Singapore PDPA

Singapore

12 domains

33 controls

Singapore Personal Data Protection Act (2012, as amended including 2020 Data Portability Amendment).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (12)

Access/Correction

4 controls

Controls in the Access/Correction domain of Singapore PDPA — 4 controls
Code	Title	Description
s.21	Security Measures Regarding Information Processed by Operator	Operators must process personal information only with the responsible party's knowledge or authorisation, and must estab...
s.22	Notification of Security Compromises	Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised...
s.22A	Preservation of Copies of Personal Data	Where an access request is refused, the organisation must preserve a complete copy of the requested data for at least th...
s.26F	Data Portability Obligation	On request, an organisation must transmit an individual's applicable data in its possession or control to another organi...

Accountability

4 controls

Controls in the Accountability domain of Singapore PDPA — 4 controls
Code	Title	Description
PDPC AG-DPbD	Data Protection by Design (PDPC Guidance)	PDPC Advisory Guidelines require organisations to embed data protection considerations into product, service and system...
s.11	Consent, Justification and Objection	Processing must be supported by consent, contractual necessity, legal obligation, protection of a legitimate interest, p...
s.12	Collection Directly from Data Subject	Personal information must be collected directly from the data subject except in defined circumstances such as public rec...
s.4(2)	Application to Data Intermediaries	A data intermediary that processes personal data on behalf of and for the purposes of another organisation pursuant to a...

Accuracy

1 controls

Controls in the Accuracy domain of Singapore PDPA — 1 controls
Code	Title	Description
s.23	Access to Personal Information	A data subject is entitled to request confirmation of whether the responsible party holds their personal information, an...

Consent

6 controls

Controls in the Consent domain of Singapore PDPA — 6 controls
Code	Title	Description
s.13	Collection for Specific Purpose	Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or ac...
s.14	Retention and Restriction of Records	Records of personal information must not be retained longer than necessary for the purpose, unless required by law, cont...
s.15	Further Processing to be Compatible with Purpose of Collection	Further processing of personal information must be in accordance with or compatible with the purpose for which it was co...
s.15A	Deemed Consent by Notification	An organisation may rely on deemed consent by notification after conducting a risk assessment, notifying the individual...
s.16	Quality of Information	The responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate,...
s.17	Documentation	The responsible party must maintain documentation of all processing operations under its responsibility as required by t...

Data Breach Notification

5 controls

Controls in the Data Breach Notification domain of Singapore PDPA — 5 controls
Code	Title	Description
s.26A	Notification of Data Breach (Definition)	A notifiable data breach is one that results in, or is likely to result in, significant harm to affected individuals, or...
s.26C	Duty to Conduct Breach Assessment	Where an organisation has reason to believe a data breach has occurred, it must conduct, in a reasonable and expeditious...
s.26D	Notification to PDPC of Data Breach	Where a breach is assessed as notifiable, the organisation must notify the Personal Data Protection Commission as soon a...
s.26D(2)	Notification to Affected Individuals	Where a breach is likely to result in significant harm to an individual, the organisation must notify the affected indiv...
s.26E	Data Intermediary Breach Notification	A data intermediary that has reason to believe a breach has occurred in relation to personal data processed on behalf of...

Do Not Call

3 controls

Controls in the Do Not Call domain of Singapore PDPA — 3 controls
Code	Title	Description
Part IX (s.43-48)	Do Not Call Provisions - Specified Message	Before sending a specified marketing message (voice call, SMS, fax) to a Singapore telephone number, organisations must...
s.36	Do Not Call Registry Maintenance	The Commission maintains three DNC registers (No Voice Call, No Text Message, No Fax Message). Organisations must valida...
s.43A	Identifying Sender Information	Specified messages must include clear and accurate information identifying the sender and contact details enabling the r...

Notification

1 controls

Controls in the Notification domain of Singapore PDPA — 1 controls
Code	Title	Description
s.20	Information Processed by Operator or Person Acting Under Authority	Operators and persons acting under the authority of the responsible party who have access to personal information must p...

Other

5 controls

Controls in the Other domain of Singapore PDPA — 5 controls
Code	Title	Description
PDPC AG-AI	Use of Personal Data in AI Systems (PDPC Guidance)	PDPC Advisory Guidelines on the use of personal data in AI recommendation/decision systems require organisations to asse...
s.48B	Prohibition Against Unauthorised Disclosure	It is an offence for an individual (including employees and former employees) to knowingly or recklessly disclose person...
s.48C	Prohibition Against Improper Use of Personal Data	It is an offence for an individual to knowingly or recklessly use personal data without the organisation's authority and...
s.48D	Prohibition Against Re-identification of Anonymised Data	It is an offence for an individual to knowingly or recklessly re-identify, or cause re-identification of, information th...
s.48I	Financial Penalties (2020 Amendments)	PDPC may impose financial penalties up to S$1,000,000 or 10 percent of annual turnover in Singapore (whichever is higher...

Protection

1 controls

Controls in the Protection domain of Singapore PDPA — 1 controls
Code	Title	Description
s.24	Correction of Personal Information	A data subject may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out...

Purpose Limitation

1 controls

Controls in the Purpose Limitation domain of Singapore PDPA — 1 controls
Code	Title	Description
s.18	Notification to Data Subject When Collecting Personal Information	When collecting personal information the responsible party must ensure the data subject is aware of the information bein...

Retention

1 controls

Controls in the Retention domain of Singapore PDPA — 1 controls
Code	Title	Description
s.25	Manner of Access	The provisions of PAIA sections 18 and 53 apply to requests for access to personal information, including the prescribed...

Transfer

1 controls

Controls in the Transfer domain of Singapore PDPA — 1 controls
Code	Title	Description
s.26	Transfer Limitation Obligation	Organisations must not transfer personal data outside Singapore except in accordance with prescribed requirements ensuri...

Frequently Asked Questions

What is Singapore PDPA?

Singapore PDPA is a compliance framework from Singapore with 12 domains and 33 controls. Singapore Personal Data Protection Act (2012, as amended including 2020 Data Portability Amendment). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Singapore PDPA have?

Singapore PDPA has 33 controls organised across 12 domains. The largest domains are Consent (6 controls), Data Breach Notification (5 controls), Other (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Singapore PDPA map to?

Singapore PDPA does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Singapore PDPA compliance?

Start your Singapore PDPA compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Singapore PDPA requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 33 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required