Singapore

The PDPC oversees enforcement, issues advisory guidelines, and handles complaints. Known for practical approach and extensive guidance including sector-specific advisories.

Consent required with exceptions. 2020 amendments introduced deemed consent by notification and legitimate interests exception, aligning closer to GDPR.

Access and correction rights. Data portability obligation introduced in 2020 amendments. No explicit erasure right but retention limitation applies.

Transfers permitted with comparable protection in recipient country, consent, binding corporate rules, or contractual arrangements.

Mandatory 3-day notification to PDPC for significant breaches (500+ individuals or significant harm). Notification to affected individuals also required.

Every organisation must designate at least one DPO. Contact details must be publicly available.

No specific age threshold. Consent from parent/guardian required for minors. PDPC advisory guidelines provide sector-specific guidance.

Up to SGD 1 million or 10% of annual Singapore turnover (2020 amendment). PDPC can issue directions, financial penalties, and accept undertakings.

MAS guidelines for financial sector, MOH for healthcare, IMDA for telecom. Do Not Call Registry for marketing.

No specific cookie legislation. General consent requirements under PDPA apply to online tracking that involves personal data collection.

Model AI Governance Framework (voluntary). No specific legislation. PDPC guidance on AI and personal data. Singapore is positioning as AI-friendly jurisdiction.

No data localisation requirements. Singapore promotes itself as a data hub with free flow of data subject to transfer safeguards.

No equivalent concept. All organisations processing personal data are subject to the same obligations regardless of size.

Government agencies exempt from PDPA but subject to Government Instruction Manual on ICT. Public sector data governance framework applies separately.