Privacy Policy (Singapore)
PRIVACY POLICY
[Organisation Name] (UEN: [Organisation UEN]) | [Website URL]
Effective Date: [Effective Date]
Data Protection Officer: [DPO Name] | Email: [DPO Email]
1. INTRODUCTION
[Organisation Name] is committed to protecting your personal data in accordance with the Personal Data Protection Act 2012 (PDPA). This Privacy Policy explains how we collect, use, disclose, and protect your personal data.
2. PERSONAL DATA WE COLLECT
We collect the following types of personal data: [Data Collected]
We collect personal data through: [Collection Methods]
3. PURPOSES OF COLLECTION AND USE
We collect and use your personal data for the following purposes: [Purposes]
We do not use your personal data for purposes beyond those stated above without your consent, except where permitted by the PDPA.
4. DISCLOSURE TO THIRD PARTIES
[Third Party Disclosure]
Overseas transfers: [Overseas Transfer]
5. RETENTION, COOKIES, AND DATA SECURITY
Retention: [Retention Period]
Cookies: [Cookies]
6. YOUR RIGHTS
- Right to access your personal data (PDPA s.21)
- Right to correct inaccurate personal data (PDPA s.22)
- Right to withdraw consent (with reasonable notice)
- Right to data portability (for certain categories of data)
- Right to lodge a complaint with the PDPC
To exercise your rights, contact our DPO at [DPO Email].
7. DATA BREACH NOTIFICATION
[Data Breach Process]
8. CONTACT US
For any privacy-related queries or to exercise your PDPA rights, contact: [DPO Name], Data Protection Officer, [Organisation Name] — [DPO Email]
This Privacy Policy is governed by the laws of Singapore.
What Is a Privacy Policy (Singapore)?
A Privacy Policy in Singapore documents the organisation's approach and the obligations placed on those it covers.
The PDPA establishes nine main obligations that a privacy policy must address: the Consent Obligation (Section 13 — obtaining consent for collection, use, and disclosure); the Purpose Limitation Obligation (Section 18 — collecting data only for purposes a reasonable person would consider appropriate); the Notification Obligation (Section 20 — notifying individuals of the purposes of collection); the Access and Correction Obligation (Sections 21-22 — allowing individuals to access and correct their data); the Accuracy Obligation (Section 23 — making reasonable efforts to keep data accurate); the Protection Obligation (Section 24 — protecting data with reasonable security arrangements); the Retention Limitation Obligation (Section 25 — ceasing to retain data when no longer needed); the Transfer Limitation Obligation (Section 26 — restricting transfers to overseas recipients); and the Data Breach Notification Obligation (Sections 26A-26E — notifying the PDPC and affected individuals of significant breaches).
The Personal Data Protection (Amendment) Act 2020 introduced significant enhancements effective 1 February 2021, including: mandatory data breach notification (Part VIA); an expanded basis for 'deemed consent' through notification (Section 15A) and contractual necessity (Section 15); new exceptions for legitimate interests (paragraph 1 of the Third Schedule, Part 3); enhanced financial penalties (up to 10% of annual turnover for organisations with revenue exceeding S$10 million); and criminal penalties for individuals who knowingly or recklessly misuse personal data (Section 48B).
The Do Not Call (DNC) Registry, established under the PDPA Part IX and administered by the PDPC, imposes additional obligations on organisations that send marketing messages to Singapore telephone numbers. Organisations must check the DNC Registry before sending marketing messages by voice call, text (SMS/MMS), or fax, and the privacy policy should address DNC compliance.
Sector-specific regulations supplement the PDPA for certain industries. The Banking Act (Cap. 19) and MAS Technology Risk Management Guidelines impose additional data protection requirements on financial institutions regulated by the Monetary Authority of Singapore (MAS). The Healthcare Services Act 2020 and the Ministry of Health's (MOH) guidelines impose specific requirements for healthcare data. The Cybersecurity Act 2018, administered by the Cyber Security Agency of Singapore (CSA), may require Critical Information Infrastructure (CII) owners to implement enhanced data protection measures.
The Spam Control Act 2007 (Cap. 311A) supplements the PDPA by regulating unsolicited commercial electronic messages sent in bulk, and organisations' privacy policies should address compliance with both the PDPA and the Spam Control Act where applicable. The Electronic Transactions Act 2010 (Cap. 88) governs the validity of electronic records and signatures, which is relevant to the online consent mechanisms referenced in privacy policies. The Trustees Act (Cap. 337) may apply where organisations hold personal data in a fiduciary capacity, such as trustee companies regulated by MAS.
