Singapore’s Enhanced Personal Data Protection Act 2020: What’s New?

13 Jul 2021
The Personal Data Protection (Amendment) Act 2020, also known as the Enhanced PDPA, seeks to strengthen organisational accountability and consumer protection while encouraging companies to optimise the use of personal data for innovation.

The Enhanced PDPA took effect from 1 February 2021 with the following three key amendments:

  1. Mandatory Data Breach Notification
  2. Introducing Criminal Offences
  3. Expansion of Consent Framework

1. Mandatory Data Breach Notification


What constitutes a notifiable data breach?

A notifiable data breach is one that results in or is likely to result in significant harm to an affected individual involving prescribed personal data; OR is likely to be of a significant scale (usually involving 500 or more individuals).



Who must be notified?

The Personal Data Protection Commission (PDPC) must be notified as soon as is practicable, and in any event within three calendar days of the organisation’s assessment; AND affected individuals must also be notified if the data breach is likely to cause them significant harm.

2. Introducing Criminal Offences

What are the offences?

Knowingly or recklessly committing any unauthorised disclosure of personal data, use of personal data for wrongful gain or causing a wrongful loss to any person, or re-identification of anonymised data.



What are the penalties?

Maximum fine of SGD5,000 or maximum 2 years imprisonment, or both.

3. Expansion of Consent Framework

New ways that consent can be deemed as given:

Contract Necessity 

  • Where an organisation has a reasonable need to disclose to other organisations the personal data originally disclosed by an individual, to perform a transaction between the individual and the original organisation.


  • If the individual has been adequately notified by an organisation and given a reasonable opt-out period, but has not taken any action to opt out of the collection, use, or disclosure of their personal data, their consent can be deemed as given.


New exceptions that remove the need for consent:

Legitimate Interests

  • Lawful interests of an organisation or another person, which the organisation has assessed to clearly outweigh any likely adverse effect to the individual (e.g. for evaluations, investigations or proceedings, or for recovering debts).

Business Improvements

  • Includes helping the organisation improve its products and services, or helping it understand existing or prospective customers, so it can offer more personalised products and services.
  • Can be used by entities in a group of companies who intend to share customer data within the group. However, it cannot be used for sending direct marketing messages, for which individuals’ consent must be obtained.

Research Purposes

  • To enable organisations (e.g. commercial laboratories, institutes of higher learning, and market research companies) to conduct broader research and development that may not have any immediate application to their products, services, business operations or market.


