Do Not Call Registry Compliance (Singapore)

A Do Not Call Registry Compliance in Singapore records the facts of the complaint and the action the complainant asks be taken.

The DNC Registry was established on 2 January 2014 under Part IX of the PDPA 2012, creating three separate registers: the No Voice Call Register; the No Text Message Register; and the No Fax Message Register. Individuals who register their Singapore telephone numbers on any of these registers are protected from receiving specified messages (marketing messages) from organisations that have not obtained their consent. Under Section 43 of the PDPA, an organisation must not send a specified message to a Singapore telephone number that is listed on the applicable DNC register, unless the organisation has obtained the individual's clear and unambiguous consent to receive such messages.

Section 44 of the PDPA imposes a checking obligation on organisations — before sending a specified message to a Singapore telephone number, the organisation must check the applicable DNC register to determine whether the number is listed. The PDPC provides an online checking service through the DNC Registry website (www.dnc.gov.sg) and an Application Programming Interface (API) for organisations that need to check numbers in bulk. The results of DNC checks are valid for a period specified by the PDPC — currently 30 days from the date of the check.

The Personal Data Protection (Amendment) Act 2020 significantly strengthened the enforcement framework for DNC violations. Under Section 48J of the PDPA (as amended), the PDPC may impose financial penalties of up to S$1 million on organisations that breach the DNC provisions — or, for organisations with annual turnover exceeding S$10 million in Singapore, up to 10% of the organisation's annual turnover. The PDPC has published numerous enforcement decisions involving DNC violations, imposing financial penalties ranging from S$6,000 to S$200,000 on organisations that sent unsolicited marketing messages without checking the DNC Registry or obtaining valid consent.

The Competition and Consumer Commission of Singapore (CCCS) may also be relevant where DNC-non-compliant marketing practices are part of broader unfair trade practices under the Consumer Protection (Fair Trading) Act (Cap. 52A). Organisations should also be aware that the Spam Control Act (Cap. 311A) imposes additional requirements on commercial electronic messages, including the inclusion of an unsubscribe mechanism and sender identification.

The Do Not Call Registry operates alongside other PDPA obligations that affect marketing communications. The PDPA consent obligation under Section 13 requires organisations to obtain consent before collecting, using, or disclosing personal data (including telephone numbers) for marketing purposes. The notification obligation under Section 20 requires organisations to inform individuals of the purposes for which their personal data will be used. The data protection obligation under Section 24 requires organisations to protect personal data in their possession against unauthorised access, collection, use, disclosure, copying, modification, or disposal. These obligations apply to all personal data processed in connection with marketing campaigns, not just to the telephone numbers checked against the DNC Registry. The PDPC Advisory Guidelines on the PDPA for Selected Topics provide detailed guidance on the interaction between the DNC provisions and the broader PDPA obligations.

A Do Not Call Registry Compliance document is needed in Singapore whenever an organisation sends or intends to send marketing messages — whether by voice call, text message, or fax — to Singapore telephone numbers, and must document its compliance procedures to meet the requirements of the PDPA 2012 (Part IX) and avoid financial penalties from the PDPC.

Any organisation conducting telemarketing must have DNC compliance procedures. Businesses that use outbound voice calls to market products or services to Singapore telephone numbers must check the No Voice Call Register before each campaign and maintain records of the checks performed. The PDPC's enforcement decisions show that telemarketing companies are among the most frequently penalised organisations for DNC violations, with penalties reflecting the volume of non-compliant calls made.

Organisations sending SMS or MMS marketing messages — including promotional offers, sale announcements, event invitations, and loyalty programme communications — must check the No Text Message Register before sending. Real estate agencies, financial institutions, beauty and wellness businesses, and food and beverage operators are among the sectors most commonly associated with text message marketing in Singapore, and the PDPC has published enforcement decisions against organisations in each of these sectors.

