Personal Data Protection Legislation Requirements in Singapore

13 April 2018
This bulletin summarises the implications of current personal data protection regulations that are applicable in Singapore. You may have received a communication from the Personal Data Protection Commission (“PDPC”) on this topic recently.

Key Legislation

On 2 January 2013, the PDPC commenced its operations to administer and enforce the Personal Data Protection Act (“PDPA”) in Singapore. The PDPA is a data protection law that sets out standards governing the collection, use, disclosure and care of personal data.

The General Data Protection Regulation (“GDPR”) is European Union (“EU”) legislation that sets out similar standards for organisations that process the personal data of EU natural persons (“Individuals”). The GDPR was approved by the EU Parliament on 14 April 2016 and is expected to become enforceable on 25 May 2018.

For more details on PDPA and GDPR, please refer to the Factsheet here.

On a related but separate note, click here to view our Privacy Notice that explains how our Group is managing your own data, as required by the GDPR.

Implications for Singapore Entities

All Singapore entities, including sole proprietorships, are now required to ensure compliance with the PDPA. This includes designating at least one person, a Data Protection Officer (“DPO”), to be responsible for ensuring that the entity complies with the PDPA.

The GDPR applies globally. Singapore entities that deal with the personal data of EU Individuals will need to ensure compliance with the GDPR.

It is essential that Singapore entities review their current data protection situation and appoint a DPO to ensure compliance with the PDPA and GDPR (if applicable).


The maximum penalties for non-compliance with the regulations are harsh. In Singapore, a fine of up to SGD1 million, and/or imprisonment for up to 12 months, can be imposed for non-compliance with PDPA provisions.

Non-compliance with GDPR can result in administrative fines of up to EUR20 million, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

How Vistra can help

The enactment of this legislation underlines the increasing global concern about the collection and control of the personal data of individuals. Companies that routinely process personal data for individuals, including staff, clients and other third-party individuals, should take steps to ensure compliance with the regulations.

Vistra has broadened its service offering to provide services to support compliance with the PDPA and GDPR. Details of the services are set out in the attached factsheet.

Please contact your usual Vistra representative or email [email protected] if you would like to enquire further about our data protection services.