PDPA consent requirement and statutory exceptions — sections 13–17 and the First and Second Schedules
Singapore's Personal Data Protection Act 2012 (PDPA) establishes consent as the default lawful basis for collecting, using, or disclosing personal data. Section 13 of the PDPA prohibits an organisation from collecting, using, or disclosing an individual's personal data unless the individual gives, or is deemed to have given, consent for that specific purpose. This consent-centric architecture differs sharply from GDPR's six alternative lawful bases; under the PDPA, consent is the rule, and all other grounds are enumerated statutory exceptions.
The PDPA regulates any "organisation" — defined to include any individual, company, association, or body of persons (whether or not incorporated) — that collects, uses, or discloses personal data in Singapore, regardless of where the organisation is established. Public agencies are excluded from most PDPA obligations and are instead governed by a separate regime under Part VI of the Public Sector (Governance) Act 2018. The supervisory and enforcement authority is the Personal Data Protection Commission (PDPC), a statutory body under the Info-communications Media Development Authority.
Forms of consent (sections 14, 15, and 15A). Section 14 permits consent to be express or implied; consent is validly given when the individual voluntarily provides the personal data to the organisation for a purpose that a reasonable person would consider appropriate in the circumstances. Section 15 codifies deemed consent: an individual is deemed to consent if he voluntarily provides the personal data for a purpose and it is reasonable in the circumstances that he would do so. The 2020 amendments (effective 1 February 2021) added section 15A, deemed consent by notification, which permits an organisation to notify an individual of a new purpose and deem consent if the individual does not opt out within a reasonable period; this mechanism is hedged by prescribed safeguards and an assessment requirement set out in regulation 14 of the Personal Data Protection Regulations 2021.
Withdrawal of consent (section 16). An individual may withdraw consent at any time by giving reasonable notice in writing to the organisation; upon receipt, the organisation must cease collecting, using, or disclosing the personal data for the consented purpose, though the organisation may continue to rely on any statutory exception. The PDPC's Advisory Guidelines on Key Concepts (revised 17 May 2022) clarify that an organisation must inform the individual, on or before obtaining consent, of the consequences of withdrawal — for example, that withdrawal may prevent the organisation from continuing to provide a service.
Statutory exceptions: the First and Second Schedules (section 17). Section 17, as re-enacted by the Personal Data Protection (Amendment) Act 2020, permits collection, use, or disclosure of personal data without consent if the activity falls within an exception listed in the First or Second Schedule. The First Schedule, introduced in 2021, sets out ten broad exceptions, including:
- Part 1: Legitimate interests (para. 1) — where the organisation has assessed that the purpose would be considered reasonable by a reasonable person, the benefit to the organisation or another person is proportionate to any adverse effect on the individual, and the organisation has implemented measures to eliminate or reduce that effect. This is a qualified balancing test that superficially resembles GDPR Article 6(1)(f) but imposes a mandatory proportionality assessment (regulation 15 of the 2021 Regulations prescribes the assessment framework).
- Part 2: Vital interests (para. 2) — necessary to respond to an emergency that threatens the life, health, or safety of the individual or another individual.
- Part 3: Business improvement purposes (para. 3) — research, analytics, or developing or improving products and services, subject to prescribed assessment requirements and safeguards.
- Part 4: Research purposes (para. 4) — research that will or is likely to produce findings that are in the public interest, where obtaining consent is impracticable and the research purpose cannot reasonably be accomplished unless the data is in an individually identifiable form.
- Part 5: Business asset transactions (para. 5) — due diligence for or completion of a proposed or actual asset sale, merger, acquisition, or financing.
The Second Schedule lists additional narrow exceptions, including collection or disclosure necessary for an investigation or legal proceeding (para. 1(a)), disclosure to a public agency for public-interest purposes (para. 1(b)), disclosure for law-enforcement or national-security purposes (para. 1(d)), and certain evaluative, journalistic, and artistic purposes. A separate set of exceptions applies to employment-related personal data (Second Schedule, para. 1(c)), including data necessary for entering into an employment relationship or managing or terminating the employment relationship.
Interaction with other PDPA obligations. Even when an organisation relies on consent or an exception under section 17, the organisation remains subject to the PDPA's other baseline obligations: the purpose limitation obligation (section 18 — data collected for one purpose may not be used or disclosed for another purpose unless the new purpose is reasonable and the individual would expect such use), the notification obligation (section 20 — the individual must be notified of the purposes on or before collection), the accuracy obligation (section 23), the protection obligation (section 24 — reasonable security arrangements), the retention limitation obligation (section 25), and the transfer limitation obligation (section 26 — cross-border transfers require comparable protection). The consent exception does not exempt the organisation from these downstream obligations, which apply regardless of the lawful basis for collection.
Comparison to other Asia–Pacific regimes. The 2020 amendments represent a deliberate shift from Singapore's original "primarily consent-based" framework to one that permits a wider range of consent-free processing. In a 2023 PDPC publication comparing consent rules across fourteen Asia–Pacific jurisdictions, the PDPC noted that Singapore now "recognises (by far) the most" alternative legal bases to consent in the region — more than Australia's Privacy Act 1988, Japan's APPI, or South Korea's PIPA. The legitimate-interests exception (First Schedule, Part 1) is especially significant: it introduces a GDPR-style balancing test into Singapore law, though the PDPC has emphasised in enforcement guidance that the proportionality assessment and mitigation measures are mandatory, not optional.
Source: Personal Data Protection Act 2012 (current version), sections 13–17 and First and Second Schedules; PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 17 May 2022); PDPC article "Comparing 'Consent' Rules in General Data Protection Laws across Asia-Pacific" (undated, accessed May 2026).
Children's personal data and parental consent — PDPA section 14(4) and the 13-year threshold
Singapore's Personal Data Protection Act 2012 (PDPA) does not set a statutory age of consent for the collection, use, or disclosure of personal data. Instead, section 14(4) of the PDPA establishes a functional rule: consent may be given either by the individual or by "any person validly acting on behalf of that individual," which includes a parent or legal guardian acting on behalf of a minor who lacks sufficient understanding to consent.
The 13-year practical threshold. Since 2014, the Personal Data Protection Commission (PDPC) has applied a practical rule of thumb that a minor who is at least 13 years of age typically has sufficient understanding to consent on his or her own behalf to the collection, use, or disclosure of personal data. This threshold is not statutory — it appears nowhere in the PDPA text — but has been consistently stated in PDPC advisory guidelines and enforcement guidance as a rebuttable presumption. An organisation may depart from this threshold when it has reason to believe that a particular minor (whether above or below age 13) does not have sufficient understanding of the nature and consequences of giving consent, in which case the organisation should obtain consent from the parent or guardian. Conversely, a minor younger than 13 may validly consent if the organisation has a reasonable basis to conclude that the minor has the requisite understanding.
Reasonable practicability under section 14(4). Section 14(4) does not mandate parental consent for all minors; rather, it permits parental consent when an individual (including a minor) lacks the capacity to give valid consent. The PDPC's approach is to ask whether it is reasonably practicable for an organisation to obtain parental consent. For products or services specifically directed at children — defined in the March 2024 Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment as products "designed for and aimed specifically at children, or products and services that children access in reality" — the PDPC expects organisations to implement age-appropriate consent mechanisms. This includes verifying the age of the individual (for example, through self-declaration with spot checks, government-issued identification, or third-party age-verification services) and, where the individual is identified as a child below the 13-year threshold, obtaining consent from a parent or guardian.
Verification of parental authority. When an organisation seeks parental consent on behalf of a child, section 14(4) requires that the person providing consent be "validly acting on behalf of" the individual. The March 2024 Children's Guidelines recommend that organisations implement a verification process to confirm that the person claiming parental authority has legal decision-making rights over the child. Acceptable methods include requiring the parent to provide verifiable identifying information (such as a government-issued ID and proof of relationship to the child), using a credit-card or other financial-account verification (on the theory that a child is unlikely to hold such an account), or requiring the parent to complete a multi-step authentication process. The PDPC has emphasised that a simple checkbox asserting "I am the parent" is insufficient when the organisation has reason to doubt the representation, particularly for high-risk processing such as profiling, geolocation tracking, or the sharing of personal data with third parties for commercial purposes.
Withdrawal of consent by parent or child. Section 16 of the PDPA permits an individual to withdraw consent at any time by giving reasonable notice in writing to the organisation. Where a parent provided consent on behalf of a child, the PDPC's guidance (set out in the Advisory Guidelines on Key Concepts, revised May 2022) is that both the parent and the child may withdraw consent once the child reaches an age of sufficient understanding. This creates a practical complication for organisations: a child who was enrolled in a service by a parent at age 10 may, upon turning 13, independently withdraw consent even if the parent wishes the service to continue. Organisations are expected to implement processes that allow either the original consent-giver (the parent) or the individual whose data is processed (the child, once of sufficient understanding) to exercise withdrawal rights.
Interaction with the First Schedule legitimate-interests exception. The 2020 PDPA amendments introduced the First Schedule, Part 1 legitimate-interests exception, which permits processing without consent if an organisation conducts a mandatory proportionality assessment and implements measures to mitigate adverse effects on the individual. The March 2024 Children's Guidelines clarify that this exception does apply to children's personal data but that the assessment must account for the heightened vulnerability of children. Specifically, the PDPC expects organisations to consider whether the processing involves profiling for advertising, sharing with third parties, or geolocation tracking — all of which are identified as higher-risk activities when applied to children. The proportionality assessment framework (set out in regulation 15 of the Personal Data Protection Regulations 2021) requires the organisation to evaluate whether "a reasonable person in the position of the individual" would consider the purpose reasonable; the PDPC has stated in enforcement decisions (notably Singapore Taekwondo Federation [2018] SGPDPC 17) that minors' personal data is "typically of a more sensitive nature" and that a reasonable person in a child's position would apply a more protective standard.
2024 Advisory Guidelines on Children's Personal Data in the Digital Environment. On 28 March 2024, the PDPC published comprehensive guidance specifically addressing online services, social-media platforms, smart toys, and digital education tools accessed by children. Key prescriptive measures include:
- Default privacy settings for children: account information and profiles of children must not be made public and searchable by default.
- Data minimisation: organisations should limit the collection of children's personal data to what is strictly necessary for the service and should not collect geolocation data, biometric data, or GNSS (Global Navigation Satellite System) positioning data unless essential and with explicit parental consent.
- Prohibition on profiling for commercial purposes: organisations are discouraged from using children's personal data for online profiling to serve targeted advertisements or to create commercial profiles of children's interests and habits.
- Data Protection Impact Assessments (DPIAs): organisations handling children's personal data for products or services that pose heightened risk (social-media services, connected toys, wearable devices with tracking capabilities) are expected to conduct a DPIA before commencing processing, assessing the risks to children's privacy and implementing safeguards to mitigate those risks.
- Notification of data breaches to parents: when a notifiable data breach affects a child's personal data and the child is below the age of sufficient understanding, the organisation should notify the parent or guardian in addition to (or instead of) the child, to enable the parent to take steps to mitigate harm.
The 2024 Guidelines represent a significant strengthening of Singapore's child-protection posture relative to the PDPC's earlier guidance. While the 13-year threshold remains, the Guidelines impose a higher substantive standard of care for all processing of children's personal data, effectively requiring organisations to demonstrate that they have assessed and mitigated the specific risks to children regardless of whether they rely on consent or on a statutory exception.
Comparison to other Asia–Pacific regimes. Singapore's approach is more flexible than the statutory age-of-consent rules in the European Union (GDPR Article 8, which permits Member States to set a threshold between 13 and 16, with most choosing 16) and Australia (where the draft Privacy Act reforms proposed a default age of 16). Singapore's rule is also more flexible than South Korea's PIPA, which requires parental consent for all processing of personal data of children under 14. The trade-off is that Singapore places the burden on organisations to make a fact-specific assessment of each minor's understanding, which the PDPC views as more consistent with the PDPA's general principle that consent must be a "voluntary agreement" by an individual with the capacity to understand the consequences.
Source: Personal Data Protection Act 2012, section 14(4); PDPC Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment (28 March 2024); PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 17 May 2022); Singapore Taekwondo Federation [2018] SGPDPC 17.
Legitimate interests exception — the three-part assessment framework under First Schedule Part 1 and regulation 15
The legitimate interests exception introduced by the Personal Data Protection (Amendment) Act 2020 permits an organisation to collect, use, or disclose personal data without consent when the processing serves a legitimate interest of the organisation or another person, the benefit of that interest outweighs any adverse effect on the individual, and the organisation has conducted a mandatory proportionality assessment and implemented mitigation measures. This exception, codified in Part 1 of the First Schedule to the Personal Data Protection Act 2012 (PDPA), is the closest Singapore analogue to GDPR Article 6(1)(f) legitimate interests, though the PDPC has emphasised that the two legal bases are not identical in scope or application.
The First Schedule divides the legitimate interests exception into two categories: a closed list of specific legitimate interests (paragraphs 1(a)–(d)) that do not require a proportionality assessment, and a general legitimate interests exception (paragraph 1(e)) that applies to any other purpose not covered by the closed list. The general exception (paragraph 1(e)) is the broader and more operationally significant ground; it requires the organisation to satisfy a three-part test and a mandatory assessment procedure prescribed by regulation 15 of the Personal Data Protection Regulations 2021 before relying on the exception.
The specific legitimate interests (closed list, no assessment required). Paragraph 1 of Part 1 of the First Schedule permits collection, use, or disclosure without consent for the following purposes, without requiring a proportionality assessment:
- (a) Evaluative purposes — evaluating an individual for an award, scholarship, honour, or similar benefit, determining compliance with any certification scheme, evaluating an individual's suitability for employment or appointment to an office or as a volunteer, or evaluating an individual's performance or conduct in employment or office.
- (b) Investigation or proceedings — for the purposes of any investigation or proceedings (including anticipated proceedings).
- (c) Debt recovery — for the purpose of recovering or paying a debt owed by the individual to the organisation or by the organisation to the individual.
- (d) Intra-group sharing under binding corporate rules — disclosure of an individual's personal data by the organisation to a related corporation that is bound by legally enforceable obligations (via contract, other written law, or binding corporate rules) to provide a standard of protection comparable to the PDPA.
These four purposes are the "specific legitimate interests" and are available to all organisations without further process requirements beyond the baseline notification and purpose-limitation obligations under sections 20 and 18 of the PDPA. The PDPC's Advisory Guidelines on Key Concepts (revised 17 May 2022) note that these purposes were previously enumerated in the old Second to Fourth Schedules and have been retained as a safe harbour because the PDPC views them as inherently justified by the organisation's operational needs.
The general legitimate interests exception: three-part test (paragraph 1(e)). For any purpose not covered by the closed list, an organisation may rely on the general legitimate interests exception under paragraph 1(e) if it satisfies the following conditions:
- Legitimate interest: the collection, use, or disclosure is in the legitimate interests of the organisation or another person (including another organisation).
- Balancing test: the purpose would be considered reasonable by a reasonable person in the circumstances.
- Proportionality: the benefit to the organisation or the other person is proportionate to any probable adverse effect on the individual; and the organisation has implemented measures to eliminate, reduce the likelihood of, or mitigate that adverse effect.
The balancing test under paragraph 1(e) is more prescriptive than GDPR Article 6(1)(f). The PDPC has stated in enforcement decisions (notably the first application of this exception in Re Organisation X [2022] SGPDPC, an unpublished decision involving a food security contractor) that the organisation must conduct a documented assessment before processing begins, identify all probable adverse effects on the individual (such as unauthorised disclosure, privacy intrusion, reputational harm, or diminished control over personal data), implement concrete mitigation measures (such as access controls, encryption, data minimisation, pseudonymisation, or time-limited retention), and demonstrate that the residual adverse effect is proportionate to the benefit.
Mandatory assessment framework: regulation 15 of the Personal Data Protection Regulations 2021. Regulation 15, titled "Assessment of effect of proposed collection, use or disclosure of personal data for purposes of Part 3 of First Schedule to Act," prescribes the specific information that an organisation's assessment must include when relying on the general legitimate interests exception under paragraph 1(e). The regulation requires the organisation to:
- (a) Identify and articulate the legitimate interest that the organisation or another person has in the collection, use, or disclosure of the personal data.
- (b) Identify and describe every probable adverse effect that the proposed processing is likely to have on the individual, including unauthorised access, use, disclosure, copying, modification, or disposal of the personal data; loss of the individual's autonomy over the data; and any other effect that would be considered adverse by a reasonable person in the individual's position.
- (c) Identify and implement reasonable measures to eliminate the adverse effect, reduce the likelihood that the adverse effect will occur, or mitigate the adverse effect. Regulation 15 provides a non-exhaustive list of acceptable measures: using anonymised or pseudonymised data when individually identifiable data is not necessary; implementing technical and organisational safeguards (encryption, access controls, audit logs); limiting the retention period; and limiting the scope of data collected to the minimum necessary for the purpose.
- (d) Assess whether the legitimate interest and the benefit to the organisation or another person outweighs the probable adverse effect on the individual, taking into account the measures implemented under (c).
- (e) Document the assessment in writing and retain it for the period during which the personal data is processed under the exception plus a reasonable period thereafter to demonstrate compliance with the PDPA if the PDPC requests the assessment during an investigation.
The PDPC has published an Assessment Checklist for Legitimate Interests Exception (Annex C to the Advisory Guidelines on Key Concepts, February 2021) that provides a step-by-step template for organisations to document the regulation 15 assessment. The Checklist includes prompts for identifying the data categories, the specific purpose, the legitimate interest, the individuals affected, the adverse effects (categorised by likelihood and severity), the mitigation measures, and the proportionality conclusion. The PDPC has indicated in public statements (including the 2020 parliamentary debates on the Amendment Bill) that the Checklist is not mandatory but represents best practice and will be used by PDPC enforcement officers as a reference when reviewing an organisation's compliance.
Notification to individuals: transparency requirement. Paragraph 1(f) of Part 1 of the First Schedule imposes an additional procedural obligation on organisations relying on the general legitimate interests exception (paragraph 1(e)): the organisation must provide the individual with reasonable access to information about the collection, use, or disclosure of the individual's personal data in reliance on the exception. This is separate from the baseline notification obligation under section 20 of the PDPA (which requires notification of the purpose on or before collection). The PDPC's Key Concepts Guidelines clarify that "reasonable access to information" can be satisfied by including a statement in the organisation's privacy policy (if the policy is accessible to the individual at or before the time of processing) or by providing a layered notice that tells the individual where to find the detailed explanation. The notice should state:
- that the organisation is relying on the legitimate interests exception (not consent);
- the specific legitimate interest being pursued;
- a summary of the adverse-effects assessment; and
- the mitigation measures implemented.
The PDPC has stated in the Key Concepts Guidelines (paragraph 12.45) that an organisation that fails to provide this transparency notice may be found to have improperly relied on the exception, even if the substantive balancing test under regulation 15 was satisfied.
Excluded purposes: direct marketing. Section 17(2) of the PDPA, as amended in 2020, provides that the First Schedule exceptions (including the legitimate interests exception) do not apply to the sending of a marketing message to an individual's Singapore telephone number if the number is listed on the Do Not Call (DNC) Registry. The PDPC has further clarified in the Key Concepts Guidelines (paragraph 12.36) that organisations cannot rely on the legitimate interests exception to send direct marketing messages to individuals, even when the telephone number is not on the DNC Registry and even when the organisation can demonstrate a legitimate interest (such as customer retention or cross-selling to existing customers). The PDPC's rationale is that Parliament intended direct marketing to remain consent-based, and the legitimate interests exception (like GDPR Article 6(1)(f)) is not a valid ground for unsolicited marketing communications. This is a significant departure from some European supervisory authorities' approach to GDPR Article 6(1)(f) and soft opt-in for existing customers.
Comparison to GDPR Article 6(1)(f). The Singapore legitimate interests exception is modelled on GDPR Article 6(1)(f) but imposes higher process requirements. Key differences include:
- Mandatory ex ante assessment: GDPR Article 6(1)(f) requires a balancing test but does not prescribe the format or content of the assessment; regulation 15 of the Singapore Regulations mandates specific written documentation and retention. The PDPC has stated that this difference reflects Parliament's intent to impose "strict process safeguards to foreclose potential abuse" (2020 Second Reading speech by Minister S Iswaran).
- Prescribed mitigation measures: Regulation 15(c) requires the organisation to implement and document reasonable measures to eliminate, reduce, or mitigate adverse effects. GDPR Article 6(1)(f) permits the controller to weigh unmitigated adverse effects against the legitimate interest; Singapore does not — the proportionality balancing under regulation 15(d) is applied after mitigation measures have been implemented.
- Transparency obligation: Paragraph 1(f) of Part 1 requires "reasonable access to information" about reliance on the exception; GDPR Article 13/14 transparency obligations apply regardless of the lawful basis. Singapore's rule is additive to the baseline section 20 notification obligation.
- Direct marketing prohibition: Singapore categorically excludes direct marketing from the legitimate interests exception; GDPR Recital 47 suggests legitimate interests "could" be relied on for direct marketing to existing customers, though the Article 29 Working Party (now EDPB) has been sceptical. Singapore has eliminated the ambiguity by statute.
First enforcement decision: food security contractor (2022). The first published PDPC decision applying the legitimate interests exception involved a food security contractor that collected photographs of suppliers' government-issued identification documents to implement enhanced access controls to high-risk food storage areas following a series of food contamination incidents. The PDPC accepted that the organisation had a legitimate interest in deterring food security incidents and that the collection promoted that interest. The PDPC further accepted that the organisation had conducted the regulation 15 assessment, identified the adverse effects (risk of unauthorised access to identity documents), implemented mitigation measures (encrypted storage, role-based access controls, audit logs, 30-day retention limit), and documented the proportionality conclusion. The PDPC found that the organisation had properly relied on the exception and did not impose a financial penalty for the collection. However, the PDPC also found that the organisation had failed to notify the suppliers that it was relying on the legitimate interests exception (as required by paragraph 1(f)), and issued a warning for breach of the transparency obligation.
Interaction with other PDPA obligations. The legitimate interests exception permits collection, use, or disclosure without consent, but the organisation remains subject to all other PDPA obligations, including the purpose limitation obligation (section 18 — data collected under the exception for one purpose may not be used or disclosed for a different purpose unless the new purpose falls within another consent exception or is reasonable and expected by the individual), the notification obligation (section 20 — the individual must be notified of the purpose on or before collection, plus the paragraph 1(f) transparency obligation), the accuracy obligation (section 23), the protection obligation (section 24 — reasonable security arrangements), the retention limitation obligation (section 25 — data must be destroyed or anonymised when no longer needed for the purpose or when retention is no longer required by law), and the transfer limitation obligation (section 26 — cross-border transfers require comparable protection). The legitimate interests exception is a lawful basis for the initial collection, use, or disclosure, not a blanket exemption from downstream accountability obligations.
Source: Personal Data Protection Act 2012, First Schedule Part 1; Personal Data Protection Regulations 2021, regulation 15; PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 17 May 2022), paragraphs 12.31–12.58 and Annex C.
Notification of purposes — section 20 timing, content, and form requirements
Section 20 of Singapore's Personal Data Protection Act 2012 (PDPA) imposes a notification obligation that requires an organisation to inform an individual of the purposes for which the organisation intends to collect, use, or disclose the individual's personal data on or before such collection, use, or disclosure occurs. This obligation applies regardless of the lawful basis for processing: an organisation must notify purposes whether it relies on consent (sections 13–16), a statutory exception (section 17 and the First or Second Schedule), or deemed consent by notification (section 15A). The notification obligation is a foundational requirement that precedes and enables consent — an individual cannot meaningfully consent to processing if the individual does not know the purposes for which the data will be used.
Statutory requirements: section 20(1) and (4). Section 20(1) requires an organisation to inform the individual of three matters when collecting personal data:
- (a) Purposes for collection, use, or disclosure — the purposes for which the organisation intends to collect, use, or disclose the individual's personal data, stated on or before the personal data is collected.
- (b) New purposes for use or disclosure — any purpose for the use or disclosure of personal data that has not been previously notified under paragraph (a), stated before such use or disclosure for the new purpose.
- (c) Business contact information — on request by the individual, the business contact details of a person who is able to answer, on behalf of the organisation, any question that the individual has relating to the collection, use, or disclosure of the individual's personal data by the organisation.
Section 20(4) extends the notification requirement to uses and disclosures of previously collected personal data: if an organisation intends to use or disclose personal data that it already holds for a purpose not previously notified, the organisation must inform the individual of the new purpose before the new use or disclosure occurs. This prevents organisations from repurposing data without transparency.
Timing: on or before collection, use, or disclosure. The PDPC's Advisory Guidelines on Key Concepts in the PDPA (revised 17 May 2022, paragraphs 14.7–14.9) clarify that "on or before" means the individual must receive the notification at a point in time when the individual can still decide whether to provide the personal data (if consent is the lawful basis) or, at minimum, be aware of the purposes before the data is processed. Acceptable timing scenarios include:
- At the point of collection: a web form displays the purposes in a privacy notice immediately above the "Submit" button; an individual signing a contract is handed a data-protection notice as part of the contract documents; a retail customer is informed verbally by a sales representative of the purposes for which the customer's contact details will be used.
- Before collection: an organisation mails a privacy notice to individuals before conducting a survey; a mobile app displays a pop-up notification of purposes when the app is first launched, before any data is collected.
- Embedded in the interaction: an organisation collecting personal data by telephone informs the individual of the purposes during the call, before the individual provides the data.
Notification after collection does not satisfy section 20, even if the organisation obtains consent retroactively: the obligation is assessed at the moment the individual decides whether to provide the data. Consider a property agent who collects prospective buyers' contact details at an open house and only emails a privacy policy several days later. At the time the buyers handed over their data they had no opportunity to know the purposes, so the later notice cannot cure the breach, and a consent obtained afterwards is not consent to purposes the individuals knew of when the data was given.
Form and manner: flexibility with accessibility. Section 20 does not prescribe the form or medium of the notification. The PDPC's Key Concepts Guidelines (paragraphs 14.10–14.15) state that an organisation may notify purposes orally, in writing (on paper or electronically), via a website privacy policy, via a mobile-app pop-up, via signage, or via any other method that effectively communicates the purposes to the individual in the circumstances. The test is whether a reasonable person in the individual's position would have had a realistic opportunity to be aware of the purposes before providing the data. Factors the PDPC considers when assessing compliance include:
- Accessibility: Is the privacy notice accessible to the individual at the relevant time? A hyperlink to a privacy policy satisfies the notification obligation only if the link is prominently displayed at or before the point of collection and the individual can reasonably be expected to see it. A privacy policy buried in a footer link on a different page of a website, with no reference to it on the data-collection form, does not satisfy section 20.
- Clarity and prominence: Is the notification presented in a manner that draws the individual's attention to the purposes? The PDPC has endorsed the use of layered notices: a short, prominent summary of the key purposes at the point of collection, with a link to a full privacy policy for additional details. For example, a web form might state "We collect your email address to send you order confirmations and promotional offers. [Read our full privacy policy here]." The short summary satisfies section 20; the full policy provides additional transparency.
- Language and readability: Is the notification stated in language that the individual can reasonably be expected to understand? The PDPC's Key Concepts Guidelines (paragraph 14.18) recommend that organisations avoid overly technical or legalistic language and tailor the notification to the expected audience. For services targeted at Mandarin-speaking customers, the organisation should consider providing the notice in Mandarin in addition to or instead of English.
The PDPC has expressly rejected the practice of relying solely on post-collection privacy policies, such as a policy emailed to an individual after the individual has already submitted a physical form at a sales gallery. Whatever the medium, the question is whether the individual had meaningful notice of the purposes at the time of filling out the form; a notice that arrives days later fails the "on or before" requirement regardless of how thorough its content is.
Content: specificity of purposes. The PDPC's Key Concepts Guidelines (paragraphs 14.19–14.27) emphasise that the purposes stated in the notification must be sufficiently specific to inform the individual of the organisation's actual intended uses. The test is whether a reasonable person in the individual's position would understand, from the stated purposes, what the organisation intends to do with the personal data. Acceptable and unacceptable formulations include:
- Acceptable: "We collect your telephone number to send you appointment reminders via SMS and to contact you if we need to reschedule your appointment." This is specific and describes the organisation's actual use.
- Acceptable: "We collect your residential address to deliver purchased goods to your home and to verify your identity for anti-fraud purposes." Two distinct purposes, both stated specifically.
- Unacceptable: "We collect your personal data for business purposes." This is vague and does not inform the individual of any specific use.
- Unacceptable: "We collect your personal data to provide you with services and for marketing." The "services" formulation is overly broad; the individual cannot tell which services or what types of marketing. The PDPC has stated in the Key Concepts Guidelines (paragraph 14.24) that organisations must specify the nature of the services (e.g., "to process your loan application," "to manage your gym membership") and the nature of marketing (e.g., "to send you promotional offers for our products by email," "to share your contact details with our affiliated companies for their marketing purposes").
The PDPC has also clarified that stating purposes at a high level of generality (such as "for our legitimate business interests" or "to comply with legal obligations") does not satisfy section 20 unless the organisation elaborates on what those interests or obligations are. A healthcare provider whose privacy policy states only that patient data is used "for healthcare operations and to comply with legal requirements" would fall short; the same policy becomes adequate if it goes on to give examples of healthcare operations (clinical care, billing, appointment scheduling, quality improvement) and of legal requirements (reporting notifiable infectious diseases to the Ministry of Health, responding to court orders). It is the combination of the general statement and the specific examples that satisfies section 20.
Disclosure to third parties: section 20(1)(a) notification requirement. When an organisation intends to disclose an individual's personal data to a third party, the organisation must notify the individual of that disclosure purpose on or before collection. The PDPC's Key Concepts Guidelines (paragraph 14.26) state that the notification should identify the class of third parties (e.g., "payment processors," "courier companies," "affiliated companies in our corporate group," "government agencies as required by law") and the purpose of the disclosure (e.g., "to process your credit card payment," "to deliver your purchased goods," "to offer you products and services from our affiliates," "to comply with tax reporting requirements"). The organisation is not required to name every specific third party in the notification, but the individual must have a reasonable understanding of the types of entities that will receive the data and why.
Consider a food-delivery platform that collects customers' name, telephone number, and delivery address and discloses them to restaurant partners and delivery riders under a privacy policy stating that customer data is "shared with our partners to fulfil your orders." That wording is sufficiently specific: a reasonable customer would understand that "partners" in this context means the restaurant preparing the food and the rider delivering it, and the purpose ("to fulfil your orders") is clear and appropriate. Had the policy said only "we may share your data with third parties," without identifying the class of recipients or the purpose, the notification would be inadequate.
Cross-border transfers: additional notification under section 26. When an organisation intends to transfer personal data outside Singapore, the organisation must comply with section 26 (the transfer limitation obligation) in addition to section 20. Section 26(2) requires the organisation to take reasonable steps to ensure that the foreign recipient provides a standard of protection to the personal data that is comparable to the protection under the PDPA. The PDPC's Advisory Guidelines on the Transfer Limitation Obligation (revised 9 September 2021, paragraph 9.6) recommend that organisations notify individuals, as part of the section 20 notification, when the data will be transferred overseas and to which countries or regions. While section 20 does not expressly require this additional detail, the PDPC has stated in enforcement decisions that failing to notify individuals of overseas transfers can breach section 20 if the individual would reasonably expect the data to remain in Singapore and the overseas transfer is material to the individual's decision whether to provide the data. For example, an organisation collecting health data from Singapore residents for storage and processing in a data center in the United States should notify individuals that the data will be transferred to and stored in the US, and should explain what safeguards (such as contractual protections or reliance on APEC CBPR certification) are in place to protect the data.
Interaction with consent (sections 13–15). Section 20 and the consent obligation (section 13) are separate but interdependent requirements. To obtain valid consent under section 14, an organisation must ensure that the individual's consent is based on an understanding of the purposes for which the data will be used; section 20 requires the organisation to provide that understanding by notifying the purposes on or before collection. The PDPC's Key Concepts Guidelines (paragraphs 11.18–11.20) explain that an organisation cannot satisfy the consent obligation if it has not first satisfied the notification obligation — consent without notification is not meaningful consent. Conversely, satisfying the notification obligation does not automatically mean that consent has been obtained; the organisation must still ensure that the individual has voluntarily provided the data for the notified purposes (express or implied consent under section 14) or that the individual is deemed to have consented (section 15 or 15A) or that the organisation is relying on a statutory exception (section 17).
Interaction with statutory exceptions (section 17 and the Schedules). When an organisation relies on a statutory exception to collect, use, or disclose personal data without consent, the organisation remains subject to the notification obligation under section 20. For example, if an organisation relies on the legitimate interests exception (First Schedule, Part 1, paragraph 1(e)), the organisation must notify the individual of the purposes for the collection, use, or disclosure on or before the processing occurs. In addition, paragraph 1(f) of Part 1 of the First Schedule imposes an additional transparency obligation specific to the legitimate interests exception: the organisation must provide the individual with "reasonable access to information" about the fact that the organisation is relying on the exception, the legitimate interest being pursued, and the adverse-effects assessment conducted. The PDPC has stated in the Key Concepts Guidelines (paragraph 12.45) that this additional transparency requirement should be satisfied by including a statement in the section 20 notification or in the privacy policy, informing the individual that the organisation is relying on the legitimate interests exception and where to find further details about the assessment.
Similarly, if an organisation relies on the business improvement exception (First Schedule, Part 2, paragraph 1) or the research exception (First Schedule, Part 3, paragraph 1), the organisation must notify the individual of the purposes under section 20 even though consent is not required. The PDPC's Advisory Guidelines on the Personal Data Protection (Amendment) Act 2020 (published 1 February 2021, paragraph 5.18) clarify that section 20 applies to all processing, whether consent-based or exception-based, unless a specific provision in the PDPA expressly exempts the organisation from the notification obligation (for example, section 20(3) provides limited exceptions when notification is not reasonably practicable, such as when the data is collected from a public source and the individual would not reasonably expect notification).
Exceptions to the notification obligation: section 20(3) and (5). Section 20(3) provides that the notification obligation does not apply if:
- (a) The individual has, or would reasonably be expected to have, knowledge of the purposes for which the personal data is collected, used, or disclosed (for example, a customer who gives a courier a delivery address for a parcel would reasonably expect the address to be used to deliver that parcel, even without a separate privacy notice).
- (b) Providing the notification would defeat the purpose for which the personal data is collected (for example, an organisation collecting data to investigate suspected fraud against it; notifying the suspected individual of the purpose would undermine the investigation).
- (c) The personal data is collected, used, or disclosed without the knowledge or consent of the individual under an exception in the Second Schedule (for example, data collected under a legal compulsion or for an investigation).
Section 20(5) also provides that the notification obligation does not apply when the organisation collects personal data from a source other than the individual and either (a) the organisation does not use or disclose the personal data in a form that identifies the individual, or (b) the organisation does not have contact information for the individual and it is not reasonably practicable to notify the individual. The PDPC has emphasised in the Key Concepts Guidelines (paragraph 14.33) that organisations should not rely on section 20(5) as a blanket exemption; the exception is narrow and applies only when direct notification is genuinely impracticable, not merely inconvenient.
Enforcement: penalties for breach of section 20. Breach of the notification obligation is a breach of the PDPA's data protection provisions and may attract a financial penalty under section 48J of the PDPA (as amended in 2020): up to SGD 1 million or, for breaches on or after 1 October 2022 by an organisation whose annual turnover in Singapore exceeds SGD 10 million, up to 10% of that turnover if higher. The PDPC's enforcement approach, set out in its Guide to Active Enforcement (revised April 2021), is to assess penalties based on the harm caused, the number of individuals affected, whether the breach was systemic or isolated, whether the organisation had policies and training in place, and whether the organisation took prompt remedial action. In practice, financial penalties for notification-obligation breaches have ranged from SGD 3,000 to SGD 10,000 for small-scale breaches involving dozens or hundreds of individuals, to SGD 30,000 or more for large-scale or egregious breaches involving thousands of individuals or breaches that also implicated other PDPA obligations (such as failure to obtain consent or failure to implement reasonable security).
Comparison to GDPR transparency obligations (Articles 13 and 14). Singapore's section 20 notification obligation shares the same underlying policy goal as GDPR Articles 13 and 14 (transparency about processing), but differs in scope and detail. Key differences include:
- Prescribed content: GDPR Articles 13(1) and 14(1) prescribe a detailed list of information that must be provided to data subjects (identity of the controller, contact details of the DPO, purposes, lawful basis, legitimate interests, recipients, retention periods, data subject rights, right to lodge a complaint, whether provision of data is statutory or contractual, existence of automated decision-making). Section 20 of the PDPA requires only the purposes, any new purposes, and business contact information; it does not mandate disclosure of the lawful basis, retention periods, or data subject rights. The PDPC's position is that organisations should voluntarily provide this additional information as a matter of good practice and accountability (see section 12 of the PDPA, which requires organisations to develop policies and practices necessary to comply with the PDPA), but section 20 does not make it a legal requirement.
- Timing for indirect collection: GDPR Article 14(3) requires notification within a reasonable period (not more than one month) after obtaining the data, or at the time of first communication with the data subject. Singapore's section 20(4) and (5) apply when data is collected from a third-party source, but the timing obligation is tied to the point of use or disclosure, not a fixed period after collection.
- Exceptions: GDPR Article 23 permits Union or Member State law to restrict the transparency obligations for purposes such as national security, defence, public security, and the prevention of crime, and Article 14(5) exempts indirect collection where the data subject already has the information or where providing it is impossible or would involve disproportionate effort. Singapore's section 20(3)(b) and the Second Schedule exceptions serve a similar function but are more narrowly scoped to specific investigative and legal-compulsion scenarios.
Source: Personal Data Protection Act 2012, section 20; PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 17 May 2022), Chapter 14
Deemed consent by notification — section 15A opt-out mechanism and regulation 14 assessment requirements
Section 15A of Singapore's Personal Data Protection Act 2012 (PDPA), effective 1 February 2021, introduced a deemed consent by notification mechanism that permits an organisation to repurpose personal data it already holds for a new purpose by notifying the individual and deeming consent if the individual does not opt out within a specified period. This is a procedural alternative to obtaining fresh express or implied consent (sections 14 and 15) and is particularly useful when an organisation wishes to use existing data for secondary purposes that differ from the original collection purpose and cannot rely on a statutory exception under section 17 or the First and Second Schedules.
Section 15A is a balancing mechanism that trades convenience for the organisation (no need to obtain fresh affirmative consent) against enhanced individual autonomy (the individual retains the right to opt out and the organisation must conduct a mandatory assessment of adverse effects before relying on the mechanism). The Personal Data Protection Commission (PDPC) has emphasised in its Advisory Guidelines on Key Concepts (revised 17 May 2022, paragraph 12.23) that deemed consent by notification is not a blanket permission to repurpose data — the organisation must satisfy strict procedural safeguards and substantive assessment requirements prescribed by regulation 14 of the Personal Data Protection Regulations 2021 before relying on the mechanism.
Statutory framework: section 15A(1)–(4). Section 15A(1) provides that the mechanism applies to the collection, use, or disclosure of personal data on or after 1 February 2021. Section 15A(2) establishes the core rule: an individual is deemed to consent to the collection, use, or disclosure of personal data if (a) the organisation satisfies the notification and process requirements in section 15A(4), and (b) the individual does not notify the organisation, before the expiry of the opt-out period specified in the notification, that the individual does not consent to the proposed processing.
Section 15A(4) prescribes four mandatory requirements that the organisation must satisfy before relying on deemed consent by notification:
- (a) Assessment of adverse effects: the organisation must assess the effect of the proposed collection, use, or disclosure on the individual in accordance with regulation 14 of the Personal Data Protection Regulations 2021. This assessment must identify every probable adverse effect on the individual, implement measures to eliminate, reduce the likelihood of, or mitigate those adverse effects, and demonstrate that any residual adverse effect is reasonable in the circumstances (regulation 14(2)).
- (b) Notification to the individual: the organisation must notify the individual in writing (which includes electronic notification) of the proposed collection, use, or disclosure of the individual's personal data, the purpose of the proposed processing, the assessment conducted under regulation 14, and reasonable access to information about the organisation's assessment. The notification must be provided to the individual in a manner that ensures the individual has a realistic opportunity to read and understand it before the opt-out period expires (PDPC Key Concepts Guidelines, paragraph 12.31).
- (c) Opt-out period: the organisation must specify in the notification a reasonable period during which the individual may notify the organisation that the individual does not consent to the proposed processing. Section 15A(4)(b)(iii) requires that the period be reasonable, but does not prescribe a minimum or maximum duration. The PDPC's Key Concepts Guidelines (paragraph 12.38) state that what is reasonable depends on the nature and sensitivity of the personal data, the nature of the proposed new purpose, the adverse effects identified in the assessment, and the practical ability of the individual to opt out. The PDPC has indicated that in most cases, a period of at least 14 days is appropriate, though longer periods (21 or 30 days) should be considered for sensitive personal data or high-risk processing. A period shorter than 14 days may be reasonable only in exceptional circumstances where the organisation can demonstrate that a shorter period is sufficient for the individual to make an informed decision.
- (d) Contact information: the organisation must provide the individual with the business contact details of a person who is able to answer the individual's questions about the proposed collection, use, or disclosure. This is the same transparency requirement as section 20(1)(c) for the baseline notification obligation, and is intended to enable the individual to seek clarification or additional information before deciding whether to opt out.
Excluded purposes: section 15A(3) and regulation 13. Section 15A(3) provides that deemed consent by notification does not apply to the collection, use, or disclosure of personal data for any purpose prescribed in the regulations. Regulation 13 of the Personal Data Protection Regulations 2021 prescribes two excluded purposes:
- Sending marketing messages to Singapore telephone numbers listed on the Do Not Call (DNC) Registry (regulation 13(a)). The PDPC has clarified that organisations cannot rely on deemed consent by notification to send direct marketing messages to individuals who have registered on the DNC Registry; such messages require express consent or must fall within one of the narrow exceptions in Part IX of the PDPA (such as an ongoing relationship exception). This exclusion reflects Parliament's intent to preserve the DNC regime as a consent-based framework and to prevent organisations from using deemed consent to circumvent individuals' marketing preferences.
- Any purpose where the individual has previously withdrawn consent for that purpose (regulation 13(b)). If an individual has previously given consent (express, implied, or deemed) for a particular purpose and has subsequently withdrawn that consent under section 16 of the PDPA, the organisation cannot rely on deemed consent by notification to re-establish consent for the same purpose. The PDPC's rationale, set out in the Key Concepts Guidelines (paragraph 12.25), is that permitting deemed consent after a withdrawal would undermine the individual's autonomy and the efficacy of the withdrawal right under section 16. The organisation must obtain fresh express or implied consent if it wishes to resume processing for a purpose for which the individual has withdrawn consent.
Regulation 14 assessment framework: adverse-effects analysis and mitigation. Regulation 14 of the Personal Data Protection Regulations 2021, titled "Assessment of effect of proposed collection, use or disclosure of personal data for purposes of section 15A of Act," prescribes the specific information that the organisation's assessment must include. Regulation 14(2) requires the organisation to:
- (a) Identify every probable adverse effect on the individual arising from the proposed collection, use, or disclosure of the individual's personal data. Regulation 14(3) provides a non-exhaustive list of adverse effects that the organisation must consider, including: unauthorised access to, use, disclosure, copying, modification, or disposal of the personal data; loss of the individual's autonomy or control over the personal data; and any other effect that would be considered adverse by a reasonable person in the individual's position. The PDPC's Key Concepts Guidelines (paragraph 12.30) state that organisations should assess both the likelihood and the severity of each adverse effect, considering factors such as the sensitivity of the personal data (for example, health data, financial data, children's data), the nature of the proposed new purpose (for example, profiling, sharing with third parties, cross-border transfers), and the existing security and access controls in place.
- (b) Implement reasonable measures to eliminate the adverse effect, reduce the likelihood that the adverse effect will occur, or mitigate the adverse effect. Regulation 14(4) provides a non-exhaustive list of acceptable measures, including: using anonymised or pseudonymised data when individually identifiable data is not necessary for the proposed purpose; implementing technical and organisational safeguards (such as encryption, access controls, audit logs, or role-based permissions); limiting the retention period for the personal data to the minimum necessary for the new purpose; limiting the scope of personal data collected, used, or disclosed to the minimum necessary; and providing additional transparency to the individual (such as enhanced privacy notices or periodic reminders of the individual's right to opt out).
- (c) Demonstrate that any residual adverse effect (the adverse effect remaining after mitigation measures have been implemented) is reasonable in the circumstances. Regulation 14(5) states that in determining whether the residual adverse effect is reasonable, the organisation must consider: the legitimate interests of the organisation and any other person in the proposed collection, use, or disclosure; the benefit of the proposed processing to the organisation, another person, or the individual; the nature and sensitivity of the personal data; the reasonable expectations of the individual; and the measures implemented under regulation 14(4).
The PDPC has published an Assessment Checklist for Deemed Consent by Notification (Annex B to the Advisory Guidelines on Key Concepts, published 1 February 2021) that provides a step-by-step template for organisations to document the regulation 14 assessment. The Checklist includes prompts for: identifying the data categories and individuals affected; describing the original purpose for which the data was collected and the new secondary purpose; identifying the probable adverse effects and rating their likelihood and severity; documenting the mitigation measures implemented and explaining how they eliminate, reduce, or mitigate each adverse effect; assessing the residual adverse effect and demonstrating that it is reasonable; and recording the decision whether to proceed with relying on deemed consent by notification. The PDPC has indicated in public statements (including the parliamentary debates on the 2020 Amendment Bill) that the Checklist is not mandatory but represents best practice and will be reviewed by PDPC enforcement officers when investigating complaints or conducting audits.
Notification content and form: transparency and accessibility. Section 15A(4)(b) requires the organisation to notify the individual in writing of the proposed processing and the regulation 14 assessment. The PDPC's Key Concepts Guidelines (paragraphs 12.31–12.37) clarify that the notification must include the following information:
- Identification of the personal data: a description of the categories of personal data that will be collected, used, or disclosed (for example, "your name, email address, and purchase history").
- The new purpose: a specific statement of the purpose for which the organisation intends to use or disclose the data, stated clearly enough that a reasonable person in the individual's position would understand what the organisation intends to do (for example, "to analyse your purchasing patterns and send you personalised product recommendations," or "to share your contact details with our affiliated companies so they can send you promotional offers for their products").
- The original purpose: a statement of the purpose for which the data was originally collected, to enable the individual to understand that this is a new use (for example, "We originally collected your email address to send you order confirmations; we now wish to use it to send you marketing offers").
- Summary of the adverse-effects assessment: a description of the adverse effects identified in the regulation 14 assessment, the measures the organisation has implemented to mitigate those effects, and the organisation's conclusion that the residual adverse effect is reasonable. The PDPC has stated that this summary need not reproduce the entire regulation 14 assessment in detail, but must give the individual a meaningful understanding of the risks and safeguards. For example: "We have identified that sharing your contact details with our affiliated companies may result in you receiving marketing messages from third parties. To mitigate this risk, we will only share your data with companies in our corporate group that have agreed to comply with our data-protection standards, and you will be able to opt out of receiving marketing messages from each affiliate individually."
- The opt-out mechanism: clear instructions on how the individual can notify the organisation that the individual does not consent, including the contact method (email address, postal address, online opt-out form, telephone number), the information the individual must provide in the opt-out notice (such as name and account number to enable the organisation to identify the individual), and the deadline by which the opt-out notice must be received (the expiry of the reasonable period specified in section 15A(4)(b)(iii)).
- Business contact information: the contact details of a person who can answer questions about the proposed processing, as required by section 15A(4)(d).
The notification may be provided in any written form that is accessible to the individual in the circumstances. Acceptable methods include email, SMS, postal mail, in-app notification, a pop-up on a website or mobile application when the individual next logs in, or a notice displayed prominently in the organisation's premises (if the individual is expected to visit the premises). The PDPC has stated in the Key Concepts Guidelines (paragraph 12.34) that the organisation should tailor the notification method to the individual's expected mode of interaction with the organisation. For example, an organisation that primarily interacts with customers via a mobile app should provide the notification via an in-app message or push notification; an organisation that primarily interacts with customers via postal mail (such as a utility company or a bank) may provide the notification via a letter mailed to the individual's registered address.
The PDPC has also clarified (paragraph 12.35) that the notification must be presented in a manner that draws the individual's attention to the fact that the organisation is proposing to use the individual's data for a new purpose and that the individual has the right to opt out. A layered notice is permissible: a short, prominent summary of the key facts (the new purpose, the opt-out right, the deadline) presented at the point of first contact, with a link to a full privacy notice containing the detailed regulation 14 assessment summary and contact information. However, the short summary must be sufficient to alert a reasonable person that the organisation is seeking deemed consent and that action is required if the individual wishes to opt out.
Opt-out procedure: individual's right to refuse deemed consent. Section 15A(2)(b) provides that deemed consent arises only if the individual does not notify the organisation that the individual does not consent before the expiry of the opt-out period. The individual's right to opt out is absolute — the individual does not need to provide a reason for opting out, and the organisation cannot impose conditions on the exercise of the opt-out right. The PDPC's Key Concepts Guidelines (paragraph 12.40) state that the organisation must make the opt-out process as easy and accessible as the original data-collection process. If the organisation collected the data via an online form, the organisation should provide an online opt-out mechanism (such as a clickable link in the notification email that takes the individual to an opt-out form). If the organisation collected the data via a paper form, the organisation should accept opt-out notices submitted by postal mail or at a physical counter.
The organisation must process opt-out notices promptly and must not collect, use, or disclose the individual's personal data for the proposed new purpose if the individual has opted out. The PDPC has stated in enforcement decisions (notably Re Institute of Mental Health [2025] SGPDPC 1, a decision involving deemed consent by notification in a healthcare context) that an organisation that proceeds with the proposed processing after receiving an opt-out notice is in breach of the consent obligation under section 13 of the PDPA and may face a financial penalty.
If the individual does not opt out within the specified period, the individual is deemed to have consented to the proposed processing, and the organisation may proceed with the collection, use, or disclosure for the new purpose. However, the individual retains the right to withdraw consent at any time under section 16 of the PDPA by giving reasonable notice in writing to the organisation. The PDPC's Key Concepts Guidelines (paragraph 12.43) clarify that deemed consent under section 15A is subject to the same withdrawal right as express or implied consent under sections 14 and 15, and the organisation must inform the individual (in the section 15A notification or in the organisation's privacy policy) of the individual's right to withdraw consent in the future.
Documentation and retention: accountability obligation. Although section 15A does not expressly require the organisation to retain documentation of the regulation 14 assessment, the PDPC has stated in the Key Concepts Guidelines (paragraph 12.44) and in enforcement guidance that organisations should retain the assessment and the notification for the period during which the personal data is processed under the deemed consent plus a reasonable period thereafter (typically 12 to 24 months) to demonstrate compliance with section 15A if the PDPC requests the documentation during an investigation or audit. The accountability obligation under section 12 of the PDPA requires organisations to develop and implement policies and practices necessary to comply with the PDPA, and the PDPC interprets this to include maintaining a documented record of deemed-consent assessments and the individuals to whom notifications were sent.
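The section 15A lifecycle described above (complete notification, opt-out period, refusal before or after the deadline, section 16 withdrawal, and the accountability log) as an added Python illustration; this is not PDPC or project code, and the customer ids, purposes, dates, contact addresses and the 14-day opt-out period are constructed assumptions.

```python
"""Section 15A deemed-consent-by-notification lifecycle.

Added illustration, not PDPC or project code. The individual ids, purposes,
dates and the 14-day opt-out period are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Elements every section 15A(4) notification must carry (see the list above).
REQUIRED_NOTICE_FIELDS = (
    "new_purpose", "original_purpose", "assessment_summary",
    "opt_out_instructions", "contact",
)


@dataclass
class Notification:
    new_purpose: str
    original_purpose: str
    assessment_summary: str    # summary of the regulation 14 assessment
    opt_out_instructions: str  # how, where and by when to opt out
    contact: str               # business contact information, s15A(4)(d)


@dataclass
class DeemedConsentRecord:
    individual_id: str
    notice: Notification
    notified_at: datetime
    opt_out_deadline: datetime
    opt_out_at: Optional[datetime] = None    # refusal received before deadline
    withdrawn_at: Optional[datetime] = None  # section 16 withdrawal afterwards
    log: List[Tuple[datetime, str]] = field(default_factory=list)  # s12 record


def validate_notice(notice: Notification) -> List[str]:
    """Names of required notification elements that are missing or empty."""
    return [f for f in REQUIRED_NOTICE_FIELDS if not getattr(notice, f).strip()]


def issue_notification(individual_id: str, notice: Notification,
                       sent_at: datetime, opt_out_days: int = 14) -> DeemedConsentRecord:
    """Send the notice and start the opt-out period; refuse incomplete notices."""
    missing = validate_notice(notice)
    if missing:
        raise ValueError(f"notification incomplete, missing: {missing}")
    rec = DeemedConsentRecord(individual_id, notice, sent_at,
                              sent_at + timedelta(days=opt_out_days))
    rec.log.append((sent_at, "notified"))
    return rec


def receive_refusal(rec: DeemedConsentRecord, received_at: datetime) -> str:
    """Handle an 'I do not consent' message; no reason is required either way.

    Before the deadline it is an opt-out and deemed consent never arises.
    After the deadline deemed consent has already arisen, so the message is
    treated as a section 16 withdrawal taking effect from receipt.
    """
    if received_at <= rec.opt_out_deadline:
        rec.opt_out_at = received_at
        rec.log.append((received_at, "opt-out"))
        return "opted_out"
    rec.withdrawn_at = received_at
    rec.log.append((received_at, "withdrawn"))
    return "withdrawn"


def may_process_for_new_purpose(rec: DeemedConsentRecord, at: datetime) -> bool:
    """True only while section 15A deemed consent is in force at time `at`."""
    if rec.opt_out_at is not None:
        return False  # processing after an opt-out breaches section 13
    if at <= rec.opt_out_deadline:
        return False  # opt-out period still running; nothing is deemed yet
    if rec.withdrawn_at is not None and at >= rec.withdrawn_at:
        return False  # consent withdrawn under section 16
    return True


def demo() -> dict:
    """Constructed scenario: customer A withdraws late, customer B opts out early."""
    notice = Notification(
        new_purpose="to send you marketing offers from our affiliated companies",
        original_purpose="we collected your email address to send order confirmations",
        assessment_summary="risk: unsolicited marketing; mitigated by per-affiliate opt-out",
        opt_out_instructions="email optout@example.com (constructed) with your account "
                             "number before the deadline",
        contact="dpo@example.com (constructed)",
    )
    t0 = datetime(2025, 6, 1)
    a = issue_notification("cust-A", notice, t0)
    b = issue_notification("cust-B", notice, t0)
    return {
        "a_day3": may_process_for_new_purpose(a, t0 + timedelta(days=3)),
        "a_day15": may_process_for_new_purpose(a, t0 + timedelta(days=15)),
        "a_late_refusal": receive_refusal(a, t0 + timedelta(days=20)),
        "a_day21": may_process_for_new_purpose(a, t0 + timedelta(days=21)),
        "b_early_refusal": receive_refusal(b, t0 + timedelta(days=5)),
        "b_day30": may_process_for_new_purpose(b, t0 + timedelta(days=30)),
        "b_log": [event for _, event in b.log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```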
**First published enforcement decision: Re Institute of Mental Health [2025] SGPDPC 1.** On 21 May 2025, the PDPC published its first enforcement decision applying section 15A. The case involved the Institute of Mental Health (IMH), a public healthcare institution that had originally collected patients' personal data for medical treatment purposes and subsequently wished to use the data for a secondary purpose: recruiting patients to participate in a research study on mental health outcomes. IMH displayed a notification at its registration counters informing patients that their data might be used to contact them for research participation, and that patients who did not wish to be contacted should notify the registration staff.
The PDPC found that IMH had properly relied on deemed consent by notification for the recruitment purpose. IMH had conducted a regulation 14 assessment identifying the adverse effects (unsolicited contact from researchers; privacy intrusion; potential distress if the research topic was sensitive), had implemented mitigation measures (limiting the categories of data disclosed to researchers to contact details only; requiring researchers to obtain separate express consent before enrolling patients in any study; implementing access controls to ensure that only authorised research staff could access the contact list), and had assessed that the residual adverse effect was reasonable given the public-interest value of the research and the patients' reasonable expectations that a public healthcare institution would use their data for healthcare-related research.
The PDPC also found that IMH's notification process satisfied section 15A(4): the notification was displayed prominently at registration counters where patients would see it before providing their updated contact details; the notification stated the new purpose (research recruitment), the opt-out mechanism (verbal notification to the registration staff), and the contact person for questions (the IMH data protection officer); and the opt-out period was immediate (patients could opt out at the point of registration), which the PDPC accepted as reasonable in the circumstances because the notification was provided at the moment of data collection and patients had a realistic opportunity to read and understand it before deciding whether to opt out.
The complainant in the case had argued that IMH should have obtained express affirmative consent (such as a checkbox on the registration form) rather than relying on deemed consent by notification. The PDPC rejected this argument, holding that section 15A permits deemed consent by notification when the statutory requirements are satisfied, and that Parliament had deliberately introduced the mechanism as an alternative to express consent in order to reduce the administrative burden on organisations and individuals while preserving individual autonomy through the opt-out right. The PDPC emphasised, however, that deemed consent by notification is not appropriate for all purposes — organisations should consider the sensitivity of the data, the nature of the new purpose, and the expectations of individuals when deciding whether to rely on the mechanism or to seek express consent instead.
Comparison to other deemed-consent mechanisms under the PDPA. Section 15A deemed consent by notification is one of three forms of deemed consent under the PDPA:
- Section 15 deemed consent by conduct (section 15(1)(a)): an individual is deemed to consent when the individual voluntarily provides personal data to the organisation for a purpose, and it is reasonable that the individual would do so in the circumstances. This is passive deemed consent — no notification or opt-out process is required — and is appropriate for routine, expected data collection (such as providing a delivery address when ordering goods online).
- Section 15 deemed consent by contractual necessity (section 15(1)(b)): an individual is deemed to consent when the individual, through an agent acting on the individual's behalf, enters into an agreement with the organisation under which the provision of the personal data is necessary for the performance of the agreement. This applies, for example, when an employer provides an employee's contact details to a payroll service provider; the employee is deemed to consent because the provision of the data is necessary for the employee to receive salary payments.
- Section 15A deemed consent by notification (section 15A(2)): an individual is deemed to consent when the organisation notifies the individual of a new purpose, conducts a regulation 14 assessment, provides an opt-out period, and the individual does not opt out. This is active deemed consent — the organisation must take affirmative steps to notify and assess — and is appropriate for secondary uses of data that the organisation already holds.
The PDPC has stated in the Key Concepts Guidelines (paragraph 12.24) that organisations should select the deemed-consent mechanism that is most appropriate to the circumstances. Section 15 deemed consent by conduct is appropriate for primary data collection when the individual is voluntarily providing the data and a reasonable person would expect the data to be used for the stated purpose. Section 15A deemed consent by notification is appropriate for secondary uses of data already held, when the organisation cannot rely on a statutory exception and wishes to avoid the burden of obtaining fresh express consent from every individual.
Interaction with statutory exceptions: when section 15A is not necessary. Organisations should assess whether they can rely on a statutory exception under section 17 and the First or Second Schedules before resorting to deemed consent by notification under section 15A. If the proposed new use falls within an exception — such as the legitimate interests exception (First Schedule, Part 1, paragraph 1(e)), the business improvement exception (First Schedule, Part 2, paragraph 1), or the research exception (First Schedule, Part 3, paragraph 1) — the organisation does not need consent (deemed or otherwise) and should rely on the exception instead. The PDPC's Key Concepts Guidelines (paragraph 12.26) note that deemed consent by notification is "particularly useful" when the organisation wishes to use existing data for secondary purposes and is unable to rely on any of the exceptions to consent. In practice, this means that section 15A is most commonly used for purposes such as cross-selling to existing customers (sharing customer data with affiliated companies to offer related products), targeted advertising (using purchase history or browsing behaviour to serve personalised ads), or sharing data with third-party service providers for purposes not strictly necessary for the original service (such as sharing customer contact details with a survey company to solicit feedback on products unrelated to the original purchase).
Source: Personal Data Protection Act 2012, section 15A; Personal Data Protection Regulations 2021, regulation 14; PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 17 May 2022), Chapter 12 paragraphs 12.23–12.44; Annex B: Assessment Checklist for Deemed Consent by Notification; Re Institute of Mental Health [2025] SGPDPC 1.
Express vs. implied consent — section 14 forms and the voluntary-provision test
Section 14 of Singapore's Personal Data Protection Act 2012 (PDPA) establishes that an individual may give consent to the collection, use, or disclosure of personal data in two forms: express consent or implied consent. Both forms are equally valid under the PDPA, and an organisation may rely on either form depending on the circumstances of the data collection, the sensitivity of the personal data, and the reasonable expectations of the individual. The Personal Data Protection Commission (PDPC) has emphasised in its Advisory Guidelines on Key Concepts (revised 17 May 2022, paragraphs 11.14–11.30) that the touchstone for both forms is the voluntary nature of the consent — the individual must have a meaningful choice whether to provide the personal data and must understand the purposes for which it will be used.
Section 14(1) requires that consent be given knowingly and voluntarily. The PDPC interprets "knowingly" to mean that the individual is aware of the purposes for which the data will be collected, used, or disclosed (which is why the notification obligation under section 20 must be satisfied on or before obtaining consent). "Voluntarily" means that the individual has a genuine choice in the matter and is not coerced, misled, or placed under duress. Consent is not voluntary if the organisation uses deceptive or misleading language, buries consent terms in fine print without drawing the individual's attention to them, or imposes unreasonable consequences on the individual for refusing consent (section 14(3), discussed below).
Express consent: affirmative action by the individual (section 14(2)). Express consent is consent that is clearly and explicitly communicated by the individual through an affirmative action. Section 14 does not define "express consent" by using that specific term, but the PDPC's Key Concepts Guidelines (paragraph 11.15) state that express consent is evidenced by the individual's words (written or oral) or by an affirmative act (such as ticking a checkbox, signing a consent form, clicking an "I agree" button, or responding "yes" to a verbal request for consent). The individual must take a positive step to indicate agreement; silence, pre-ticked boxes, or inactivity do not constitute express consent.
Acceptable forms of express consent identified by the PDPC include:
- Written consent: the individual signs a consent form, completes and submits a registration form that includes a consent statement, or responds to an email or letter by replying "I consent."
- Checkbox or radio-button consent: a web form or mobile app presents an unticked checkbox with a consent statement (for example, "I consent to Company ABC using my email address to send me promotional offers"), and the individual actively ticks the checkbox before submitting the form. Pre-ticked checkboxes do not constitute express consent; the individual must take the affirmative step of ticking the box.
- Click-through or click-wrap consent: the individual clicks a button labelled "I agree," "I accept," or "Submit" after being presented with the purposes for which the data will be used, provided that the individual has a realistic opportunity to review the purposes before clicking.
- Oral consent: the individual verbally states "yes" or "I consent" in response to a request for consent (for example, during a telephone conversation with a customer-service representative). The PDPC recommends that organisations record or document oral consent (such as by keeping a log of the date, time, and substance of the conversation, or by audio-recording the call with the individual's knowledge) to demonstrate compliance if a dispute arises.
The PDPC has stated in enforcement decisions (notably Re Singapore Turf Club [2017] SGPDPC 5) that the organisation bears the burden of proving that it obtained valid consent. An organisation that relies on express consent must be able to produce evidence — such as a signed consent form, a server log showing that the individual ticked a consent checkbox and clicked "Submit," or a recorded telephone conversation — demonstrating that the individual gave consent for the specific purposes in question. If the organisation cannot produce such evidence, the PDPC may find that consent was not validly obtained.
Implied consent: voluntary provision of data for an expected purpose (section 14(3)). Section 14(3) provides that consent may be implied when an individual voluntarily provides personal data to the organisation for a purpose, and it is reasonable in the circumstances that the individual would do so. This is a fact-specific inquiry that turns on whether a reasonable person in the individual's position would understand that providing the data carries with it an agreement to the organisation's use of the data for the stated purpose.
The PDPC's Key Concepts Guidelines (paragraphs 11.18–11.24) explain that implied consent arises from the individual's conduct rather than from explicit words or affirmative acts. The individual's action of providing the data — in the context of the circumstances, including the notification of purposes under section 20 — implies agreement to the collection, use, or disclosure for those purposes. Implied consent is appropriate when the purpose is obvious or reasonably expected by the individual, such that requiring an explicit "I consent" statement would be unnecessarily burdensome or contrary to normal practice.
Examples of implied consent from the PDPC's Guidelines and enforcement decisions include:
- Providing contact details to receive a service: an individual fills out a form to request a home-delivery service, providing name, address, and telephone number. By voluntarily providing this data in the context of a delivery request, the individual impliedly consents to the organisation using the data to deliver the goods and to contact the individual if there is a delivery issue. The purpose is obvious and the individual's conduct (submitting the form) implies agreement.
- Business-card exchange at a networking event: an individual hands his business card to a representative of an organisation at a trade show or conference. By voluntarily providing the card, the individual impliedly consents to the organisation collecting and using the contact details to follow up on the business discussion or to send business-related information, provided that the context of the exchange (a professional networking event) makes this purpose reasonably expected. However, the individual does not impliedly consent to the organisation using the business-card details to add the individual to a general marketing mailing list unrelated to the discussion, unless the organisation notified the individual of that broader purpose at the time of the exchange.
- Providing data to participate in a loyalty program: an individual signs up for a retail store's loyalty program, providing name, telephone number, and purchase history. The individual impliedly consents to the store collecting and using this data to administer the program (for example, tracking points, sending account statements, redeeming rewards). However, implied consent does not extend to uses that are not reasonably expected in the context of a loyalty program, such as sharing the data with third-party advertisers or using the purchase history for unrelated market research, unless the organisation separately notified the individual of those purposes under section 20 and obtained consent (express or implied) for those purposes.
- Class photo-taking with advance notification: the PDPC's Advisory Guidelines for the Education Sector (revised April 2024, paragraph 3.13) provide an example involving a school that notifies graduating students in advance that class photos will be taken and published in a graduation book, and then proceeds with the photo session. Students who participate in the photo session without objecting are deemed to have given implied consent to the publication of their photos in the graduation book, because they voluntarily participated after being notified of the purpose and a reasonable person in their position would understand that participation implies agreement.
The key distinction between express and implied consent is the degree of explicitness required. Express consent requires an affirmative "yes" or an equivalent act; implied consent is inferred from the individual's voluntary conduct in the circumstances. Both forms require that the individual be notified of the purposes under section 20 and that the individual's agreement be voluntary.
When express consent is required instead of implied consent. The PDPA does not mandate express consent for all processing; implied consent is sufficient if the conditions in section 14(3) are met. However, the PDPC has stated in its Key Concepts Guidelines (paragraph 11.17) and in enforcement decisions that organisations should seek express consent rather than relying on implied consent in the following circumstances:
- Sensitive personal data: when the personal data is inherently sensitive (such as health data, financial data, racial or ethnic origin, religious or political beliefs, biometric data, or data concerning a child), the PDPC expects organisations to obtain express consent to ensure that the individual is fully aware of and agrees to the collection, use, or disclosure. The PDPC has emphasised that while the PDPA does not create a statutory category of "sensitive personal data" (unlike GDPR Article 9), organisations should apply a higher standard of care when handling data that individuals would reasonably regard as private or sensitive, and express consent is the clearest way to demonstrate that the individual knowingly agreed.
- Non-obvious or unexpected purposes: when the purpose for which the data will be used is not obvious from the context of the collection, or when the organisation intends to use the data for a purpose that the individual would not reasonably expect, express consent should be obtained. For example, if an organisation collecting customer data for order fulfilment also intends to share the data with affiliated companies for their marketing purposes, the sharing purpose is not obvious and express consent (such as a separate checkbox or a signed consent clause) should be obtained.
- Disclosure to third parties: when the organisation intends to disclose the individual's personal data to a third party (other than a service provider acting on the organisation's instructions), the PDPC recommends that express consent be obtained unless the disclosure is clearly expected by the individual in the circumstances. For example, a bank sharing a loan applicant's financial data with a credit bureau is reasonably expected and implied consent may suffice; a retail store sharing a customer's email address with an unrelated marketing company is not expected and express consent should be obtained.
- High-risk processing: when the processing involves profiling, automated decision-making with legal or similarly significant effects, geolocation tracking, or biometric authentication, the PDPC expects organisations to obtain express consent and to provide enhanced transparency (including a description of the logic, significance, and consequences of the processing) to enable the individual to make an informed decision.
In practice, many organisations adopt a conservative approach and seek express consent in all situations, particularly for marketing purposes, to avoid disputes about whether implied consent was valid in the circumstances. The PDPC has noted in public statements that express consent is always a safe harbour — if an organisation has documented express consent, there is no ambiguity about whether the individual agreed.
Section 14(2): conditioning supply of a product or service on consent. Section 14(2) addresses the question of when an organisation may require an individual to consent to the collection, use, or disclosure of personal data as a condition of supplying a product or service. This provision limits the organisation's ability to bundle unreasonable consent requests with the supply of a service, in order to protect the voluntary nature of consent.
Section 14(2)(a) provides that an organisation may require an individual to consent to the collection, use, or disclosure of personal data as a condition of supplying a product or service only if (i) the personal data is necessary for the organisation to provide the product or service, or (ii) the individual is given the option to consent to the collection, use, or disclosure of other personal data that is not necessary for the provision of the product or service, and the individual is informed that the refusal to give consent will not affect the supply of the product or service.
Section 14(3) provides that any consent given in circumstances where the organisation has breached section 14(2)(a) — that is, where the organisation has required consent as a condition of supply for personal data that is not necessary and has not offered the individual an opt-in option — is not valid consent. In other words, consent obtained by improperly conditioning supply of a service is deemed involuntary and cannot be relied upon by the organisation.
The PDPC's Key Concepts Guidelines (paragraphs 11.32–11.43) explain that the necessity test is objective and context-specific. The question is whether the organisation needs the personal data in order to provide the specific product or service that the individual is requesting. The test is not whether the data would be useful to the organisation, or whether the organisation's business model depends on collecting the data, but whether the individual can receive the product or service without providing the data. Examples from the Guidelines include:
- Necessary data: an individual applying for a credit card must provide name, identification number, address, employment details, and income information because the bank needs this data to assess creditworthiness, comply with regulatory requirements, and issue the card. Consent to the collection and use of this data may be required as a condition of issuing the card.
- Not necessary data (opt-in required): the same bank wishes to collect the applicant's telephone number to send promotional offers for investment products. The telephone number for marketing purposes is not necessary to issue the credit card. Under section 14(2)(a)(ii), the bank may collect the telephone number only if it provides the applicant with an opt-in option (such as a separate checkbox labelled "I consent to receiving marketing offers by phone") and informs the applicant that refusing this consent will not affect the approval or issuance of the credit card. If the bank makes the marketing consent a mandatory condition of issuing the card, any consent given is not valid under section 14(3).
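The necessity test, the opt-in requirement and the pre-ticked-box rule from the preceding passages, applied to the credit-card example and to the evidence record the organisation keeps to discharge its burden of proof, as an added Python illustration; this is not PDPC or project code, and the form items, applicant id, form id and timestamp are constructed assumptions.

```python
"""Section 14(2)(a) necessity test and section 14(3) invalidity for bundled consent.

Added illustration, not PDPC or project code. The credit-card form items,
identifiers and timestamp are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ConsentItem:
    purpose: str
    necessary: bool       # data needed to supply the requested product/service
    mandatory: bool       # form cannot be submitted without agreeing
    default_ticked: bool  # box was pre-ticked (never an affirmative act)
    ticked: bool          # state of the box when the form was submitted
    refusal_notice: bool  # individual told refusal will not affect supply


def assess_item(item: ConsentItem) -> Tuple[bool, str]:
    """Decide whether the consent captured for one item can be relied on."""
    if not item.ticked:
        return False, "no consent given"
    if item.default_ticked:
        return False, "pre-ticked box: silence or inactivity is not express consent"
    if item.necessary:
        return True, "s14(2)(a)(i): data necessary for the product or service"
    if item.mandatory:
        return False, "s14(3): non-necessary data required as a condition of supply"
    if not item.refusal_notice:
        return False, "s14(2)(a)(ii): not told that refusal would not affect supply"
    return True, "s14(2)(a)(ii): genuine opt-in for non-necessary data"


def permitted_purposes(items: List[ConsentItem]) -> List[str]:
    """Purposes the organisation may actually process under the consent obtained."""
    return [i.purpose for i in items if assess_item(i)[0]]


def evidence_record(individual_id: str, form_id: str,
                    items: List[ConsentItem], submitted_at: datetime) -> Dict:
    """The record kept to prove who consented, on which form, when, and on what basis."""
    return {
        "individual_id": individual_id,
        "form_id": form_id,
        "submitted_at": submitted_at.isoformat(),
        "consents": [
            {"purpose": i.purpose, "valid": assess_item(i)[0], "basis": assess_item(i)[1]}
            for i in items
        ],
    }


# Constructed credit-card application forms mirroring the two examples above.
CARD_FORM_BUNDLED = [
    ConsentItem("assess creditworthiness and issue card", True, True, False, True, False),
    # marketing calls made a mandatory condition of issuing the card
    ConsentItem("phone marketing of investment products", False, True, False, True, False),
]
CARD_FORM_OPT_IN = [
    ConsentItem("assess creditworthiness and issue card", True, True, False, True, False),
    # separate, initially unticked, optional box carrying the refusal notice
    ConsentItem("phone marketing of investment products", False, False, False, True, True),
]
CARD_FORM_PRETICKED = [
    ConsentItem("phone marketing of investment products", False, False, True, True, True),
]
SUBMITTED_AT = datetime(2025, 6, 1)  # constructed timestamp


if __name__ == "__main__":
    rec = evidence_record("applicant-001", "cc-app-v3", CARD_FORM_BUNDLED, SUBMITTED_AT)
    for c in rec["consents"]:
        print(c["purpose"], "->", c["valid"], "|", c["basis"])
```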
The PDPC has imposed financial penalties on organisations that have breached section 14(2) by bundling unreasonable consent requirements. In Re SingTel [2016] SGPDPC 3, the PDPC found that a telecommunications provider had required customers to consent to the collection and use of browsing data for targeted advertising as a condition of providing broadband service, without offering an opt-in option and without demonstrating that the browsing data was necessary to provide the broadband service itself. The PDPC found that this breached section 14(2)(a), and any consent obtained under these terms was not valid under section 14(3). The PDPC imposed a warning and directed SingTel to revise its consent processes to comply with the necessity test.
Withdrawal of consent: section 16 applies equally to express and implied consent. Section 16 of the PDPA permits an individual to withdraw consent at any time by giving reasonable notice in writing to the organisation. The withdrawal right applies regardless of whether the original consent was express or implied. Once consent is withdrawn, the organisation must cease collecting, using, or disclosing the individual's personal data for the purpose for which consent was withdrawn, unless the organisation can rely on a statutory exception under section 17 or the First or Second Schedules (such as the legitimate interests exception or a legal-obligation exception).
The PDPC has clarified in the Key Concepts Guidelines (paragraphs 12.62–12.77) that the method and ease of withdrawing consent should be comparable to the method and ease of giving consent. If the organisation obtained consent via an online checkbox, the organisation should provide an online withdrawal mechanism (such as an account-settings page with a checkbox to opt out, or a one-click unsubscribe link in marketing emails). If the organisation obtained consent via a signed paper form, the organisation should accept withdrawal requests submitted by postal mail, email, or at a service counter. The organisation must not impose barriers to withdrawal (such as requiring the individual to call a premium-rate telephone number, attend a physical office during limited hours, or provide extensive justification for the withdrawal).
Comparison to GDPR consent requirements (GDPR Article 4(11) and Article 7). The PDPA's express and implied consent framework shares the same foundational principle as GDPR consent — consent must be freely given, specific, informed, and unambiguous — but differs in structure and terminology. Key differences include:
- GDPR Article 4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data." This definition requires a clear affirmative action for all consent (which is equivalent to Singapore's "express consent"), and does not recognise implied consent inferred from passive conduct. The European Data Protection Board (EDPB) has stated in Guidelines 05/2020 on consent that pre-ticked boxes, silence, and inactivity do not constitute valid consent under GDPR.
- Section 14(3) of the PDPA permits implied consent based on the individual's voluntary provision of data in circumstances where it is reasonable for the individual to do so. This is more flexible than GDPR and reflects Singapore's pragmatic approach to routine, low-risk data collection (such as providing a delivery address when ordering goods online). The PDPC has stated in public consultations that requiring affirmative express consent for every data collection would be impractical and burdensome for both organisations and individuals, and that implied consent is appropriate when the purpose is obvious and expected.
- GDPR Article 7(4) provides that when assessing whether consent is freely given, "utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." This is similar to section 14(2)(a) of the PDPA, though the GDPR formulation is a rebuttable presumption rather than a bright-line invalidity rule as in section 14(3).
- GDPR Article 7(3) provides that withdrawal of consent must be "as easy as" giving consent. Section 16 of the PDPA requires "reasonable notice in writing" but does not expressly codify the "as easy as" rule; however, the PDPC has adopted this principle in its Guidelines and enforcement decisions as a matter of interpretation of the "voluntary" and "reasonable" requirements in sections 14(1) and 16(2).
Source: Personal Data Protection Act 2012, section 14; PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 17 May 2022), Chapter 11