In Singapore, the Personal Data Protection Act 2012 (PDPA) is the main legislation governing data protection and privacy. It establishes a baseline data protection framework which applies across all private-sector organisations. The PDPA is administered and enforced by Singapore’s data protection authority, the Personal Data Protection Commission (PDPC).

In 2020, the PDPA underwent its first comprehensive review since its enactment. The amendments are set out in the Personal Data Protection (Amendment) Act 2020 (the “Amendment Act”), which was passed by Parliament on 2 November 2020. Most of the significant amendments introduced by the Act came into force on 1 February 2021.

Parts 3 to 6A of the PDPA set out core data protection obligations, including those related to the collection, use, disclosure, access, correction, care, protection, retention, transfer of personal data and notification of data breaches (collectively, the “Data Protection Provisions”). Part 9 of the PDPA sets out provisions pertaining to Singapore’s national Do Not Call (DNC) Registry, regulating the sending of marketing messages to Singapore telephone numbers (the “DNC Provisions”).

Subsidiary regulations issued under the PDPA include the following:

• Personal Data Protection Regulations 2021 (the “PDP Regulations”), which govern matters such as overseas data transfers and procedures for access and correction requests;
• Personal Data Protection (Notification of Data Breaches) Regulations 2021 (the “Breach Notification Regulations”);
• Personal Data Protection (Composition of Offences) Regulations 2021;
• Personal Data Protection (Do Not Call Registry) Regulations 2013;
• Personal Data Protection (Enforcement) Regulations 2021 (the “Enforcement Regulations”); and
• Personal Data Protection (Appeal) Regulations 2021.

In addition, the PDPC has issued several advisory guidelines which, while not legally binding on any party, provide greater clarity on how the PDPC may interpret the provisions of the PDPA. Some examples include:

• Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised on 16 May 2022) (the “Key Concepts Guidelines”);
• Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised on 23 May 2024) (the “Selected Topics Guidelines”);
• Advisory Guidelines on Enforcement of Data Protection Provisions (revised on 1 October 2022) (the “Enforcement Guidelines”);
• Advisory Guidelines on the PDPA for Children’s Personal Data in the Digital Environment;
• Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems (the “AI Guidelines”); and
• Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identification Numbers (the “NRIC Guidelines”).

The PDPC is the key regulator responsible for administering and enforcing the PDPA. It is part of the Info-communications Media Development Authority (IMDA), which is a statutory board under the purview of the Ministry of Communications and Information.

The PDPC’s jurisdiction covers private sector organisations. The main powers, duties and responsibilities of the PDPC are as follows:

• to promote awareness of data protection in Singapore;
• to provide consultancy, advisory, technical, managerial or other specialist services relating to data protection;
• to advise the Government of Singapore (the “government”) on all matters relating to data protection;
• to represent the government internationally on matters relating to data protection;
• to conduct research and studies, promote educational activities relating to data protection, including organising and conducting seminars, workshops and symposia relating thereto, and support other organisations conducting such activities;
• to manage technical co-operation and exchange in the area of data protection with other organisations, including foreign data protection authorities and international or intergovernmental organisations, on its behalf or on behalf of the government;
• to administer and enforce the PDPA;
• to carry out functions conferred on the PDPC under any other written law; and
• to engage in such other activities and perform such functions as the relevant Minister may permit or assign to the PDPC by order published in the Electronic Gazette.

In practice, the PDPC may initiate an investigation to determine whether an organisation complies with the PDPA upon receipt of a complaint or on its own motion. Its enforcement approach is guided by the Enforcement Guidelines, which outline several factors the PDPC considers when deciding whether to commence an investigation. These include:

• whether the organisation may have failed to comply with all or a significant part of its obligations under the PDPA;
• whether the organisation’s conduct indicates a systemic failure by the organisation to comply with the PDPA or to establish and maintain the necessary policies and procedures to ensure its compliance;
• the number of individuals who are, or may be, affected by the organisation’s conduct;
• the impact of the organisation’s conduct on the complainant or any individual who may be affected;
• whether the organisation had previously contravened the PDPA or may have failed to implement the necessary corrective measures to prevent the recurrence of a previous contravention;
• where the complainant had previously approached the organisation to seek a resolution of the issues but failed to reach a resolution;
• where the PDPC has sought to facilitate dispute resolution between the complainant and the organisation, whether the complainant and the organisation agreed to participate in the dispute resolution process, their conduct during the dispute resolution process and the outcome of the dispute resolution process;
• where a review has been commenced by the PDPC, whether the organisation has complied with its obligations under the Enforcement Regulations in relation to a review, the organisation’s conduct during the review and the outcome of the review; and
• public interest considerations.

