How to Write a PDPA-Compliant Privacy Policy for Your Singapore Business
Step-by-step guide for Singapore SMEs to write a PDPA-compliant privacy policy. Covers PDPC requirements, mandatory clauses, and common mistakes to avoid.
If you run a business in Singapore that collects even a single customer's email address, the Personal Data Protection Act 2012 (PDPA) applies to you. Yet many SME owners either skip the privacy policy entirely, copy one from a foreign website, or paste together a generic template that doesn't reflect how they actually handle data — and none of those approaches will hold up under a PDPC investigation.
This guide walks you through exactly what your privacy policy needs to say, why each section matters, and how to keep it current as your business grows.
What the PDPA Actually Requires
The PDPA governs how organisations in Singapore collect, use, disclose, and care for personal data. "Personal data" means any data that can identify an individual — names, NRIC numbers, email addresses, phone numbers, photos, IP addresses, and even combinations of data that together make someone identifiable.
Under the Accountability Obligation (one of eleven obligations in the Act), your organisation must:
- Develop and implement data protection policies
- Make those policies available to individuals upon request
- Designate a Data Protection Officer (DPO) — a role that can be held by an existing employee
The PDPC's Advisory Guidelines on Key Concepts in the PDPA make clear that a published privacy policy is the baseline expectation. It is not optional goodwill — it is how you demonstrate accountability.
The 2020 Amendments Changed the Stakes
The PDPA was significantly strengthened by amendments that came into force on 1 February 2021. Key changes relevant to your privacy policy:
- Mandatory data breach notification: You must notify the PDPC and affected individuals within 3 calendar days of discovering a notifiable breach
- Deemed consent by contractual necessity: Contracts can now create implied consent in some situations, but this must be reflected in your policy
- Enhanced financial penalties: Up to S$1 million, or 10% of annual Singapore turnover for larger organisations
- New legitimate interests exception: Organisations can process data without consent in limited circumstances — but only if documented
If your existing privacy policy was written before 2021, it almost certainly needs to be updated.
The Eight Sections Every Singapore Privacy Policy Needs
1. Who You Are and How to Contact Your DPO
Start with a clear statement of your organisation's full legal name, business registration number, registered address, and the contact details of your DPO. The PDPA requires that individuals can reach your DPO easily — a generic "contact us" form is not sufficient.
What to include:
- Organisation name and UEN (Unique Entity Number)
- DPO name or title (e.g., "Data Protection Officer")
- DPO email address dedicated to data protection queries
- Physical address for written requests
2. What Personal Data You Collect
Be specific. Vague language like "we may collect various types of information" is a red flag during PDPC audits. List the categories of data you actually collect, segmented by how you collect them.
Common categories for Singapore SMEs:
- Direct collection: Name, email, phone, NRIC/passport number, payment details
- Automated collection: IP addresses, cookies, device identifiers, browsing behaviour
- Third-party collection: Data received from referral partners, social logins, or marketing platforms
- Sensitive data: Health information, race, religion — these require explicit handling disclosures
3. Why You Collect It (Purposes)
This is the most scrutinised section in PDPC enforcement decisions. The Purpose Limitation Obligation requires that personal data is collected for a specific purpose, and only used or disclosed for that purpose or a directly related one.
List every purpose clearly and link each type of data to it. Do not write catch-all purposes like "to improve our services" without explaining what that means in practice.
Examples of clearly stated purposes:
- "We collect your email address to send order confirmation and delivery updates"
- "We collect your IP address to detect fraudulent login attempts and comply with our anti-fraud obligations"
- "We collect your payment card details solely to process your transaction via [Payment Gateway Name] — we do not store full card numbers"
4. Legal Basis for Collection (Consent and Exceptions)
Singapore's PDPA is primarily consent-based. Your policy must explain how you obtain consent and what happens when individuals withdraw it.
Under Section 15 of the PDPA, consent must be voluntary, informed, and specific. Bundled consent (where agreeing to terms of service also constitutes blanket data consent) is generally not valid for sensitive processing.
Also disclose any legitimate interests exceptions you rely on. The 2020 amendments introduced a formal legitimate interests framework — if you use it, your policy must state what those interests are and confirm you have conducted a balancing test.
5. Who You Share Data With
Name your third-party data processors and explain why you share data with them. If you use cloud services, payment gateways, email marketing platforms, or analytics tools — these are all data sharing arrangements that must be disclosed.
Required disclosures:
- Name or category of third party (e.g., "Stripe, for payment processing")
- Purpose of the sharing
- Whether the third party is located outside Singapore (triggers the Transfer Limitation Obligation)
6. Overseas Data Transfers
The PDPA's Transfer Limitation Obligation requires that personal data transferred outside Singapore is protected to a comparable standard. This applies to any cloud service, SaaS tool, or partner with servers outside Singapore.
