PDPA Compliance | 12 min read | 26 April 2026

PDPC Enforcement Cases: Real Fines and What Singapore SMEs Can Learn

Breakdown of real PDPC enforcement cases and fines in Singapore. Learn from actual data breaches, what went wrong, and how SMEs can avoid the same mistakes.

ComplyHQ Team

The PDPC's enforcement record is one of the most useful compliance resources available — and almost nobody reads it. Every published decision is a detailed case study: what went wrong, what the PDPC found, and what it cost. I make it a point to review new decisions when they come out, and the patterns are remarkably consistent.

TL;DR: Real PDPC enforcement cases broken down by pattern. The same five mistakes account for the vast majority of fines: weak security measures, vendor management failures, consent violations, excessive data collection, and slow breach response. None of them require technical sophistication to avoid — they require process, documentation, and someone paying attention.

Reading enforcement cases is more instructive than reading the PDPA itself. The law tells you what the obligations are. The cases show you how those obligations are interpreted in practice, what "reasonable" security actually means, and how the PDPC decides what to fine.

How Investigations Get Started

Before diving into the patterns, it helps to understand how the PDPC ends up at your door.

Self-reported breaches. Since the 2020 amendments, you must notify the PDPC of breaches meeting notification thresholds within 3 calendar days. This self-report almost always triggers an investigation into whether you had adequate protections. See our data breach notification guide.

Individual complaints. Anyone can file a complaint — about breaches, unsolicited marketing, ignored access requests, excessive data collection.

Own-motion investigations. The PDPC can investigate based on news reports, social media, or its own intelligence. No complaint needed.

Referrals from other agencies. Other government bodies sometimes flag potential PDPA issues they encounter.

What the PDPC Can Do

Issue directions requiring remedial action.

Impose financial penalties up to S$1 million (or 10% of Singapore turnover for larger organisations).

Accept binding undertakings.

Pursue criminal prosecution for serious offences.

Most enforcement actions result in a combination of directions and financial penalties.

Pattern 1: Weak Security Measures

This is the single most common violation across all PDPC decisions: failure to implement reasonable security under the Protection Obligation (Section 24).

What "Reasonable" Actually Means in Practice

Based on consistent PDPC interpretation, "reasonable" includes: strong authentication (password policies, MFA for systems with significant personal data), regular security testing and vulnerability management, network segmentation, need-to-know access controls, encryption at rest and in transit, patch management, and access logging.

The Failures That Keep Showing Up

Unpatched systems. Multiple decisions involve organisations running outdated software with known vulnerabilities. The PDPC's position: if a patch existed before the breach and you hadn't applied it within a reasonable timeframe, that's a Protection Obligation failure. One case I reviewed involved a company that hadn't updated their web server in over 14 months. The vulnerability that was exploited had been public for 11 of those months.

No MFA. Organisations with customer data behind nothing but username and password have been found in violation after credential-based breaches. MFA is now a baseline expectation for any system holding personal data beyond internal-only use.

Everyone has access to everything. Several decisions found organisations where customer service staff could access data they had no business seeing. When those accounts got compromised, the attacker had a much larger blast radius than necessary.

Takeaway: Treat patch management as a compliance activity, not just an IT chore. Enable MFA on everything with personal data. Audit who has access and apply least-privilege. Document your access control policy.

For a structured approach, our PDPA compliance checklist covers the specific security measures the PDPC expects.
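A minimal version of the access review the takeaway calls for, added here as an illustration (it is not ComplyHQ's or the PDPC's code): it diffs each account's entitlements against a documented per-role need-to-know baseline and flags personal-data systems that are reachable without MFA. The role baseline, the system inventory and the account records are constructed sample data; in practice they come from the HR roster and the identity provider's entitlement export.

```python
"""Access review for a least-privilege and MFA check.

Added illustration, not code from ComplyHQ, the PDPC or any vendor. The role
baseline, the list of systems holding personal data and the account records
below are constructed sample data."""

from dataclasses import dataclass

# Constructed: the data stores each role needs to do its job (need-to-know).
ROLE_BASELINE = {
    "customer_service": {"crm_tickets", "crm_contacts"},
    "finance": {"billing", "crm_contacts"},
    "marketing": {"campaign_tool"},
}

# Constructed: systems holding personal data, where MFA is the baseline expectation.
PERSONAL_DATA_SYSTEMS = {"crm_contacts", "billing", "hr_records"}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    mfa_enabled: bool


def review_access(accounts, role_baseline=ROLE_BASELINE,
                  personal_data_systems=PERSONAL_DATA_SYSTEMS):
    """Return findings as (user, finding, detail) tuples, in account order.

    excess_access: entitlements beyond the role's need-to-know baseline.
    no_mfa:        access to a personal-data system without MFA.
    unknown_role:  a role with no documented baseline, so it cannot be reviewed.
    """
    findings = []
    for acct in accounts:
        allowed = role_baseline.get(acct.role)
        if allowed is None:
            # An undocumented role is itself a finding: there is no policy to check against.
            findings.append((acct.user, "unknown_role", acct.role))
            continue
        excess = acct.entitlements - allowed
        if excess:
            findings.append((acct.user, "excess_access", sorted(excess)))
        personal = acct.entitlements & personal_data_systems
        if personal and not acct.mfa_enabled:
            findings.append((acct.user, "no_mfa", sorted(personal)))
    return findings


# Constructed sample export: one record per account.
SAMPLE_ACCOUNTS = [
    Account("alice", "customer_service", {"crm_tickets", "crm_contacts"}, True),
    Account("bob", "customer_service",
            {"crm_tickets", "crm_contacts", "billing", "hr_records"}, False),
    Account("carol", "marketing", {"campaign_tool"}, False),
    Account("dave", "intern", {"crm_contacts"}, True),
]


def run_sample_review():
    return review_access(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for user, finding, detail in run_sample_review():
        print(f"{user}: {finding} {detail}")
```

Run on the sample data, the review flags bob's billing and HR access as beyond the customer-service baseline, bob's missing MFA on three personal-data systems, and dave's undocumented role; alice and carol are clean. Keeping the baseline in a reviewed file and re-running the check on each entitlement export gives you both the least-privilege control and the documentation the PDPC looks for.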

Pattern 2: Third-Party Vendor Failures

A theme that keeps repeating: organisations held responsible for breaches caused by their vendors.

The Principle

The PDPA doesn't reduce your accountability when you outsource data processing. If your vendor handles customer data and fails to protect it, the PDPC holds you responsible. I've explained this to clients who genuinely believed that if their cloud provider got breached, it was the provider's problem. It's not.

Where It Goes Wrong

No data protection clauses in contracts. Organisations without contractual data protection requirements for their vendors were found to have failed their obligations. Every vendor contract needs PDPA compliance requirements, audit rights, breach notification obligations, and data destruction terms.

Never assessing vendor security. Several cases involved organisations that had never reviewed their vendors' security practices despite those vendors holding substantial customer data. For significant vendors, conduct at least a basic assessment — check their privacy policy, look for ISO 27001 or SOC 2, ask for data handling procedures.

Invisible subcontractors. Data was passed to subprocessors that the original organisation didn't know about. Require vendors to notify you before engaging subcontractors and flow down data protection requirements.

See our data breach response guide for how to handle vendor-caused breaches.

Pattern 3: Consent Violations

The second most common category after security failures. It almost always involves marketing.

Marketing without valid consent. Organisations penalised for sending messages to people who hadn't consented, or whose consent was obtained improperly — buried in terms and conditions, bundled with unrelated consent, or obtained after collection.

Marketing consent must be informed, specific, prior, and recorded. See our PDPA consent requirements guide.

DNC Registry non-compliance. Penalties for sending telemarketing messages to numbers registered on the Do Not Call Registry without performing a DNC check first. If you send any marketing by phone or SMS, you must check the registry before each campaign. See our DNC Registry guide.
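The consent and DNC checks above, as an added example that is not from the original article: before a campaign goes out, every number is screened against the DNC lookup result for that campaign and against a consent log that must show a specific, prior, recorded marketing consent for that channel. The consent log, the DNC snapshot, the phone numbers and the method names are constructed sample data; a real check queries the Registry itself before each campaign, and this example conservatively suppresses every registered number.

```python
"""Pre-send gate for an SMS/phone marketing campaign.

Added illustration, not code from ComplyHQ, the PDPC or any messaging vendor.
The consent log and the DNC Registry snapshot are constructed sample data."""

from datetime import date

# Constructed consent log: one record per number, channel and purpose, with
# the date consent was recorded and how it was obtained.
CONSENT_LOG = [
    {"number": "+6591000001", "channel": "sms", "purpose": "marketing",
     "recorded": date(2025, 11, 2), "method": "opt_in_checkbox"},
    {"number": "+6591000002", "channel": "sms", "purpose": "service_updates",
     "recorded": date(2025, 6, 1), "method": "opt_in_checkbox"},
    {"number": "+6591000003", "channel": "sms", "purpose": "marketing",
     "recorded": date(2025, 8, 14), "method": "opt_in_checkbox"},
    {"number": "+6591000004", "channel": "sms", "purpose": "marketing",
     "recorded": date(2025, 3, 9), "method": "bundled_in_terms"},
    {"number": "+6591000006", "channel": "sms", "purpose": "marketing",
     "recorded": date(2026, 6, 15), "method": "opt_in_checkbox"},
]

# Constructed DNC Registry lookup result obtained for this campaign.
DNC_REGISTERED = {"+6591000003", "+6591000005"}

# Consent given by a separate, affirmative act counts; consent buried in
# terms and conditions or bundled with something else does not.
ACCEPTED_METHODS = {"opt_in_checkbox", "signed_form", "recorded_verbal"}


def has_valid_consent(number, channel, send_date, consent_log=CONSENT_LOG):
    """Informed, specific, prior and recorded: a marketing consent for this
    channel, obtained by an accepted method, recorded before the send date."""
    return any(
        rec["number"] == number
        and rec["channel"] == channel
        and rec["purpose"] == "marketing"
        and rec["method"] in ACCEPTED_METHODS
        and rec["recorded"] < send_date
        for rec in consent_log
    )


def screen_campaign(recipients, channel, send_date,
                    dnc=DNC_REGISTERED, consent_log=CONSENT_LOG):
    """Return (send, suppressed): numbers cleared to send, and (number, reason)
    pairs that were dropped. Keep both lists as the record that the checks ran."""
    send, suppressed = [], []
    for number in recipients:
        if number in dnc:
            # Conservative: a Registry hit is suppressed regardless of consent.
            suppressed.append((number, "dnc_registered"))
        elif not has_valid_consent(number, channel, send_date, consent_log):
            suppressed.append((number, "no_valid_consent"))
        else:
            send.append(number)
    return send, suppressed


# Constructed campaign list.
SAMPLE_RECIPIENTS = ["+6591000001", "+6591000002", "+6591000003",
                     "+6591000004", "+6591000005", "+6591000006"]


def run_sample_screen():
    return screen_campaign(SAMPLE_RECIPIENTS, "sms", date(2026, 6, 1))


if __name__ == "__main__":
    cleared, dropped = run_sample_screen()
    print("send:", cleared)
    for number, reason in dropped:
        print("suppressed:", number, reason)
```

On the sample data only one number clears: the others fall to a Registry hit, a consent for a different purpose, a consent bundled into terms, or a consent recorded after the send date. Each of those is one of the defects the article lists, and the suppression list doubles as the evidence that the DNC and consent checks were actually performed for this campaign.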

Pattern 4: Excessive Data Collection

The Purpose Limitation and Consent Obligations together prohibit collecting more data than you need.

NRIC collection. One of the most publicised areas. The PDPC has progressively tightened rules on NRIC use, with new restrictions effective December 2026. Don't collect NRIC numbers as a general verification measure. See our NRIC collection rules guide.

Collecting "just in case." Organisations that collected data without a clear current purpose — "it might be useful later" — have been found in breach. Before collecting any personal data, ask: what specific business purpose does this serve right now? If you can't articulate one, don't collect it.

Pattern 5: Ignoring Access Requests

Individuals have the right to request access to their data and to request corrections. Organisations that failed to respond within the statutory timeframe or denied requests without valid grounds have been penalised.

Common failures: no process for receiving requests, requests going to unmonitored email addresses, staff unaware they needed to process requests, and organisations refusing on grounds of "administrative inconvenience."

Fix: Designate a specific contact for access requests. Include it in your privacy policy. Train staff. Keep a log of all requests and responses.

Pattern 6: Botched Breach Response

Several organisations faced additional enforcement not for the breach itself, but for how they responded.

Delayed assessment — taking weeks to determine if a breach was notifiable when the PDPC expects days.

Late notification — missing the 3-calendar-day window without valid reason.

Inadequate notification content — omitting what data was affected, what risks individuals face, or what they should do.

No remediation — continuing to operate with the same security gaps that caused the breach.

Fix: Have a breach response plan before you need one. Our breach response plan guide covers what it must include.

What Reduces Penalties

Understanding what the PDPC weighs helps you manage worst-case scenarios:

Prompt self-reporting — reporting before the PDPC finds out through other means consistently results in more favourable treatment.

Genuine cooperation — providing requested information promptly, being transparent about what happened.

Proactive remediation — having already implemented substantial fixes before the investigation concludes.

Clean record — first-time violations draw lower penalties than repeat offenders.

Limited actual harm — low-sensitivity data (names and emails) with no evidence of misuse results in lower penalties than financial data, medical records, or identity documents.

Using Enforcement Cases as a Compliance Tool

The PDPC publishes decision summaries on its website. Use them:

Annual review. Once a year, read through recent decisions. Note new themes or targeted sectors.

Sector patterns. Check if your industry is over-represented. Healthcare, financial services, e-commerce, and real estate have historically seen more enforcement.

Gap identification. When you read about a violation, ask: could this happen in my business? Use our free gap assessment to check systematically.

Vendor conversations. Use PDPC cases to have informed discussions with your vendors. "The PDPC has penalised organisations for vendor breaches — can you show me your SOC 2 report?" is a perfectly legitimate question.

The Bottom Line

The PDPC's enforcement record is consistent. These are the obligations most likely to get you in trouble:

  1. Protection Obligation (Section 24) — weak security, especially unpatched systems and no MFA
  2. Consent Obligation — marketing without valid consent, DNC Registry non-compliance
  3. Third-party liability — failing to bind vendors contractually and assess their security
  4. Access and correction rights — no process for handling data requests
  5. Breach response — delayed notification, inadequate investigation

None of these require technical wizardry to avoid. They require process, documentation, and management attention — exactly what a structured compliance programme provides.

Use ComplyHQ's free PDPA gap assessment to check your exposure across all 10 obligations. Takes 15 minutes, generates a prioritised action list based on the real-world gaps that show up most often in PDPC enforcement.



Frequently Asked Questions

How many PDPA enforcement cases has the PDPC handled?

As of early 2026, the PDPC has issued over 100 published enforcement decisions since the PDPA came into force in 2014. The volume of investigations has increased significantly following the 2020 PDPA amendments, which raised maximum penalties and introduced mandatory breach notification. The PDPC publishes summaries of all cases on its website, providing a valuable learning resource for businesses.

What is the highest fine the PDPC has ever issued?

The highest financial penalty imposed by the PDPC under the PDPA was S$1 million, the statutory maximum at the time. Following the 2020 amendments, the cap was raised to S$1 million or 10% of annual Singapore turnover (whichever is higher) for organisations with turnover exceeding S$10 million. Several large organisations have received fines in the S$50,000 to S$750,000 range.

Can the PDPC investigate my business without a complaint being filed?

Yes. The PDPC has powers to conduct own-motion investigations — meaning it can investigate an organisation based on media reports, publicly disclosed data breaches, or its own intelligence, without any individual filing a complaint. Notifiable data breaches (which must be self-reported to the PDPC) frequently trigger follow-on investigations.

What factors does the PDPC consider when determining the fine amount?

The PDPC considers: (1) the number of individuals affected, (2) the nature and sensitivity of the data involved, (3) the organisation's cooperation during investigation, (4) whether the breach was deliberate or negligent, (5) the harm caused to affected individuals, (6) the organisation's prior compliance record, and (7) remedial actions taken after the breach. Prompt self-reporting, cooperation, and remediation consistently result in lower penalties.

Does the PDPC only investigate data breaches, or other PDPA violations too?

The PDPC investigates all types of PDPA violations, not just data breaches. Common non-breach investigations include: unlawful collection of personal data without consent, failure to respond to data access requests, sending marketing messages to individuals on the Do Not Call Registry, excessive data collection, and failure to appoint a Data Protection Officer. Breaches are the most visible because they require self-reporting, but non-breach violations are also regularly investigated and penalised.