In the course of its investigation, the PDPC’s powers include:

• requiring any organisation to produce any specified document or to provide any specified information;
• compelling the attendance of witnesses, the provision of information and the production of documents;
• entering an organisation’s premises without a warrant (by giving at least two working days’ advance notice of intended entry); and
• obtaining a search warrant to enter an organisation’s premises and search the premises or any person on the premises (if there are reasonable grounds for believing that they have in their possession any document, equipment or article relevant to the investigation), and take possession of, or remove, any document, equipment or article relevant to an investigation.

The PDPC is also empowered to review complaints concerning access and correction requests.

The PDPC is responsible for enforcing the PDPA. The PDPC’s approach to enforcement is detailed in its Guide to Active Enforcement (revised on 1 October 2022).

When considering whether to take enforcement action, the PDPC is guided by three key objectives:

• to respond effectively to breaches of the PDPA where the focus is on those that adversely affect large groups of individuals and where the data involved is likely to cause harm or loss to the affected individuals;
• to be proportionate and consistent in the application of enforcement action on organisations that are found in breach of the PDPA; where penalties imposed serve as an effective deterrent to those that risk non-compliance with the PDPA; and
• to ensure that organisations that are found in breach take proper steps to correct gaps in the protection of personal data.

When a potential personal data incident is surfaced to the PDPC (via complaint, self-notification or otherwise), the PDPC will first consider whether it should open an investigation into the matter. The Commissioner may not conduct an investigation into the matter if they are of the view that:

• the case is better referred to facilitation and/or mediation for resolution;
• there does not appear to be a breach of the data protection obligations on the facts of the case; or
• the organisation allegedly in breach is regulated by a sectoral regulator, and the matter would be best handled by the other regulator.

If the PDPC is of the view, however, that an investigation should be conducted, the PDPC will officially open a detailed investigation into the matter, and the investigation process will include the PDPC:

• issuing notices to produce documents and information to the relevant organisations;
• conducting interviews and taking statements from the relevant organisations and individuals; and
• potentially conducting site visits to glean a full view of the facts.

The organisation allegedly in breach will also be given the opportunity to make representations to the PDPC.

After having considered the facts of the case as well as the representations made, the PDPC will then issue its decision on whether the organisation has breached any of the data protection obligations under the PDPA, as well directions (if appropriate), which may include a financial penalty of up to a maximum of 10% of the organisation’s annual turnover in Singapore, or SGD1 million, whichever is higher.

Under the PDPA, the PDPC must, in determining the amount of a financial penalty imposed, have regard and give such weight as it considers appropriate to, all of the following factors:

• the nature, gravity and duration of the non-compliance by the organisation or person, as the case may be;
• the type and nature of the personal data affected by the non-compliance by the organisation or person, as the case may be;
• whether the organisation or person (as the case may be), as a result of the non-compliance, gained any financial benefit or avoided any financial loss;
• whether the organisation or person (as the case may be) took any action to mitigate the effects and consequences of the non‑compliance, and the timeliness and effectiveness of that action;
• whether the organisation or person (as the case may be) had, despite the non‑compliance, implemented adequate and appropriate measures for compliance with the requirements under the PDPA;
• whether the organisation or person (as the case may be) had previously failed to comply with the PDPA;
• the compliance of the organisation or person (as the case may be) with any direction given under Section 48I or 48L(4) in relation to remedying or mitigating the effect of the non‑compliance;
• whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non‑compliance with the PDPA;
• the likely impact of the imposition of the financial penalty on the organisation or person (as the case may be), including the ability of the organisation or person to continue the usual activities of the organisation or person; and
• any other matter that may be relevant.

In practice, financial penalties depend on the specific Data Protection Provision that was breached and the severity of the breach. A notable example of an egregious breach involving multiple aggravating factors is the case of Re Singapore Health Services Pte Ltd and Another [2019] SGPDPC 3. In that case, the Commissioner, noting that this was the “largest data breach suffered by any organisation in Singapore with the number of affected individuals amounting to almost 1.5 million unique individuals”, imposed financial penalties on the organisation and its data intermediary of SGD250,000 and SGD750,000 respectively, due to their failure to implement reasonable security measures to protect personal data.