When Do You Need a Privacy Policy (Singapore)?
A Privacy Policy is needed whenever an organisation in Singapore collects, uses, or discloses personal data of individuals and must comply with the PDPA 2012. The PDPA applies to all organisations in Singapore — defined broadly to include any individual, company, association, or body of persons operating in Singapore — with limited exceptions for public agencies and individuals acting in a personal or domestic capacity.
Businesses with websites or mobile applications that collect personal data from users — including names, email addresses, telephone numbers, payment information, IP addresses, and device identifiers — must publish a privacy policy accessible to users before or at the point of data collection. The PDPC expects all organisations with an online presence to maintain a clear and prominent privacy policy on their websites.
E-commerce businesses registered with ACRA and operating in Singapore must maintain privacy policies that address the collection of customer data during transactions, payment processing through payment service providers licensed by MAS under the Payment Services Act 2019, and the use of cookies and tracking technologies on their platforms. The Competition and Consumer Commission of Singapore (CCCS) also monitors unfair data practices under the Consumer Protection (Fair Trading) Act 2003 (CPFTA).
Organisations engaging in direct marketing — sending promotional messages by phone, SMS, email, or fax — must address DNC Registry compliance in their privacy policies. The PDPA Part IX requires organisations to check the DNC Registry (maintained by the PDPC) before sending marketing messages to Singapore telephone numbers, with financial penalties of up to S$1 million per breach.
Organisations transferring personal data outside Singapore — to overseas headquarters, cloud computing providers, data processors, or partner organisations — must address cross-border data transfer provisions (PDPA Section 26) in their privacy policies. The PDPC's Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data provides model contractual clauses for cross-border transfers.
Organisations processing personal data of European Union residents must consider the interaction between the PDPA and the EU General Data Protection Regulation (GDPR), as the GDPR has extraterritorial reach. The PDPC and the European Commission have engaged in mutual recognition discussions, and organisations operating across both jurisdictions should maintain privacy policies that address both frameworks.
Startups, SMEs, and nonprofit organisations are not exempt from the PDPA. The PDPC's Data Protection Trustmark (DPTM) certification scheme provides SMEs with a framework for demonstrating PDPA compliance, and maintaining a clear privacy policy is a baseline requirement for DPTM certification.
What to Include in Your Privacy Policy (Singapore)
A Privacy Policy compliant with the Personal Data Protection Act 2012 (PDPA) and the PDPC's published guidelines must include the following elements. The forms-legal.com Privacy Policy template for Singapore covers all mandatory and recommended provisions for PDPA compliance.
Organisation identification requires the organisation's full registered name, Unique Entity Number (UEN) as registered with ACRA, registered address, and website URL. The privacy policy should identify the organisation as the entity responsible for the personal data collected.
Types of personal data collected must list all categories of personal data the organisation collects, including: identification data (name, NRIC/FIN, date of birth); contact data (address, email, telephone); financial data (credit card numbers, bank account details); technical data (IP address, browser type, device identifiers, cookies); usage data (website browsing history, transaction history); and any special categories relevant to the organisation's business (health data, biometric data).
Purposes of collection, use, and disclosure must clearly state all purposes for which personal data is collected and used — responding to inquiries, processing transactions, providing services, marketing, analytics, compliance with legal obligations, and any other specific purposes. Each purpose must be one that a reasonable person would consider appropriate under Section 18 of the PDPA.
Consent framework must explain how the organisation obtains consent for data collection — whether express consent (affirmative opt-in), deemed consent (through notification under Section 15A or contractual necessity under Section 15), or reliance on exceptions under the First, Second, and Third Schedules (such as vital interests, publicly available data, or legitimate interests). The policy must explain how individuals can withdraw consent and the consequences of withdrawal.
Disclosure to third parties must identify the categories of third parties to whom personal data may be disclosed — service providers, payment processors, marketing partners, government agencies (IRAS, MOM, CPF Board), overseas affiliates, and professional advisers. For each category, the privacy policy should state the purpose of disclosure.
Cross-border data transfer provisions must address transfers of personal data outside Singapore under Section 26, identifying the countries or regions to which data may be transferred and the safeguards in place — contractual clauses, binding corporate rules, or the recipient country's comparable data protection standard.
Data retention policy must state the organisation's retention periods for different categories of personal data and the criteria used to determine retention periods. Section 25 of the PDPA requires organisations to cease retaining personal data when it is no longer necessary for any business or legal purpose.
