Singapore Personal Data Protection Act 2012 (PDPA)

Governs the collection, use, disclosure, and care of personal data by organisations in Singapore.

  • Rules extracted: 20
  • Obligations decomposed: 184
  • Avg obligations per rule: 9.2x
  • Jurisdiction: 🇸🇬 Singapore

About this regulation

The PDPA governs the collection, use, disclosure and care of personal data by organisations in Singapore. It establishes ten data protection obligations: Consent, Purpose Limitation, Notification, Access, Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Data Breach Notification (added 2021). It also establishes the Do Not Call Registry for telemarketing. It is enforced by the Personal Data Protection Commission (PDPC). It was amended significantly in 2020 (Act 40 of 2020) with mandatory breach notification, deemed consent by notification, and enhanced enforcement powers.

What AuditDSS covers

  • Source: 1 regulation
  • Extracted: 20 rules
  • Decomposed: 184 obligations
  • Decomposition ratio: 9.2x

Each rule is decomposed into an average of 9.2 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 184 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in PDPA is scored across independent risk dimensions:

  • W (Obligation Weight): How critical within the regulatory framework
  • L (Violation Likelihood): How often breached in practice
  • E (Enforcement Evidence): Regulator enforcement history and penalties
  • C (Cascade Dependency): How many obligations depend on this one

Regulatory details

  • Full title: Singapore Personal Data Protection Act 2012 (PDPA)
  • Regulatory body: Personal Data Protection Commission
  • Jurisdiction: 🇸🇬 Singapore
  • Document type: statute
  • Effective date: July 2, 2014
  • Issuing authority: Parliament of the Republic of Singapore

Who this applies to

  • organisations
  • data intermediaries
  • direct marketers

Key requirements

  • consent obligation
  • purpose limitation
  • notification
  • access and correction
  • accuracy
  • protection (security)
  • retention limitation
  • transfer limitation
  • data breach notification
  • Do Not Call Registry

Frequently asked questions about PDPA

What is PDPA?

The PDPA governs the collection, use, disclosure and care of personal data by organisations in Singapore. It establishes ten data protection obligations: Consent, Purpose Limitation, Notification, Access, Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Data Breach Notification (added 2021). It also establishes the Do Not Call Registry for telemarketing. It is enforced by the Personal Data Protection Commission (PDPC). It was amended significantly in 2020 (Act 40 of 2020) with mandatory breach notification, deemed consent by notification, and enhanced enforcement powers.

Who does PDPA apply to?

PDPA applies to organisations, data intermediaries, and direct marketers.

How many obligations does PDPA contain?

AuditDSS has decomposed PDPA into 184 atomic obligations from 20 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of PDPA?

The key requirements include: consent obligation, purpose limitation, notification, access and correction, accuracy, protection (security), retention limitation, transfer limitation, data breach notification, and the Do Not Call Registry.

How can I assess my PDPA compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 184 PDPA obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces PDPA?

PDPA is enforced in Singapore by the Personal Data Protection Commission.

When did PDPA come into effect?

PDPA became effective on July 2, 2014.

What industry does PDPA apply to?

PDPA is primarily relevant to the Medical Devices & Diagnostics industry. AuditDSS covers 64 regulations in this industry sector.

Build a PDPA compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for PDPA — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering PDPA requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine PDPA with other regulations into a single unified compliance pack for your business.

Already have a policy? Assess it against PDPA

1. Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2. AI maps against 184 obligations

Your document is scored against every obligation in PDPA. Each claim is mapped to the obligation tree and evaluated for coverage.

3. Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Assess your PDPA compliance

Upload your document and get a risk-scored gap analysis against 184 PDPA obligations in under 5 minutes.