To date, the highest financial penalties issued by the PDPC were SGD250,000 and SGD750,000, imposed on SingHealth Services Pte Ltd and Integrated Health Information Systems Pte Ltd in the same case respectively. These penalties were for violations of their data protection obligations under the PDPA (see Re Singapore Health Services Pte Ltd and Another [2019] SGPDPC 3). The case involved a major cyber-attack on SingHealth’s patient database system, which led to the personal data of approximately 1.5 million individuals being compromised.

At present, Singapore does not have legislation specifically addressing the use of AI and is not currently looking to enact regulations for AI. However, the government has enacted laws in relation to specific applications of AI technology (eg, the Computer Misuse Act, Online Criminal Harms Act, Protection from Online Falsehoods and Manipulation Act, Elections (Integrity of Online Advertising) (Amendment) Bill and the PDPA), which, together with existing laws that are technology-agnostic and voluntary guidelines issued by sectoral regulators, make up the legal and regulatory framework around AI and GenAI.

Model Artificial Intelligence Governance Framework

The Model AI Governance Framework was published by the IMDA and PDPC as a set of voluntary, non-binding guidelines that set out ethical and governance principles for the use of AI and translate them into practical recommendations for organisations to adopt. To support adoption, the Implementation and Self-Assessment Guide for Organisations (ISAGO) was also introduced, offering guiding questions and examples to help organisations self-evaluate their AI governance practices.

On 25 May 2022, the AI Verify framework was launched as part of an international pilot. Developed by the IMDA and the PDPC, AI Verify is a toolkit for assessing AI systems against 11 AI ethics principles which are consistent with internationally recognised AI frameworks. Organisations may validate the performance of their AI systems through standardised tests. The international piloting was completed on 7 June 2023.

Building on the success of the Model AI Governance Framework, the Model Framework for GenAI sets out actions to be taken across nine dimensions to address the risks posed by GenAI, while supporting innovation. These include the following.

• Accountability – responsibility should be allocated based on the level of control each person has in the GenAI development chain.
• Data used in model training – policymakers should foster open dialogue with relevant stakeholders and provide guidance on how personal data laws and copyright laws apply to data used in model training.
• Trusted development and deployment – the industry should adopt common safety practices and standardise disclosure about GenAI models to facilitate comparability across models and incentivise safer model use.
• Incident reporting – AI developers should have reporting channels to report safety vulnerabilities in their AI systems and then act pre-emptively to patch the system. Organisations should also report to regulators incidents of a certain severity arising from their use of AI systems.
• Testing and assurance – policymakers and international standards organisations (eg, International Organisation for Standardisation) should develop common standards for AI testing to ensure quality and consistency.
• Security – new testing tools must be developed to address the risks specific to GenAI.
• Content provenance – users should be aware that they are interacting with AI-generated content to reduce the risk of misinformation, so technical solutions such as digital watermarking and cryptographic provenance should be explored, in tandem with public education on verifying the authenticity of content.
• Safety and alignment Research & Development (R&D) – there should be investment in R&D, with more AI safety R&D institutes set up to conduct alignment research in tandem with AI companies. AI safety R&D institutes should co-operate globally to optimise limited resources and keep pace with commercial developments.
• AI for public good – responsible use of AI should go beyond risk mitigation and actively seek to improve people’s lives. Governments should partner companies and communities on digital literacy initiatives, drive innovation in the industry (especially among SMEs), upskill the workforce and redesign jobs, and ensure AI is environmentally sustainable.

The former aims to help organisations assess the alignment of their AI governance practices with the Model AI Framework, while the latter provides case studies as to how local and international organisations across different sectors and sizes have implemented or aligned their AI governance practices with all sections of the Model AI Framework.

New PDPC Guides Concerning AI

On 1 March 2024, the PDPC published its AI Guidelines. The guidelines provide guidance on how the PDPA applies when personal data is used to train or develop AI systems and offer best practices for service providers (eg, systems integrators) that support the implementation of AI solutions. Although the Guidelines released by the PDPC are not binding, the PDPC has often cited them in their decisions, therefore, it would be prudent to adopt the Guidelines on the use of personal data in AI recommendation and decision systems.

