Book a demo Log in / Sign up

Privacy Information Notice Template for Singapore

Generate a bespoke document

  • England and Wales
  • Scotland
  • Northern Ireland
  • Ireland
  • United States
  • Alabama (USA)
  • Alaska (USA)
  • Arizona (USA)
  • Arkansas (USA)
  • California (USA)
  • Colorado (USA)
  • Connecticut (USA)
  • Delaware (USA)
  • Florida (USA)
  • Georgia (USA)
  • Hawaii (USA)
  • Idaho (USA)
  • Illinois (USA)
  • Indiana (USA)
  • Iowa (USA)
  • Kansas (USA)
  • Kentucky (USA)
  • Louisiana (USA)
  • Maine (USA)
  • Maryland (USA)
  • Massachusetts (USA)
  • Michigan (USA)
  • Minnesota (USA)
  • Mississippi (USA)
  • Missouri (USA)
  • Montana (USA)
  • Nebraska (USA)
  • Nevada (USA)
  • New Hampshire (USA)
  • New Jersey (USA)
  • New Mexico (USA)
  • New York (USA)
  • North Carolina (USA)
  • North Dakota (USA)
  • Ohio (USA)
  • Oklahoma (USA)
  • Oregon (USA)
  • Pennsylvania (USA)
  • Rhode Island (USA)
  • South Carolina (USA)
  • South Dakota (USA)
  • Tennessee (USA)
  • Texas (USA)
  • Utah (USA)
  • Vermont (USA)
  • Virginia (USA)
  • Washington (USA)
  • West Virginia (USA)
  • Wisconsin (USA)
  • Wyoming (USA)
  • Austria
  • Denmark
  • France
  • Germany
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • Australia
  • New Zealand
  • Singapore
  • Hong Kong
  • India
  • Malaysia
  • Pakistan
  • United Arab Emirates
  • Qatar
  • Saudi Arabia
  • South Africa
  • Nigeria
  • Canada
  • Brasil
  • Monaco
  • Bermuda
  • Cayman Islands
  • Gibraltar
  • Isle of Man
  • Mauritius

What is a Privacy Information Notice?

The Privacy Information Notice is a crucial document required under Singapore's Personal Data Protection Act 2012 (PDPA). Organizations must provide this notice to individuals before collecting, using, or disclosing their personal data. The notice ensures transparency and compliance with Singapore's data protection requirements, detailing the types of data collected, purposes of collection, security measures, and individuals' rights. It serves as both a legal compliance document and a trust-building tool with stakeholders.

Frequently Asked Questions

Is a Privacy Information Notice legally required under Singapore's PDPA?

Yes, under Singapore's Personal Data Protection Act 2012 (PDPA), organizations must provide a Privacy Information Notice before collecting personal data from individuals. This is a mandatory legal requirement, not optional, and failure to provide proper notice can result in penalties from the Personal Data Protection Commission (PDCA). The notice must be provided at or before the time of data collection.

What penalties can I face for not having a proper Privacy Information Notice in Singapore?

Under the PDPA, organizations can face financial penalties of up to S$1 million for non-compliance with notification requirements. The Personal Data Protection Commission can also issue directions for corrective action and publish details of breaches publicly. Additionally, individuals may lose trust in your organization, and you may face civil liability for damages resulting from improper data handling.

How is a Privacy Information Notice different from a Privacy Policy in Singapore?

A Privacy Information Notice is specifically required by the PDPA at the point of data collection and focuses on immediate transparency about data use. A Privacy Policy is broader, covering an organization's overall data practices and may be required for websites or general business operations. The Notice is more targeted and must be provided before or during data collection, while a Policy can be accessed separately.

How long does it typically take to prepare a Privacy Information Notice for Singapore businesses?

For simple businesses, creating a basic notice using templates can take 1-2 hours. However, for organizations with complex data processing activities, it may take several days to properly map data flows, identify legal bases, and ensure compliance with PDPA requirements. The 2020 amendments added new notification requirements that require careful consideration of data breach procedures and individual rights.

Can I use the same Privacy Information Notice for customers and employees in Singapore?

No, you typically need separate notices for different types of data subjects under the PDPA. Employee data collection involves different purposes, legal bases, and retention periods compared to customer data. The notice must be specific to the context of data collection, so employment-related data processing requires its own tailored Privacy Information Notice with relevant details about HR purposes and employee rights.

What are the most common mistakes businesses make with Privacy Information Notices in Singapore?

