国际法律视野｜新加坡法律制度介绍（四）——新加坡数据合规红线：PDPA 2025修订要点与企业应对方案

2025年PDPA修订并非局部微调，而是对数据保护规则的系统性升级，通过明确刚性义务、压缩合规弹性空间，构建与全球主流数据保护规则接轨的监管体系。

The revision of PDPA in 2025 is not a partial adjustment, but a systematic upgrade of data protection rules, by clarifying rigid obligations, compressing compliance flexibility space, and building a regulatory system that is in line with mainstream global data protection rules.

修订前，新加坡PDPA仅要求企业“指定专人负责数据保护合规”，未明确强制义务与资质标准，导致中小企业合规流于形式、大型企业职责不清。本次修订借鉴欧盟GDPR、马来西亚PDPA的成熟经验，确立DPO强制任命制度，形成全流程监管闭环。适用范围上，满足以下任一条件的企业必须任命DPO：处理个人数据涉及2万名以上数据主体、处理敏感个人数据（生物识别、财务信息等）涉及1万名以上数据主体，或数据处理包含对数据主体的常规性、系统性监控（如用户行为追踪、职场监控）。这一要求同时覆盖数据控制者与数据处理者，打破了此前仅数据控制者承担主要责任的格局。

Before the revision, Singapore's PDPA only required companies to "designate a dedicated person to be responsible for data protection compliance", without specifying mandatory obligations and qualification standards, resulting in compliance for small and medium-sized enterprises becoming a formality and unclear responsibilities for large enterprises. This revision draws on the mature experience of the EU GDPR and Malaysia PDPA, establishes a mandatory appointment system for DPOs, and forms a full process regulatory loop. In terms of scope of application, enterprises that meet any of the following conditions must appoint a DPO: processing personal data involving more than 20000 data subjects, processing sensitive personal data (biometric, financial information, etc.) involving more than 10000 data subjects, or data processing involving routine and systematic monitoring of data subjects (such as user behavior tracking, workplace monitoring). This requirement covers both data controllers and data processors, breaking the previous pattern where only data controllers were primarily responsible.

PDPC（新加坡个人数据保护委员会）同步发布《DPO能力框架》，明确任职核心要求：需熟悉PDPA及配套法规、了解企业业务流程与数据处理活动、掌握信息安全基础原理，且具备独立履职权限，企业不得干预其合规判断。法定职责包括监督政策执行、开展合规培训、对接PDPC、评估数据风险、响应数据主体请求等。此外，企业需在DPO任命后21日内通过PDPC官网专属通道完成注册备案，变更时需在15日内更新信息——需注意的是，2024年12月起ACRA的Bizfile+平台已暂停DPO注册服务，企业需避免因渠道错误导致合规瑕疵。

PDPC (Personal Data Protection Board of Singapore) has simultaneously released the "DPO Competency Framework", which clarifies the core requirements for the position: familiarity with PDPA and supporting regulations, understanding of enterprise business processes and data processing activities, mastery of basic principles of information security, and independent performance authority. Enterprises are not allowed to interfere with their compliance judgments. Statutory responsibilities include supervising policy implementation, conducting compliance training, liaising with PDPC, assessing data risks, and responding to data subject requests. In addition, companies need to complete registration and filing through the exclusive channel on the PDPC official website within 21 days after the appointment of the DPO, and update information within 15 days when making changes. It should be noted that starting from December 2024, ACRA's Bizfile+platform has suspended DPO registration services, and companies need to avoid compliance defects caused by channel errors.

此前PDPA仅要求企业“发现数据泄露后尽快通知PDPC”，未明确具体时限，部分企业存在拖延通知、掩盖风险的情况。2025年修订引入72小时强制通知规则，与全球主流监管标准形成协同，大幅提升数据泄露应对的时效性。触发条件包括三类场景：泄露可能导致数据主体遭受物理伤害、财务损失等“重大损害”；泄露涉及敏感个人数据；属于影响超1000名数据主体的“重大规模泄露”，典型如用户数据库被黑客攻击、员工误发包含客户信息的文件、云存储配置错误导致数据公开可访问等。

Previously, PDPA only required companies to "notify PDPC as soon as possible after discovering a data breach", without specifying a specific time limit. Some companies have delayed notification and concealed risks. In 2025, the mandatory 72 hour notification rule will be revised and introduced, in coordination with mainstream global regulatory standards, significantly improving the timeliness of data breach response. The triggering conditions include three scenarios: leakage may cause "significant damage" to the data subject, such as physical harm, financial loss, etc; Leakage involves sensitive personal data; Belonging to a 'major scale leak' that affects over 1000 data subjects, typical examples include user databases being hacked, employees mistakenly sending files containing customer information, and cloud storage configuration errors resulting in publicly accessible data.

