PDPA Compliance · 12 min read · 26 April 2026

PDPC Enforcement Cases: Real Fines and What Singapore SMEs Can Learn

Breakdown of real PDPC enforcement cases and fines in Singapore. Learn from actual data breaches, what went wrong, and how SMEs can avoid the same mistakes.

ComplyHQ Team

The PDPC's enforcement record is one of the most useful — and underused — compliance resources available to Singapore businesses. Every published decision is a detailed case study: what went wrong, what the PDPC found, and what it cost.

Reading enforcement cases is more effective than reading the PDPA itself. The law tells you what the obligations are. The cases show you how those obligations are interpreted in practice, what level of security is actually expected, and how the PDPC decides what to fine.

This guide summarises key enforcement themes from PDPC decisions, with practical lessons for Singapore SMEs.

How PDPC Investigations Work

Before getting into case patterns, it helps to understand how investigations are triggered and conducted.

How Investigations Are Triggered

Self-reported data breaches: Mandatory breach notification, introduced by the 2020 amendments and in force since 1 February 2021, requires organisations to notify the PDPC within 3 calendar days of assessing that a breach meets the notification thresholds. That self-report almost always leads to an investigation into whether the Protection Obligation was met. For the thresholds and timelines, see our PDPA data breach notification guide.

Complaints from individuals: Any individual can file a complaint with the PDPC about a suspected PDPA violation. Complaints can relate to data breaches, unsolicited marketing, failure to respond to access requests, or excessive data collection.

Own-motion investigations: The PDPC can investigate any organisation based on publicly available information — news reports, social media, regulatory filings — without a complaint being filed.

Referrals from other agencies: Other government agencies may refer matters to the PDPC when they encounter potential PDPA violations in the course of their own work.

What the PDPC Can Do

The PDPC has broad enforcement powers:

  • Issue directions requiring remedial action (most common outcome)
  • Impose financial penalties of up to S$1 million, or, for organisations with annual Singapore turnover above S$10 million, up to 10% of that turnover if higher
  • Accept voluntary undertakings, binding commitments by the organisation to implement specific remedial measures, in place of a full investigation
  • Pursue criminal prosecution for certain serious offences

Outcomes range from directions alone to directions combined with a financial penalty. Directions without a penalty are common for first-time violations where the organisation cooperates and remediates promptly; a penalty becomes more likely where the failures were basic, the data sensitive or the number of individuals affected large.

Pattern 1: Inadequate Security Measures

The most common PDPA violation — across all PDPC enforcement decisions — is failure to implement reasonable security measures under the Protection Obligation (Section 24).

What the PDPC Expects

The Protection Obligation requires organisations to protect personal data with reasonable security arrangements. "Reasonable" is context-dependent but consistently interpreted by the PDPC to include:

  • Strong authentication controls (password policies, multi-factor authentication for systems containing significant personal data)
  • Regular security testing and vulnerability management
  • Network segmentation to limit the blast radius of a breach
  • Access controls on a need-to-know basis
  • Encryption for sensitive data at rest and in transit
  • Patch management for software and systems
  • Logging and monitoring of access to personal data systems

Common Failures

Case pattern — unpatched systems: Multiple decisions have involved organisations running outdated software with known vulnerabilities. The PDPC's consistent position: if a patch was publicly available before the breach, and the organisation had not applied it within a reasonable timeframe, this constitutes a failure of the Protection Obligation.

Lesson: Treat patch management as a compliance activity, not just an IT activity. Keep a log of when you apply critical patches — this documentation is your evidence.

Case pattern — weak authentication: Organisations that stored customer data in systems protected only by username/password combinations (no MFA) and suffered credential-based breaches have been found in violation of Section 24.

Lesson: Enable MFA on every system that holds personal data, and treat it as non-negotiable for anything reachable from the internet: remote access, admin consoles, cloud and SaaS dashboards. A username and password alone is no longer treated as reasonable security for such systems.

Case pattern — excessive access privileges: Several decisions found organisations had failed to implement role-based access controls. Customer service staff had access to data they did not need. When those accounts were compromised, the attacker could access data far beyond what was necessary.

Lesson: Audit who has access to personal data systems and apply the principle of least privilege. Document the access control policy.
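The access audit in the lesson above is easier to defend if it is repeatable and its output is kept as evidence. The following is an added example written for this page, not tooling from any PDPC decision: it compares an exported list of grants against a documented role policy and flags every grant the policy does not justify, ranking grants to financial, payroll or identity data higher. The roles, data stores, accounts and the shape of the grants export are constructed assumptions; substitute your own IAM or HR export.

```python
from dataclasses import dataclass

# Documented access policy: the personal-data stores each role legitimately needs.
# Constructed for this example; in practice export it from your IAM or HR system.
ROLE_POLICY = {
    "customer_service": {"crm_contacts", "ticket_history"},
    "finance": {"billing_records", "crm_contacts"},
    "hr": {"employee_records", "payroll"},
    "it_admin": set(),  # admins run the platform; break-glass access is handled separately
}

# Stores the PDPC would treat as higher-sensitivity (financial, payroll, identity documents)
HIGH_SENSITIVITY = {"billing_records", "payroll", "employee_records"}

# Constructed grants export: (account, role, store)
GRANTS = [
    ("alice", "customer_service", "crm_contacts"),
    ("alice", "customer_service", "ticket_history"),
    ("bob", "customer_service", "crm_contacts"),
    ("bob", "customer_service", "billing_records"),   # excess: high sensitivity
    ("carol", "finance", "billing_records"),
    ("carol", "finance", "payroll"),                  # excess: high sensitivity
    ("dave", "it_admin", "employee_records"),         # excess: high sensitivity
    ("dave", "it_admin", "crm_contacts"),             # excess: medium
    ("erin", "unknown_role", "crm_contacts"),         # role missing from policy
]


@dataclass
class Finding:
    account: str
    role: str
    store: str
    reason: str
    severity: str


def review_grants(grants, policy=ROLE_POLICY, sensitive=HIGH_SENSITIVITY):
    """Flag every grant the documented policy does not justify."""
    findings = []
    for account, role, store in grants:
        allowed = policy.get(role)
        if allowed is None:
            # A role the policy does not describe cannot be justified at all
            findings.append(Finding(account, role, store, "role not defined in access policy", "high"))
        elif store not in allowed:
            severity = "high" if store in sensitive else "medium"
            findings.append(Finding(account, role, store, "grant exceeds role policy", severity))
    return findings


def remediation_list(findings):
    """Group excess grants by account: the list you hand to the system owner to revoke."""
    by_account = {}
    for f in findings:
        by_account.setdefault(f.account, []).append(f.store)
    return by_account


if __name__ == "__main__":
    findings = review_grants(GRANTS)
    for f in findings:
        print(f"[{f.severity}] {f.account} ({f.role}) -> {f.store}: {f.reason}")
    print("revoke:", remediation_list(findings))
```

Run it on a schedule, keep each run's output with the date, and the review itself becomes the documentation the lesson asks for: a dated record that access was checked against a written policy and that excess grants were removed.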

For a structured approach to implementing the Protection Obligation, our PDPA compliance checklist covers the specific security measures the PDPC expects.

Pattern 2: Third-Party Vendor Failures

A recurring theme in PDPC decisions is organisations being held responsible for data breaches caused by third-party vendors or service providers.

The Key Principle

The PDPA does not reduce an organisation's accountability when it outsources data processing to a third party. If a vendor handles your customers' personal data and fails to protect it, the PDPC holds you — the data controller — responsible for the breach.

Common Failure Points

Inadequate vendor contracts: Organisations that lacked data protection clauses in their contracts with vendors were found to have failed to ensure the vendor's protection measures were adequate.

Lesson: Every contract with a vendor who handles personal data must include data protection requirements. At minimum: a requirement to comply with the PDPA, the right to audit, notification obligations in the event of a breach, and requirements to destroy data on termination.

No vendor assessment: Several cases involved organisations that had never assessed their vendors' security practices despite those vendors holding significant volumes of customer data.

Lesson: For significant vendors (cloud providers, payment processors, email marketing platforms, HR software), conduct at least a basic security assessment — review their privacy policy, check for ISO 27001 or SOC 2 certifications, and ask for their data handling procedures.

No visibility into subcontractors: Some cases involved data being passed to subcontractors that the original organisation did not know about.

Lesson: Require your vendors to notify you before engaging subprocessors, and require them to flow down data protection requirements to subcontractors.

See our data breach response guide for how to handle a vendor-caused breach.

Pattern 3: Consent Violations

Consent violations are the second most common category after protection failures. They most frequently arise in marketing contexts.

Case Pattern — Marketing Without Valid Consent

The PDPC has investigated and penalised organisations for sending marketing messages to individuals who had not consented, or whose consent was obtained in an invalid manner (buried in terms and conditions, bundled with consent to unrelated purposes, or obtained only after the data had already been collected and used).

Lesson: Review your consent collection mechanisms. Marketing consent must be:

  • Informed: the individual knows what they are consenting to
  • Specific: separate from other consents (e.g., separate checkbox for marketing)
  • Prior: obtained before sending marketing communications
  • Recorded: you must be able to demonstrate that consent was given

For the full breakdown of PDPA consent rules, see our guide to PDPA consent requirements.

Case Pattern — Do Not Call Registry Non-Compliance

The PDPC has penalised organisations that sent telemarketing messages (voice calls, text messages or faxes) to Singapore numbers listed on the Do Not Call (DNC) Registry without first checking the relevant register, or without an exemption that actually applied.

Lesson: If you market by phone, SMS or fax, check the numbers against the relevant DNC register before each send; a check result is valid for only 30 days, so a stale check does not count. The main exemption is clear and unambiguous consent from the individual, recorded in evidential form (for example a signed form or a timestamped opt-in), which you must be able to produce. See our DNC Registry guide for the full requirements.
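Putting the consent requirements and the DNC check together, here is an added example (constructed for this page, not from the PDPC or any real campaign tool) of a pre-send gate: a recipient is allowed only on valid marketing consent, or, failing that, on a fresh DNC check showing the number is not on the register for the channel used. The registry here is a local set standing in for the PDPC's DNC Registry service, the numbers and consent records are constructed, and the 30-day validity of a check result is the window in section 43 of the PDPA, kept as a parameter so you can confirm it against the Registry's current terms.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The DNC Registry is three registers, one per channel. Constructed local stand-in
# for the real lookup, which is done through the PDPC's DNC Registry service.
DNC_REGISTERS = {
    "voice": {"+6591110001", "+6591110003"},
    "text": {"+6591110001", "+6591110002"},
    "fax": set(),
}

# A DNC check result may only be relied on for 30 days (section 43 PDPA);
# kept as a parameter so it can be adjusted if the rule changes.
DNC_RESULT_VALIDITY = timedelta(days=30)


@dataclass
class Consent:
    number: str
    purpose: str        # the purpose the individual was told about
    given_at: datetime  # when consent was recorded
    standalone: bool    # a separate opt-in, not bundled into T&Cs
    evidence: str       # where the record lives: form ID, opt-in log entry, etc.


@dataclass
class DncCheck:
    number: str
    channel: str
    listed: bool
    checked_at: datetime


def consent_is_valid(c, send_time):
    """Informed, specific, prior and recorded: the four requirements above."""
    return (
        c.purpose == "marketing"
        and c.standalone
        and c.given_at < send_time
        and bool(c.evidence)
    )


def run_dnc_check(number, channel, at):
    """Simulated registry lookup; a real check calls the DNC Registry service."""
    return DncCheck(number, channel, number in DNC_REGISTERS[channel], at)


def gate_recipient(number, channel, consents, checks, send_time):
    """Return (allowed, reason). Valid marketing consent exempts a number from
    the DNC check; otherwise a fresh, clear DNC result for this channel is required."""
    for c in consents:
        if c.number == number and consent_is_valid(c, send_time):
            return True, f"valid marketing consent ({c.evidence})"
    for chk in checks:
        if chk.number == number and chk.channel == channel:
            if send_time - chk.checked_at > DNC_RESULT_VALIDITY:
                return False, "DNC check older than 30 days; re-check before sending"
            if chk.listed:
                return False, "listed on DNC register"
            return True, "not on DNC register"
    return False, "no DNC check performed for this channel"


def gate_campaign(recipients, channel, consents, checks, send_time):
    """Decide every recipient up front; the decisions double as the campaign's audit record."""
    return {n: gate_recipient(n, channel, consents, checks, send_time) for n in recipients}


# Constructed campaign data
SEND_TIME = datetime(2026, 4, 27, 9, 0)
CONSENTS = [
    Consent("+6591110001", "marketing", datetime(2026, 3, 1, 10, 0), True, "webform#4411"),
    Consent("+6591110002", "marketing", datetime(2026, 3, 5, 12, 0), False, "T&C clause 14"),  # bundled
    Consent("+6591110005", "marketing", datetime(2026, 5, 1, 0, 0), True, "webform#5002"),     # not prior
]
CHECKS = [
    run_dnc_check("+6591110002", "text", SEND_TIME - timedelta(days=1)),
    run_dnc_check("+6591110003", "text", SEND_TIME - timedelta(days=2)),
    run_dnc_check("+6591110004", "text", SEND_TIME - timedelta(days=40)),  # stale
]
RECIPIENTS = ["+6591110001", "+6591110002", "+6591110003", "+6591110004", "+6591110005"]

if __name__ == "__main__":
    for number, (ok, why) in gate_campaign(RECIPIENTS, "text", CONSENTS, CHECKS, SEND_TIME).items():
        print(f"{number}: {'SEND' if ok else 'BLOCK'} ({why})")
```

Two details carry the weight: the check is against the register for the channel actually used (a number can be on the voice register but not the text one), and a bundled or after-the-fact consent is rejected outright rather than treated as an exemption. Keeping the per-recipient decisions with the campaign gives you the record the PDPC will ask for.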

Pattern 4: Excessive Data Collection

The Purpose Limitation and Consent Obligations together prohibit collecting more data than you need for your stated purpose. Several PDPC decisions have targeted organisations that routinely collected excessive personal data.

Landmark Case Pattern — NRIC Collection

One of the most publicised areas of PDPC guidance involves the collection of NRIC numbers. The PDPC clarified — and then strengthened — rules on when organisations can collect and use NRIC numbers, culminating in new rules effective December 2026.

Lesson: Do not collect NRIC numbers as a general identification or verification measure. Under the PDPC's guidelines they may be collected only where required by law, or where it is necessary to verify an individual's identity to a high degree of fidelity. See our guide on NRIC collection rules in Singapore for the updated rules.

Case Pattern — Collecting Data "Just in Case"

Organisations that collected data without a clear purpose — reasoning that it might be useful later — were found to have breached the Purpose Limitation Obligation.

Lesson: Before collecting any personal data, ask: what specific business purpose does this serve? If you cannot articulate a clear, current purpose, do not collect the data.

Pattern 5: Failure to Respond to Access Requests

Individuals have the right under the PDPA to request access to personal data your organisation holds about them (and to how it has been used or disclosed in the year before the request), and to request corrections. Organisations that failed to respond within the statutory timeframe (30 days, or, where that is not possible, informing the individual within 30 days of when they will respond) or that denied requests without valid grounds have been penalised.

Common Failures

  • No process for receiving and managing access requests
  • Requests directed to generic email addresses that were not monitored
  • Staff unaware that they needed to process access requests under the PDPA
  • Organisations refusing requests citing administrative inconvenience

Lesson: Designate a specific point of contact for data access requests. Include the contact method in your privacy policy. Train staff on how to handle requests. Maintain a log of all requests and responses.

Pattern 6: Post-Breach Failures

Several organisations have faced additional enforcement action not for the breach itself, but for how they responded to it.

What Gets Organisations in Trouble

Delayed breach assessment: Taking weeks or months to decide whether a breach is notifiable. The PDPC's guidance expects the assessment to be completed promptly, as a rule within 30 calendar days of becoming aware of the breach; a slow investigation does not reset that clock.

Delayed notification: Notifying the PDPC more than 3 calendar days after assessing that the breach is notifiable, without a valid reason for the delay.

Inadequate notification content: Notifications to affected individuals that omitted required information — what data was affected, what risks they face, what they should do.

No post-breach remediation: Organisations that continued operating with the same security gaps that caused the breach, without implementing fixes.

Lesson: Have a breach response plan before you need it. Our PDPA data breach response plan guide covers what the plan must include and the exact steps to follow.

Factors That Reduce Penalties

Understanding what the PDPC weighs in setting penalties helps you manage the worst-case scenario.

Prompt self-reporting: Organisations that self-reported a breach before the PDPC became aware through other means consistently received more favourable treatment.

Genuine cooperation: Promptly providing information requested, not obstructing the investigation, and being transparent about what happened.

Proactive remediation: Organisations that had already implemented substantial fixes before the investigation concluded faced lower penalties.

No prior history: First-time violations typically result in lower penalties than repeat offenders.

Limited harm caused: Breaches involving low-sensitivity data (names and email addresses) with no evidence of actual misuse have resulted in lower penalties than breaches involving financial data, medical records, or identity documents.

How to Use Enforcement Cases as a Compliance Tool

The PDPC publishes decision summaries on its website. Use them as a practical compliance resource:

Annual review: Once a year, read through the PDPC's recent decisions. Note any new themes or sectors targeted.

Sector-specific patterns: Check if your industry is over-represented in PDPC cases. Healthcare, financial services, e-commerce, and real estate have historically seen more enforcement activity.

Gap identification: When you read a decision about a violation, ask: could this happen in my business? Use our free gap assessment to systematically check your exposure across all 10 obligations.

Vendor conversations: Use PDPC cases to have informed conversations with your vendors about their security practices. "The PDPC has penalised organisations for vendor breaches — can you show me your SOC 2 report?" is a legitimate and well-grounded question.

Key Takeaways

The PDPC's enforcement record is consistent. These are the obligations most likely to attract regulatory action:

  1. Protection Obligation (Section 24) — inadequate security measures, especially unpatched systems and weak authentication
  2. Consent Obligation — marketing without valid consent, DNC Registry non-compliance
  3. Third-party liability — failing to contractually bind vendors and assess their security
  4. Access and correction rights — no process to handle data access requests
  5. Breach response — delayed notification, inadequate investigation

None of these failures require technical sophistication to avoid. They require process, documentation, and management attention — exactly what a structured compliance programme provides.

Use ComplyHQ's free PDPA gap assessment to check your exposure across all 10 obligations. The assessment takes 15 minutes and generates a prioritised action list based on the real-world compliance gaps most commonly exploited in PDPC enforcement cases.


Frequently Asked Questions

How many PDPA enforcement cases has the PDPC handled?
As of early 2026, the PDPC has issued over 100 published enforcement decisions since the PDPA came into force in 2014. The volume of investigations has increased significantly following the 2020 PDPA amendments, which raised maximum penalties and introduced mandatory breach notification. The PDPC publishes summaries of all cases on its website, providing a valuable learning resource for businesses.
What is the highest fine the PDPC has ever issued?
The largest penalties to date arose from the 2018 SingHealth breach: S$750,000 against IHiS, the IT vendor, and S$250,000 against SingHealth, S$1 million in total, which matched the statutory maximum of S$1 million per organisation then in force. The 2020 amendments raised the cap (in force since 1 October 2022) to the higher of S$1 million or 10% of annual turnover in Singapore, for organisations with annual Singapore turnover above S$10 million. Most penalties against large organisations have fallen in the S$50,000 to S$750,000 range.
Can the PDPC investigate my business without a complaint being filed?
Yes. The PDPC has powers to conduct own-motion investigations — meaning it can investigate an organisation based on media reports, publicly disclosed data breaches, or its own intelligence, without any individual filing a complaint. Notifiable data breaches (which must be self-reported to the PDPC) frequently trigger follow-on investigations.
What factors does the PDPC consider when determining the fine amount?
The PDPC considers: (1) the number of individuals affected, (2) the nature and sensitivity of the data involved, (3) the organisation's cooperation during investigation, (4) whether the breach was deliberate or negligent, (5) the harm caused to affected individuals, (6) the organisation's prior compliance record, and (7) remedial actions taken after the breach. Prompt self-reporting, cooperation, and remediation consistently result in lower penalties.
Does the PDPC only investigate data breaches, or other PDPA violations too?
The PDPC investigates all types of PDPA violations, not just data breaches. Common non-breach investigations include: unlawful collection of personal data without consent, failure to respond to data access requests, sending marketing messages to individuals on the Do Not Call Registry, excessive data collection, and failure to appoint a Data Protection Officer. Breaches are the most visible because they require self-reporting, but non-breach violations are also regularly investigated and penalised.
Tags: PDPA enforcement, PDPC, data breach, compliance lessons, Singapore SME