The most frequent errors include using vague language about data purposes, failing to specify retention periods, not updating notices after the 2020 PDPA amendments, and providing the notice too late in the data collection process. Many businesses also forget to include contact information for data protection queries or fail to explain individuals' rights under the PDPA, such as access and correction rights.

Must I provide the Privacy Information Notice in multiple languages in Singapore?

While the PDPA doesn't specify language requirements, you should provide the notice in a language the individual can reasonably understand. Given Singapore's multilingual population, consider providing notices in English and other relevant languages for your customer base. The key legal requirement is that the individual can understand the information being provided about their personal data collection and use.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

LinkedIn

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

LinkedIn

Jurisdiction

Singapore

Reviewed by

Swetha Meenal & Imad Mohammed Nazar

Publisher

GenieAI

Category

Privacy Notice

Sector

Business

Cost

Free to use

Last updated

About the Privacy Information Notice

A Privacy Information Notice is your organization's formal communication to individuals about how you handle their personal data. Under Singapore's Personal Data Protection Act 2012 (PDPA), you must provide this notice before or at the time of collecting personal data, ensuring transparency and regulatory compliance. This document protects both your organization from regulatory action and builds trust with customers, employees, and stakeholders by clearly explaining your data practices.

When do you need this document?

You need a Privacy Information Notice whenever your organization collects, uses, or discloses personal data in Singapore. This includes when setting up new customer registration systems, launching employee onboarding processes, or implementing third-party data sharing arrangements. E-commerce businesses require notices for online transactions, healthcare providers need them for patient records, and financial institutions must provide notices for account opening procedures. The notice is also essential when updating existing data practices or introducing new technologies that process personal data differently.

Key legal considerations

Your Privacy Information Notice must include specific mandatory elements under the PDPA. You need to identify yourself as the data controller, specify the types of personal data collected, and explain the purposes for collection and use. The notice must detail any third parties who will receive the data and describe your security measures for protecting personal data. You should also explain individuals' rights to access and correct their data, including contact information for data protection inquiries. Consider including retention periods, cross-border data transfers, and automated decision-making processes. The language must be clear and easily understood, avoiding complex legal jargon that could confuse data subjects.

Legal requirements in Singapore

Singapore's PDPA 2012, as amended in 2020, establishes strict requirements for privacy notices. You must provide the notice before or at the time of collection, and it must be readily accessible to individuals. The Personal Data Protection Commission (PDPC) requires notices to be written in plain language and provided in a format that allows individuals to retain a copy. For online services, this typically means prominent placement on websites with clear navigation. The PDPA Regulations 2021 specify additional requirements for certain sectors, and you must comply with both the primary legislation and secondary regulations. Cross-border data transfers require additional disclosures, and you may need to reference ASEAN Framework guidelines for regional data sharing arrangements.

GOVERNING LAW

Applicable law

This Privacy Information Notice is drafted to comply with Singapore law. Key legislation includes:

PDPA 2012: Singapore's Personal Data Protection Act 2012 - Primary legislation governing the collection, use, disclosure, and care of personal data, including 2020 amendments

PDPA Regulations 2021: SecoNDAry legislation providing detailed requirements for implementing the PDPA

Key Concepts Guidelines: Advisory Guidelines on Key Concepts in the PDPA providing interpretation and practical guidance

Selected Topics Guidelines: Advisory Guidelines on the PDPA for Selected Topics providing specific guidance on particular aspects

ASEAN Framework: ASEAN Framework on Personal Data Protection - Regional privacy guidelines for Southeast Asian nations

APEC Privacy Framework: Asia-Pacific Economic Cooperation Privacy Framework providing regional privacy principles

GDPR Considerations: EU General Data Protection Regulation considerations when dealing with EU residents

Notification Obligation: PDPA requirement to inform individuals of the purpose for collecting, using, and disclosing their personal data

Consent Obligation: PDPA requirement to obtain individuals' consent for collecting, using, or disclosing their personal data

Purpose Limitation: PDPA requirement to collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate

Access and Correction: PDPA requirement to provide individuals with access to their personal data and make corrections upon request

Accuracy Obligation: PDPA requirement to make reasonable effort to ensure personal data collected is accurate and complete

Protection Obligation: PDPA requirement to implement reasonable security arrangements to protect personal data

Retention Limitation: PDPA requirement to cease retention of personal data when no longer necessary for legal or business purposes

Transfer Limitation: PDPA requirement to transfer personal data to other countries only with adequate protection

Data Breach Notification: PDPA requirement to notify affected individuals and the PDPC of significant data breaches

Explore 208,390+ legal templates

Explore 208,390+ legal templates

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it