Data protection measures must describe the security measures the organisation implements to protect personal data under the Protection Obligation (Section 24) — encryption, access controls, secure storage, regular security audits, and employee training. The PDPC's Guide on Data Protection Practices for ICT Systems provides technical guidance.
Data breach notification clause must inform individuals that, in the event of a notifiable data breach under PDPA Sections 26A-26E, the organisation will notify affected individuals and the PDPC within the prescribed timeframes.
Individual rights section must inform individuals of their rights under the PDPA: the right to access personal data (Section 21), the right to correct personal data (Section 22), the right to withdraw consent (Section 16), and the right to complain to the PDPC. The section should provide the Data Protection Officer's (DPO) contact details for exercising these rights.
Do Not Call Registry compliance section must address the organisation's obligations regarding the DNC Registry under PDPA Part IX, including the organisation's commitment to check the registry before sending marketing messages and the individual's right to register on the DNC Registry.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Policy (Singapore) [Legal document template]. Forms Legal. https://forms-legal.com/singapore/business/policies/privacy-policy-singapore
"Privacy Policy (Singapore)." Forms Legal, 2026, https://forms-legal.com/singapore/business/policies/privacy-policy-singapore.
@misc{formslegal-privacy-policy-singapore,
author = {{Forms Legal}},
title = {Privacy Policy (Singapore)},
year = {2026},
howpublished = {\url{https://forms-legal.com/singapore/business/policies/privacy-policy-singapore}},
note = {Free legal document template. Based on Personal Data Protection Act 2012 (PDPA)}
}
Frequently Asked Questions
While the PDPA does not use the specific term 'privacy policy,' the Act's combined obligations effectively require organisations to maintain a documented privacy policy. Section 12 of the PDPA requires every organisation to develop and implement policies and practices necessary to meet its PDPA obligations, and Section 12(b) requires organisations to make information about these policies and practices available to the public. The PDPC expects all organisations — particularly those with websites or digital platforms — to publish a clear and accessible privacy policy. The PDPC's published enforcement decisions have cited the absence or inadequacy of privacy policies as a factor in non-compliance findings. In multiple enforcement decisions, the PDPC has directed organisations to develop or revise their privacy policies as part of remedial actions. The PDPC's Advisory Guidelines on Key Concepts in the PDPA (revised 2021) state that organisations should develop and communicate their data protection policies to individuals. The PDPC's Data Protection Trustmark (DPTM) certification scheme — a voluntary certification demonstrating data protection good practices — requires organisations to maintain detailed privacy policies as a baseline requirement. Financial institutions regulated by the Monetary Authority of Singapore (MAS) have additional requirements under the MAS Technology Risk Management Guidelines to maintain privacy policies addressing customer data protection.
The Personal Data Protection Commission (PDPC) has significant enforcement powers under the PDPA for organisations that fail to comply with their data protection obligations, including maintaining adequate privacy policies.
- Financial penalties: the PDPC can impose financial penalties of up to S$1 million per breach. Following the 2020 amendments, organisations with annual turnover in Singapore exceeding S$10 million face enhanced penalties of up to 10% of their annual turnover. The PDPC has imposed financial penalties in numerous published enforcement decisions — ranging from S$10,000 for minor breaches to S$750,000 for serious data security failures.
- Directions: the PDPC can issue binding directions requiring organisations to stop processing data, destroy improperly collected data, implement specific technical and organisational measures, appoint or replace a Data Protection Officer, or take any other remedial steps. Non-compliance with a PDPC direction is a criminal offence.
- Criminal penalties: individuals who knowingly or recklessly misuse personal data may face criminal prosecution under PDPA Section 48B, with penalties including fines and imprisonment of up to two years for egregious violations involving intent to cause harm or for personal gain.
- Private actions: individuals who suffer loss or damage from PDPA breaches can bring private civil actions under Section 48O for damages. Singapore courts can award compensation for financial loss and distress caused by PDPA non-compliance.
The Do Not Call (DNC) Registry is a national registry established under Part IX of the PDPA, administered by the Personal Data Protection Commission (PDPC), that allows individuals in Singapore to register their telephone numbers to opt out of receiving unsolicited marketing messages. The DNC Registry has three lists: the No Voice Call list, the No Text Message list, and the No Fax Message list. Organisations that send marketing messages — promotional calls, SMS/MMS messages, or faxes — to Singapore telephone numbers must check the DNC Registry before sending each marketing message. Sending a marketing message to a number registered on the relevant DNC list without the individual's clear and unambiguous consent is a breach of the PDPA, carrying financial penalties of up to S$1 million per breach. A privacy policy must address DNC compliance by: informing individuals that the organisation may send marketing messages and the channels through which messages may be sent; explaining how the organisation obtains consent for marketing communications (separate from general consent for data collection); providing a clear and easy opt-out mechanism for marketing messages; and confirming that the organisation checks the DNC Registry before sending marketing messages. Organisations should also address the PDPA's provisions on 'clear and unambiguous consent' for marketing — consent must be obtained affirmatively (opt-in rather than pre-ticked boxes) and must specify the types of marketing messages and the channels through which they will be sent.
