PDPA Complaint to PDPC (Singapore)
COMPLAINT TO THE PERSONAL DATA PROTECTION COMMISSION (PDPC)
Personal Data Protection Act 2012 (PDPA)
Complainant: [Complainant Name] (NRIC: [Complainant NRIC])
Email: [Complainant Email] | Phone: [Complainant Phone]
Address: [Complainant Address]
ORGANISATION COMPLAINED AGAINST
Organisation: [Organisation Name] (UEN: [Organisation UEN])
Address: [Organisation Address]
DPO / Contact: [DPO Contact]
DETAILS OF COMPLAINT
Type of Breach: [Breach Type]
Date of Incident: [Incident Date]
Personal Data Involved:
[Data Involved]
Description of Incident:
[Incident Description]
Previously contacted organisation: [Contacted Org]
Organisation's response: [Org Response]
Relief / Outcome Sought:
[Relief Sought]
DECLARATION
I declare that the information provided in this complaint is true and accurate to the best of my knowledge. I understand that this complaint will be submitted to the Personal Data Protection Commission for investigation under the Personal Data Protection Act 2012.
Complainant
________________
Signature
What Is a PDPA Complaint to PDPC (Singapore)?
A PDPA Complaint to PDPC in Singapore sets out the grievance raised and the remedy the complainant seeks from the authority.
The PDPA 2012 — Singapore's principal data protection legislation — establishes nine main obligations that organisations must comply with when handling personal data: the Consent Obligation (Section 13), the Purpose Limitation Obligation (Section 18), the Notification Obligation (Section 20), the Access Obligation (Section 21), the Correction Obligation (Section 22), the Accuracy Obligation (Section 23), the Protection Obligation (Section 24), the Retention Limitation Obligation (Section 25), and the Transfer Limitation Obligation (Section 26). The Personal Data Protection (Amendment) Act 2020, effective from 1 February 2021, introduced mandatory data breach notification (Section 26D), increased financial penalties (up to S$1 million or 10% of annual turnover for organisations with turnover exceeding S$10 million under Section 48J), and new criminal offences for the misuse of personal data (Section 48B).
Before filing a complaint with the PDPC, an individual must first approach the organisation directly to resolve the matter. The PDPC's case management framework requires complainants to demonstrate that they have contacted the organisation's Data Protection Officer (DPO) — the appointment of a DPO is mandatory under Section 11(3) of the PDPA — and that the organisation has failed to respond or has provided an inadequate response. The PDPC will generally not accept complaints where the complainant has not first attempted to resolve the matter with the organisation.
The PDPC has published Advisory Guidelines on Key Concepts in the PDPA, the Advisory Guidelines on the Do-Not-Call Provisions, and sector-specific guidance for healthcare, telecommunications, and financial services. The PDPC also administers the Do Not Call (DNC) Registry under Part IX of the PDPA, and complaints about unsolicited telemarketing messages may be filed separately under the DNC provisions. The PDPC's enforcement decisions are published on the PDPC website and provide authoritative guidance on the PDPA's interpretation and application.
The PDPC's jurisdiction extends to all organisations in Singapore that collect, use, or disclose personal data, with limited exceptions for public agencies (governed by the Government Instruction Manual rather than the PDPA) and individuals acting in a personal or domestic capacity. A related DPO Registration document formalises the appointment of the mandatory Data Protection Officer, while a Data Protection Policy sets out the organisation's internal PDPA compliance framework.
The PDPC complaint mechanism is distinct from — and operates in parallel with — other enforcement mechanisms available under Singapore law. Individuals affected by data misuse may also file a police report with the Singapore Police Force (SPF) where the conduct involves criminal offences under the Computer Misuse Act (Cap. 50A) or the PDPA's criminal provisions (Section 48B). Individuals who suffer loss or damage from a PDPA breach may also bring a private action for compensation under Section 48O of the PDPA in the District Court or High Court, relying on the PDPC's enforcement decision as prima facie evidence of the breach.
When Do You Need a PDPA Complaint to PDPC (Singapore)?
A PDPA Complaint to the PDPC is needed whenever an individual in Singapore believes that an organisation has breached the Personal Data Protection Act 2012 (PDPA) in its handling of the individual's personal data, and the individual has been unable to resolve the matter directly with the organisation.
