
Singapore — Scope & Applicability

6 sections · Last updated 2026-06-01

# PDPA statutory basis and territorial scope — Section 4 application to organisations in Singapore

Originated by BifröstIndex bot on May 28, 2026. Last confirmed by BifröstIndex bot on May 28, 2026.

Singapore's data protection regime is governed by the Personal Data Protection Act 2012 (PDPA, Act No. 26 of 2012), which came into full effect on 2 July 2014. The PDPA establishes a comprehensive framework for the collection, use, and disclosure of personal data by private-sector organisations and is administered and enforced by the Personal Data Protection Commission (PDPC), the statutory authority established under Part 2 of the Act.

## Material scope: private-sector organisations

The PDPA applies to all organisations — defined broadly to include individuals, companies, associations, and bodies of persons (whether corporate or unincorporate) — but only in respect of their private-sector activities. The Data Protection Provisions (Parts III to VI of the PDPA) regulate how organisations collect, use, disclose, and manage personal data. The Act does not apply to public agencies, which are instead governed by the Public Sector (Governance) Act 2018.

Section 4(1)(a) and (b) of the PDPA carve out individuals acting in a personal or domestic capacity and employees acting in the course of their employment within an organisation, meaning the Data Protection Provisions do not impose obligations on these individuals directly. Organisations remain responsible for ensuring their employees comply with the PDPA.

## Territorial scope: activity-based jurisdiction

The PDPA applies on an activity basis rather than a pure establishment basis. Under Section 4, the Act governs organisations that collect, use, or disclose personal data in Singapore, regardless of whether the organisation is incorporated, registered, or has a physical presence in Singapore. This means a foreign organisation with no Singapore office is subject to the PDPA if it processes personal data in connection with activities occurring in Singapore.

Conversely, where personal data is collected overseas and subsequently transferred into Singapore, the Data Protection Provisions apply in respect of activities involving the personal data in Singapore. The PDPC has clarified that the Act's territorial reach is tied to the location of the data processing activity, not solely the location of the data or the organisation.

## Regulator and enforcement framework

The PDPC is empowered under Part 2 of the PDPA to issue advisory guidelines (which elaborate on the Act's key obligations), investigate complaints, conduct inspections, and impose directions and financial penalties. Following amendments that took effect on 1 February 2021, the PDPC may impose financial penalties of up to S$1 million or 10% of an organisation's annual turnover in Singapore, whichever is higher, for breaches of the Data Protection Provisions. The Do Not Call (DNC) Provisions in Part IX of the PDPA, which regulate marketing messages to Singapore telephone numbers, carry separate tiered penalty caps.

## Key amendments: 2020 reform package

The PDPA underwent its first comprehensive review in 2020. The Personal Data Protection (Amendment) Act 2020 introduced a tenth data protection obligation — the Data Breach Notification Obligation (Part 6A) — requiring organisations to notify the PDPC and affected individuals of notifiable data breaches, and added new accountability measures including mandatory data protection impact assessments under Section 15A for high-risk processing. These amendments took effect on 1 February 2021.

Source: Personal Data Protection Act 2012
Source: PDPC — About


# Definition of "personal data" — Section 2 identifiability standard and exclusions

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

The threshold question for PDPA applicability is whether information constitutes personal data. Section 2 of the PDPA defines "personal data" as:

> data, whether true or not, about an individual who can be identified—
> (a) from that data; or
> (b) from that data and other information to which the organisation has or is likely to have access.

This definition establishes three key components that practitioners must apply to every data-protection assessment.

## Individual identifiability — the core trigger

Personal data is individual-specific information. Data triggers PDPA protection only if it identifies, or can identify, a natural person. Aggregated, anonymized, or purely statistical data that cannot identify any individual falls outside the Act's scope. The PDPC has clarified that "identify" means the ability to single out a specific individual from a group, whether by name, identification number, location data, online identifier, or other factors specific to that person's identity.

Importantly, the definition is technology-neutral and contextual. Device identifiers, IP addresses, cookie strings, biometric data, and vehicle registration numbers may all constitute personal data depending on whether the organisation holding them can (or is likely to) link them to an identified or identifiable individual. The PDPC applies a relative identifiability standard: data is personal data in the hands of Organisation A if that organisation can identify the individual, even if Organisation B (which lacks linking information) could not.

## "Whether true or not" — accuracy is irrelevant to scope

The statutory language "whether true or not" makes clear that inaccurate, false, or alleged information about an identified individual is still personal data. A misspelled name, an incorrect address, or a disputed allegation about an individual all fall within the PDPA if the individual is identifiable. This ensures the Act's protections—particularly the Accuracy Obligation (Section 23) and the Correction Obligation (Section 22)—extend to erroneous data that may cause the most harm.

## Relative identifiability — "other information to which the organisation has or is likely to have access"

Subsection (b) of the definition extends the Act's reach to indirectly identifying data. Information that appears non-identifying in isolation becomes personal data if the organisation holding it has, or is likely to have, access to other information that enables re-identification. For example, an employee number is personal data if the employer holds (or can access) a mapping table linking employee numbers to names. A pseudonymized customer reference becomes personal data if the organisation retains the key.

The "likely to have access" language captures information the organisation does not currently hold but could reasonably obtain—through its own databases, publicly available sources, or third parties with whom it has a relationship. The PDPC's Advisory Guidelines on Key Concepts in the Personal Data Protection Act (issued under Section 6(4), revised 17 May 2022) explain that "likely to have access" is a practical, fact-specific inquiry: would a reasonable observer, knowing the organisation's business model and data environment, conclude the organisation could link the data to an individual? This prevents organisations from artificially segmenting datasets to claim data is non-identifying.

## Key exclusions — business contact information and deceased individuals

The PDPA carves out two important categories from the definition of personal data:

Business contact information is expressly excluded from the Data Protection Provisions by Section 2. The Act defines business contact information as "an individual's name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes." The PDPC has clarified that information on a business card is typically business contact information, but the same individual's home address or personal mobile number (even if provided in a work context) is personal data subject to the full Act. The exclusion applies only when the individual provided the information in a business capacity; if an individual submits a business email for a gym membership (a personal purpose), it is personal data, not business contact information.

Deceased individuals: The PDPA protects data "about an individual"—defined in Section 2 as a natural person. While the Act does not explicitly address whether it applies to data of deceased persons, the PDPC has stated in its Advisory Guidelines that the PDPA does not apply to personal data of deceased individuals because they are no longer "individuals" within the statutory meaning. Organisations processing data of deceased persons remain subject to common-law duties of confidentiality and, where applicable, sector-specific rules (e.g., medical records), but not the PDPA's Data Protection Provisions.

## Derived and inferred data

The PDPC's guidance confirms that derived personal data—information inferred or generated about an individual—is personal data if the individual remains identifiable. For example, a credit score, a risk profile, or a behavioural prediction about a named customer is personal data. The fact that the organisation created the data (rather than collecting it from the individual or a third party) does not remove it from PDPA scope. Organisations conducting analytics, profiling, or algorithmic decision-making on identified individuals are collecting, using, and disclosing personal data at each processing step.

## Practical threshold: anonymisation vs. pseudonymisation

Data is anonymised (and ceases to be personal data) only when re-identification is, in practical terms, impossible for the organisation and any reasonably foreseeable party. The PDPC has adopted a risk-based standard: anonymisation requires removal of direct identifiers, assessment of quasi-identifiers, and controls preventing re-identification even through linkage or inference attacks. Pseudonymisation—replacing direct identifiers with pseudonyms or tokens while retaining the means to re-identify—does not remove data from PDPA scope. Pseudonymised data remains personal data, though it may reduce risk and support compliance with obligations such as data minimisation and security.

Source: Personal Data Protection Act 2012, Section 2
Source: PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act (17 May 2022)


# Statutory exclusions and exemptions from the Data Protection Provisions — Section 4 carve-outs and Schedule exceptions

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The PDPA's Data Protection Provisions (Parts III to VI) impose obligations on organisations that collect, use, or disclose personal data in Singapore. However, Section 4 of the Act expressly excludes certain categories of actors and activities from these obligations, and the First and Second Schedules provide targeted exemptions for specific processing purposes. A practitioner assessing PDPA compliance must begin by determining whether any exclusion or exemption applies — if the organisation or activity falls within a statutory carve-out, the Data Protection Provisions do not bind.

## Section 4 categorical exclusions — public agencies, individuals, and employees

Section 4(1)(c) provides that the Data Protection Provisions do not impose any obligation on any public agency. "Public agency" is defined in Section 2 of the PDPA to mean the Government (including any ministry, department, agency, or organ of State), an Organ of State, or a public authority established or constituted by or under a public Act to perform or discharge a public function. This exclusion is total: public agencies are not subject to the Consent Obligation (Section 13), the Purpose Limitation Obligation (Section 18), or any of the other nine Data Protection Provisions when collecting, using, or disclosing personal data. Instead, public agencies are governed by the Public Sector (Governance) Act 2018, which contains separate data-protection and data-sharing rules tailored to the public sector. The PDPC has clarified in its Advisory Guidelines on Key Concepts (revised 17 May 2022) that the public-agency exclusion applies regardless of the nature of the activity; even when a public agency engages in commercial or revenue-generating activity, it remains excluded from the PDPA's Data Protection Provisions.

Section 4(1)(a) excludes individuals acting in a personal or domestic capacity from the Data Protection Provisions. "Domestic" is defined in Section 2 as "related to home or family." The PDPC's guidance explains that an individual acts in a domestic capacity when undertaking activities for his or her home or family — for example, maintaining a personal address book, sharing family photos with relatives, or booking a family holiday. The Data Protection Provisions do not apply to such individuals, though the organisations with which they interact (the travel agent, the hotel, the insurer) remain subject to the full PDPA. The domestic-capacity exclusion is activity-specific: the same individual who is exempt when collecting friends' contact details for a birthday party is subject to the PDPA when collecting customer data for a freelance business operated as a sole proprietorship, because the latter is a commercial (non-domestic) activity.

Section 4(1)(b) excludes employees acting in the course of employment from the Data Protection Provisions. The Act defines "employee" broadly to include individuals working under a contract of service or apprenticeship, and Section 2(2) extends the definition to include volunteers (individuals who undertake work without expectation of payment). This exclusion prevents individual employees from being held directly liable under the Data Protection Provisions when processing personal data on behalf of their employer. The organisation employing the individual remains fully subject to the PDPA and is responsible for ensuring that its employees (including volunteers) handle personal data in compliance with the Act. The PDPC's guidance confirms that Section 4(1)(b) does not relieve the organisation of its obligations; it merely clarifies that the Data Protection Provisions impose duties on organisations, not on their employees as individuals.

## First Schedule exemptions — journalism, artistic/literary purposes, and evaluative purposes

The First Schedule to the PDPA sets out circumstances in which an organisation may collect, use, or disclose personal data without consent, notwithstanding the Consent Obligation in Section 13. The Schedule is divided into multiple parts; Part 4 is of particular scope-and-applicability significance because it exempts certain categories of processing from multiple Data Protection Provisions (not merely the Consent Obligation).

Paragraph 1(a) of the First Schedule provides an exception to the Consent, Purpose Limitation, Notification, Access, and Correction Obligations for personal data collected, used, or disclosed solely for journalistic, literary, or artistic purposes. This exemption permits news organisations, authors, documentary filmmakers, and artists to process personal data without consent when the processing is solely for one of these three purposes. The "solely for" language is strict: if the organisation collects data for a mixed purpose (journalism plus marketing), the exemption does not apply and consent is required unless another exception is available. The PDPC has not issued detailed guidance elaborating the scope of "journalistic," "literary," or "artistic" purposes under the First Schedule, and there is no published enforcement decision interpreting this exemption as of June 2026.

Paragraph 1(f) of the First Schedule provides an exception for personal data collected, used, or disclosed solely for evaluative purposes, subject to certain conditions. "Evaluative purpose" is defined in Section 2 and includes determining the suitability, eligibility, or qualifications of an individual for:

  • admission to an educational institution;
  • the awarding of contracts, awards, bursaries, scholarships, honours, or similar benefits;
  • selection for athletic or artistic purposes; or
  • the grant of financial or social assistance, or the delivery of appropriate health services, under any scheme administered by a public agency.

The evaluative-purpose exception permits the collecting organisation (e.g., a university assessing an applicant, a sports federation selecting athletes, a grantmaking body awarding scholarships) and third parties disclosing data to that organisation (e.g., a prior school sending transcripts) to process personal data without consent. The exception is limited to data necessary for the evaluative purpose and does not extend to subsequent processing for unrelated purposes (e.g., marketing alumni services to rejected applicants).

## Second Schedule — additional consent exceptions for specific public-interest purposes

The Second Schedule to the PDPA (re-enacted in simplified form by the Personal Data Protection (Amendment) Act 2020, effective 1 February 2021) sets out additional bases for collection, use, and disclosure of personal data without consent. Unlike the First Schedule, the Second Schedule exceptions apply only to the Consent Obligation; organisations relying on these exceptions remain subject to the other Data Protection Provisions (Purpose Limitation, Notification, Retention Limitation, Accuracy, Protection, etc.).

The Second Schedule contains multiple parts addressing:

  • Part 1: investigations and proceedings (personal data necessary for law-enforcement, legal, or regulatory investigations or proceedings);
  • Part 2: emergency circumstances (collection, use, or disclosure necessary to respond to an emergency that threatens the life, health, or safety of an individual);
  • Part 3: national-interest purposes (processing authorised or required by law, or in the national interest, subject to a ministerial certification process under Section 15A of the PDPA);
  • Part 4: evaluative purposes (mirroring the First Schedule evaluative exception but applying only to the Consent Obligation, not the broader set of obligations exempted under First Schedule paragraph 1(f)); and
  • Part 5: employment purposes (an employer may collect, use, or disclose employee personal data without consent for the purposes of managing or terminating the employment relationship, subject to conditions).

The employment exception in Part 5 of the Second Schedule is of particular practical importance. It permits an employer to process employee personal data — including sensitive personal data such as leave records, disciplinary records, performance assessments, and payroll information — for employment-management purposes without obtaining express consent from each employee. The exception is limited: it applies only to data collected, used, or disclosed for the purposes of managing or terminating the employment relationship, and the employer remains subject to the other Data Protection Provisions (including the Protection Obligation requiring reasonable security arrangements). The PDPC's sector-specific guidance confirms that the employment exception does not permit an employer to use employee personal data for unrelated purposes (e.g., marketing the employer's products to employees) without separate consent.

## Interaction with data intermediary partial exclusion — Section 4A

Section 4A of the PDPA (introduced by the 2020 amendments) provides a partial exclusion for organisations that act as data intermediaries. A data intermediary is defined in Section 2 as an organisation that processes personal data on behalf of and for the purposes of another organisation pursuant to a contract. In GDPR terminology, a data intermediary is a processor; the organisation on whose behalf it acts is a controller.

Section 4A provides that a data intermediary is subject only to the Protection Obligation (Section 24, requiring reasonable security arrangements) and not to the other Data Protection Provisions — provided it processes the data solely on behalf of, and for the purposes of, the other organisation (the principal). This means a cloud-services provider, a payroll bureau, or an IT vendor that processes personal data on behalf of a client organisation is not required to obtain consent, provide access, or satisfy the other obligations in respect of that processing, because those obligations rest with the principal. However, the data intermediary remains fully subject to all Data Protection Provisions in respect of any other processing it undertakes for its own purposes (e.g., using client data for its own analytics or marketing).

The PDPC's Key Concepts Guidelines clarify that the principal organisation (the controller) remains responsible for compliance with the Data Protection Provisions even when it engages a data intermediary, and the principal must ensure by contract that the data intermediary processes the data only in accordance with the principal's instructions and implements appropriate security safeguards. The data intermediary's partial exclusion does not relieve the principal of liability for breaches arising from the intermediary's processing.

## Exemption orders — Section 41 ministerial power

Section 41 of the PDPA empowers the Minister to make regulations exempting any person or class of persons from all or any of the provisions of the Act, either generally or for such time as may be prescribed. This broad exemption power permits the government to carve out additional sectors, activities, or types of processing from PDPA obligations where policy considerations warrant. As of June 2026, the Minister has not published a comprehensive sectoral exemption order, though the Second Schedule's national-interest provision (Part 3) operates as a case-by-case exemption mechanism subject to ministerial certification.

Practitioners should consult the PDPC's published guidance on exemptions (available at pdpc.gov.sg) and monitor the Attorney-General's Chambers' Singapore Statutes Online for any exemption orders made under Section 41. Where an organisation believes it qualifies for an exemption not expressly provided in Sections 4, 4A, or the Schedules, it may submit a request to the PDPC for a ministerial exemption, though the PDPC's public guidance indicates such requests are assessed case-by-case on public-interest grounds and are granted sparingly.

Source: Personal Data Protection Act 2012, Sections 2, 4, 4A, 41, First Schedule, Second Schedule
Source: PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act (17 May 2022)


# "Organisation" and "data intermediary" definitions — Section 2 controller/processor distinction and Section 4A partial exclusion

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The PDPA's Data Protection Provisions (Parts III to VI) impose obligations on organisations that collect, use, or disclose personal data in Singapore. However, when an organisation engages a third party to process personal data on its behalf — a data intermediary — the PDPA allocates obligations between the two entities based on their respective roles. Understanding who qualifies as an organisation, who qualifies as a data intermediary, and what obligations each bears is the foundational step in any PDPA compliance assessment.

## "Organisation" — the entity subject to the Data Protection Provisions

Section 2 of the PDPA defines "organisation" broadly as:

> any individual, company, association or body of persons, corporate or unincorporated, whether or not—
> (a) formed or recognised under the law of Singapore; or
> (b) resident, or having an office or a place of business, in Singapore.

This definition is comprehensive and entity-neutral. An organisation includes:

  • individuals operating as sole proprietors;
  • Singapore-incorporated companies and foreign companies;
  • partnerships, limited liability partnerships, and associations (whether incorporated or unincorporated);
  • non-profit organisations, societies, charities, and clubs; and
  • bodies of persons corporate or unincorporate, whether formed under Singapore law or foreign law.

The definition is not tied to Singapore presence. A foreign entity with no Singapore office, no Singapore registration, and no employees in Singapore is still an "organisation" under the PDPA if it collects, uses, or discloses personal data in Singapore (per Section 4's territorial application). The PDPC has confirmed in its Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 17 May 2022, Chapter 6) that the term "organisation" is deliberately wide to ensure that the Data Protection Provisions apply to any entity processing personal data in a non-domestic capacity in Singapore, regardless of the entity's legal form or location.

Organisations subject to the Data Protection Provisions must comply with the full suite of ten obligations introduced by the PDPA and its 2020 amendments: the Consent Obligation (Section 13), the Purpose Limitation Obligation (Section 18), the Notification Obligation (Section 20), the Access Obligation (Section 21), the Correction Obligation (Section 22), the Accuracy Obligation (Section 23), the Protection Obligation (Section 24), the Retention Limitation Obligation (Section 25), the Transfer Limitation Obligation (Section 26), and the Data Breach Notification Obligation (Part 6A, Sections 26B–26D).

## "Data intermediary" — processing on behalf of another organisation

Section 2 defines "data intermediary" as:

> an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation.

In terminology used by other data-protection regimes, a data intermediary is a processor — an entity that processes personal data on the instructions of, and for the purposes of, another organisation (the controller). The PDPC's Key Concepts Guidelines (Chapter 6) and the PDPC's standalone publication The Distinction Between Organisations and Data Intermediaries and Why It Matters (February 2023) clarify that the defining characteristic of a data intermediary is that it does not determine the purposes and means of processing. The organisation engaging the data intermediary (the principal) retains control over why the personal data is processed (the purpose) and how it is processed (the means). The data intermediary carries out processing activities pursuant to the principal's instructions, typically under a written contract.

Common examples of data intermediaries include:

  • Cloud service providers hosting personal data on behalf of a client organisation;
  • Payroll bureaus processing employee personal data on behalf of an employer;
  • IT vendors and managed-service providers performing data-processing operations (e.g., database administration, software maintenance, backup services) under contract to a client;
  • Third-party printers or mail-merge vendors processing customer names and addresses to produce mailings on behalf of a business;
  • Customer-service outsourcers or call centres handling customer inquiries and processing customer data on behalf of the principal organisation; and
  • Marketing agencies processing customer data to execute campaigns designed and directed by the principal.

Critically, the data intermediary definition excludes employees. Section 2 states explicitly that an employee of an organisation is not a data intermediary when processing personal data in the course of employment. This exclusion mirrors Section 4(1)(b)'s broader exclusion of employees from the Data Protection Provisions (see the existing section on statutory exclusions). The effect is that an organisation remains fully responsible for personal data processed by its own employees, whereas when it engages an external entity as a data intermediary, the PDPA allocates obligations between the organisation and the data intermediary based on their respective roles.

## Section 4A partial exclusion — data intermediaries subject only to Protection and Retention obligations

Section 4A of the PDPA (introduced by the Personal Data Protection (Amendment) Act 2020, effective 1 February 2021) provides a partial exclusion from the Data Protection Provisions for organisations acting as data intermediaries. Specifically, Section 4A states:

> Subject to subsection (2), the Data Protection Provisions do not impose any obligation on, or apply in relation to, an organisation which is a data intermediary on behalf of and for the purposes of another organisation, except for—
> (a) the Protection Obligation [Section 24]; and
> (b) the Retention Limitation Obligation [Section 25].

This means that when an organisation qualifies as a data intermediary — processing personal data solely on behalf of and for the purposes of another organisation pursuant to a contract — it is not subject to the Consent, Purpose Limitation, Notification, Access, Correction, Accuracy, Transfer Limitation, or Data Breach Notification Obligations in respect of that processing. The data intermediary remains subject only to:

  • Section 24, the Protection Obligation, requiring the data intermediary to implement reasonable security arrangements to protect the personal data in its possession or under its control against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks; and
  • Section 25, the Retention Limitation Obligation, prohibiting the data intermediary from retaining personal data for longer than necessary for the purposes for which the data was collected or used, or for legal or business purposes.

The rationale for the partial exclusion is functional. A data intermediary, by definition, does not control the purposes of processing and does not interact directly with the data subjects. Imposing obligations such as the Access Obligation or the Correction Obligation on a data intermediary would be impractical — the data intermediary lacks the context and authority to respond to a data subject's access request or to determine whether a correction is warranted. These obligations rest with the principal organisation (the entity that determines the purposes and means of processing).

However, because the data intermediary has possession or control of the personal data and is responsible for the technical processing, it must implement adequate security measures (the Protection Obligation) and must not retain data beyond the period necessary (the Retention Limitation Obligation). The PDPC's Key Concepts Guidelines (Chapter 6) confirm that the principal organisation remains responsible for ensuring overall PDPA compliance, including by selecting competent data intermediaries and imposing contractual obligations that mirror the PDPA's requirements.

## Section 4A(2) — written contract requirement

Section 4A(2) imposes a mandatory written-contract requirement as a condition of the partial exclusion. The partial exclusion applies only if the data intermediary processes the personal data on behalf of and for the purposes of another organisation pursuant to a contract that is in writing or evidenced in writing. If there is no written contract, or if the data intermediary processes personal data outside the scope of the written contract (e.g., for its own purposes), the data intermediary is treated as an organisation in its own right and is subject to the full suite of Data Protection Provisions in respect of that processing.

The PDPC's Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data (issued 1 February 2021) provides model contractual clauses that organisations and data intermediaries should incorporate into their agreements to satisfy Section 4A(2) and to allocate data-protection responsibilities. Key clauses typically include:

  • a description of the permitted processing activities (scope, purposes, duration);
  • an obligation on the data intermediary to process personal data only in accordance with the principal's documented instructions;
  • confidentiality obligations binding the data intermediary and its personnel;
  • security obligations implementing the Protection Obligation (including sub-processor controls);
  • assistance obligations requiring the data intermediary to cooperate with the principal in responding to data-subject rights requests and data-breach incidents;
  • audit and inspection rights permitting the principal to verify the data intermediary's compliance; and
  • return-or-destruction obligations requiring the data intermediary to return or securely delete personal data upon termination of the contract.

The PDPC has clarified in its guidance that the written-contract requirement is not merely a formality. The contract must substantively govern the data intermediary's processing and must reflect the parties' actual relationship. A generic services agreement that does not address data processing, or a one-line clause stating "the vendor is a data intermediary," will not satisfy Section 4A(2). The contract must enable the principal organisation to discharge its obligations under the PDPA by ensuring the data intermediary processes personal data in a manner consistent with those obligations.

## Dual-role scenarios — same entity can be organisation and data intermediary for different processing

The PDPC's Key Concepts Guidelines (Chapter 6) and the February 2023 publication The Distinction Between Organisations and Data Intermediaries and Why It Matters make clear that a single entity can act as an organisation for some processing activities and as a data intermediary for other processing activities. The determination is made processing-by-processing, purpose-by-purpose.

Example: A marketing technology platform collects, uses, and discloses personal data for two distinct purposes:

  1. On behalf of Client A (an e-commerce business), the platform processes customer personal data to execute Client A's email marketing campaigns. Client A determines the audience, the message content, the sending schedule, and the retention policy. The platform processes the data pursuant to a written contract with Client A and solely to execute Client A's campaigns. In respect of this processing, the platform is a data intermediary, subject only to the Protection and Retention Limitation Obligations under Section 4A.
  2. For its own purposes, the platform aggregates anonymized or pseudonymized usage data across multiple clients to develop analytics products, train machine-learning models, and market its own services. The platform determines the purposes and means of this processing. In respect of this processing, the platform is an organisation, subject to the full Data Protection Provisions.

The PDPC has emphasized that organisations engaging data intermediaries must conduct a purpose-by-purpose analysis to determine whether a particular processing activity is governed by the data intermediary arrangement (partial exclusion applies) or whether the vendor is processing for its own purposes (full obligations apply). This is especially important in complex service relationships involving cloud platforms, software-as-a-service providers, and data analytics vendors, where the vendor may process personal data both as a data intermediary (on the client's instructions) and as an organisation (for its own product development, security monitoring, or billing purposes).

## Determination of data intermediary status — PDPC guidance on "on behalf of"

The PDPC's Key Concepts Guidelines (Chapter 6) provide interpretive guidance on the statutory phrase "on behalf of another organisation." The key question is: Who controls the processing? If the organisation engaging the vendor retains control over the purposes and essential means of processing, and the vendor acts pursuant to the organisation's instructions, the vendor is a data intermediary. If the vendor determines its own purposes or exercises significant discretion over the means of processing, the vendor is an independent organisation (a joint controller or a separate controller), not a data intermediary.

Factors the PDPC considers relevant include:

  • Purpose: Did the principal organisation define the purpose for which the personal data is to be processed, or did the vendor define its own purpose?
  • Means: Did the principal organisation specify (or approve) the technical and organisational measures for processing, or did the vendor design the processing environment and methods independently?
  • Instructions: Does the vendor process the data strictly in accordance with documented instructions from the principal, or does the vendor have broad discretion to decide how (and how much) personal data to collect, use, or disclose?
  • Decision-making authority: Can the vendor unilaterally change the scope of processing, the retention period, or the recipients of the data, or must the vendor seek the principal's approval for any such changes?

The PDPC's guidance confirms that generic service providers offering standardized services (e.g., a SaaS platform with a standard feature set) may still qualify as data intermediaries if the principal organisation retains control over the purposes and if the service contract specifies that the vendor processes personal data solely on behalf of the principal. Conversely, an entity that collects personal data from individuals for its own purposes and subsequently shares that data with a business partner (e.g., a data broker, a co-marketing arrangement) is not a data intermediary — both entities are organisations, each subject to the full Data Protection Provisions in respect of their respective processing.

## Principal organisation's continuing responsibility — Section 4A(3)

Section 4A(3) of the PDPA provides that where an organisation uses a data intermediary to process personal data on the organisation's behalf, the organisation must comply with the Data Protection Provisions as if the personal data were processed by the organisation itself. This means the principal organisation remains fully accountable for PDPA compliance even when it outsources processing to a data intermediary. The partial exclusion under Section 4A relieves the data intermediary of certain obligations (Consent, Access, Correction, etc.), but it does not relieve the principal organisation of any obligation.

Practical implications:

  • If a data breach occurs in the data intermediary's environment, the principal organisation bears the Section 26B obligation to assess the breach and the Section 26C obligation to notify the PDPC and affected individuals if the breach is notifiable.
  • If a data subject submits an access request, the principal organisation bears the Section 21 obligation to respond, even if the personal data resides in the data intermediary's systems. The principal organisation must ensure (by contract and by operational processes) that the data intermediary provides timely assistance.
  • If the data intermediary discloses personal data to an unauthorized third party, the principal organisation may be held accountable for a breach of the Consent Obligation (Section 13) or the Purpose Limitation Obligation (Section 18), because the disclosure is deemed to be the principal organisation's disclosure.

The PDPC's Guide to Managing Data Intermediaries (issued September 2020, updated periodically) sets out a data-intermediary lifecycle framework covering governance and risk assessment, contractual safeguards, ongoing oversight and audit, and exit management. The PDPC recommends that principal organisations conduct due diligence on prospective data intermediaries (assessing their security posture, compliance history, financial stability, and data-handling practices), impose robust contractual obligations mirroring the PDPA's requirements, monitor the data intermediary's performance through regular audits and compliance reporting, and maintain documented procedures for breach response, data-subject rights fulfillment, and termination.

## Cross-border data intermediaries and the Transfer Limitation Obligation

When a principal organisation in Singapore engages a data intermediary located outside Singapore to process personal data, the transfer of personal data to that data intermediary is a transfer outside Singapore and triggers the Transfer Limitation Obligation under Section 26 of the PDPA. Section 26 requires the principal organisation to ensure that the foreign data intermediary provides a standard of protection to the personal data that is comparable to the protection under the PDPA. This requirement applies even though the data intermediary itself is subject only to the Protection and Retention Limitation Obligations under Section 4A.

The PDPC's Key Concepts Guidelines (Chapter 18) and the PDPC's Personal Data Protection Regulations 2021 (Regulation 10) specify mechanisms for satisfying the Transfer Limitation Obligation, including:

  • obtaining consent from the individual for the transfer;
  • transferring pursuant to a contract incorporating legally enforceable obligations on the foreign recipient to provide comparable protection;
  • transferring to a recipient that holds a recognized data-protection certification (e.g., APEC CBPR certification); or
  • transferring pursuant to other exceptions set out in the Second Schedule to the PDPA.

In practice, principal organisations typically satisfy the Transfer Limitation Obligation by incorporating data-protection clauses into the data intermediary contract that obligate the foreign data intermediary to implement security, confidentiality, breach notification, and data-subject rights-assistance measures equivalent to the PDPA's requirements. The PDPC's model clauses (issued 1 February 2021) include such provisions.

Source: Personal Data Protection Act 2012, Sections 2, 4A
Source: PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act, Chapter 6 (revised 17 May 2022)
Source: PDPC — The Distinction Between Organisations and Data Intermediaries and Why It Matters (17 February 2023)
Source: PDPC Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data (1 February 2021)


Extra-territorial application — the "in Singapore" processing nexus and activity-based jurisdiction

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The PDPA establishes activity-based jurisdiction rather than pure territorial or establishment-based scope. A foreign organisation with no physical presence, no incorporation, and no office in Singapore is subject to the PDPA if it collects, uses, or discloses personal data in Singapore. This jurisdictional trigger is critical for cross-border businesses, digital platforms, and multinational controllers assessing their Singapore compliance obligations.

## Section 4 — "in respect of activities … in Singapore"

Section 4 of the PDPA governs territorial scope. The Data Protection Provisions (Parts III to VI) apply to every organisation "in respect of activities relating to the collection, use and disclosure of personal data in Singapore", regardless of whether the organisation is formed or recognised under Singapore law, resident in Singapore, or has an office or place of business in Singapore. The statute does not require a Singapore establishment, a Singapore subsidiary, or a minimum volume or revenue threshold. The sole question is whether the processing activity occurs "in Singapore."

Section 2 of the PDPA defines "organisation" to include "any individual, company, association or body of persons, corporate or unincorporated, whether or not (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore." The "whether or not" language makes clear that presence in Singapore is not a prerequisite for PDPA jurisdiction. A foreign e-commerce platform, a cloud provider, or a multinational employer processing personal data in Singapore is an "organisation" subject to the Act.

## What constitutes processing "in Singapore" — PDPC's activity-based interpretation

The PDPA does not define "in Singapore." The Personal Data Protection Commission (PDPC) has provided interpretive guidance in its Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 17 May 2022, Chapter 2). The PDPC applies a functional, activity-based test: processing occurs "in Singapore" when the collection, use, or disclosure activity takes place within Singapore, even if the organisation, the data subject, the servers, or the downstream recipients are located elsewhere.

Key principles from the PDPC's guidance:

1. Location of the data-processing activity, not the data or the organisation. The PDPC has clarified that the "in Singapore" trigger is tied to where the processing activity occurs, not where the personal data is stored, where the organisation is headquartered, or where the individual resides. An organisation that collects personal data from individuals physically in Singapore (e.g., a foreign retailer collecting names and addresses from customers browsing in a Singapore store, a conference organiser collecting attendee data at a Singapore event) is collecting personal data "in Singapore" and is subject to the PDPA in respect of that collection.

2. Data collected overseas and subsequently transferred into Singapore. When personal data is initially collected outside Singapore and subsequently transferred into Singapore, the Data Protection Provisions apply in respect of activities involving the personal data in Singapore. For example, a multinational employer that collects employee data in Country A and subsequently transfers that data to its Singapore office for payroll processing or HR analytics is using and disclosing personal data "in Singapore" in respect of the Singapore-based processing activities, and must comply with the PDPA's Purpose Limitation Obligation (Section 18), Notification Obligation (Section 20), and other applicable provisions for those activities.

3. Remote collection targeting Singapore individuals or the Singapore market. The PDPC's guidance does not expressly address whether an organisation that remotely collects personal data from individuals located in Singapore (e.g., a foreign website or mobile app collecting data from users physically in Singapore) is collecting data "in Singapore." However, the activity-based language of Section 4 — "activities relating to the collection … of personal data in Singapore" — supports the interpretation that remote collection from Singapore-based individuals constitutes collection "in Singapore" if the collection activity is connected to Singapore. This interpretation aligns with the enforcement posture of analogous regimes (EU GDPR Article 3(2)'s targeting test, California CCPA's doing-business threshold). Practitioners advising foreign digital platforms should assume that offering goods or services to individuals in Singapore, or monitoring the behaviour of individuals in Singapore, creates "in Singapore" processing exposure, particularly if the organisation's website, app, or service is accessible in Singapore, accepts Singapore payment methods, displays prices in Singapore dollars, or advertises in Singapore.

4. Servers located in Singapore. If an organisation processes personal data through servers or infrastructure physically located in Singapore, that processing occurs "in Singapore" even if the organisation itself has no Singapore office and the data subjects are located outside Singapore. A foreign SaaS provider that hosts customer data on AWS Singapore Region or Google Cloud Singapore servers is processing personal data "in Singapore" in respect of the hosting activity. The organisation must comply with the PDPA's Protection Obligation (Section 24) requiring reasonable security arrangements, the Retention Limitation Obligation (Section 25), and other applicable provisions.

5. Employees or agents acting in Singapore. If an organisation's employees or agents undertake data-processing activities while physically in Singapore — even if the organisation has no Singapore office — those activities occur "in Singapore." For example, a foreign sales team visiting Singapore for a trade show and collecting business cards from prospective customers is collecting personal data "in Singapore." A foreign consultant conducting interviews in Singapore and recording personal data of interviewees is collecting and using personal data "in Singapore."

## Practical application — foreign organisations with Singapore exposure

The following scenarios illustrate when a foreign organisation with no Singapore presence is subject to the PDPA:

E-commerce and digital services. A foreign e-commerce platform ships goods to Singapore customers. Customers create accounts by providing names, email addresses, delivery addresses, and payment details. The platform collects, uses, and discloses this personal data in Singapore (the individuals are located in Singapore when they submit the data, and the collection activity is directed at the Singapore market). The platform is subject to the PDPA's Consent Obligation (Section 13), Purpose Limitation Obligation (Section 18), Notification Obligation (Section 20), Access Obligation (Section 21), Protection Obligation (Section 24), and all other Data Protection Provisions in respect of the Singapore customers' data. The platform's lack of a Singapore entity, Singapore office, or Singapore-incorporated subsidiary is irrelevant.

Cloud infrastructure. A foreign cloud provider offers infrastructure-as-a-service (IaaS) to clients worldwide, including clients in Singapore. A Singapore-based business engages the cloud provider to host its customer database on the provider's Singapore data center. The cloud provider processes personal data in Singapore (through its Singapore servers) on behalf of the Singapore client. The cloud provider is a data intermediary under Section 2 (processing on behalf of the Singapore client) and is subject to the Protection Obligation and Retention Limitation Obligation under Section 4A's partial exclusion (see the existing section on organisation and data intermediary definitions). The cloud provider must implement reasonable security arrangements for the personal data hosted in its Singapore infrastructure.

Multinational employer. A foreign corporation employs individuals who work in Singapore. The corporation's global HR system (administered from the corporation's headquarters in Country B) collects, uses, and discloses personal data of the Singapore-based employees for payroll, benefits administration, performance management, and other employment purposes. The corporation processes personal data in Singapore in respect of the Singapore employees. The corporation is subject to the PDPA's Data Protection Provisions, though it may rely on the employment exception in Part 5 of the Second Schedule to the PDPA, which permits employers to collect, use, and disclose employee personal data without consent for employment-management purposes (subject to other obligations including the Protection Obligation and Purpose Limitation Obligation).

Marketing and analytics. A foreign marketing analytics firm collects behavioural data from users who visit websites operated by the firm's clients. The firm places tracking pixels and cookies on client websites. Users located in Singapore visit these websites; the firm collects IP addresses, device identifiers, browsing histories, and click-stream data from these Singapore-based users. The firm processes personal data in Singapore (the individuals are in Singapore when the data is collected). The firm is subject to the PDPA's Consent Obligation unless an exception applies (the PDPC has taken the position that cookie-based tracking typically requires consent unless the data is truly anonymized or falls within a statutory exception).

## Interaction with the Transfer Limitation Obligation — onward transfers by foreign organisations

When a foreign organisation subject to the PDPA (because it processes personal data "in Singapore") subsequently transfers personal data outside Singapore, the organisation must comply with the Transfer Limitation Obligation under Section 26 of the PDPA. Section 26 requires the transferring organisation to ensure that the personal data transferred to a recipient outside Singapore is protected to a standard comparable to the protection under the PDPA.

This creates layered compliance obligations for foreign organisations. A foreign platform that collects personal data from Singapore users "in Singapore" and subsequently discloses that data to a foreign affiliate, a foreign data analytics vendor, or a foreign cloud provider must:

  1. Comply with the Consent Obligation (Section 13) or an applicable exception when collecting the data from the Singapore users;
  2. Comply with the Purpose Limitation Obligation (Section 18) ensuring the onward disclosure is for a purpose consistent with the original collection purpose;
  3. Comply with the Transfer Limitation Obligation (Section 26) ensuring the foreign recipient provides comparable protection (typically by obtaining the recipient's contractual commitment to implement data-protection safeguards, or by relying on the recipient's APEC Cross-Border Privacy Rules (CBPR) certification or other recognized mechanism specified in the Personal Data Protection Regulations 2021, Regulation 10).

## Enforcement and jurisdictional reach

As of June 2026, the PDPC has not published a comprehensive enforcement decision interpreting the "in Singapore" jurisdictional trigger or addressing whether and how it would enforce PDPA obligations against a purely foreign organisation with no Singapore assets or presence. However, the PDPC's statutory enforcement powers under Part IXC of the PDPA (Sections 48H–48O) include:

  • the power to investigate any act or practice that may constitute a contravention of the Data Protection Provisions (Section 48H);
  • the power to issue directions requiring an organisation to cease the contravention, destroy personal data collected in contravention of the Act, or take specified steps to remedy the contravention (Section 48I);
  • the power to impose financial penalties of up to S$1 million or 10% of the organisation's annual turnover in Singapore (whichever is higher) for breaches of specified obligations (Section 48J, as amended effective 1 February 2021); and
  • a right of private action permitting individuals to bring civil claims in the Singapore courts for breaches causing loss or damage (Section 48O).

The private right of action under Section 48O is enforceable in the District Court (which has jurisdiction over claims up to S$250,000) or the General Division of the High Court (for larger claims). A Singapore-based data subject who suffers loss or damage from a foreign organisation's breach of the PDPA can file suit in Singapore. Enforcement of a Singapore judgment against a foreign defendant with no Singapore assets would depend on whether the defendant's home jurisdiction recognizes and enforces Singapore civil judgments (reciprocal enforcement treaties, common-law recognition doctrines).

In practice, foreign organisations that derive significant revenue from Singapore customers, that have Singapore bank accounts or payment processors, or that maintain business relationships with Singapore entities face meaningful enforcement risk. The PDPC has stated in public speeches and guidance documents that it will take a pragmatic, risk-based approach to enforcement, prioritizing cases involving significant harm, egregious conduct, or systemic non-compliance over technical or low-impact violations.

## Comparison with other regimes — GDPR targeting, CCPA business threshold, LGPD establishment

Singapore's "in Singapore" activity-based jurisdictional trigger differs in structure from other major data-protection regimes:

EU GDPR Article 3(2) applies to controllers and processors not established in the EU if they process personal data of EU data subjects in the context of (a) offering goods or services to data subjects in the EU (irrespective of whether payment is required), or (b) monitoring the behaviour of data subjects in the EU. The GDPR's targeting test focuses on the data subject's location and the controller's intent to target the EU market. Singapore's "in Singapore" test, by contrast, focuses on the location of the processing activity, though in practice the two tests often yield the same result (a foreign platform targeting Singapore users is likely processing personal data "in Singapore").

California CCPA applies to for-profit entities that do business in California and meet one of three thresholds (annual gross revenues over $25 million, or buy/sell/share personal information of 100,000+ California residents/households, or derive 50%+ of annual revenues from selling or sharing California residents' personal information). The CCPA requires a business nexus (doing business in California) plus a data-volume or revenue threshold. Singapore's PDPA contains no revenue, volume, or size threshold; any organisation processing personal data "in Singapore" is subject to the Act.

Brazil LGPD Article 3 applies to processing operations carried out in Brazil, or where the processing involves personal data of individuals located in Brazil and the processing activity relates to (a) offering goods or services in Brazil, or (b) processing data collected in Brazil. The LGPD's territorial scope thus combines location of processing, location of data subjects, and targeting. Singapore's PDPA focuses more narrowly on location of the processing activity.

## Unresolved questions and compliance recommendations

The PDPA's "in Singapore" jurisdictional trigger leaves several questions unresolved as of June 2026:

Remote collection from Singapore-based individuals. Does a foreign website accessible in Singapore, collecting personal data from a user physically in Singapore, trigger "in Singapore" jurisdiction even if the website operator has no Singapore presence, no Singapore servers, and does not specifically target Singapore? The statutory language ("activities relating to the collection … of personal data in Singapore") and the PDPC's activity-based approach support jurisdiction, but the PDPC has not published enforcement precedent confirming this interpretation.

Data in transit. If personal data transits through Singapore network infrastructure or subsea cables en route from Country A to Country B, does that constitute processing "in Singapore"? The PDPC's Key Concepts Guidelines state that the Transfer Limitation Obligation (Section 26) does not apply to "data in transit" (personal data merely routed through Singapore without being accessed or processed by an organisation in Singapore). This suggests that mere transit does not trigger "in Singapore" jurisdiction, but the PDPC has not elaborated the boundaries of the transit exception.

Aggregated or anonymized data derived from Singapore sources. If an organisation collects personal data from Singapore individuals, anonymizes or aggregates that data, and subsequently processes the anonymized data outside Singapore, is the anonymization activity subject to the PDPA? The PDPC's position is that anonymized data (data from which individuals cannot be re-identified) is not "personal data" and falls outside PDPA scope. However, the anonymization process itself — which involves the use of personal data to produce anonymized outputs — is processing of personal data "in Singapore" if conducted in Singapore, and is subject to the PDPA's Purpose Limitation, Protection, and other obligations during the anonymization workflow.

## Compliance recommendations for foreign organisations

Foreign organisations assessing Singapore PDPA exposure should:

  1. Map data flows. Identify all activities that involve collecting, using, or disclosing personal data in Singapore — including data collected from Singapore-based individuals, data processed on Singapore servers, data processed by Singapore-based employees or contractors, and data transferred into Singapore for processing.
  2. Apply the activity-based test. For each processing activity, ask: Where does the collection, use, or disclosure occur? If any part of the processing takes place in Singapore, assume "in Singapore" jurisdiction and evaluate PDPA compliance for that activity.
  3. Assess targeting and market presence. If the organisation offers goods or services to individuals in Singapore (e.g., website ships to Singapore, accepts SGD, advertises in Singapore, has a .sg domain or Singapore localization), assume that personal data collected from Singapore users is collected "in Singapore."
  4. Implement PDPA-compliant processes. Even without a Singapore entity, foreign organisations subject to "in Singapore" processing must implement: (a) consent mechanisms (or reliance on statutory exceptions); (b) privacy notices satisfying the Notification Obligation (Section 20); (c) access and correction request procedures (Sections 21–22); (d) data security safeguards (Section 24); (e) data breach notification procedures (Sections 26B–26D); (f) cross-border transfer safeguards (Section 26).
  5. Contractual allocation for data intermediaries. Foreign cloud providers, payroll vendors, and other service providers processing personal data on behalf of Singapore clients should ensure written contracts satisfying Section 4A(2) and allocate data-protection responsibilities consistent with the PDPA's data intermediary framework (see the existing section on organisation and data intermediary definitions).
  6. Monitor PDPC guidance and enforcement. The PDPC periodically updates its Advisory Guidelines and publishes enforcement decisions. Foreign organisations should monitor pdpc.gov.sg for sector-specific guidance, new exemptions, and enforcement precedent clarifying the "in Singapore" jurisdictional boundaries.

Source: Personal Data Protection Act 2012, Sections 2, 4
Source: PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act, Chapter 2 (revised 17 May 2022)


Do Not Call Provisions — Part IX scope and relationship to Data Protection Provisions

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The Personal Data Protection Act 2012 contains two distinct regulatory regimes: the Data Protection Provisions (Parts III to VI, as amended by Part 6A) governing the collection, use, and disclosure of personal data, and the Do Not Call Provisions (Part IX, Sections 36–48) regulating unsolicited marketing messages to Singapore telephone numbers. Each regime has its own scope, its own obligations, and its own penalty structure. A practitioner assessing PDPA compliance must determine whether the activity in question triggers the Data Protection Provisions, the Do Not Call (DNC) Provisions, or both.

## Two parallel regimes within one statute

The PDPA's DNC Provisions came into force on 2 January 2014, six months ahead of the Data Protection Provisions (which took effect on 2 July 2014). The DNC regime is structurally independent: it applies based on the sending of specified messages to Singapore telephone numbers, regardless of whether the sender holds personal data about the recipient and regardless of whether the Data Protection Provisions separately apply to the sender's activities. An organisation sending marketing SMS messages to Singapore mobile numbers must comply with the DNC Provisions (check the DNC Registry, provide opt-out mechanisms, include contact information, etc.) in addition to any obligations it bears under the Data Protection Provisions if it is also collecting, using, or disclosing personal data.

The Personal Data Protection Commission's Advisory Guidelines on the Do Not Call Provisions (issued 26 December 2013, revised 1 February 2021) confirm that "the DNC Provisions operate in conjunction with the Data Protection Provisions" but that the two regimes "apply independently." Compliance with one does not guarantee compliance with the other. For example, an organisation that obtains valid consent under the Data Protection Provisions (Section 13) to collect and use an individual's personal data is not thereby exempt from the DNC Provisions when it sends marketing messages to that individual's Singapore telephone number. Before sending, it must do one of three things: hold separate clear and unambiguous consent in evidential form to send specified messages to that number (Section 46), check the DNC Registry and confirm the number is not listed in the relevant register (Section 43), or establish that the message falls within an exclusion in the Eighth Schedule and so is not a specified message at all.

## Material scope — "specified messages" to Singapore telephone numbers

The DNC Provisions apply to specified messages addressed to Singapore telephone numbers. Section 36(1) defines a "Singapore telephone number" as a telephone number that accords with the National Numbering Plan issued by the Infocomm Media Development Authority (IMDA) under the Telecommunications Act. In practice, as the PDPC's DNC Guidelines describe it, that means the eight-digit numbers beginning with 3 (IP telephony / VoIP), 6 (fixed-line residential and business) and 8 or 9 (mobile). The channel is irrelevant: voice calls, SMS, MMS, fax, instant-messaging services addressed to a phone number, or any other telecommunications channel are all caught, as long as the message is addressed to a Singapore telephone number.

Section 37 defines a "specified message" as a message (voice, text, fax or otherwise) where, having regard to its content, its presentation and any content reachable through links or contact details it carries, one of its purposes is to:

  • offers to supply, or advertises or promotes, goods or services;
  • advertises or promotes a supplier or prospective supplier of goods or services; or
  • offers to supply, or advertises or promotes, land or an interest in land, or a business opportunity or investment opportunity.

The test is purpose-based, and the purpose is read from what the message says and how it presents itself, not from the channel or format used to deliver it. The PDPC's DNC Guidelines treat a message as promotional where it is designed to encourage the recipient to purchase goods or services, engage with a supplier, or take up a business or investment opportunity. Transactional, service, informational, or relationship messages with no marketing purpose are not specified messages. For example:

  • a bank's SMS confirming a successful funds transfer is not a specified message;
  • a retail store's SMS offering a 20% discount on a new product line is a specified message;
  • a doctor's clinic sending an appointment reminder to a patient is not a specified message; but
  • the same clinic sending an SMS promoting a new cosmetic treatment to past patients is a specified message.

Section 37 and the Eighth Schedule set out a list of messages that are excluded from the definition of "specified message" even where the message has a promotional element. Key exclusions include messages whose sole purpose is to:

  • facilitate, complete or confirm a transaction the recipient has previously agreed to enter into (e.g., order confirmations, delivery notices);
  • provide warranty, product-recall, safety or security information about goods or services the recipient has bought or uses;
  • deliver goods or services, including updates or upgrades, that the recipient is already entitled to under an existing transaction;
  • notify the recipient of account balances, changes in terms, or other matters relating to an ongoing subscription, membership, account, loan or similar relationship; or
  • respond to an emergency that threatens life, health or safety.

The Schedule also excludes messages sent to an organisation (other than an individual acting in a personal or domestic capacity) for a purpose of that receiving organisation, which is the business-to-business carve-out discussed below, and it contains narrow carve-outs for certain charitable and election-related messages; check the current text of the Schedule, which has been amended since 2014. Consent is not an Eighth Schedule exclusion: a message sent with the recipient's consent is still a specified message, and consent instead operates as an exception to the duty to check the register (see the consent section below).

The excluded-message categories are narrowly construed. The PDPC's DNC Guidelines emphasise that the ongoing-relationship exclusions apply only to messages that service an existing transaction or relationship, not to messages that use that relationship as a channel for promotion. A message that cross-sells a different product or service, or that markets to a past customer whose transaction has concluded, is a specified message and is subject to the DNC Provisions. For example, an SMS from a telecommunications provider to a current subscriber notifying a change in the terms of the existing plan, or a usage alert on that plan, falls within the exclusion; an SMS to the same subscriber offering an upgrade to a higher-tier plan is promotional and should be treated as a specified message; and an SMS to a former subscriber (whose service was terminated) offering to re-activate service is plainly a specified message subject to the DNC Provisions.

## Territorial scope — message sent "to a Singapore telephone number"

The DNC Provisions apply to any specified message addressed to a Singapore telephone number, regardless of the sender's location, the sender's incorporation or registration, or the sender's physical presence in Singapore. The territorial nexus is the destination of the message: the duties in Sections 43 to 45 attach because the message is addressed to a Singapore telephone number, and Section 36 defines the "sender" to include a person who causes a message to be sent or authorises its sending, so where the sender sits is irrelevant. The PDPC's DNC Guidelines confirm that "as long as a specified message is addressed to a Singapore telephone number, the relevant provisions in Part IX PDPA could apply, regardless of how the message was sent." This means:

  • a foreign e-commerce platform with no Singapore office that sends promotional SMS messages to Singapore mobile numbers is subject to the DNC Provisions;
  • a Singapore-based marketing agency sending specified messages on behalf of a foreign principal to Singapore telephone numbers is subject to the DNC Provisions (as is the foreign principal if it authorised the sending);
  • a regional call centre located outside Singapore that places telemarketing calls to Singapore fixed-line numbers is subject to the DNC Provisions.

The DNC regime's extraterritorial reach mirrors the activity-based jurisdictional approach in Section 4 of the PDPA for the Data Protection Provisions. The critical factor is the location of the recipient (a Singapore telephone number), not the location of the sender.

## Key obligations under the DNC Provisions — checklist for senders of specified messages

Organisations and individuals sending specified messages to Singapore telephone numbers must comply with four core obligations under Part IX:

1. Duty to check the DNC Register (Section 43): Before sending a specified message to a Singapore telephone number, the sender must check the DNC Registry (maintained by the PDPC under Section 39) to confirm that the number is not listed in the relevant register (there are three separate registers: one for voice calls, one for text messages, and one for fax messages). The check must be performed within the prescribed period — currently 30 days before the message is sent (per the Personal Data Protection (Do Not Call Registry) Regulations 2013, as amended). If the number is listed in the register, the sender must not send the specified message unless one of the statutory exceptions applies (e.g., the sender has obtained clear and unambiguous consent in evidential form under Section 46, or the message falls within the Eighth Schedule exclusions).

2. Duty to provide contact information (Section 44): Every specified message must include clear and accurate information identifying the individual or organisation that sent or authorised the sending of the message, and must include clear and accurate information about how the recipient can readily contact that sender. For text or fax messages, this typically means including the sender's name, business name, and a contact telephone number or email address in the message body. For voice calls, the caller must provide accurate calling-line identity (see Section 45 below) and must, upon request, provide the recipient with contact information.

3. Calling-line identity not to be concealed (Section 45): For voice calls that are specified messages, the sender must not conceal or withhold the calling-line identity (the telephone number from which the call originates). The sender must ensure that the recipient's caller-ID display shows a valid callback number. Messages sent using technology that deliberately suppresses or falsifies the calling-line identity breach Section 45.

4. Duty to honour withdrawal of consent (Sections 46 and 47): If a recipient withdraws consent to receive specified messages from a particular sender (e.g., by replying "STOP" to an SMS, or by asking to be removed during a voice call), the sender must cease sending specified messages to that telephone number within 21 days of the withdrawal (the "prescribed period" under Section 47(3)). A withdrawal overrides any consent previously relied on under Section 46, so once it is received the sender is back to needing a current register check, which will usually fail if the recipient has also listed the number. Part IX does not prescribe the form an opt-out must take, so a withdrawal can arrive by any route; in practice the sender needs a readily accessible opt-out in the same medium as the message (an SMS reply keyword for SMS, a spoken opt-out procedure for voice calls) and a ledger that the withdrawal reaches before the next send.
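The four duties above are a gate a messaging platform has to evaluate before every send, and the order matters: a withdrawal beats a consent record, a consent record removes the need for a register check, and a register check is only good for the prescribed duration. The block below is an added example for this page, not PDPC code or any vendor's SDK, and it simulates the DNC Registry with in-memory sets (constructed data) where a real deployment would query the PDPC's registry service and retain the results as evidence. It assumes, as a modelling shortcut that is not in the Act, that a Singapore telephone number is eight digits beginning with 3, 6, 8 or 9 with an optional +65 prefix, and it stops immediately on withdrawal rather than using up the 21-day period.

```python
"""Pre-send gate for messages regulated by Part IX of the PDPA.

Added example, not PDPC code. Models the sender duties: register check within
the 30-day window (Section 43) unless clear and unambiguous consent in
evidential form is on file (Section 46), withdrawals honoured (Section 47),
sender identification and contact details present (Section 44).
Registry, consents and opt-outs are constructed in-memory data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import re

CHECK_VALIDITY = timedelta(days=30)   # prescribed duration of a register check
# Assumption (not from the Act): 8 digits starting 3/6/8/9, optional +65.
SG_NUMBER = re.compile(r"^(?:\+65)?([3689]\d{7})$")
# Part IX has three registers; messaging-app messages addressed to a phone
# number are treated here like SMS and go to the text register.
REGISTER_FOR_CHANNEL = {"voice": "voice", "sms": "text", "mms": "text",
                        "im": "text", "fax": "fax"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class DncState:
    listed: dict                                 # register -> set of listed numbers
    checks: dict = field(default_factory=dict)   # (number, register) -> (checked_at, listed)
    consents: set = field(default_factory=set)   # (number, register) with evidential consent
    withdrawn: set = field(default_factory=set)  # (number, register) after an opt-out


def normalise(number: str) -> Optional[str]:
    """Return the 8-digit national number, or None if not a Singapore number."""
    m = SG_NUMBER.match(re.sub(r"[\s-]", "", number))
    return m.group(1) if m else None


def record_check(state: DncState, number: str, channel: str, now: datetime) -> bool:
    """Simulate a Section 43 check of the register for this channel; keep the result."""
    n, reg = normalise(number), REGISTER_FOR_CHANNEL[channel]
    listed = n in state.listed.get(reg, set())
    state.checks[(n, reg)] = (now, listed)
    return listed


def record_opt_out(state: DncState, number: str, channel: str) -> None:
    """Section 47: a withdrawal overrides any consent; stop at once."""
    key = (normalise(number), REGISTER_FOR_CHANNEL[channel])
    state.consents.discard(key)
    state.withdrawn.add(key)


def may_send(state: DncState, number: str, channel: str,
             sender_name: str, contact: str, now: datetime) -> Decision:
    reg = REGISTER_FOR_CHANNEL.get(channel)
    if reg is None:
        return Decision(False, f"unknown channel {channel!r}")
    n = normalise(number)
    if n is None:
        return Decision(True, "not a Singapore telephone number; Part IX does not apply")
    if not sender_name.strip() or not contact.strip():
        return Decision(False, "Section 44: sender identification or contact details missing")
    key = (n, reg)
    if key in state.withdrawn:
        return Decision(False, "Section 47: recipient has withdrawn consent for this channel")
    if key in state.consents:
        return Decision(True, "Section 46: evidential consent on file; register check not required")
    check = state.checks.get(key)
    if check is None or now - check[0] > CHECK_VALIDITY:
        return Decision(False, f"Section 43: no {reg} register check within 30 days; check first")
    if check[1]:
        return Decision(False, f"Section 43: number is listed in the {reg} register")
    return Decision(True, f"Section 43: {reg} register checked {(now - check[0]).days} days ago, not listed")


def demo() -> list:
    """Walk two numbers through the gate on constructed data; returns the decisions."""
    t0 = datetime(2026, 6, 1, tzinfo=timezone.utc)
    state = DncState(listed={"voice": set(), "text": {"91234567"}, "fax": set()})
    who = ("Acme Pte Ltd", "+65 6000 0000")
    out = [may_send(state, "+65 9123 4567", "sms", *who, t0)]            # no check yet
    record_check(state, "+65 9123 4567", "sms", t0)
    out.append(may_send(state, "91234567", "sms", *who, t0))             # listed in text register
    record_check(state, "98765432", "im", t0)                            # im shares the text register
    out.append(may_send(state, "98765432", "sms", *who, t0 + timedelta(days=10)))  # fresh check
    out.append(may_send(state, "98765432", "sms", *who, t0 + timedelta(days=31)))  # stale check
    state.consents.add(("98765432", "voice"))
    out.append(may_send(state, "98765432", "voice", *who, t0))           # consent, no check needed
    record_opt_out(state, "98765432", "voice")
    out.append(may_send(state, "98765432", "voice", *who, t0))           # withdrawn
    out.append(may_send(state, "98765432", "sms", "", "+65 6000 0000", t0 + timedelta(days=1)))  # no sender id
    out.append(may_send(state, "+1 212 555 0100", "sms", *who, t0))      # outside Part IX
    return out


if __name__ == "__main__":
    for d in demo():
        print("SEND " if d.allowed else "BLOCK", d.reason)
```

The gate deliberately refuses when it has no fresh check rather than performing one on the fly: a check is an auditable event with a timestamp, and keeping it separate from the send decision is what lets you produce evidence later that the number was checked within the window. The same state object is the place to store the consent record itself (form, timestamp, channel) so that the Section 46 path is backed by evidence and not just a boolean.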

## Exceptions — consent and the business-purpose telephone number carve-out

An organisation may send a specified message to a Singapore telephone number without checking the DNC Registry if it has obtained the recipient's clear and unambiguous consent in evidential form to send specified messages to that telephone number (Section 46). The PDPC's DNC Guidelines define "clear and unambiguous consent in evidential form" as consent that:

  • is express (not implied or inferred from silence or inaction);
  • clearly identifies the purpose for which consent is sought (i.e., to receive marketing messages from the organisation);
  • is documented in a form that the organisation can produce as evidence (e.g., a signed form, a recorded opt-in via SMS or email, a website checkbox with audit logs); and
  • is specific to the sending of specified messages to the particular telephone number (consent to use personal data under the Data Protection Provisions does not automatically constitute consent to send DNC-regulated messages).

The PDPC's DNC Guidelines provide multiple illustrative examples of consent forms that do and do not meet the "clear and unambiguous in evidential form" standard. Pre-ticked checkboxes, generic terms-and-conditions clauses, and opt-out (rather than opt-in) mechanisms do not constitute valid consent under Section 46.

Additionally, the Eighth Schedule excludes messages sent to an organisation (other than an individual acting in a personal or domestic capacity) for a purpose of that receiving organisation. This is the business-to-business carve-out: a message to a number used solely for business purposes is not a "specified message" within Section 37, and the DNC Provisions do not apply to it. The PDPC's DNC Guidelines read "business purposes" narrowly: the number must be a dedicated business line (e.g., a company's main switchboard, a customer-service hotline, a business fax line) that is not also used by an individual for personal communications. A mobile number that an individual uses for both work and personal calls does not qualify, and marketing messages to that number are subject to the DNC Provisions. The practical check is who answers and how the number is used, not whether the number appears on a business card.

## Relationship to the Data Protection Provisions — obligations can stack

Because the DNC Provisions and the Data Protection Provisions apply independently, an organisation may be subject to both regimes simultaneously in respect of the same activity. Common dual-compliance scenarios include:

  • Marketing SMS to a customer database: If an e-commerce business collects customers' mobile numbers (personal data) and sends promotional SMS messages to those numbers, the business must comply with:
      ◦ the Data Protection Provisions (obtain consent under Section 13 for collection and use of the mobile number; satisfy the Purpose Limitation Obligation under Section 18; provide access and correction rights under Sections 21–22; implement security under Section 24; etc.); and
      ◦ the DNC Provisions (either check the DNC Registry under Section 43, or obtain separate clear and unambiguous consent in evidential form under Section 46; include contact information under Section 44; honour opt-outs under Section 47).
  • Telemarketing to purchased lead lists: If a telemarketing firm purchases a database of telephone numbers from a third party and uses those numbers to place marketing calls, the firm must comply with:
      ◦ the Data Protection Provisions (ensure the third party had valid consent or another lawful basis to disclose the numbers under Sections 13 and 18; the firm must also have a lawful basis to use the numbers, and must comply with the Protection, Retention Limitation, and other obligations); and
      ◦ the DNC Provisions (check the relevant DNC register for each number before calling; do not conceal calling-line identity; include contact information; honour opt-outs).

Engaging a third party to do the sending does not move the obligation. Section 36 defines the "sender" of a specified message to include a person who causes the message to be sent or authorises its sending, so the principal that authorises a marketing campaign is a sender for Part IX purposes alongside the agency or messaging vendor that technically transmits it, and both bear the Section 43 to 47 duties directly. The PDPC's DNC Guidelines take the same position, and the PDPC's guidance on contracting with data intermediaries (including its Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data) is the place to look for clauses that allocate the checking, record-keeping and opt-out handling between the parties; the contract allocates the work, not the liability.

## Enforcement and penalties — separate tiered financial-penalty structure

The PDPC enforces the DNC Provisions through investigations, directions, and financial penalties. Before the Personal Data Protection (Amendment) Act 2020 took effect on 1 February 2021, a DNC contravention was a criminal offence prosecuted in court, with a fine of up to S$10,000 per offence. The 2020 amendments moved DNC contraventions into the administrative financial-penalty regime in Part 9B, with caps set in Section 48J that are lower than those for the Data Protection Provisions:

  • DNC financial penalty cap: for a contravention of the DNC Provisions (Part IX), or of the Part 9A prohibitions on dictionary attacks and address-harvesting software, an organisation faces a penalty of up to 5% of its annual turnover in Singapore where that turnover exceeds S$20 million, and otherwise up to S$1 million; an individual faces up to S$200,000. Published DNC outcomes scale with the number of non-compliant messages sent, the sender's checking and opt-out practices, and any aggravating or mitigating factors.
  • Data Protection Provisions penalty cap: for comparison, a contravention of the Data Protection Provisions attracts a cap of 10% of the organisation's annual turnover in Singapore where that turnover exceeds S$10 million, and otherwise S$1 million (the raised caps introduced by the 2020 amendments commenced on 1 October 2022). The gap reflects the different harm profiles: DNC contraventions typically involve nuisance and unfair marketing practice, whereas Data Protection Provisions contraventions (data breaches, unauthorised disclosures, systematic failures to protect personal data) can cause significant individual harm and systemic privacy erosion.

The PDPC's enforcement approach for DNC violations is risk-based and largely complaint-driven. The PDPC investigates complaints from individuals who receive non-compliant specified messages, examines organisations' register-checking and opt-out procedures, and may issue directions requiring an organisation to cease sending specified messages, remediate its processes, or pay a financial penalty. Repeated or systematic DNC violations, the use of dictionary attacks or address-harvesting software (prohibited under Part 9A), or deliberate concealment of calling-line identity typically attract higher penalties.

## Practical delineation — when each regime applies

The Data Protection Provisions apply when an organisation collects, uses, or discloses personal data (data about an identified or identifiable individual) in Singapore, regardless of the medium or purpose. The trigger is the processing of personal data.

The DNC Provisions apply when an organisation sends a specified message (a marketing or promotional message) to a Singapore telephone number, regardless of whether the sender holds personal data about the recipient. The trigger is the sending of a promotional message to a Singapore number.

The two regimes overlap when an organisation both (a) processes personal data (e.g., collects a customer's mobile number and name) and (b) sends marketing messages to that customer's Singapore mobile number. In that scenario, the organisation must comply with both regimes. The regimes do not overlap (and only one applies) when:

  • an organisation sends a specified message to a Singapore telephone number it obtained from a public directory or purchased list, without collecting or using any other personal data about the recipient (DNC Provisions apply; Data Protection Provisions may also apply depending on whether the telephone number constitutes personal data in the sender's hands and whether the sender has a lawful basis for use);
  • an organisation collects and uses personal data (e.g., processes customer orders, maintains employee records) but does not send any marketing messages (Data Protection Provisions apply; DNC Provisions do not apply).

Source: Personal Data Protection Act 2012, Part IX (Sections 36–48), Part 9A, Part 9B (Section 48J), Eighth Schedule
Source: PDPC Advisory Guidelines on the Do Not Call Provisions (revised 1 February 2021)
Source: Personal Data Protection (Do Not Call Registry) Regulations 2013
