DataCare Solutions

DataCare Solutions Pte. Ltd.
UEN: 202530943R
Website: www.datacaresolutions.biz
Email: info@datacaresolutions.biz

Privacy Notice Template

PDPA-Compliant Privacy Notice for Singapore Organisations

About This Template

This template provides a comprehensive, PDPA-compliant privacy notice that organisations in Singapore can adapt for their own use. It covers all mandatory notification requirements under the Personal Data Protection Act 2012 (as amended).

Replace all fields marked in [BRACKETS] with your organisation's specific information. Guidance notes in italics explain each section's purpose and should be removed from your final notice.

Important: This template is provided for informational purposes only and does not constitute legal advice. Organisations should review their final privacy notice with a qualified legal professional to ensure full compliance with the PDPA and any sector-specific requirements that may apply.

How to Use This Template

Replace all [BRACKETED] placeholder text with your organisation's information
Remove all italicised guidance notes before publishing
Add or remove sections as appropriate for your business operations
Publish the completed notice on your website and make it available at all points of data collection
Review and update at least once per year or whenever your data practices change

1. Data Controller Identity

This section identifies your organisation as the data controller responsible for the personal data you collect. Under the PDPA, every organisation must clearly identify itself when notifying individuals about data collection.

This Privacy Notice is issued by [FULL LEGAL COMPANY NAME] (UEN: [UEN NUMBER]), hereinafter referred to as "[COMPANY SHORT NAME]", "we", "us", or "our".

Registered Address:
[STREET ADDRESS]
[UNIT NUMBER, IF APPLICABLE]
Singapore [POSTAL CODE]

Website: [WEBSITE URL]
Email: [GENERAL EMAIL ADDRESS]
Phone: [PHONE NUMBER]

Include all relevant contact channels through which individuals can reach your organisation regarding data protection matters.

2. Types of Personal Data Collected

List all categories of personal data your organisation collects. Be specific and comprehensive. Under the PDPA, "personal data" means data about an individual who can be identified from that data, or from that data combined with other information the organisation has access to.

We may collect, use, and disclose the following types of personal data, depending on the nature of your interaction with us:

2.1 Personal Identifiers

Full name, alias, or preferred name
NRIC, FIN, or passport number (only where legally required or with consent)
Date of birth, age, gender, nationality
Photographs or video images
[ADD OR REMOVE ITEMS AS APPLICABLE]

2.2 Contact Information

Residential or mailing address
Email address (personal and/or business)
Telephone and mobile numbers
[ADD OR REMOVE ITEMS AS APPLICABLE]

2.3 Financial and Transactional Data

Bank account details and payment information
Transaction history and billing records
Credit or debit card information (where applicable)
[ADD OR REMOVE ITEMS AS APPLICABLE]

2.4 Employment and Professional Data

Job title, employer name, and business contact details
Resume, qualifications, and professional certifications
Employment history and references
[ADD OR REMOVE ITEMS AS APPLICABLE]

2.5 Technical and Usage Data

IP address, browser type, and device information
Website browsing activity and interaction data
Cookies and tracking technology data (see Section 9)
[ADD OR REMOVE ITEMS AS APPLICABLE]

Add additional categories if your organisation collects health data, biometric data, children's data, or other sensitive categories. Note: NRIC collection is restricted under the PDPA Advisory Guidelines.

3. Purposes of Collection, Use and Disclosure

The PDPA requires organisations to notify individuals of the purposes for which their data is being collected, used, or disclosed. Be specific and do not use vague catch-all statements.

We collect, use, and may disclose your personal data for the following purposes:

3.1 Primary Purposes

To provide, manage, and administer our products and/or services to you
To process transactions, orders, payments, and refunds
To verify your identity and perform due diligence checks
To communicate with you regarding your account, enquiries, or requests
To comply with applicable laws, regulations, and legal processes
[ADD PURPOSES SPECIFIC TO YOUR BUSINESS]

3.2 Secondary Purposes

To send marketing communications about our products and services (with your consent)
To conduct market research, surveys, and data analytics to improve our services
To personalise your experience and provide tailored recommendations
To manage and improve our internal business operations
[ADD PURPOSES SPECIFIC TO YOUR BUSINESS]

3.3 Employment-Related Purposes

Include this subsection if you collect personal data from employees, job applicants, or contractors.

To evaluate job applications and conduct recruitment
To administer employment contracts, payroll, and benefits
To manage work performance, training, and career development
To ensure workplace health and safety compliance
[ADD PURPOSES SPECIFIC TO YOUR BUSINESS]

4. Consent

The PDPA requires organisations to obtain consent before collecting, using, or disclosing personal data, unless an exception applies. Explain how you obtain and manage consent.