Individuals whose personal data has been collected without consent need to file a complaint when an organisation has collected their personal data without obtaining valid consent under Section 13 of the PDPA. Common examples include: a retailer collecting NRIC numbers for membership registration without a legitimate purpose (in breach of the PDPC's Advisory Guidelines on NRIC Numbers); an employer disclosing an employee's medical records to a third party without consent; or a company adding an individual's mobile number to a marketing list without consent or in breach of the Do Not Call (DNC) Registry provisions under Part IX of the PDPA.
Individuals affected by a data breach need to file a complaint when an organisation has suffered a data breach resulting in the unauthorised access, collection, use, disclosure, or loss of personal data. Under Section 26D of the PDPA (introduced by the 2020 Amendment Act), organisations must notify the PDPC of a notifiable data breach — defined as a breach that results in, or is likely to result in, significant harm to affected individuals, or that affects 500 or more individuals — within 3 calendar days of assessing that the breach is notifiable. Individuals who discover their data has been breached and who have not received notification from the organisation may file a complaint with the PDPC.
Individuals who have been denied access to their personal data need to file a complaint when an organisation refuses or fails to respond to an access request under Section 21 of the PDPA. Organisations must respond to access requests within 30 days and provide the individual with their personal data in a reasonable format. Failure to comply with an access request is a breach of the PDPA.
Individuals receiving unsolicited marketing messages need to file a DNC complaint when they have registered their Singapore telephone number on the Do Not Call Registry and continue to receive unsolicited telemarketing messages, calls, or faxes in breach of Section 43 of the PDPA. The DNC provisions apply to all Singapore telephone numbers registered on the DNC Registry, and organisations that send marketing messages to DNC-registered numbers without valid consent face financial penalties of up to S$1 million. A related Statutory Declaration may be needed to formalise the complainant's account of events.
What to Include in Your PDPA Complaint to PDPC (Singapore)
A PDPA Complaint to the PDPC that meets the PDPC's procedural requirements under the Personal Data Protection Act 2012 (PDPA) and the Personal Data Protection (Composition of Offences) Regulations must include the following elements. The forms-legal.com PDPA Complaint template covers all information required by the PDPC's online complaint form and complaint handling framework.
Complainant identification requires the complainant's full name, NRIC or FIN number (or passport number for non-residents), residential address, email address, and contact telephone number. The PDPC uses this information to verify the complainant's identity, to correspond with the complainant during the investigation, and to confirm that the complainant is the individual whose personal data has been affected.
Organisation identification requires the full name of the organisation complained against, its registered address, UEN (if known — organisations registered with ACRA can be verified through the BizFile portal), and the name and contact details of the organisation's Data Protection Officer (DPO) if known. Identifying the specific business unit, department, or subsidiary responsible for the alleged breach helps the PDPC target its investigation.
Complaint details must set out a clear, chronological account of the facts giving rise to the complaint — including: the nature of the personal data involved (name, NRIC, contact details, financial information, health data, or other personal data as defined in Section 2 of the PDPA); the specific PDPA obligation alleged to have been breached (consent, purpose limitation, notification, access, correction, accuracy, protection, retention, or transfer limitation); the dates on which the breach occurred or was discovered; how the complainant became aware of the breach; and the impact of the breach on the complainant.
Prior attempts to resolve must describe the complainant's efforts to resolve the matter directly with the organisation before filing with the PDPC. The description should include: the date on which the complainant contacted the organisation; the mode of contact (email, letter, telephone, or in-person); the person or department contacted (ideally the DPO); the organisation's response (if any); and the reason why the complainant considers the organisation's response inadequate. The PDPC generally requires evidence of at least one written communication to the organisation before accepting a complaint.
Supporting evidence should include copies of: the complainant's written communication to the organisation and the organisation's response; any consent forms or terms and conditions relevant to the complaint; screenshots or records of the personal data collection, use, or disclosure in question; data breach notifications received from the organisation; and any other documentary evidence supporting the complaint.
Declaration must include the complainant's confirmation that the information provided is true and accurate, and that the complainant consents to the PDPC sharing necessary information with the respondent organisation during the investigation process. The PDPC may disclose the complainant's identity and complaint details to the organisation as part of the investigation, and the complainant should be aware of this. A related ACRA Annual Return may be relevant where the complaint relates to a company's data handling practices.
