PDPA Correction Requests: How Singapore Businesses Should Respond
Learn how to handle a PDPA correction request in Singapore: legal timelines, valid exceptions, and a step-by-step process to keep your SME compliant with the PDPC.

PDPA Correction Requests: How Singapore Businesses Should Respond
Every Singapore organisation that collects personal data will eventually receive a PDPA correction request — a formal ask from an individual to fix inaccurate or incomplete data your business holds about them. Under Singapore's Personal Data Protection Act 2012 (PDPA), how you respond is not optional courtesy; it is a legal obligation under Section 22. Getting the process wrong exposes your business to complaints, directions, and financial penalties from the Personal Data Protection Commission (PDPC). This guide breaks the requirement into a clear, actionable workflow so your organisation can respond correctly, on time, and with confidence.
TL;DR — Key Takeaways
- A PDPA correction request is an individual's legal right under Section 22 of the PDPA to have inaccurate or incomplete personal data corrected.
- You should respond as soon as practicable — or notify the individual in writing of the expected timeline if you need longer.
- You cannot charge a fee for a correction request (unlike access requests).
- When you make a correction, you must send the corrected data to every other organisation you disclosed it to in the past year, unless they don't need it.
- Refusing without valid grounds under the Sixth Schedule can lead to PDPC directions and financial penalties of up to S$1 million (or 10% of annual turnover for larger organisations).
What Is a PDPA Correction Request?
A PDPA correction request is a request made by an individual, under Section 22 of the PDPA, asking your organisation to correct an error or omission in the personal data you hold about them. In practice, it means a customer, employee, or member of the public writing to say "the information you have about me is wrong — please fix it." Your organisation is legally required to consider and act on that request.
The right to correction sits alongside the right of access under Part V of the PDPA. Common examples include a customer asking you to update a misspelled name on records, an employee correcting an outdated address, or a client fixing an incorrect date of birth used for identity verification. These are not edge cases — the PDPC has consistently identified accuracy and correction as core data protection obligations for Singapore SMEs.
Definitive statement: Under Section 22 of the PDPA, if an individual requests a correction of an error or omission in their personal data, your organisation must correct it as soon as practicable — unless a specific legal exception applies.
How does a correction request differ from an access request?
An access request (Section 21) asks what data you hold and how it has been used; a correction request (Section 22) asks you to change data that is wrong. The two are often made together. A crucial practical difference: you may charge a reasonable fee for an access request, but you are prohibited from charging any fee for a correction request.
How Should Your Business Respond to a PDPA Correction Request?
When your business receives a PDPA correction request, you should verify the requester's identity, assess whether the correction is valid, make the correction as soon as practicable, and notify relevant third parties. The PDPC expects a documented, timely process — not an ad-hoc reply. The safest approach is a repeatable internal workflow that any staff member can follow.
Here is a step-by-step process aligned with the PDPC Advisory Guidelines on Key Concepts:
- Acknowledge and log the request. Record the date received, the requester, and what data they want corrected. This timestamp starts your compliance clock.
- Verify the requester's identity. Confirm the person making the request is the individual the data relates to (or an authorised agent). Do not over-collect new personal data during verification.
- Assess the request. Determine whether the data is genuinely inaccurate or incomplete, and whether any Sixth Schedule exception applies.
- Make the correction as soon as practicable. Update the record across all systems where the data lives.
- Notify other organisations. Under Section 22(2), send the corrected data to every other organisation to which the personal data was disclosed within a year before the correction — unless that organisation no longer needs it for any legal or business purpose.
- Respond in writing to the individual. Confirm the correction, or if you are refusing, explain and annotate the record accordingly.
- Document everything. Keep an audit trail; this is your evidence of compliance if the PDPC ever investigates.
Definitive statement: If your organisation cannot complete a PDPA correction request promptly, you must inform the individual in writing of the date by which you will respond.
This is exactly the kind of recurring obligation where tooling saves hours. ComplyHQ offers AI-powered compliance that handles your PDPA obligations in minutes, not weeks — generating correction-request response templates, tracking your correction-request deadline, and logging the audit trail automatically so nothing slips through.
When Can Your Business Refuse a PDPA Correction Request?
Your organisation can refuse a PDPA correction request only on the limited grounds set out in Section 22(6) and the Sixth Schedule of the PDPA. You are not obliged to correct data if you are not satisfied on reasonable grounds that the correction should be made. However, even when you refuse, you must annotate the personal data with the correction that was requested.
