approaches for crowd photography where individual consent is impractical, provided a reasonable opt-out exists.

Data point: PDPC enforcement decisions consistently cite the Protection Obligation (Section 24) alongside consent failures. Between 2019 and 2023, the majority of financial penalties issued by the Commission related to inadequate protection of personal data — a reminder that collecting consent is only half the job; you must also secure the data you gather. Real cases are analysed in our guide to PDPA penalties and enforcement.

For employment, consent form templates should distinguish between data your organisation needs to run the employment relationship and data used for secondary purposes such as internal directories, CCTV, or performance monitoring. Much employment data can be collected under deemed consent or the legitimate interests exception, but transparency is still mandatory.

Under the PDPA, employers may rely on the legitimate interests exception for activities such as workplace security and internal investigations, without express consent — but only after a documented assessment that the benefit outweighs any adverse effect on the employee. For everything else, a clear notification-and-consent form remains best practice. A sample employment data clause:

Employee Personal Data Notice & Consent [Your Company Pte Ltd] collects and uses your personal data (NRIC/FIN, bank details, CPF number, next-of-kin) to administer payroll, statutory contributions, benefits and workplace safety. This data may be disclosed to CPF Board, IRAS, MOM and our appointed insurers and payroll vendors.

☐ I additionally consent to my name, photograph and role being published in the internal staff directory and on the company website.

Note that the payroll and statutory portion is a notification, not an optional consent — you cannot run employment without it, and disclosures to CPF, IRAS and MOM are legally required. The photograph and directory portion, by contrast, is a genuine choice. Monitoring employees adds further obligations; see our dedicated guide on employee monitoring and the PDPA before you deploy CCTV or productivity tracking.

Whatever forms you adopt, your staff need to understand why consent matters and how to handle withdrawal requests. Building that awareness is covered in our guide to PDPA staff training requirements.

A template is a starting point, not a compliance programme. Every form must connect to a live process: a place to store signed consents, a way to action withdrawals, and a DPO who can respond to queries within the PDPC's expected timelines. This is where many SMEs stall — drafting forms is easy, but maintaining consent records across marketing lists, event archives and HR files is where gaps appear.

This is exactly the kind of administrative burden ComplyHQ was built to remove. ComplyHQ offers AI-powered compliance that handles your PDPA obligations in minutes, not weeks — generating tailored consent forms, tracking consent records, and mapping your obligations to the relevant PDPA sections so nothing slips through. If your needs extend to custom-built systems or integrations, Adaptels provides digital solutions for Singapore SMEs that can connect consent capture directly into your CRM or booking tools.

Definitive statement: The organisations that avoid PDPC penalties are rarely the ones with the fanciest forms — they are the ones that can produce proof of valid consent and action a withdrawal quickly when asked.

If you also need to prepare for the worst case, our step-by-step data breach response guide explains your notification duties under the mandatory Data Breach Notification obligation introduced in 2021.

  • Selling or promoting? Use a marketing consent form with channel-specific opt-in and an unsubscribe link.
  • Running an event? Use a registration form plus a separable photography/media consent.
  • Hiring or managing staff? Use an employment notice for statutory data, plus optional consent for directories and images.
  • Collecting anything else? Notify the purpose first (Section 20), then obtain affirmative consent.

Each of these consent form templates should carry your organisation's name, your DPO's contact details, and a clear withdrawal route. Adapt the wording to your actual purposes — copying a template without matching it to what you really do with the data is one of the fastest ways to end up with consent that does not hold up.

Sources & References

  1. PDPC — Personal Data Protection Act Overview
  2. PDPC — Advisory Guidelines on Key Concepts in the PDPA
  3. PDPC — Do Not Call Registry
  4. PDPC — Guide to Managing Data Breaches
  5. Ministry of Manpower — Employment Practices

Simplify Your Compliance

ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.

Try Free Assessment

Frequently Asked Questions

Do I need written consent for every marketing email I send in Singapore?
Not always. Under the PDPA and the Spam Control Act, you need clear consent to collect and use personal data for marketing, but consent can be given through a checkbox, a signed form, or another affirmative action. What matters is that consent is informed and freely given, and that every marketing message includes an unsubscribe option. Pre-ticked boxes and 'bundled' consent do not meet PDPC standards.
Can I use one consent form for both marketing and employment purposes?
No. The PDPA's Purpose Limitation Obligation (Section 18) requires that personal data be used only for purposes a reasonable person would consider appropriate, and that were notified at collection. Marketing consent and employment data collection serve very different purposes, so combining them into one blanket form risks invalidating the consent. Use separate, purpose-specific consent forms for each context.
How long should I keep signed consent records?
The PDPA does not set a fixed retention period, but under the Retention Limitation Obligation (Section 25) you must keep records only as long as there is a legal or business need. As a practical rule, retain proof of consent for as long as you rely on it, plus a reasonable buffer to defend against complaints. Many Singapore SMEs keep consent records for the duration of the relationship plus three years.
Tags:PDPASingapore complianceSMEdata protectionPDPC

Ready to get PDPA compliant?

Stop guessing about compliance. ComplyHQ uses AI to assess your gaps, generate policies, and guide you through every PDPA obligation.

Gap AssessmentPolicy GeneratorAI Compliance Chat
10 July 20267 min read

Data Protection Policy Template for Singapore SMEs

A practical data protection policy template for Singapore SMEs, with PDPA-aligned clauses, PDPC guidance and step-by-step instructions to draft your own in minutes.

Read more
7 July 20267 min read

Employee Data Protection Training: Building Awareness

Employee data protection training is the front line of PDPA compliance for Singapore SMEs. Learn how to build staff awareness, cut breach risk, and meet PDPC rules.

Read more
5 July 20267 min read

Cookie Consent Implementation Guide for Singapore

A practical cookie consent guide for Singapore SMEs. Learn PDPA-compliant consent banners, cookie categories, and PDPC requirements for your website.

Read more