Fax marketing, though declining in prevalence, remains subject to the No Fax Message Register provisions. Organisations that send fax advertisements — common in the business-to-business context for industries such as printing, office supplies, and logistics — must check the No Fax Message Register before transmission.

Organisations relying on consent exceptions must document their consent collection procedures. Under Section 43(2) of the PDPA, an organisation may send a specified message to a DNC-registered number if the individual has given clear and unambiguous consent to receiving that type of message from that organisation. Consent may be obtained in writing, electronically (through a website or app), or orally — but the organisation must maintain evidence of the consent, including the date, the manner in which consent was given, and the scope of the consent. A DNC compliance document that records the organisation's consent collection and record-keeping procedures is essential for demonstrating compliance to the PDPC.

Related documents that complement a DNC compliance policy include a Privacy Policy (documenting the organisation's broader PDPA compliance), a Data Protection Policy (addressing internal data handling procedures), a Data Breach Notification (for responding to personal data breaches under the PDPA's mandatory breach notification regime), and Terms of Service (governing the organisation's relationship with customers and users).

A properly drafted Singapore Do Not Call Registry Compliance document must address all mandatory requirements of the PDPA 2012 (Part IX, Sections 43 to 48I) and the PDPC's enforcement guidelines.

Organisation details must state the organisation's full registered name, Unique Entity Number (UEN) as registered with ACRA, registered address, and the name and contact details of the Data Protection Officer (DPO) appointed under Section 11(3) of the PDPA. The PDPC requires all organisations to appoint at least one DPO responsible for confirming PDPA compliance.

Types of specified messages sent must identify each type of marketing message the organisation sends — voice calls, text messages (SMS/MMS), and fax messages — and the purpose of each type (product promotion, service offers, event invitations, loyalty programme communications, etc.). The PDPA defines "specified message" as a message sent to a Singapore telephone number that offers, advertises, or promotes the supply of goods, services, land, or business or investment opportunities. Messages sent for non-marketing purposes (appointment reminders, service notifications, transactional confirmations) are not specified messages and are not subject to the DNC provisions.

DNC Registry checking procedures must describe the organisation's process for checking Singapore telephone numbers against the applicable DNC register before sending specified messages. The procedure should specify: who is responsible for performing the checks; how frequently checks are performed (at a minimum, before each marketing campaign, and within the validity period specified by the PDPC — currently 30 days); the technical method used (the PDPC's online checking service at www.dnc.gov.sg or the DNC Registry API); and the process for excluding DNC-registered numbers from marketing lists.

Consent exceptions must document the circumstances in which the organisation sends specified messages to DNC-registered numbers based on the individual's consent under Section 43(2) of the PDPA. The document should describe: how consent is collected (written forms, electronic opt-in, oral consent with recording); what the individual is told about the types of messages they will receive and the channels through which messages will be sent; how consent records are stored and maintained; and the process for handling consent withdrawal requests.

Record-keeping requirements must describe the organisation's procedures for maintaining records of: DNC Registry checks (date, numbers checked, results); consent obtained from individuals (date, method, scope); and specified messages sent (date, recipient, content, channel). The PDPC requires organisations to maintain these records as evidence of compliance, and has imposed penalties on organisations that could not produce adequate records during investigations. The forms-legal.com Singapore Do Not Call Registry Compliance template includes a record-keeping schedule aligned with PDPC enforcement guidelines.

Penalties section should inform the organisation's staff and management of the consequences of non-compliance. Under Section 48J of the PDPA (as amended by the Personal Data Protection (Amendment) Act 2020), financial penalties of up to S$1 million — or up to 10% of the organisation's annual turnover in Singapore for organisations with turnover exceeding S$10 million — may be imposed by the PDPC for breach of the DNC provisions. Criminal sanctions under Section 48B apply to the knowing or reckless misuse of personal data.

Approval and review section should record the date on which the compliance document was approved by the organisation's management, the DPO's endorsement, and the schedule for periodic review (at least annually, or whenever there are material changes to the PDPA, PDPC guidelines, or the organisation's marketing practices).