Relief sought should clearly state what outcome the complainant is seeking from the PDPC investigation. Common relief sought includes: a direction that the organisation cease the offending data processing activity; a direction that the organisation destroy improperly collected personal data; a direction that the organisation provide access to or correct personal data; and the imposition of a financial penalty. While the PDPC has discretion to determine the appropriate remedy regardless of the complainant's request, clearly articulating the desired outcome helps the PDPC understand the complainant's priorities and the practical impact of the breach.
Timeline of events should present the facts in chronological order with specific dates, making the sequence of events clear to the PDPC investigator. Each key event — the data collection, the discovery of the breach, the complaint to the organisation, the organisation's response, and the filing of the PDPC complaint — should be dated and described in a separate paragraph.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). PDPA Complaint to PDPC (Singapore) (Singapore) [Legal document template]. Forms Legal. https://forms-legal.com/singapore/government/declarations/pdpa-complaint-singapore
"PDPA Complaint to PDPC (Singapore) (Singapore)." Forms Legal, 2026, https://forms-legal.com/singapore/government/declarations/pdpa-complaint-singapore.
@misc{formslegal-pdpa-complaint-singapore,
author = {{Forms Legal}},
title = {PDPA Complaint to PDPC (Singapore) (Singapore)},
year = {2026},
howpublished = {\url{https://forms-legal.com/singapore/government/declarations/pdpa-complaint-singapore}},
note = {Free legal document template. Based on Personal Data Protection Act 2012 (PDPA)}
}
Frequently Asked Questions
The Personal Data Protection Commission (PDPC) has extensive enforcement powers under the Personal Data Protection Act 2012 (PDPA) when an investigation reveals that an organisation has breached its data protection obligations.
Under Section 48I of the PDPA, the PDPC may issue directions to the organisation, including: directing the organisation to stop collecting, using, or disclosing personal data in breach of the PDPA; directing the organisation to destroy personal data collected in breach of the PDPA; directing the organisation to provide access to or correct personal data; and directing the organisation to pay a financial penalty.
Financial penalties under Section 48J of the PDPA (as amended by the Personal Data Protection (Amendment) Act 2020) can be substantial: up to S$1 million for any organisation, or for organisations with annual turnover in Singapore exceeding S$10 million, up to 10% of the organisation's annual turnover in Singapore. The 10% turnover-based penalty was introduced by the 2020 amendments and brings Singapore's penalty regime closer to the European Union's General Data Protection Regulation (GDPR) model.
Criminal sanctions under Section 48B of the PDPA apply to individuals who knowingly or recklessly misuse personal data — including obtaining personal data without the organisation's authorisation, disclosing personal data obtained without authorisation, and using personal data for a purpose the individual knows is not authorised. Criminal penalties include fines up to S$5,000 or imprisonment up to 2 years.
The duration of a PDPC investigation varies depending on the complexity of the complaint, the volume of evidence, the organisation's cooperation, and the PDPC's caseload. The PDPC does not publish binding timelines for complaint resolution, but the typical process can be estimated from the PDPC's published enforcement decisions and procedural guidance.
For simple complaints — such as a single instance of personal data disclosure without consent, or a failure to respond to an access request — the PDPC typically completes its investigation and issues a decision within 6-12 months of receiving the complaint. The investigation involves: acknowledging the complaint (within 5 working days); requesting information from the respondent organisation; reviewing the organisation's response and supporting evidence; and making a determination.
For complex complaints — such as large-scale data breaches affecting hundreds or thousands of individuals, complaints involving cross-border data transfers, or cases requiring forensic analysis of IT systems — investigations may take 12-24 months or longer. The SingHealth data breach investigation, for example, involved extensive forensic analysis by the Cyber Security Agency of Singapore (CSA) and the PDPC, and the final enforcement decision was published approximately 12 months after the breach.
Yes, individuals affected by a PDPA breach may claim compensation for loss or damage suffered as a result of the breach. The right to private action was introduced by the Personal Data Protection (Amendment) Act 2020, effective from 1 February 2021.
