What are the 11 obligations of PDPA?

What are the 11 obligations of PDPA?

If you are a business owner, it is essential to know your obligations under the Personal Data Protection Act (PDPA) of Singapore. The PDPA is a comprehensive data protection law that sets out the obligations of organizations that collect, use, and disclose personal data in Singapore. In this article, we will explore the 11 obligations of PDPA and what they mean for your business.

Introduction to PDPA

The PDPA came into effect on July 2, 2014, and applies to all organizations, regardless of size, that collect, use, and disclose personal data in Singapore. The act has 11 obligations that organizations must comply with to ensure that they protect the personal data they handle.

1. Accountability Obligation

Organizations must take responsibility for complying with the PDPA and have policies and practices in place to ensure compliance.

2. Consent Obligation

Under the PDPA, organizations must obtain the individual’s consent before collecting, using, or disclosing their personal data. The consent must be voluntary, informed, and specific to the purpose for which the data is collected.

3. Purpose Limitation Obligation

Organizations must collect, use, or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and must notify individuals of the purpose for which their data is collected.

4. Notification Obligation

Organizations must notify individuals of the purposes for which their personal data is collected and obtain their consent before using or disclosing the data for a purpose other than that for which it was collected.

5. Access and Correction Obligation

Organizations must provide individuals with access to their personal data and correct any errors or omissions in the data upon request.

6. Accuracy Obligation

Organizations must make reasonable efforts to ensure that the personal data they collect is accurate and complete, taking into account the purposes for which the data is collected.

7. Protection Obligation

Organizations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.

8. Retention Limitation Obligation

Organizations must not retain personal data longer than is necessary for the purpose for which it was collected, taking into account legal, business, or other relevant purposes.

9. Transfer Limitation Obligation

Organizations must ensure that personal data transferred to another organization is protected by comparable data protection standards to those under the PDPA.

10. Data Breach Notification Obligation

Organizations must evaluate whether a data breach is notifiable. If the breach could cause significant harm to individuals or is of significant magnitude, organizations are obligated to promptly notify both the PDPC and affected individuals.

11. Data Portability Obligation

Organizations must ensure that any data intermediary they engage complies with the PDPA when handling personal data on their behalf.


Compliance with the PDPA is essential for all businesses that handle personal data in Singapore. The act’s 11 obligations are designed to ensure that organizations collect, use, and disclose personal data in a responsible and transparent manner, while protecting individuals’ privacy rights. By complying with these obligations, businesses can build trust with their customers and avoid potential legal and reputational risks.