
Personal Data Protection Regulations 2021

Overview of the Personal Data Protection Regulations 2021, Singapore subsidiary legislation (SL).

Statute Details

  • Title: Personal Data Protection Regulations 2021
  • Act Code: PDPA2012-S63-2021
  • Type: Subsidiary legislation (SL)
  • Authorising Act: Personal Data Protection Act 2012 (PDPA)
  • Enacting Authority: Personal Data Protection Commission (PDPC), with approval of the Minister for Communications and Information
  • Commencement: 1 February 2021
  • Made Date: 28 January 2021
  • Status / Version: Current version as at 27 March 2026
  • Key Parts: Part 1 (Preliminary); Part 1A (Business contact information); Part 2 (Requests for access and correction); Part 3 (Transfer outside Singapore); Part 4 (Deemed consent by notification and legitimate interests); Part 4A (Defences to offences under Part IXB of the PDPA); Part 5 (Miscellaneous)
  • Schedules: First Schedule (Determination of nearest relative); Second Schedule (Symbol of Commission)

What Is This Legislation About?

The Personal Data Protection Regulations 2021 (“PDPR 2021”) are subsidiary rules made under the Personal Data Protection Act 2012 (“PDPA”). While the PDPA sets out the core data protection framework—such as obligations relating to consent, access and correction rights, and cross-border transfers—the PDPR 2021 fills in the operational details. In practice, the Regulations tell organisations how to comply with specific PDPA provisions, including procedural steps, timelines, and certain technical or definitional requirements.

Broadly, the PDPR 2021 focuses on four compliance “workstreams”. First, it governs how individuals can request access to and correction of their personal data, including how requests must be made and how the organisation must respond. Second, it sets out requirements for transferring personal data outside Singapore, including what conditions must be met and what contractual or certification-based safeguards may be relied upon. Third, it addresses “deemed consent” mechanisms—situations where consent may be treated as given under the PDPA through notification and legitimate interests, subject to exclusions and assessment requirements. Fourth, it provides defences to certain offences under the PDPA’s offence provisions (Part IXB), as well as miscellaneous rules such as how rights may be exercised for deceased individuals and formal matters like the PDPC’s symbol.

For practitioners, the key point is that the PDPR 2021 is not a standalone privacy code. It is best read alongside the PDPA, because many of its provisions are expressly linked to specific PDPA sections (for example, references to section 21(1), section 15A, and the offence provisions in Part IXB). The Regulations therefore function as the “how-to” layer that makes the PDPA enforceable in day-to-day compliance.

What Are the Key Provisions?

Preliminary and commencement (Part 1). The Regulations are cited as the Personal Data Protection Regulations 2021 and come into operation on 1 February 2021. This matters for compliance planning and for determining which procedural rules apply to requests, transfers, and notifications made after commencement.

Business contact information of designated individuals (Part 1A). Part 1A introduces rules relating to “business contact information” of “designated individuals”. In Singapore’s PDPA scheme, business contact information is often treated differently from other personal data, particularly in relation to consent requirements for certain purposes. The Regulations’ role is to specify the relevant category and how the concept operates for designated individuals. For legal advisers, this is important when assessing whether an organisation can rely on the PDPA’s special treatment for business contact information, and whether the individual qualifies as “designated” under the applicable framework.

Requests for access and correction (Part 2). Part 2 is one of the most practically significant sections for organisations. It contains definitions for this Part, explains how to make a request, imposes a duty to respond under section 21(1) of the PDPA, and sets out additional procedural requirements. The Regulations also address: (i) notification of the timeframe for response; (ii) circumstances where an organisation may refuse to confirm or deny the existence, use, or disclosure of personal data; (iii) fees; and (iv) preservation of copies of personal data.

From a practitioner’s perspective, the “duty to respond” and the “notification of timeframe” provisions are central to avoiding procedural non-compliance. Even where an organisation intends to grant access or correction, it must follow the required process for acknowledging and responding to requests. The provisions on refusal to confirm or deny existence are also critical: they define the boundaries within which an organisation may refuse, and therefore affect both risk management and litigation posture if a request is disputed. The fee provisions require careful calibration—organisations must ensure that any charges are lawful and consistent with the Regulations. Finally, the preservation of copies requirement is a compliance safeguard: it ensures that organisations retain relevant records so that access and correction can be meaningfully processed, rather than being frustrated by inadequate record-keeping.

Transfer of personal data outside Singapore (Part 3). Part 3 addresses cross-border transfers. It begins with definitions for this Part, then sets out “requirements for transfer”. It also specifies two key compliance pathways: (i) legally enforceable obligations (for example, contractual terms that impose obligations on the recipient comparable to the PDPA requirements); and (ii) recipients holding specified certifications (a certification-based route that may be available where the recipient has certain credentials recognised under the PDPR framework).

For counsel advising on international data flows, Part 3 is often the most heavily negotiated area in vendor contracting and privacy impact assessments. The “legally enforceable obligations” requirement typically means that the organisation must ensure that the overseas recipient is bound by enforceable commitments—often through data processing agreements, standard contractual clauses, or equivalent instruments. The certification pathway, where available, can reduce the need for extensive contractual drafting, but it still requires careful verification that the certification is “specified” and applicable to the relevant transfer scenario. Practitioners should also consider how Part 3 interacts with the PDPA’s overarching transfer conditions and the organisation’s accountability obligations.

