Singapore: Data & Privacy
GDPR, CCPA, data subject requests, privacy rights
22 questions
📞
Marketing & Calls (4)
I keep getting unsolicited marketing calls. How do I stop them?
You can stop unsolicited marketing calls in Singapore by registering your number on the Do Not Call (DNC) Registry and reporting violations to the Personal Data Protection Commission (PDPC).
A debt collector called my family about my debt. Is this allowed?
No, a debt collector generally cannot contact your family about your debt without your consent, as it likely breaches the Personal Data Protection Act 2012.
Is spam email illegal in Singapore?
Yes, sending unsolicited commercial emails (spam) is illegal in Singapore under the Personal Data Protection Act 2012, which prohibits such messages without consent and requires clear unsubscribe mechanisms.
Can I opt out of receiving marketing messages?
Yes, you can opt out of receiving marketing messages in Singapore under the Personal Data Protection Act 2012.
🔑
Your Data Rights (5)
Can I ask a company to delete my personal information?
Yes, you can ask a company in Singapore to delete your personal data if it is no longer necessary for the purpose for which it was collected, and the company has no legal obligation to retain it — under section 25 of the Personal Data Protection Act 2012.
A company transferred my data overseas without informing me.
Under Singapore law, a company must obtain your consent and ensure comparable protection before transferring your personal data overseas.
Can I access personal data that a company holds about me?
Yes, you have the right to request access to your personal data held by a company in Singapore under the Personal Data Protection Act 2012.
A company refuses my data access request. What now?
If a company refuses your data access request in Singapore, you may file a complaint with the Personal Data Protection Commission (PDPC) — they can investigate and order the company to comply.
My child's school shared data without my consent. Any violation?
Yes, it may be a violation if the school shared your child's personal data without your consent and without meeting an exception under the Personal Data Protection Act 2012.
💼
Workplace Privacy (2)
Can my employer monitor my work computer activity?
Yes, your employer can monitor your work computer activity in Singapore, but only if it complies with the Personal Data Protection Act 2012 — meaning monitoring must be reasonable, notified to you, and limited to legitimate business purposes.
Can CCTV in my condo record me without consent?
Yes, CCTV in your condo can record you without your consent if it’s for legitimate purposes like security and complies with the Personal Data Protection Act 2012.
🛡️
Cybersecurity & Breaches (3)
Someone hacked into my computer. What law applies?
The Computer Misuse Act applies — unauthorised access to your computer is a criminal offence punishable by up to 2 years’ jail and/or a $5,000 fine.
What is a critical information infrastructure under the Cybersecurity Act?
A critical information infrastructure (CII) under the Cybersecurity Act 2018 is a computer system or network whose disruption or compromise would have a debilitating impact on Singapore’s national security, economy, public health, safety, or essential services.
What is the punishment for unauthorized computer access?
Unauthorized computer access in Singapore is punishable by up to 2 years’ imprisonment, a fine of up to $5,000, or both.
✅
Consent Rules (3)
My photo was used without permission online. What can I do?
If your photo was used online without permission in Singapore, it may breach the Personal Data Protection Act 2012 if the photo identifies you and was collected or disclosed without your consent.
What exceptions allow data collection without consent?
In Singapore, personal data can be collected without consent under specific exceptions in the PDPA, such as when required by law, necessary for legal proceedings, or for legitimate interests that outweigh the individual’s privacy rights.
Can my NRIC be collected by private businesses?
Yes, private businesses in Singapore can collect your NRIC number only if it is necessary for their purpose and they comply with the Personal Data Protection Act 2012.
⚖️
Enforcement & Penalties (2)
What is the role of the PDPC?
The Personal Data Protection Commission (PDPC) is Singapore’s national authority responsible for administering and enforcing the Personal Data Protection Act 2012, promoting data protection awareness, and advising the government on data protection matters.
Someone is impersonating me online. What offence is this?
Impersonating someone online in Singapore may constitute the offence of unauthorised access to computer material under section 3 of the Computer Misuse Act.
🔒
Security Duties (3)
What is the maximum fine for PDPA violations?
The maximum fine for a PDPA violation in Singapore is S$1 million.
What security measures must companies take to protect data?
Companies in Singapore must implement reasonable security arrangements to protect personal data from unauthorized access, collection, use, disclosure, copying, modification, or disposal, as required by the Personal Data Protection Act 2012.
Must a data breach be notified to the PDPC?
Yes, organisations in Singapore must notify the PDPC of a data breach that poses a risk of significant harm to affected individuals or is likely to materially affect the public interest.