RiskPedia
SG
Personal Data Protection Commission (PDPC) · 2012 / 2020 amendment / 2021 mandatory breach notification

PDPA 2012 + Amendments 2020

Singapore's baseline data protection law. Mandatory data breach notification regime active since 1 Feb 2021. Maximum penalty raised to 10% of annual turnover from Oct 2022.

Scope

Who must comply

All organisations in Singapore (private sector)

Key controls & obligations

The control catalogue

  • 01: 9 PDPA obligations (Consent, Purpose, Notification, Access & Correction, Accuracy, Protection, Retention, Transfer Limitation, Openness)
  • 02: Data Protection Officer (DPO) appointment
  • 03: Mandatory breach notification: 72 hours to PDPC if significant scale (≥500) or significant harm
  • 04: Do Not Call Registry compliance
  • 05: Financial penalty up to S$1 million or 10% of annual turnover (whichever higher)

Educational disclaimer

RiskPedia content is for educational purposes only. Not legal or regulatory advice. Refer to the Personal Data Protection Commission (PDPC) for binding text.
