Guides compliance with Singapore's PDPA: the nine core obligations plus the data breach notification obligation, consent types (express/deemed), the Do Not Call Registry, data intermediaries, breach notification timelines, and the 2020-2021 amendments.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete
This skill uses the workspace's default tool permissions.
Singapore's Personal Data Protection Act 2012 (PDPA, No. 26 of 2012) was passed by Parliament on 15 October 2012 and took effect in phases: the Do Not Call provisions from 2 January 2014 and the main data protection provisions from 2 July 2014. The Personal Data Protection (Amendment) Act 2020 (most provisions effective 1 February 2021) introduced mandatory data breach notification, deemed consent by notification and by contractual necessity, a data portability obligation (not yet in force), and enhanced enforcement powers, including the higher financial penalty cap that took effect on 1 October 2022.
The Personal Data Protection Commission (PDPC) is the regulatory authority, operating under the Infocomm Media Development Authority (IMDA). The PDPC issues Advisory Guidelines that provide detailed interpretation of the PDPA.
| Obligation | PDPA Section | Description |
|---|---|---|
| Consent | Part IV, Division 1 | Obtain consent for collection, use, and disclosure; notify of purposes |
| Purpose Limitation | Section 18 | Collect, use, or disclose only for purposes a reasonable person would consider appropriate |
| Notification | Section 20 | Notify individuals of purposes before or at the time of collection |
| Access | Section 21 | Provide individuals access to their personal data upon request |
| Correction | Section 22 | Correct errors or omissions in personal data upon request |
| Accuracy | Section 23 | Make reasonable effort to ensure personal data is accurate and complete |
| Protection | Section 24 | Protect personal data with reasonable security arrangements |
| Retention Limitation | Section 25 | Retain personal data only as long as necessary for business or legal purposes |
| Transfer Limitation | Section 26 | Transfer overseas only where the recipient is bound to provide a standard of protection comparable to the PDPA (conditions set out in the PDP Regulations) |
| Data Breach Notification | Part VIA | Notify PDPC and affected individuals of notifiable data breaches |
| Consent Type | Provision | Description |
|---|---|---|
| Express consent | Sections 13-14 | Explicit consent given orally, in writing, or electronically; valid only if the individual was notified of the purposes and consent was not obtained by deception or as a condition beyond what is reasonable for the service |
| Deemed consent by conduct | Section 15(1) | Consent inferred from voluntary provision of data for a stated purpose where it is reasonable for the individual to do so |
| Deemed consent by notification | Section 15A (2020 amendment) | Consent deemed where the organisation has notified the individual of the purpose, given a reasonable period to opt out, conducted an assessment that the processing is not likely to have an adverse effect on the individual, and the individual did not opt out; not available for direct marketing messages |
| Deemed consent by contractual necessity | Section 15(3)-(8) (2020 amendment) | Consent deemed for disclosure to another organisation where reasonably necessary to perform a contract with the individual |
Requirements for valid deemed consent by notification:
| Exception Category | Examples |
|---|---|
| Business improvement | Using personal data for improving/developing products and services (reasonable expectation standard) |
| Legal and business purposes | Debt recovery, insurance claims, legal proceedings |
| National interest | National security, public health emergencies |
| Publicly available | Data made publicly available by law or the individual |
| Vital interests | Emergency affecting life, health, or safety |
| Research | Research and statistics with anonymisation safeguards |
| Element | Detail |
|---|---|
| Scope | Marketing messages sent to Singapore telephone numbers via voice calls, text messages, or fax |
| Registry types | No Voice Call Register, No Text Message Register, No Fax Message Register |
| Check obligation | Organisations must check the DNC Registry before sending marketing messages to Singapore numbers |
| Check validity | DNC check results valid for 30 days |
| Exemptions | Messages to existing customers regarding similar products/services (with opt-out); messages with express consent documented |
| Penalties | Up to SGD 1 million per breach; financial penalties imposed by the PDPC |
| Element | Detail |
|---|---|
| DNC checking | Automated daily DNC register check before marketing campaign dispatch |
| Marketing channels | Email (not covered by the DNC registers; consent for marketing still required), SMS (DNC checked), phone calls (DNC checked) |
| Existing customer exemption | Applied for freight service-related communications with documented opt-out mechanism |
| Consent records | Documented express consent stored in CRM for opted-in customers |
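A pre-dispatch gate that applies the rules in the two tables above (DNC covers marketing messages to Singapore numbers by voice, SMS or fax; a registry check may be relied on for 30 days; exemptions for documented express consent and for existing-customer messages about similar products or services that carry an opt-out). This is an added example, not code from the skill or the PDPC; the `Contact` and `Message` data model, the decision order, the inclusive 30-day counting, and the sample numbers are all assumptions made for the illustration.

```python
"""Pre-dispatch DNC gate for Singapore marketing messages (illustrative, not PDPC code).

Assumed model: each contact carries its CRM consent flags plus the date and result of the
most recent DNC Registry check. The gate returns 'send', 'recheck' or 'block' so that a
campaign dispatcher can re-query the registry for stale numbers before sending anything.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Regulatory parameter from the page: a DNC check result is valid for 30 days.
DNC_CHECK_VALIDITY = timedelta(days=30)

# Channel -> register consulted for that channel. Email has no register.
DNC_REGISTERS = {
    "voice": "No Voice Call Register",
    "sms": "No Text Message Register",
    "fax": "No Fax Message Register",
}


@dataclass
class Contact:
    number: str                               # Singapore telephone number (constructed samples below)
    express_consent: bool = False             # documented opt-in held in the CRM
    existing_customer: bool = False           # ongoing relationship for the relevant service
    last_dnc_check: Optional[date] = None     # date of the most recent registry check
    dnc_result: dict = field(default_factory=dict)  # channel -> True if listed on that register


@dataclass
class Message:
    channel: str                              # "email", "sms", "voice" or "fax"
    marketing: bool = True
    similar_to_existing_service: bool = False  # about products/services like those already supplied
    has_opt_out: bool = False                 # carries a working opt-out mechanism


def dnc_check_is_current(contact: Contact, channel: str, today: date) -> bool:
    """True if a registry result for this channel exists and is at most 30 days old (inclusive, an assumption)."""
    if contact.last_dnc_check is None or channel not in contact.dnc_result:
        return False
    age = today - contact.last_dnc_check
    return timedelta(0) <= age <= DNC_CHECK_VALIDITY


def gate(contact: Contact, msg: Message, today: date) -> tuple[str, str]:
    """Return (decision, reason); decision is 'send', 'recheck' or 'block'."""
    if not msg.marketing:
        return "send", "not a marketing message; DNC provisions do not apply"
    if msg.channel == "email":
        # Outside the DNC registers, but the page's consent framework still requires express consent for marketing.
        if contact.express_consent:
            return "send", "email is outside the DNC registers; express consent on file"
        return "block", "email marketing without documented express consent"
    if msg.channel not in DNC_REGISTERS:
        raise ValueError(f"unknown channel {msg.channel!r}")
    register = DNC_REGISTERS[msg.channel]
    if contact.express_consent:
        return "send", "documented express consent exempts the message from the DNC check"
    if contact.existing_customer and msg.similar_to_existing_service and msg.has_opt_out:
        return "send", "existing-customer exemption (similar products/services, opt-out provided)"
    if not dnc_check_is_current(contact, msg.channel, today):
        return "recheck", f"no {register} result within {DNC_CHECK_VALIDITY.days} days; re-check before dispatch"
    if contact.dnc_result[msg.channel]:
        return "block", f"number is listed on the {register}"
    return "send", f"{register} check on {contact.last_dnc_check} is current and clear"


def plan_campaign(contacts: list, msg: Message, today: date) -> dict:
    """Partition a campaign list into the three decision buckets (numbers only)."""
    plan = {"send": [], "recheck": [], "block": []}
    for c in contacts:
        decision, _ = gate(c, msg, today)
        plan[decision].append(c.number)
    return plan


def sample_campaign() -> dict:
    """Constructed sample data: an SMS promotion for a service similar to what customers already buy."""
    today = date(2025, 9, 1)
    contacts = [
        Contact("+6591110001", express_consent=True),
        Contact("+6591110002", existing_customer=True),
        Contact("+6591110003", last_dnc_check=date(2025, 8, 2), dnc_result={"sms": False}),  # exactly 30 days old
        Contact("+6591110004", last_dnc_check=date(2025, 8, 1), dnc_result={"sms": False}),  # 31 days old: stale
        Contact("+6591110005", last_dnc_check=date(2025, 8, 20), dnc_result={"sms": True}),  # listed: block
        Contact("+6591110006"),                                                               # never checked
    ]
    msg = Message("sms", marketing=True, similar_to_existing_service=True, has_opt_out=True)
    return plan_campaign(contacts, msg, today)


if __name__ == "__main__":
    for bucket, numbers in sample_campaign().items():
        print(bucket, numbers)
```

The order of the checks matters: the two exemptions are tested before the registry result so that a customer who has opted in is not blocked merely because the number also appears on a register, while anything that reaches the registry step without a fresh result is routed to `recheck` rather than silently sent.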
A data intermediary processes personal data on behalf of another organisation (the data controller) and does not use or disclose the data for its own purposes. Analogous to a "data processor" under GDPR.
| Obligation | Detail |
|---|---|
| Protection (Section 24) | Data intermediary must protect personal data in its possession or control |
| Retention (Section 25) | Must not retain personal data longer than necessary |
| Transfer (Section 26) | Transfer overseas restrictions apply |
| Breach notification (Part VIA) | Must notify the organisation on whose behalf it processes the data (not the PDPC directly) of a data breach without undue delay from the time it becomes aware of the breach |
| No consent obligation | Data intermediary not required to obtain consent (this is the data controller's responsibility) |
| Intermediary | Service | Data Processed | Contract Date |
|---|---|---|---|
| CloudServe Asia Pte Ltd | Cloud hosting | Customer and employee data | 1 March 2025 |
| LogiTech Solutions Pte Ltd | Customs IT platform | Customs clearance data | 15 June 2025 |
| PayGlobal Pte Ltd | Payment processing | Transaction data | 1 January 2025 |
A data breach is notifiable if it results in, or is likely to result in:
| Element | PDPC Notification | Individual Notification |
|---|---|---|
| When required | All notifiable data breaches | Breaches likely to result in significant harm |
| Timeline | As soon as practicable, and no later than 3 calendar days after the day the organisation assesses the breach to be notifiable | As soon as practicable, at the same time as or after notifying the PDPC |
| Assessment deadline | PDPC Advisory Guidelines expect the assessment to be completed within 30 calendar days of becoming aware of the breach | Same assessment period |
| Content | Nature, circumstances, data affected, number of individuals, steps taken, DPO contact | Nature of breach, steps individual can take, DPO contact |
The 2020 amendments introduced a data portability obligation (effective date to be prescribed):
Personal data may only be transferred outside Singapore if:
| Condition | Detail |
|---|---|
| Comparable protection | The recipient country or organisation provides a standard of protection comparable to PDPA (Section 26(1)) |
| Contractual safeguards | Legally enforceable obligations on the overseas recipient to provide comparable protection (PDPC-recommended approach) |
| Individual's consent | Consent with notification of inadequate overseas protection |
| Binding corporate rules | Within a corporate group with binding internal rules |
| PDPC-recognised framework | APEC CBPR certification or other PDPC-recognised mechanism |
| Entity Type | Maximum Penalty |
|---|---|
| Organisations | For breaches of the data protection provisions, up to 10% of annual turnover in Singapore for organisations whose Singapore turnover exceeds SGD 10 million, otherwise up to SGD 1 million (cap in force since 1 October 2022) |
| DNC violations | Up to SGD 1 million per breach |
SingHealth Breach (2019):
GrabCar (2021):
Razer (2022):
| Component | Detail |
|---|---|
| DPO (Singapore) | Tan Wei Lin, Data Protection Manager — Singapore office |
| Contact | dpo-sg@zenithglobal.com.sg |
| Privacy notice | Published at zenithglobal.com.sg/privacy |
| Consent framework | Express consent for marketing; deemed consent by conduct for service provision |
| DNC compliance | Automated DNC register checking; 30-day check validity |
| Breach notification | 30-day assessment + 3-day PDPC notification workflow |
| Data intermediary management | Contractual clauses with all intermediaries per PDPC guidelines |
| Cross-border transfers | Contractual safeguards with overseas recipients |
| Data subject rights | Access and correction within 30 days; fees per PDPC guidelines |