Under these guidelines, the PDPC encourages the use of anonymised data, as far as possible, in relation to AI systems. Once data is properly anonymised, the data is no longer personal data (and therefore not governed by the PDPA). According to the PDPC’s Advisory Guidelines on the PDPA for Selected Topics, data would be considered anonymised if there is no serious possibility that an individual could be re-identified, taking into consideration both: (i) the data itself, or the data combined with other information to which the organisation has or is likely to have access; and (ii) the measures and safeguards implemented by the organisation to mitigate the risk of re-identification.

In this regard, the PDPA makes unauthorised re-identification of anonymised information a criminal offence. Under Section 48F of the PDPA, an individual that takes any unauthorised action to re-identify or cause re-identification of the person to whom anonymised information in the possession or under the control of an organisation or a public agency relates shall be guilty of an offence and shall be liable on conviction to a fine not exceeding SGD5,000, imprisonment for a term not exceeding two years, or both.

To further reduce the risk of data leakage in certain use cases, the use of synthetic data is being encouraged by both academia and the government as an alternative to using anonymised data. For example, in July 2024, the PDPC released the Proposed Guide on Synthetic Data Generation, which aims to help organisations understand the methods and potential applications of synthetic data generation in AI systems.

Please see 1.5 AI Regulation.

In Singapore, privacy litigation remains relatively nascent, with most enforcement of data protection obligations taking place through administrative action by PDPC rather than through civil proceedings in the courts.

On 19 February 2019, the State Courts of Singapore dismissed a claim brought against the Singapore Swimming Club for defamation and breach of the PDPA. Although written grounds of judgment are unavailable, this case is noteworthy as it appears to mark the first instance in which the Singapore courts were invited to consider an alleged breach of the PDPA, absent any prior finding by the PDPC.

Subsequently, in IP Investment Management Pte Ltd and Others v Alex Bellingham [2019] SGDC 207, the District Court considered a claim brought under the right of private action available to individuals previously found in Section 32 of the PDPA (now Section 48O of the PDPA). See 2.2 Recent Case Law.

While supranational and international developments continue to shape Singapore’s broader approach to privacy and data protection, their direct influence on domestic litigation remains relatively limited.

In IP Investment Management Pte Ltd and Others v Alex Bellingham [2019] SGDC 207, the District Court, in a decision delivered on 3 October 2019, considered a claim brought under the right of private action available to individuals, previously found under Section 32 of the PDPA (now Section 48O of the PDPA). The District Court found that the defendant had breached certain Data Protection Provisions and that the third plaintiff had suffered loss and damage because of the defendant’s misuse of their personal information. Consequently, the District Court granted an injunction restraining the defendant from using, disclosing or communicating any personal data of the third plaintiff and ordered the defendant to destroy all such personal data in their possession.

The above decision was subsequently appealed against before the High Court in Bellingham, Alex v Reed, Michael [2021] SGHC 125. On appeal, the High Court held that the claim under Section 32 could not be sustained as the respondent had not suffered any “loss or damage” within the meaning of the previous Section 32 of the PDPA. Specifically, the High Court held that a loss of control over personal data does not constitute “loss or damage” for an actionable claim under the previous Section 32 of the PDPA. The court also addressed the scope of “publicly available information” exception under Section 17 read with Part 2(1) of the First Schedule to the PDPA. It held that organisations are not required to obtain consent for the collection, use and disclosure of publicly available personal data under the PDPA. However, the High Court clarified that organisations cannot rely on Section 17 of the PDPA where personal data that is publicly available is obtained only through the unlawful use of other personal data.

The High Court ruling was eventually partially reversed by the Court of Appeal in Reed Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60. The Court of Appeal held that “loss or damage” includes emotional distress, though it does not include mere loss of control over personal data. On the facts, the Court of Appeal found that the plaintiff had suffered emotional distress that was significant enough to be actionable. Additionally, the Court of Appeal clarified the application of Section 4(1)(b) of the PDPA, which provides that the data protection obligations in the PDPA do not impose obligations on an employee acting in the course of their employment with an organisation. The Court of Appeal clarified that this section serves as a defence for employees and that the burden lies on a defendant to prove on a balance of probabilities that they were “an employee acting in the course of employment”.

There are no collective redress mechanisms for the protection of the collective interest of individuals in Singapore.

