Law: Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA')
Regulator: Personal Data Protection Commission ('PDPC')
Summary: The PDPA provides for general personal data protection requirements and contains provisions on data subject rights, the appointment of a data protection officer, as well as obligations for organisations and data intermediaries. Furthermore, amendments to the PDPA entered into force on 1 February 2021, introducing a number of key reforms, including mandatory data breach notification requirements, amendments to the consent obligation, offences for egregious mishandling of personal data, prohibitions relating to the use of dictionary attacks and address-harvesting software, and the PDPC's power to accept voluntary undertakings as part of its enforcement regime.
In addition to the PDPA, the Cybersecurity Act 2018 (No. 9 of 2018) sets out the regulatory framework governing cybersecurity in Singapore and stipulates requirements for operators of critical information infrastructure. The PDPC has also released a number of advisory guidelines that clarify its interpretation of the PDPA, and it is active in its enforcement activities.