4.1 How We Obtain Consent

We obtain your consent for the collection, use, and disclosure of your personal data through the following means:

Written or electronic consent forms at the point of data collection
Verbal consent, which may be recorded for verification purposes
Implied consent through your voluntary provision of personal data for a stated purpose
Opt-in mechanisms for marketing communications (e.g., checkbox on forms, email subscription)
[DESCRIBE ANY OTHER CONSENT MECHANISMS USED]

Note: Under the PDPA, consent must be obtained before or at the time of data collection. Deemed consent may apply where an individual voluntarily provides data for a reasonable purpose.

4.2 Withdrawal of Consent

You may withdraw your consent for us to collect, use, or disclose your personal data at any time by contacting our Data Protection Officer (see Section 8). Please note:

We will process your withdrawal request within a reasonable timeframe
Withdrawal of consent may affect our ability to provide certain services to you
We will inform you of the likely consequences of withdrawing consent before processing your request
Withdrawal does not affect the lawfulness of data processing conducted prior to the withdrawal

To withdraw consent: Contact our Data Protection Officer at [DPO EMAIL ADDRESS] or write to us at [MAILING ADDRESS]. Please include your full name, contact details, and a clear description of the consent you wish to withdraw.

5. Third-Party Disclosure

Inform individuals about the categories of third parties to whom their data may be disclosed. The PDPA requires that you take reasonable steps to ensure third parties protect the data to a comparable standard.

We may disclose your personal data to the following categories of third parties for the purposes described in Section 3:

Service providers and vendors: companies that assist us in providing services, such as IT support, payment processing, delivery, and customer relationship management
Professional advisors: lawyers, auditors, accountants, and consultants engaged by us
Government and regulatory authorities: where required by applicable laws, regulations, or legal proceedings
Business partners: where necessary for joint marketing activities or co-branded services (with your consent)
Related corporations: our parent company, subsidiaries, and affiliates for internal administrative purposes
[ADD OTHER CATEGORIES OF THIRD PARTIES AS APPLICABLE]

5.1 Cross-Border Transfers

We may transfer your personal data to recipients located outside of Singapore. Where we do so, we will take reasonable steps to ensure that the receiving party provides a standard of protection comparable to that under the PDPA, including:

Entering into binding contractual arrangements with the recipient
Ensuring the recipient is subject to comparable data protection laws
Obtaining your consent for the transfer where required

Countries to which we may transfer personal data include: [LIST COUNTRIES, E.G., MALAYSIA, INDIA, UNITED STATES, ETC.]

Under Section 26 of the PDPA, organisations transferring data overseas must ensure a comparable standard of protection. List all countries where data may be processed.

6. Data Retention Policy

The PDPA requires that personal data be retained only for as long as it is needed for the purpose for which it was collected, or for legal/business purposes. Define your retention periods clearly.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws and regulations. Our general retention practices are as follows:

Customer and transaction records: [X YEARS] after the end of the business relationship or last transaction
Employment records: [X YEARS] after the end of employment
Job application records (unsuccessful): [X MONTHS/YEARS] after the recruitment process is completed
Marketing and communication records: until consent is withdrawn or [X YEARS] from last engagement
Website usage and analytics data: [X MONTHS/YEARS]
CCTV and surveillance footage: [X DAYS/MONTHS]
[ADD OTHER DATA CATEGORIES AND RETENTION PERIODS]

When personal data is no longer needed, we will securely dispose of or anonymise it in accordance with our internal data disposal procedures. Disposal methods include secure digital deletion, physical shredding, and third-party certified destruction services.

Tip: Create a separate internal data retention schedule with specific periods for each data category. Ensure retention periods account for any statutory requirements (e.g., IRAS requires financial records to be kept for 5 years).

7. Access and Correction Rights

Under Sections 21 and 22 of the PDPA, individuals have the right to request access to and correction of their personal data held by an organisation. Organisations must respond within 30 days.

7.1 Right of Access

You have the right to request access to the personal data we hold about you and information about the ways in which your data has been or may have been used or disclosed within the past year. To submit an access request:

Contact our Data Protection Officer (see Section 8) in writing
Provide sufficient information for us to verify your identity
Specify the personal data you wish to access

We will respond to your request within 30 days. A reasonable administrative fee may apply for processing access requests: [STATE FEE AMOUNT OR "NO FEE IS CHARGED"].