Deemed consent by notification and legitimate interests (Part 4). Part 4 deals with deemed consent mechanisms under section 15A of the PDPA. It includes: (i) excluded purposes under section 15A(3); (ii) an assessment of effect for proposed collection, use, or disclosure for purposes under section 15A; and (iii) a further assessment of effect for proposed collection, use, or disclosure for purposes of Part 3 of the First Schedule to the PDPA.

This is a nuanced area. Deemed consent is not a blanket substitute for consent; it is conditional. The Regulations’ assessment requirements signal that organisations must evaluate the likely impact of the proposed data handling on individuals, including whether the proposed use or disclosure is reasonable in the circumstances. The “excluded purposes” list is equally important: if a purpose falls within an exclusion, the organisation cannot rely on deemed consent and must instead obtain consent or use another lawful basis under the PDPA. For legal teams, these provisions typically drive internal governance: documenting the assessment, ensuring the notification is properly made, and confirming that the intended purpose is not excluded.

Defences to offences under Part IXB (Part 4A). Part 4A provides defences to offences under specified PDPA provisions (references to sections 48D(1) and 48E(1)). While the extracted text lists the defence provisions by heading (15A and 15B), the practical takeaway is that the Regulations define circumstances in which an organisation or responsible person may avoid liability for certain offences. In enforcement contexts, defences can be decisive; they often require proof of compliance steps taken, diligence, or other statutory conditions. Practitioners should therefore treat Part 4A as part of the “litigation-ready” compliance framework—ensuring that evidence is preserved and that internal controls align with the defence criteria.

Miscellaneous (Part 5). Part 5 includes rules on exercising rights under the PDPA in respect of a deceased individual, the symbol of the Commission, revocation, and saving and transitional provisions. The deceased-individual provision is particularly relevant for estates, next-of-kin requests, and disputes about access to personal data after death. The First Schedule’s “determination of nearest relative” supports this by providing a structured approach to identifying the appropriate person to exercise rights. The symbol provisions are formalities, but they can matter for official notices and regulatory communications.

How Is This Legislation Structured?

The PDPR 2021 is organised into Parts that mirror the PDPA’s compliance themes. It begins with a preliminary Part establishing citation and commencement. It then adds a dedicated Part 1A for business contact information of designated individuals. Part 2 is devoted to procedural rules for access and correction requests. Part 3 addresses cross-border transfers and the mechanisms for ensuring adequate protection. Part 4 focuses on deemed consent through notification and legitimate interests, including exclusions and required assessments. Part 4A provides defences to certain offences under the PDPA’s offence provisions. Part 5 contains miscellaneous matters, including rights for deceased individuals and formal regulatory elements.

Two Schedules supplement the main text: the First Schedule relates to determining the nearest relative, and the Second Schedule relates to the symbol of the Commission. Together, these schedules support the operational and administrative aspects of the PDPR 2021.

Who Does This Legislation Apply To?

The PDPR 2021 applies primarily to organisations that are subject to the PDPA. In Singapore’s PDPA framework, “organisations” include entities that collect, use, or disclose personal data in the course of commercial or other activities. The Regulations therefore affect organisations’ operational practices—especially those handling access/correction requests, making cross-border transfers, and relying on deemed consent mechanisms.

In addition, the Regulations’ provisions can indirectly affect individuals and their representatives. For example, the deceased-individual provisions and the nearest-relative determination in the First Schedule influence who may exercise rights on behalf of a deceased person. Organisations should therefore anticipate requests coming from next of kin or other authorised persons and ensure that their verification and response processes align with the Regulations.

Why Is This Legislation Important?

Although the PDPR 2021 is subsidiary legislation, it has significant compliance and enforcement consequences. Many PDPA obligations are broad and principle-based; the Regulations convert those principles into concrete procedural and substantive requirements. For example, Part 2’s rules on how to make requests, response duties, timeframes, fees, and preservation of copies directly affect an organisation’s ability to respond lawfully and efficiently to individual rights requests. Non-compliance can lead to regulatory action and reputational harm, even where the underlying data handling might otherwise be defensible.

Cross-border transfers are another major risk area. Part 3 provides the compliance “routes” for international data flows. In practice, organisations often rely on these routes in vendor contracting, cloud services procurement, and group company data sharing. A failure to meet the legally enforceable obligations standard, or an incorrect reliance on certification, can undermine the legality of transfers and expose the organisation to enforcement.

Finally, the deemed consent and defence provisions underscore that compliance is not only about having policies, but also about performing required assessments and maintaining evidence. Part 4’s assessment requirements and Part 4A’s defences to offences mean that documentation, governance, and internal controls are essential. For practitioners, the PDPR 2021 therefore informs both advisory work (designing compliant processes) and litigation strategy (preserving evidence and aligning conduct with statutory defence criteria).

  • Personal Data Protection Act 2012 (PDPA) (Act 26 of 2012)
  • Personal Data Protection Regulations 2021 (this subsidiary legislation; including amendments such as S 734/2021 and S 86/2026)


This article provides an overview of the Personal Data Protection Regulations 2021 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.

Written by Sushant Shukla
