PDPA Privacy Policy Requirements: What Every Singapore Website Must Include
Complete guide to PDPA privacy policy requirements for Singapore SMEs. Learn what PDPC mandates, penalties, and how to stay compliant in 2026.

If you run a business in Singapore—whether you sell online, collect email addresses, or process customer payments—you legally need a PDPA-compliant privacy policy. Yet many SME owners either skip this entirely or cobble together a template that doesn't actually reflect how their business handles data.
The consequences are real: the Personal Data Protection Commission (PDPC) has issued correction notices to Singapore companies, fined organisations up to SGD 1 million for egregious breaches, and damaged countless reputations through enforcement actions.
This guide walks you through exactly what the PDPA (Personal Data Protection Act 2012) requires in a privacy policy, why each element matters, and how to build one that protects your customers and your business.
What is a Privacy Policy Under PDPA?
A privacy policy is a legal document that explains how your organisation collects, uses, discloses, and protects personal data. Under PDPA, it's not optional—it's a mandatory accountability measure.
The PDPC's Advisory Guidelines on Key Concepts state that organisations must make their data protection policies and practices transparent and easily accessible to individuals. A privacy policy is your primary tool for doing this.
Why This Matters for Singapore SMEs
Singapore's Personal Data Protection Act covers every organisation that collects personal data of individuals in Singapore, regardless of company size. A freelancer with an email list, a hawker stall with a loyalty program, or an e-commerce site all need PDPA compliance.
PDPC enforcement has increased. In recent years, the commission has:
- Issued correction notices to fintech companies for inadequate data protection notices
- Fined retail chains for failing to implement consent mechanisms
- Required hospitality businesses to overhaul their data handling practices
The common thread: incomplete or unclear privacy policies that didn't explain data practices honestly.
Core Requirements: What PDPA Says Your Privacy Policy Must Include
The PDPA doesn't prescribe a single format for privacy policies, but it does mandate specific information. Under the Personal Data Protection Act 2012 and the PDPC Advisory Guidelines, your privacy policy must address these eight core areas:
1. Identification and Contact Details of Your Organisation
Your policy must clearly identify:
- Your organisation's name
- Your office address in Singapore
- Contact information (email, phone, or both)
- Your Data Protection Officer (if you have one), or the person responsible for data protection queries
Why this matters: Individuals must know exactly who is collecting their data and how to reach you with concerns. Vague language like "our company" without a legal entity name isn't sufficient.
Example for an SME:
"Personal data collected through this website is handled by TechHub Singapore Pte Ltd, located at 50 Bras Basah Road, Singapore 189558. For data protection inquiries, contact dpo@techhubsg.com or call +65 6234 5678."
2. Purpose of Collection and Use
You must clearly state why you're collecting each type of data. Generic purposes don't comply.
Common legitimate purposes include:
- Fulfilling a service or transaction (e.g., shipping an order)
- Sending marketing communications (with consent)
- Fraud prevention and security
- Legal compliance (e.g., accounting records for tax purposes)
- Improving products or services
- Customer support
Why this matters: PDPA requires that you collect data for a "reasonable purpose" related to your functions. Collecting phone numbers "for any purpose we deem necessary" is too vague and won't hold up in a PDPC audit.
Red flags that PDPC enforcement has targeted:
- Undefined "marketing" without specifying what type
- "Analytics purposes" without explaining what you analyse
- Collecting data "for future use" without specifying what use
Example for an SME:
"We collect your email address to: (a) send you a confirmation of your purchase, (b) notify you of order updates, (c) send you promotional offers if you've opted in, and (d) respond to customer support requests. We collect your phone number solely to arrange delivery of your order and contact you if we need clarification on your address."
3. Categories of Personal Data Collected
List the types of personal data you collect:
- Name, email, phone number
- Mailing address
- Payment information (noting that you do not store full credit card details, if that is the case)
- Browsing behaviour (via cookies/analytics)
- Location data
- Device information
- Purchase history
Why this matters: Specificity builds trust and transparency. Saying "we collect information about you" is vague; listing "name, email, order history, and shipping address" is clear.
Example:
"We collect the following categories of personal data:
- Contact information: name, email address, phone number, mailing address
- Transaction data: order history, payment method (processed securely; full card details not stored)
- Device and usage data: IP address, browser type, pages visited, time spent on site (via cookies)
- Communication data: messages you send via our contact form or customer support"
4. Consent and Legal Basis
PDPA requires consent for most data collection, with some exceptions.
You must explain:
- How consent is obtained (tick boxes, explicit agreement, etc.)
- That consent is voluntary and can be withdrawn
- Any consequences of refusing consent
- What data processing happens without explicit consent (e.g., for contract fulfilment)
Why this matters: PDPC enforcement has specifically targeted businesses that don't clearly obtain opt-in consent for marketing. Pre-ticked boxes violate PDPA; you need active, affirmative consent.