In Singapore, the regulation of Internet of Things (IoT) services primarily falls within the broader legal framework governing the protection of personal data and cybersecurity. While there is no specific statute that regulates IoT technologies alone, key regulatory objectives are addressed through the PDPA, the Cybersecurity Act 2018, and sector-specific or industry guidelines issued by agencies such as the IMDA.

Similar to the objectives found under the PDPA, the main objective of regulating IoT services is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

Under the PDPA, organisations that deploy or manage IoT devices are collecting personal data. These data controllers are therefore subject to the following key obligations.

• Consent Obligation – An organisation must obtain an individual’s consent before collecting, using or disclosing their personal data for a purpose (Sections 13 to 17 of the PDPA).
• Purpose Limitation Obligation – An organisation may only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (Section 18 of the PDPA).
• Notification Obligation – An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose their personal data on or before such collection, use or disclosure, and may only collect, use and disclose personal data for such purposes (Sections 18 and 20 of the PDPA).
• Access and Correction Obligation – An organisation must, upon request, allow an individual to access and/or correct their personal data in its possession or under its control. In addition, the organisation is obliged to provide the individual with information about the ways in which personal data may have been used or disclosed during the past year (Sections 21 and 22 of the PDPA).
• Accuracy Obligation – An organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned or disclose such personal data to another organisation (Section 23 of the PDPA).
• Protection Obligation – An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent: (i) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (ii) the loss of any storage medium or device on which personal data is stored (Section 24 of the PDPA).
• Retention Limitation Obligation – An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which it was collected and is no longer necessary for legal or business purposes (Section 25 of the PDPA).
• Transfer Limitation Obligation – An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA (Section 26 of the PDPA).
• Accountability Obligation – An organisation must appoint a person to be responsible for ensuring that it complies with the PDPA, typically referred to as a Data Protection Officer (DPO), and develop and implement policies and practices that are necessary to meet its obligations under the PDPA, including a process to receive complaints. In addition, the organisation is required to communicate to its staff information about such policies and practices and make information available upon request to individuals about such policies and practices (Sections 11 and 12 of the PDPA).
• Data Breach Notification Obligation – An organisation must assess data breaches that have occurred affecting personal data in their possession or under their control, and are required to notify the PDPC, as well as affected individuals, of the occurrence of certain data breaches (notifiable data breaches) (Sections 26A to 26E of the PDPA).

In addition, the Amendment Act will also further introduce one more data protection obligation (which has yet to come into effect).

• Data Portability Obligation – Upon an organisation’s receipt of a data porting request from an individual, the porting organisation must transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any prescribed requirements, such as requirements relating to technical, user experience and consumer protection matters.

Organisations that process personal data on behalf of an organisation (eg, data processing services) are known as data intermediaries under the PDPA. Data intermediaries are subject to a limited scope of obligations under the PDPA, specifically the following.

• Protection Obligation.
• Retention Limitation Obligation.
• Data Breach Notification Obligation – If a data intermediary has reason to believe that a data breach has occurred in relation to personal data that it is processing on behalf of and for the purposes of another organisation, it must notify that other organisation without undue delay.

See 1.1 Overview of Data and Privacy-Related Laws.

There is currently no legislation in Singapore that specifically governs the use of IoT services, other than the PDPA, which regulates the collection, use and disclosure of personal data. Accordingly, there are no additional IoT specific statutory obligations, beyond those that already set out under the Data Protection Provisions discussed in 3.1 Objectives and Scope of Data Regulation.

Separately, the IMDA has published the Internet of Things Cyber Security Guide (published March 2020), which is targeted at IoT developers, providers and users. This is the only IoT specific guide issued by the IMDA to date. However, this guide also explicitly excludes privacy-related matters from its scope. The guide provides practical baseline recommendations, key security principles, and checklists for organisations – particularly enterprise users (and their vendors) – that intend to deploy IoT solutions. It provides baseline recommendations to ensure security aspects for the acquisition, development, operations and maintenance of IoT systems.

Data processing activities carried out by data intermediaries (the equivalent of data processors) are governed by the PDPA. Specifically, data intermediaries must ensure that they comply with their obligations under the PDPA. See 3.1 Objectives and Scope of Data Regulation for details of a data intermediary’s PDPA obligations.

See 1.2 Regulators.