The main exceptions where you are not required to correct data include:
- Opinion data kept solely for an evaluative purpose — for example, a manager's performance assessment of an employee.
- Examination scripts and examination results before their release.
- The personal data of the beneficiaries of a private trust kept only for administering that trust.
- Data related to a prosecution if any related proceedings have not been completed.
- Data that is not to be corrected because a specified exception applies under the Schedule.
Importantly, refusal is not a blanket right. If you decline, you must still record the requested correction as an annotation, and you should be prepared to justify your reasoning if the individual complains to the PDPC. A poorly justified refusal is one of the more common triggers for enforcement scrutiny — you can see how disputes escalate in our review of real PDPA penalties and enforcement cases.
What happens if a correction affects other organisations?
If you have shared the individual's data with vendors, partners, or credit agencies, Section 22(2) requires you to send the corrected version to each of them (from the past year), unless they genuinely no longer need it. This is why keeping a clear data flow map matters — you cannot notify third parties you have not tracked. A structured PDPA compliance checklist for Singapore SMEs helps you maintain that visibility year-round.
Why PDPA Correction Requests Matter: Penalties and Enforcement
Mishandling a PDPA correction request is a genuine legal risk, not a technicality. Since the PDPA amendments took effect, the PDPC can impose financial penalties of up to S$1 million, or, for organisations with annual turnover exceeding S$10 million, up to 10% of annual turnover in Singapore — whichever is higher. The correction obligation is enforceable, and ignoring valid requests can lead to directions requiring you to comply, plus reputational damage.
Beyond fines, the accuracy obligation under Section 23 requires you to make a reasonable effort to ensure personal data is accurate and complete when it will be used to make a decision affecting the individual or disclosed to another organisation. Correction requests are one of the main mechanisms through which that accuracy is maintained. Treat them as a signal that your data quality process needs attention.
Definitive statement: Failing to respond to a valid PDPA correction request can be treated as a breach of Sections 22 and 23 of the PDPA, exposing your business to PDPC directions and financial penalties of up to S$1 million.
The organisations that handle these requests smoothly are the ones that have trained their staff in advance. Building that internal capability is covered in our guide to PDPA staff training requirements, which shows how to embed a data protection culture across your team.
Building a Repeatable Correction-Request Process
The most reliable way to stay compliant is to standardise how your organisation handles every PDPA correction request before one arrives. A written procedure, a designated Data Protection Officer (DPO), response templates, and a deadline-tracking system turn a stressful ad-hoc scramble into a routine 15-minute task. This is a low-cost investment that materially reduces your enforcement risk.
At minimum, your correction-request process should include:
- A single intake channel (for example, a dedicated email or web form) so requests are never missed.
- A verification protocol to confirm identity without over-collecting data.
- Pre-approved response templates for correction, refusal, and time-extension notifications.
- A deadline tracker that monitors your response timeline.
- An audit log capturing who did what and when.
For businesses that lack in-house legal resources, technology and expert partners close the gap. Purpose-built platforms such as ComplyHQ automate the deadline tracking and documentation, while specialist consultancies like Adaptels can help design the custom digital workflows and integrations that connect your CRM, HR, and support systems — so a corrected record updates everywhere at once. If your business handles customer data across online orders or storefronts, our sector guides on PDPA for e-commerce and PDPA for F&B and restaurants show how correction obligations apply in context.
Key Takeaways for Singapore Businesses
- A PDPA correction request is a legal right under Section 22 — respond as soon as practicable, or notify the individual in writing of a longer timeline.
- Never charge a fee for correction requests.
- You may refuse only on Sixth Schedule grounds, and you must still annotate the record with the requested correction.
- Notify third parties you shared the data with in the past year.
- Document every step — your audit trail is your defence if the PDPC investigates.
Handled well, a correction request is simply good data hygiene. Handled poorly, it is an avoidable compliance failure. Put a clear process in place now, and your organisation will respond to every future request with confidence.
Sources & References
Simplify Your Compliance
ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.
Try Free AssessmentFrequently Asked Questions
How long does my business have to respond to a PDPA correction request?
Can my business refuse a PDPA correction request?
Do I need to charge a fee for a PDPA correction request?
Ready to get PDPA compliant?
Stop guessing about compliance. ComplyHQ uses AI to assess your gaps, generate policies, and guide you through every PDPA obligation.