Your policy must disclose:
- Which countries or regions data may be transferred to
- The mechanism ensuring adequate protection (e.g., PDPC-approved contractual clauses, or the recipient country's comparable law)
Many Singapore SMEs unknowingly breach this obligation by using US-based tools like Mailchimp, HubSpot, or Google Analytics without disclosing the transfer or implementing adequate safeguards.
7. How Long You Keep Data (Retention)
The Retention Limitation Obligation requires that personal data is not kept longer than necessary for its purpose. Your policy should specify retention periods for each category of data, or at minimum describe the criteria you use to determine retention.
Practical guidance:
- Customer transaction records: typically 5–7 years to comply with IRAS and accounting requirements
- Marketing data: until opt-out, plus a reasonable suppression period
- Job application records: PDPC guidance suggests 1–2 years for unsuccessful applicants
- CCTV footage: PDPC recommends no longer than 30 days unless there is a specific reason
8. Individual Rights and How to Exercise Them
Individuals have the right under the PDPA to:
- Access personal data held about them
- Correct inaccurate data
- Withdraw consent at any time (with effect going forward)
- Port their data (for certain types of data, under the data portability obligation)
Your policy must explain how to submit these requests, your response timeline (the PDPA requires you to respond within 30 calendar days unless an extension is agreed), and any fees that may apply (capped under PDPC guidelines).
Common Mistakes That Attract PDPC Scrutiny
Copying a Foreign Privacy Policy
GDPR-compliant policies written for European businesses frequently appear on Singapore SME websites. GDPR and PDPA are different laws with different concepts, legal bases, and terminology. A GDPR policy will reference "data controllers", "data processors", "lawful basis", and "supervisory authorities" — none of which are PDPA concepts. It signals to the PDPC that you have not actually thought about your obligations.
Using a Template That Doesn't Match Your Practices
The PDPC's enforcement decisions repeatedly cite organisations whose privacy policies described data practices that bore no resemblance to what they actually did. A privacy policy is not just a legal formality — it is a representation of fact. If your policy says you anonymise data within 90 days but you don't, that inconsistency itself becomes an aggravating factor.
Burying the Policy Where No One Can Find It
The Accountability Obligation requires that your policy is "available" — which the PDPC interprets as reasonably easy to find. It should be linked from your website footer, your sign-up forms, and any place where you collect personal data. A policy that exists but is hidden in a PDF three clicks deep is treated as effectively non-existent.
Never Updating It
A privacy policy written in 2019 that still references your old payment processor, a cloud tool you stopped using, or data practices you changed is a liability. Each discrepancy is a potential finding during a PDPC investigation.
Building Your Policy: Practical Next Steps
Getting a PDPA-compliant privacy policy in place doesn't have to be a legal project that takes months. The process breaks down into three phases:
Phase 1 — Data mapping: Before you write a single word of policy, map what personal data you actually collect, where it comes from, where it goes, and how long you keep it. Your policy can only be accurate if you know the ground truth.
Phase 2 — Drafting: Use your data map to populate each of the eight sections above. Write in plain English — the PDPC has published guidance encouraging clear language that customers can actually understand. Avoid legalese where everyday language works just as well.
Phase 3 — Maintain it: Schedule a quarterly review and establish an internal process for flagging when new tools or workflows require a policy update.
For Singapore SMEs that want to get this right quickly — without hiring a law firm or spending weeks on internal workshops — platforms like ComplyHQ offer AI-powered compliance that handles your PDPA obligations in minutes, not weeks, including privacy policy generation that reflects your actual data practices.
A Note on the PDPC's Enforcement Approach
The PDPC does not only investigate breaches reported to it. It conducts proactive audits, responds to complaints from individuals, and monitors organisations in high-risk sectors (healthcare, financial services, retail, F&B with loyalty programmes). Smaller organisations are not immune — the PDPC has published enforcement decisions against businesses ranging from a single-outlet F&B operator to a one-person recruitment firm.
The presence of a well-maintained, accurate privacy policy is consistently cited as a mitigating factor in enforcement decisions. It signals that the organisation takes its obligations seriously, which can reduce the severity of directions or penalties.
Conversely, the absence of any policy — or a policy that clearly does not reflect the organisation's actual practices — is routinely cited as an aggravating factor.
Key Takeaways
- The PDPA applies to every Singapore business that handles personal data, regardless of size
- Your privacy policy must cover: who you are, what data you collect, why, who you share it with, overseas transfers, retention periods, and individual rights
- Copy-pasting a GDPR or foreign template is one of the most common compliance mistakes Singapore SMEs make
- The 2020 amendments increased penalties significantly and added mandatory breach notification
- Keep your policy accurate and update it whenever your data practices change — the policy-to-practice gap is a primary finding in PDPC enforcement actions
A clear, honest, up-to-date privacy policy is the foundation of PDPA compliance. It protects your customers, builds trust, and demonstrates to the PDPC that your organisation takes data protection seriously. Start with your data map, build out each section methodically, and schedule regular reviews to keep it current.