Singapore's Personal Data Protection Act (PDPA) regulates the collection, use and disclosure of personal data in Singapore by giving users enforceable rights and placing the responsibility for lawful data processing on websites, companies and organizations. The version used in this section is PDPA 2020.


| PDPA section | Requirement |
| --- | --- |
| 3_12. Policies and practices | 331. Guarantee legal compliance |
| 4_13. Consent required | 189. Specify the purpose of data collection |
| | 310. Request user consent |
| 4_14. Provision of consent | 189. Specify the purpose of data collection |
| 4_16. Withdrawal of consent | 312. Allow user consent revocation |
| 4_20. Notification of purpose | 189. Specify the purpose of data collection |
| | 315. Provide processed data information |
| 5_21. Access to personal data | 185. Encrypt sensitive information |
| | 229. Request access credentials |
| 5_22. Correction of personal data | 316. Allow rectification requests |
| 6A_26B. Notifiable data breaches | 301. Notify configuration changes |
| | 313. Inform inability to identify users |
| 6A_26D. Duty to notify occurrence of notifiable data breach | 301. Notify configuration changes |
| | 376. Register severity level |
| 6A_26E. Obligations of data intermediary of public agency | 318. Notify third parties of changes |
| 6_24. Protection of personal data | 185. Encrypt sensitive information |
| | 261. Avoid exposing sensitive information |
| | 329. Keep client-side storage without sensitive data |
| | 339. Avoid storing sensitive files in the web root |
| | 360. Remove unnecessary sensitive information |
| 6_25. Retention of personal data | - |
| 9B_48D. Unauthorised disclosure of personal data | 176. Restrict system objects |
| 9B_48E. Improper use of personal data | 046. Manage the integrity of critical files |
| | 062. Define standard configurations |
| | 178. Use digital signatures |
| 9B_48F. Unauthorised re‑identification of anonymised information | 030. Avoid object reutilization |