The PDPC has clarified that any personal data collected via cookies is subject to the same treatment as other forms of personal data, and organisations that collect personal data using cookies would equally be subject to the requirements of the PDPA. Accordingly, organisations using cookies to collect personal data must comply with the PDPA’s requirements. Organisations do not need to obtain consent for cookies that do not collect personal data (eg, session cookies may only collect and store technical data needed to play back a video on a website).

The Selected Topics Guidelines explain that consent may not be necessary where cookies are used to collect, use or disclose personal data for internet activities that the user has clearly requested, where the individual is aware of the purposes for such collection, use or disclosure and voluntarily provides their personal data for such purposes. Such activities include transmitting personal data for effecting online communications and storing information that the user enters in a web form to facilitate an online purchase.

Further, for activities that cannot take place without cookies that collect, use or disclose personal data, deemed consent may apply if the individual voluntarily provides the personal data for that purpose of the activity, and it is reasonable that they would do so.

In instances where the individual configures their browser to selectively accept or reject certain cookies, they may be deemed to have consented to the collection, use and disclosure of the personal data by the cookies that they have chosen to accept. However, the mere failure of an individual to actively manage their browser settings does not imply that they have consented to the collection, use and disclosure of personal data by all websites for their stated purpose.

Finally, the Selected Topics Guidelines make clear that where organisations use cookies for personalised advertisement targeting that involves the collection and use of an individual’s personal data, express consent from the individual is required.

The PDPA does not explicitly define or refer to the terms “targeted advertising” and “cross-contextual behavioural advertising”. However, where such advertising entails the collection or use of personal data, the individual’s express, opt-in consent should be obtained in accordance with the PDPA.

First, under Section 4(1)(a), (b) of the PDPA, the Data Protection Provisions do not apply to an employee acting in the course of their employment within an organisation.

Second, employers are generally required to provide suitable notices and obtain consent, before collecting, using or disclosing the personal data of their employees.

Employers may, however, rely on the concepts of deemed consent (as set out in Sections 15 and 15A of the PDPA) or process personal data without consent in specific situations under Section 17. The First and Second Schedules to the PDPA outline the circumstances under which consent is not required for the collection, use and disclosure of their personal data. In such cases, the requirement to notify the individual typically does not apply.

An exception to this general position is found in Section 20(4) of the PDPA. Where an organisation intends to collect, use or disclose personal data for the purpose of, or in relation to, the organisation:

• entering into an employment relationship with the individual or appointing them to any office, or
• managing or terminating an employment relationship with, or appointment of, the individual,

the organisation must notify the individual of that purpose on or before such collection, use or disclosure (despite the fact that there is no requirement to seek consent).

Further, if the organisation relies on this exception, it must provide the individual with the purpose of processing and, upon request by the individual, the contact information of a person who can address any queries regarding the processing of the individual’s personal data.

The “legitimate interests” exception to consent may also apply in certain cases. However, similar notification requirements would apply, and the organisation must meet other conditions prescribed under the PDPA.

Under the PDPA, personal data may be collected, used and disclosed without consent in the context of a business asset transaction, subject to the following requirements under Part 4 of the First Schedule to the PDPA being fulfilled.

Applicability of the Exception

The exception applies where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), and personal data about an applicable individual of Y:

• is collected from Y by X for the purposes of the business asset transaction;
• is used or disclosed by X in relation to the business asset transaction; or
• is disclosed by Y to X for the purposes of the business transaction.

Where the business asset transaction concerns any part of Y or Y’s business assets, the personal data mentioned above (Part 4, sub‑paragraph (1) of the First Schedule to the PDPA) must relate directly to that part of Y or Y’s business assets, as the case may be.

Requirements Where X is a Prospective Party

If X is a prospective party to the business asset transaction, the following conditions apply:

• X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; and
• X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction.

Requirements Where X Enters Into a Transaction

If X enters into the business asset transaction, the following conditions apply:

• X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data;
• if any personal data X collects from Y does not relate directly to the part of Y or Y’s business assets with which the business asset transaction entered into is concerned, X must destroy, or return to Y, that personal data; and
• X or Y must notify the applicable individuals of Y whose personal data is disclosed that —
1. the business asset transaction has taken place; and
2. the personal data about them has been disclosed to X.

If the Transaction Does Not Proceed or Is Not Completed

If the business asset transaction does not proceed or is not completed, X must destroy, or return to Y, all personal data collected.

