logo imc

A Member Firm of Andersen Global

Contact Us
imc new logo

GDPR Compliance in Singapore Organisations

The European Union General Data Protection Regulation (EU GDPR) was first published in April 2016 and then put into force on 25 May 2018.
Talk to an Expert

Overseas business organisations either supplying goods and services to individual consumers in the EU or identifying and monitoring their behaviour, either directly or indirectly within the EU come under the ambit of this regulation. The organisations may or may not have any physical presence in the EU.

Singapore is the largest trading partner of the EU in ASEAN and many organisations in Singapore come under the jurisdiction of EU GDPR.

When does a Singaporean organisation come under the jurisdiction of EU GDPR?

GDPR is a European regulatory standard and its applicability extends far beyond its borders. Companies must opt for GDPR compliance in Singapore if they are involved in some of the following activities
  • Personal data processing of individuals in the EU in the context of offers and supplies of goods and services made to the individuals in the EU
  • Identifying and monitoring the behaviour of the individuals in the EU
  • Publishing the price of products or services in Euros or the currency of an EU Member State
  • Using online identifiers including IP address, unique IDs, cookies, RFID tags, search & browser history and many more
  • Making business websites in the vernacular language of an EU Member State
If a Singaporean organisation’s target audience includes individuals in the EU for business purposes, it needs to engage a European representative if
  • Personal data processing is carried out on a large scale or
  • Special categories of personal data as defined in Articles 9(1) and 10 of the GDPR are processed
There are sensitive data that can not be processed as per EU GDPR subject to certain exceptions and include
  • Racial or Ethnicity data
  • Data relating to sexual orientation
  • Data relating to trade union membership
  • Data relating to religious, political or philosophical beliefs
  • Genetic or biometric data

Does compliance with Singapore's Personal Data Protection Act (PDPA) mean EU GDPR compliance?

No, because the two regulatory regimes namely GDPR and PDPA spell out different sets of requirements, Singapore data protection compliance does not necessarily mean the organisation complies with the EU GDPR. While there are exemptions given to public agencies and their agents, employees, or individuals acting in a personal capacity in PDPA, there is no such waivers in GDPR and applies to everyone equally.

The revised and more detailed Singapore data protection compliance regulation enacted by the Singapore government on 1st February 2021 is however a more streamlined and converged approach towards the European regulation on data protection almost resembling the six legal bases for personal data processing specified in GDPR. The recent amendments incorporated in Singapore data protection compliance requirements include

  • Mandatory data breach notification
  • An exception to consent for legitimate interest
  • Increased financial penalties
  • Deemed consent by notification
The Personal Data Protection Commission (PDPC) Singapore illustrated through an infographic model the broad categorization highlighting differences between these two regulations with the exceptions to consent and legal bases of personal data processing as per GDPR.

Want to learn more about GDPR Compliance in Singapore?

Speak to one of our experts today.
Book a Consultation

What is needed for Singaporean organisations to be compliant with the EU GDPR?

There are guidelines provided by the European regulators for being compliant with the EU GDPR with references to specific online resources on the regulatory requirements. Business organisations can use this link for necessary GDPR compliance in Singapore. Legal help and advice may also be sought whenever needed.

The key requirements for EU GDPR have been highlighted in the factsheet pdpc issued by the PDPC and can be used by businesses in Singapore as an organizational database.

For GDPR compliance in Singapore, business organisations need to do the following

  • Establish data processing as a necessity
  • Decide on data retention and deletion
  • Ensure that all data are encrypted
  • Spread GDPR awareness
  • Train employees on proper data handling techniques
  • Frame data governance policies for transferring EU specific data to other countries outside the EU
  • Ensure appropriate procedures and processes for all data subject to GDPR compliance
The Personal Data Protection Commission (PDPC) Singapore illustrated through an infographic model the broad categorization highlighting differences between these two regulations with the exceptions to consent and legal bases of personal data processing as per GDPR.

Are there penalties for non-compliance with GDPR?

Yes, non-compliance with GDPR can bring severe consequences for non-compliant organisations with hefty administrative fines imposed by GDPR supervisory authorities.
  • For minor infringements such as failure in notifying data breaches and implementing data protection by default, a fine up to 10 million Euros or 2% of the yearly global turnover of the preceding financial year and whichever is higher
  • For major infringements such as violating the conditions for consent or failure to adhere to regulations while transferring personal data to a third country or an international organisation, a fine of up to 20 million Euros or 4% of the yearly global turnover of the preceding financial year and whichever is higher

In contrast to Singapore data protection compliance the penalties for GDPR non-compliance apply equally to business organisations and individuals. Besides huge penalties, any violation in GDPR compliance also damages the organizational reputation and adversely impacts the customer base and future growth prospects.

Conclusion

The EU with a population of 440 million is a huge market for Singapore which is only expected to grow over time. This will undoubtedly drive an increased number of businesses to go for GDPR compliance in Singapore. GDPR is unmatched legislation for enhancing the rights and transparency of individuals over their data and is embraced by Singaporean businesses with spirit and enthusiasm.

Your vision, our mission.
Let's discuss

Contact Us
mergers and acquisitions advisory services header
A Member Firm of Andersen Global
line
  • 175+ Countries
  • 525+ Locations
  • 17,500+ Professionals
  • 2350+ Global Partners
Contact Us
Global presence
Need Assistance?
Get In Touch

We appreciate your interest in IMC and are eager to address your needs.

To ensure we address your needs accurately and promptly, please fill out this form. This will help us in identifying and connecting you with the appropriate team of experts in our organization.

We take pride in our responsiveness and aim to get back to you within a span of 1-2 business days. Your journey towards solutions starts here.

Chat with Us in WhatsApp

Companies we have worked with

Get updated by Signup
to our Newsletter!

imc new logo

Get Started

About

Locations

BIS LOGO
Best in Singapore

© 2025 IMC Group. All Rights Reserved.

imc new logo

Get Started

About

Locations

BIS LOGO
Best in Singapore

© 2024 IMC Group. All Rights Reserved.

imc new logo

Get Started

About

Locations

BIS LOGO
Best in Singapore

© 2024 IMC Group. All Rights Reserved.

Please Fill the Form

Your Partner in
GrowthPartner in Growth

175+
Countries

17,500+
Professionals

525+
Locations

2350+
Global Partners

Companies we have worked with

Speak To Our Experts

Speak To Our Experts