Example:
"We collect and use your personal data only with your consent, except where permitted by law. For marketing communications, you must actively tick the box 'Yes, send me special offers and updates.' You can withdraw consent at any time by clicking the unsubscribe link in emails or contacting us directly. If you don't consent to marketing, you'll still receive transactional emails (order confirmations, shipping updates)."
5. Recipients and Disclosure Practices
You must disclose:
- Who has access to personal data (your employees)
- Whether you share data with third parties (vendors, payment processors, delivery partners)
- Whether you transfer data overseas (this is critical—PDPC requires explicit notice)
- Any legal obligations requiring disclosure (e.g., court orders, police requests)
Why this matters: Many SMEs use third-party vendors (e.g., Stripe for payments, Mailchimp for email, Shopify for hosting) but don't disclose this to customers. PDPC views this as a breach of transparency.
Important note on cross-border transfers: If you use cloud services hosted outside Singapore, you must disclose this. You don't need permission to do so (under PDPA 2012), but you must inform individuals.
Example:
"We may disclose your personal data to:
- Our team members who need access to provide services
- Third-party service providers: Stripe (payment processing, USA), SendGrid (email delivery, USA), Shopify (website hosting, Canada), GrabExpress (deliveries, Singapore)
- Government agencies if required by law (e.g., ACRA, police)
We ensure all third parties sign data processing agreements and maintain adequate security. For details on how each vendor handles your data, see their respective privacy policies."
6. Data Security and Protection Measures
You must outline the technical, organisational, and administrative safeguards you use:
- Encryption (in transit and at rest)
- Access controls (who can access data)
- Regular backups
- Employee training on data protection
- Incident response procedures
- Retention and deletion policies
Why this matters: PDPC audits include specific questions about how data is protected. Vague language ("we take security seriously") doesn't meet the standard. Specific measures do.
Example:
"We protect your personal data through:
- SSL encryption for all data transmitted to our servers
- Password-protected access controls; only authorised staff can view customer data
- Regular backups stored securely
- Annual data protection training for all employees
- Incident response plan: we notify affected individuals within 5 business days of discovering any breach
- Data retention: we delete customer data 2 years after the last transaction, unless required to retain by law"
7. Individual Rights (Access, Correction, Withdrawal of Consent)
PDPA grants individuals the right to:
- Access their personal data held by your organisation
- Correct inaccurate data
- Withdraw consent for future use
- Opt out of marketing communications
- Request deletion (in limited circumstances)
You must explain how they exercise these rights and your timeline for response.
Why this matters: PDPC expects organisations to have clear, simple processes for individuals to exercise rights. If someone emails asking to see their data and you never respond, that's a violation.
Example:
"You have the right to:
- Access your data: Email us at dpo@techhubsg.com with your request. We'll provide a copy within 5 business days.
- Correct inaccurate data: Log in to your account and update your information, or contact us for assistance.
- Withdraw marketing consent: Click 'unsubscribe' in any marketing email, or reply to us with 'unsubscribe.'
- Request deletion: For data no longer needed for our business relationship, contact dpo@techhubsg.com. Some data may be retained for legal compliance.
We won't charge for reasonable requests, but may decline excessive or repetitive requests."
8. Cookie and Tracking Policy
If your website uses cookies, analytics tools, or pixel tracking, you must disclose:
- What cookies you use (session cookies, persistent cookies, third-party cookies)
- Why you use them (analytics, personalisation, advertising)
- How users can disable cookies (browser settings)
- Any analytics platforms (Google Analytics, Hotjar, etc.)
Why this matters: PDPC has advised that analytics and tracking tools collect personal data. If you don't disclose their use, you're not being transparent.
Example:
"Our website uses cookies and analytics tools:
- Session cookies: Keep you logged in while browsing
- Google Analytics: Tracks page views, user behaviour, and device type to improve our website (non-identifying)
- Hotjar heatmaps: Record mouse movements and clicks to understand user experience
These tools are governed by their own privacy policies. You can disable cookies in your browser settings, though some features may not work. View Google's privacy practices at google.com/policies/privacy."
Common Mistakes Singapore SMEs Make (And How to Avoid Them)
Mistake 1: Using a Generic Template Without Customisation
Many SME owners download a privacy policy template from overseas (often US-centric) and use it as-is. This fails PDPA compliance because:
- It may reference laws that don't apply in Singapore
- It may not address PDPC-specific requirements
- It won't accurately reflect your actual data practices
Fix: Use a Singapore-specific template as a starting point, then customise every section to match your actual business operations.