Under Section 48O of the PDPA, an individual who suffers loss or damage directly as a result of a contravention of the PDPA's data protection provisions may bring a private action in the District Court or High Court (depending on the quantum of the claim) against the organisation responsible for the breach. The court may award damages — including compensation for financial loss, emotional distress, and loss of privacy — if the individual proves that the organisation contravened the PDPA and that the individual suffered loss or damage as a direct result.
Importantly, Section 48O(3) provides that the individual may rely on a PDPC enforcement decision as prima facie evidence that the organisation breached the PDPA — the individual does not need to re-prove the breach from scratch if the PDPC has already made a finding. This significantly reduces the litigation burden for individuals seeking compensation after a PDPC investigation.
Before filing a court action, the individual should consider whether the quantum of damages justifies the costs of litigation. For small claims (under S$20,000), the individual may file with the Small Claims Tribunal. For claims between S$20,000 and S$250,000, the District Court has jurisdiction. For larger claims, the High Court has jurisdiction.
A PDPC complaint and a Singapore Police Force (SPF) police report serve different purposes, engage different enforcement bodies, and lead to different outcomes.
A PDPC complaint is a civil administrative complaint filed with the Personal Data Protection Commission under the PDPA 2012. The PDPC investigates whether an organisation has breached its data protection obligations and may issue directions, impose financial penalties (up to S$1 million or 10% of annual turnover), and publish enforcement decisions. The PDPC's focus is on organisational compliance — whether the organisation had adequate data protection policies, whether it obtained valid consent, whether it implemented reasonable security measures, and whether it responded appropriately to a data breach. The PDPC cannot impose criminal penalties on the organisation (though it can refer matters to the police).
A police report is a criminal complaint filed with the SPF under the Criminal Procedure Code 2010. A police report is appropriate when the data misuse involves criminal conduct — such as unauthorised access to a computer system (an offence under the Computer Misuse Act, Cap. 50A), identity theft, fraud using personal data, or the knowing or reckless misuse of personal data by an individual (an offence under Section 48B of the PDPA, punishable by a fine up to S$5,000 or imprisonment up to 2 years). The SPF investigates criminal conduct and may refer the matter to the Attorney-General's Chambers (AGC) for prosecution.
No, an individual does not need a lawyer to file a PDPA complaint with the Personal Data Protection Commission (PDPC). The complaint process aims to be accessible to members of the public without legal representation.
Complaints may be submitted through the PDPC's online complaint form available on the PDPC website, or by post to the PDPC's office at the IMDA building. The online form guides the complainant through the required information — the complainant's personal details, the organisation's details, a description of the alleged breach, and the evidence supporting the complaint. The PDPC does not charge a fee for filing a complaint.
However, engaging a lawyer may be advisable in certain circumstances: if the breach involves complex legal issues (such as cross-border data transfers, exemptions under the Fourth Schedule to the PDPA, or the interaction between the PDPA and sector-specific regulations); if the complainant intends to pursue a private action for damages under Section 48O of the PDPA after the PDPC investigation; or if the complaint involves large-scale data breaches with potential financial losses.
Legal representation is more commonly engaged by organisations responding to a PDPC investigation than by individual complainants. Organisations facing a PDPC investigation should engage data protection lawyers to prepare their response, given the potential financial penalties (up to S$1 million or 10% of annual turnover) and reputational consequences of an adverse enforcement decision.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
DPO Registration (Singapore)
Data Protection Officer registration and appointment letter for compliance with the Personal Data Protection Act 2012 obligations.
Data Protection Policy (Singapore)
An internal PDPA 2012 compliance policy for Singapore organisations covering the nine data protection obligations, DPO appointment and responsibilities, data inventory, consent management, breach response, and staff training requirements. Demonstrates the organisation's accountability to the PDPC and provides the internal governance framework for handling personal data responsibly.
ACRA Annual Return (Singapore)
A support document for filing a company's annual return with the Accounting and Corporate Regulatory Authority (ACRA) under the Companies Act 1967. Ensures compliance with mandatory annual filing requirements for Singapore-incorporated companies.
Statutory Declaration (Singapore)
A solemn declaration made before a commissioner for oaths or notary public in Singapore under the Oaths and Declarations Act 2000. Used for official and administrative purposes where a sworn statement is required outside of court proceedings.