Transaction Involving Y’s Interest in a Third Organisation

Paragraph 2, Part 4 of the First Schedule to the PDPA details the situation if the transaction involves Y’s interest in a third organisation Z (eg, selling shares or an interest to Z) – similar principles apply.

Under Section 26 of the PDPA, organisations may only transfer personal data overseas in accordance with the requirements prescribed under the PDPA to ensure that the recipients provide the transferred personal data a standard of protection that is comparable to the PDPA.

In particular, under the PDP Regulations, the transferring organisation must, before transferring the personal data outside Singapore, take appropriate steps to ascertain whether, and to ensure that, the recipient is bound by legally enforceable obligations to provide the transferred personal data with a standard of protection comparable to that under the PDPA.

“Legally enforceable obligations” is defined in the PDP Regulations to include obligations imposed on the recipient under:

• any law;
• any contract that requires the recipient to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA, and which specifies the countries and territories to which the personal data may be transferred under the contract;
• any binding corporate rules (in cases where a recipient is an organisation related to the transferring organisation) that require every recipient to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA, and which specify:
1. the recipients of the transferred personal data to which the binding corporate rules apply;
2. the countries and territories to which the personal data may be transferred under the binding corporate rules; and
3. the rights and obligations provided by the binding corporate rules; or
• any other legally binding instrument.

In relation to binding corporate rules, the PDP Regulations define a recipient as being related to the transferring organisation if:

• the recipient, directly or indirectly, controls the transferring organisation;
• the recipient is, directly or indirectly, controlled by the transferring organisation; or
• the recipient and the transferring organisation are, directly or indirectly, under the control of a common person.

For completeness, the PDP Regulations set out specific situations whereby the transfer limitation obligation is taken to be satisfied, and it is not necessary to impose legal enforcement obligations (eg, where the personal data is publicly available in Singapore or where the personal data is data in transit).

Additionally, the PDP Regulations recognise the certification systems under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System and the Privacy Recognition for Processors (PRP) System as a valid mechanism for cross-border data transfers. Where the recipient holds a recognised certification (ie, certification under the APEC CBPR or PRP) that is granted or recognised under the law of that country or territory to which the personal data is transferred, the recipient is taken to be bound by legally enforceable obligations to provide a standard of protection for the transferred personal data that is at least comparable to the protection under the PDPA.

There are no government notifications or approvals required to transfer data internationally.

There are no express data localisation requirements under the PDPA. Organisations are not required to retain personal data or copies of such data within Singapore, even if the data is transferred overseas or accessed from outside the jurisdiction.

Accordingly, personal data may be stored overseas, and the same data may also be transferred internationally, provided that the transfer complies with the PDPA’s transfer limitation obligation (see 5.1 Restrictions on International Data Transfers), including ensuring a comparable standard of protection in the receiving jurisdiction.

Section 26 of the PDPA provides that an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the Act. Apart from the foregoing, the Official Secrets Act and Statutory Bodies and Government Companies (Protection of Secrecy) Act 1983 prevent the disclosure of official government documents and information.

During the 5th ASEAN Digital Ministers Meeting (ADGMIN) held in Bangkok, Thailand on 16 and 17 January 2025, the following measures were announced to support the regulation and facilitation of cross-border data transfers.

• A Joint Guide to ASEAN Model Contractual Clauses (MCCs) and Ibero-American Data Protection Network’s MCCs (RIPD MCCs) was released. This guide offers a comparison between ASEAN MCCs and RIPD MCCs. It aims to help businesses, particularly companies already familiar with the ASEAN MCCs, to navigate contractual negotiations for international data transfers with their RIPD business partners.
• The meeting also endorsed the ASEAN-China 2025 Digital Work Plan, which includes a Joint Guide on the Mapping of the ASEAN MCCs and China’s SCCs for Cross-Border Data Flows in 2025. Although these guides are not legally binding, they are expected to support businesses operating across different regions to navigate compliance challenges more efficiently by clarifying how different regional frameworks interact.
• The ASEAN Working Group on Digital Data Governance was recognised for its ongoing work to promote adoption and interoperability of the ASEAN MCCs. This includes the development of the Joint Mapping Guide with the Ibero-American Data Protection Network. It also welcomed the Operational Framework for Global CBPR and PRP, encouraging ASEAN member states to adopt these certifications to build trust, facilitate cross-border data flows, and strengthen the region’s digital services market.