Mistake 2: Being Vague About Third Parties
Phrases like "we may share data with trusted partners" don't comply. PDPC expects specificity.
Fix: Name exact vendors and their purposes (e.g., "Stripe for payment processing," "Mailchimp for newsletters").
Mistake 3: Not Addressing Consent Clearly
Many policies bury consent requirements or use pre-ticked checkboxes. PDPA requires explicit, affirmative consent.
Fix: Use clear, unticked checkboxes with straightforward language: "Yes, I want to receive marketing emails from TechHub."
Mistake 4: Forgetting About Cross-Border Data Transfers
If you use cloud hosting, CRM systems, or email tools not based in Singapore, you must disclose this. Many SMEs don't realise this is required.
Fix: List every third-party vendor and their location. Transparency is your legal protection.
Mistake 5: Not Updating the Policy
A privacy policy written in 2020 that doesn't reflect current tools or practices is non-compliant.
Fix: Review and update annually, or whenever you implement new tools or change data practices.
PDPA Penalties: What's at Stake
If your privacy policy doesn't meet PDPA standards, PDPC can:
- Issue a correction notice requiring you to fix practices within a deadline
- Issue financial penalties: Up to SGD 1,000,000 for organisations, up to SGD 100,000 per violation
- Publicise the violation (which damages reputation and customer trust)
- Require remediation such as customer notifications, training, or system overhauls
Real Singapore examples:
- A fintech company fined for failing to clearly disclose data sharing with third parties
- A retail chain fined for collecting data without clear consent mechanisms
- A healthcare provider ordered to overhaul its privacy practices after audit
The good news: Most PDPC enforcement actions stem from negligence, not malice. A well-written, regularly updated privacy policy puts you in the clear.
How to Build Your PDPA-Compliant Privacy Policy
Step 1: Document Your Data Practices
Before writing, list:
- What personal data you actually collect (and from where)
- How you use it
- Who has access
- Which third parties you share it with
- Where data is stored (geographically)
- How long you retain it
- How you secure it
Step 2: Write in Clear, Plain Language
PDPC Advisory Guidelines emphasise clarity. Avoid:
- Legalese or overly technical language
- Vague phrases ("for business purposes")
- Buried important information
Use short sentences, bullet points, and clear headings.
Step 3: Address Each Required Element
Map your privacy policy against the eight requirements above. Ensure every section is covered.
Step 4: Get Legal Review
Ideally, have a Singapore-based data protection lawyer review your policy. This costs less than a PDPC correction notice.
Step 5: Publish and Link Clearly
Your privacy policy must be:
- Easily accessible (footer link on every page)
- Visible before data collection (e.g., before a form submission)
- Available in plain text (not a PDF buried on a page)
Step 6: Review Annually
Set a calendar reminder to review your policy every 12 months, especially if you:
- Add new data types
- Implement new tools or vendors
- Change how you use data
- Update security measures
Tools to Streamline PDPA Compliance
Building a privacy policy from scratch is time-consuming. Many Singapore SME owners find it quicker to use tools specifically designed for PDPA compliance.
ComplyHQ (complyhq.app), for instance, is an AI-powered compliance platform that guides you through PDPA requirements, generates a customised privacy policy based on your actual business practices, and sends reminders for annual reviews. Rather than spending weeks researching PDPC guidelines, you input your data practices and get a compliant policy in minutes.
Tools like this are particularly useful for SMEs with limited legal resources, ensuring compliance doesn't become a burden.
Checklist: Is Your Privacy Policy PDPA-Compliant?
Use this checklist to audit your current policy:
- ☐ Clearly identifies your organisation (legal name, address, contact details)
- ☐ Explains purpose(s) for collecting each data type
- ☐ Lists all categories of personal data collected
- ☐ Explains how and when consent is obtained (and that it's voluntary)
- ☐ Names all third parties who receive data, including overseas vendors
- ☐ Describes security and protection measures
- ☐ Explains individual rights (access, correction, withdrawal) and how to exercise them
- ☐ Discloses use of cookies and analytics tools
- ☐ Uses plain, clear language (not overly legal)
- ☐ Is easily accessible on your website
- ☐ Has been reviewed within the last 12 months
- ☐ Matches your actual data practices (not outdated)
If you check all boxes, you're compliant. If you miss any, prioritise those sections.
Final Thoughts: Privacy Policy as a Competitive Advantage
In Singapore, where data protection is taken seriously, a clear, comprehensive privacy policy signals to customers that you're trustworthy and professional. It's not just a legal requirement—it's good business.
Take time to get it right. Your customers will appreciate the transparency, and the PDPC won't come knocking with correction notices.
Have questions about PDPA compliance for your SME? ComplyHQ offers free assessments for Singapore businesses. Start here: complyhq.app