Enforcement of the Act


The Personal Data Protection Act 2012 (PDPA) empowers the PDPC to investigate and enforce the Do Not Call (DNC) provisions.

The PDPA was enforced in phases. The provisions relating to the DNC Registry came into effect on 2 January 2014 and the provisions relating to the main data protection on 2 July 2014. After the transition period, the PDPC may conduct investigations – upon complaint or on its own accord – to determine whether an organisation is complying with the Act.

Enforcement of the Do Not Call Registry Provisions

The aim of the DNC Registry is to reduce the number of unwanted telemarketing calls, marketing text messages and faxes. Registering your number on the registry does not stop non-telemarketing calls, text messages and faxes and some types of telemarketing calls, text messages and faxes, which may include:

  • Calls, text messages and faxes from businesses to which you have given your consent to receive telemarketing calls, text messages and/or faxes;

  • Calls, text messages and faxes solely to provide you with periodic updates on your account statement, to notify you of a change in the terms or features of your ongoing commercial relationship with them or otherwise, text or fax messages from organisations with whom you have an ongoing relationship, and the purpose of the text or fax message is related to the subject of the ongoing relationship;

  • An individual acting in a personal or domestic capacity;

  • An organisation which is delivering goods or services, including product updates or upgrades, that the recipient of the message is entitled to receive under the terms of a transaction that the recipient had previously entered into with the sender;

  • An organisation which is facilitating, completing or confirming a transaction that the recipient of the message has previously agreed to enter into with the sender; and

  • Public agencies promoting any programme carried out by any public agency which is not for commercial purpose.

For the list of messages that are excluded under the DNC Registry Provisions, please refer to the Eighth Schedule of the Act. You may also wish to refer to the Advisory Guidelines on the Do Not Call Provisions for further information.

An organisation that breaches any of its duties under the DNC provisions in the Act commits an offence and is liable on conviction to a fine of an amount not exceeding $10,000 for each offence. In appropriate cases, the PDPC has the power to compound the offence for a sum of up to $1,000. In brief, these duties include the following:

  • Duty to check the DNC Registers — before a person sends a telemarketing message to a Singapore telephone number, the person must check with the DNC Registers established by the PDPC under the Act to confirm that the number is not listed on a DNC Register, unless the person has obtained clear and unambiguous consent in evidential form from the user or subscriber of the number (section 43 of the Act); and

  • Duty to identify the sender of a message — when sending a specified message to a Singapore telephone number, the person must:

    • i. include information identifying the sender and how the recipient can contact the sender (section 44 of the Act); 
    • ii. for voice calls, not conceal or withhold from the recipient the sender’s calling line identity (section 45 of the Act).

Find out more about your organisation’s obligations here.

Enforcement of the Data Protection Provisions

If the PDPC finds that an organisation is in breach of any of the data protection provisions in the PDPA, it may give the organisation such directions that it thinks appropriate to ensure compliance. These directions may include requiring the organisation to:

  • Stop collecting, using or disclosing personal data in contravention of the Act;
  • Destroy personal data collected in contravention of the Act;
  • Provide access to or correct the personal data; and/or
  • Pay a financial penalty of an amount not exceeding $1 million.

Find out more about your organisation’s obligations here.

Data Protection Appeal Panel

The Data Protection Appeal Panel is an independent body established under the PDPA to hear appeals against directions or decisions of the PDPC, for matters relating to the data protection provisions (namely, Parts IV to VI) of the PDPA. For more information on the process and procedures for appeals, please click here.

Offences Related to the PDPC's Powers of Investigation 

An organisation or a person is also guilty of an offence if any of the following is committed:

  • If the organisation or person with an intent to evade a request for access or correction under the Act, disposes of, alters, falsifies, conceals or destroys, or directs another person to dispose of, alter, falsify, conceal or destroy, a record containing –

    • i. Personal data; or
    • ii. Information about the collection, use or disclosure of personal data
  • If the organisation or person obstructs the PDPC or an authorised officer in the performance of their duties or exercise of their powers under the Act;

  • If the organisation or person knowingly or recklessly makes a false statement to the PDPC, or knowingly misleads or attempts to mislead the PDPC, in the course of the performance of its duties or powers under the Act; and

  • If a person makes a request for access or correction under the Act to obtain access to or to change the personal data of another individual without that individual’s authority.