7.2 Right of Correction

You have the right to request the correction of any personal data we hold about you that is inaccurate, incomplete, or misleading. To submit a correction request:

Contact our Data Protection Officer in writing
Identify the data to be corrected and provide the correct information
Provide supporting documentation where necessary

We will process correction requests within 30 days. Where we have disclosed the incorrect data to third parties, we will send the corrected data to those parties, unless they no longer need it for any legal or business purpose.

7.3 Exceptions

We may refuse access or correction requests in certain circumstances permitted by the PDPA, including where:

The data is subject to legal privilege
Compliance would threaten the safety or health of another individual
Compliance would reveal confidential commercial information
The data is generated for an evaluative purpose (e.g., performance reviews)

Where a request is refused, we will inform you of our reasons in writing.

8. Data Protection Officer Contact

Under the PDPA, every organisation must designate at least one individual as its Data Protection Officer (DPO) and make the DPO's business contact information publicly available.

If you have any questions, concerns, or requests relating to your personal data or this Privacy Notice, please contact our Data Protection Officer:

Data Protection Officer

Name: [DPO FULL NAME]
Designation: [DPO JOB TITLE]
Email: [DPO EMAIL ADDRESS]
Phone: [DPO PHONE NUMBER]
Mailing Address:
[COMPANY NAME]
Attn: Data Protection Officer
[FULL MAILING ADDRESS]
Singapore [POSTAL CODE]

We aim to acknowledge all enquiries and requests within 3 business days and to provide a substantive response within 30 days.

If your organisation uses an outsourced DPO service, provide the DPO service provider's contact details here. Ensure the DPO contact information is also displayed on your website.

9. Cookies and Tracking Technologies

If your organisation operates a website or mobile application, you should disclose the use of cookies and similar technologies. While the PDPA does not have a specific cookie law, transparency is a best practice and may be required if you serve users in jurisdictions with cookie regulations.

Our website and digital platforms use cookies and similar tracking technologies to enhance your experience and collect usage data. The types of cookies we use include:

9.1 Strictly Necessary Cookies

These cookies are essential for the operation of our website. They enable core functions such as security, session management, and accessibility. These cookies do not collect personal data for marketing purposes.

9.2 Analytical and Performance Cookies

These cookies help us understand how visitors interact with our website by collecting information about pages visited, time spent, and errors encountered. We use this data to improve our website's performance and user experience.

Analytics providers include: [E.G., GOOGLE ANALYTICS, HOTJAR, ETC.]

9.3 Marketing and Advertising Cookies

With your consent, we may use cookies to deliver relevant advertisements and track the effectiveness of our marketing campaigns. These cookies may be set by third-party advertising partners.

Advertising platforms include: [E.G., GOOGLE ADS, FACEBOOK PIXEL, LINKEDIN INSIGHT TAG, ETC.]

9.4 Managing Cookies

You can manage your cookie preferences through your browser settings or through the cookie consent banner on our website. Please note that disabling certain cookies may limit your ability to use some features of our website.

Consider implementing a cookie consent management tool on your website. If you serve users in the EU, GDPR cookie consent requirements may also apply.

10. Updates to This Notice

Inform individuals how they will be notified of changes to this privacy notice. The PDPA requires that you keep individuals informed of your data practices.

We may update this Privacy Notice from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

Publish the updated Privacy Notice on our website at [PRIVACY NOTICE URL]
Update the "Last Updated" date at the top of this notice
Notify you via email or other appropriate communication channels for significant changes
Obtain fresh consent where required by the PDPA for any new purposes of data use

We encourage you to review this Privacy Notice periodically to stay informed about how we protect your personal data.

Version Control:

Version: [VERSION NUMBER, E.G., 1.0]
Effective Date: [DATE]
Last Reviewed: [DATE]
Next Review Due: [DATE]
Approved By: [NAME AND TITLE OF APPROVING OFFICER]

Need a Customised Privacy Notice?

DataCare Solutions can draft a PDPA-compliant privacy notice tailored to your business operations, industry requirements, and data processing activities. Our team ensures your notice meets all regulatory obligations while remaining clear and accessible to your customers.

DataCare Solutions Pte. Ltd.

Website: www.datacaresolutions.biz
Email: info@datacaresolutions.biz

Get in touch for a free initial consultation.

Document Version: 1.0 | Last Updated: February 2026
Prepared by: DataCare Solutions Pte. Ltd.

© 2026 DataCare Solutions Pte. Ltd. All rights reserved.
This template is for informational purposes only and does not constitute legal advice.