While the PDPA does not contain specific cookie legislation equivalent to the EU's ePrivacy Directive, the PDPC's guidance and the general principles of the PDPA require organisations to address cookies and tracking technologies in their privacy policies. Cookies, pixels, web beacons, and similar tracking technologies that collect personal data — including IP addresses, device identifiers, browsing history, and user preferences — fall within the PDPA's definition of personal data where they can be linked to an identifiable individual. The PDPC's Advisory Guidelines confirm that IP addresses and device identifiers may constitute personal data where they can be used to identify an individual. A privacy policy should address: the types of cookies and tracking technologies used (session cookies, persistent cookies, analytics cookies, advertising cookies); the purposes of each type (website functionality, analytics, advertising, personalisation); the personal data collected through cookies; whether third-party cookies are used (e.g., Google Analytics, Facebook Pixel) and the data sharing implications; how users can manage cookie preferences (browser settings, cookie consent tools); and the retention period for cookie data. Best practice in Singapore — influenced by the GDPR's stricter approach and the PDPC's general guidance on transparency — is to implement a cookie consent banner on the organisation's website, allowing users to accept or reject non-essential cookies.
Following the Personal Data Protection (Amendment) Act 2020, which introduced mandatory data breach notification under Part VIA of the PDPA (Sections 26A-26E) effective 1 February 2021, a Singapore privacy policy should address the organisation's data breach notification practices. A data breach is 'notifiable' under the PDPA if it: (1) results in, or is likely to result in, significant harm to any affected individual (e.g., financial loss, identity theft, physical harm, reputational damage); or (2) is of a significant scale, affecting 500 or more individuals. For notifiable breaches, the organisation must notify the PDPC within three calendar days of completing its assessment and notify affected individuals as soon as practicable. The privacy policy should: inform individuals that the organisation has implemented data breach response procedures; describe the organisation's commitment to notifying affected individuals in the event of a notifiable data breach; specify the channels through which breach notifications will be communicated (email, SMS, letter, public notice); and provide the Data Protection Officer's contact details for individuals to report suspected breaches. The PDPC's Guide on Managing and Notifying Data Breaches under the PDPA provides detailed guidance on breach assessment, containment, notification content, and remediation. Organisations should maintain a data breach response plan and conduct regular tabletop exercises to test their notification procedures.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Terms of Service (Singapore)
Website and app terms of service governed by Singapore law for businesses offering digital services in Singapore. Covers user obligations, intellectual property, limitation of liability under the Unfair Contract Terms Act, dispute resolution, and compliance with the Electronic Transactions Act 2010 and Computer Misuse Act. Suitable for SaaS platforms, marketplaces, and content websites.
Data Protection Policy (Singapore)
An internal PDPA 2012 compliance policy for Singapore organisations covering the nine data protection obligations, DPO appointment and responsibilities, data inventory, consent management, breach response, and staff training requirements. Demonstrates the organisation's accountability to the PDPC and provides the internal governance framework for handling personal data responsibly.
Data Breach Notification (Singapore)
A mandatory data breach notification document for reporting notifiable data breaches to the Personal Data Protection Commission (PDPC) under Section 26D of the PDPA 2012. Covers breach assessment, notification thresholds (500 or more individuals or significant harm), 3-calendar-day reporting deadline, required content, and simultaneous notification to affected individuals.
Do Not Call Registry Compliance (Singapore)
A compliance documentation package for Singapore businesses required to check the Do Not Call (DNC) Registry before sending specified messages to Singapore telephone numbers under Part IX of the PDPA 2012. Covers DNC Registry checking obligations, consent exceptions, record-keeping requirements, and penalties for DNC violations enforced by the PDPC.
Data Processing Agreement (Singapore)
A Data Processing Agreement (DPA) governing the processing of personal data by a third-party processor on behalf of an organisation, compliant with the Personal Data Protection Act 2012 (PDPA). Establishes processor obligations, data handling standards, and breach notification requirements under the PDPA as amended by the Personal Data Protection (Amendment) Act 2020.