通知义务上，企业需在发现泄露后72小时内提交书面通知，特殊情况无法按时通知的需提交延迟说明及佐证材料。通知内容需涵盖泄露发生与发现过程、数据类型与数量、受影响范围、已采取的隔离措施（如系统关停、密码重置）、后续补救方案及数据主体咨询渠道；若可能造成重大损害，还需在通知PDPC后7日内直接告知受影响的数据主体。法律后果方面，未履行通知义务的企业最高可被处以10% 年度营业额（最低100万新元）的罚款，远超此前100万新元的固定上限，PDPC将综合泄露严重程度、企业整改态度、是否故意隐瞒等因素裁量处罚。

In terms of notification obligation, companies are required to submit written notice within 72 hours after discovering a leak. In special circumstances where timely notification is not possible, a delay explanation and supporting materials must be submitted. The notification content should cover the process of leakage occurrence and discovery, data types and quantities, affected scope, isolation measures taken (such as system shutdown, password reset), follow-up remedial plans, and data subject consultation channels; If there is a possibility of causing significant damage, the affected data subject must be directly informed within 7 days after notifying the PDPC. In terms of legal consequences, companies that fail to fulfill their notification obligations can be fined up to 10% of their annual turnover (with a minimum of SGD 1 million), far exceeding the previous fixed upper limit of SGD 1 million. PDPC will impose discretionary penalties based on factors such as the severity of the leakage, the company's attitude towards rectification, and whether they intentionally conceal information.

原PDPA适用范围限于“新加坡境内的数据处理活动”，难以规制境外企业对新加坡数据主体的影响。2025年修订明确引入“效果管辖原则”，将监管触角延伸至境外企业，构建“全球数据处理，新加坡标准约束”的格局。适用情形包括：为新加坡境内数据主体提供商品或服务并处理其个人数据、监控新加坡境内数据主体行为且与商业活动相关，或境外企业在新加坡设立分支机构且数据处理与分支机构业务相关。例如，境外电商平台向新加坡用户销售商品并收集收货地址、支付信息，或境外社交媒体平台追踪新加坡用户浏览行为，均需符合PDPA要求。

The original PDPA's scope of application was limited to "data processing activities within Singapore", making it difficult to regulate the impact of foreign companies on data subjects in Singapore. In 2025, the revision will clearly introduce the principle of "effect based jurisdiction", extend regulatory reach to overseas enterprises, and build a pattern of "global data processing, Singapore standard constraints". Applicable situations include: providing goods or services to data subjects within Singapore and processing their personal data, monitoring the behavior of data subjects within Singapore and related to commercial activities, or overseas enterprises setting up branches in Singapore and data processing related to branch business. For example, overseas e-commerce platforms selling goods to Singaporean users and collecting shipping addresses and payment information, or overseas social media platforms tracking Singaporean users' browsing behavior, all need to comply with PDPA requirements.

境外企业需额外承担两项义务：一是指定新加坡境内授权代表，负责接收PDPC的监管通知与法律文书；二是作为数据处理者时，需与新加坡境内数据控制者签订书面协议，明确责任划分，协议内容需符合《新加坡数据保护标准》最低要求。PDPC有权对境外企业开展跨境核查，不配合核查的企业将被限制向新加坡境内提供服务。

Overseas enterprises are required to undertake two additional obligations: one is to designate an authorized representative within Singapore to receive regulatory notices and legal documents from PDPC; Secondly, as a data processor, it is necessary to sign a written agreement with the data controller within Singapore to clarify the division of responsibilities, and the content of the agreement must comply with the minimum requirements of the Singapore Data Protection Standards. PDPC has the right to conduct cross-border inspections on overseas enterprises, and enterprises that do not cooperate with inspections will be restricted from providing services within Singapore.

2025年10月，PDPC对Marina Bay Sands Pte. Ltd.（以下简称 “MBS”）作出31.5万新元罚款决定，该案作为PDPA 2025修订后首个重大处罚案例，清晰揭示了监管执法逻辑，为企业提供重要警示。

In October 2025, PDPC imposed a fine of SGD 315000 on Marina Bay Sands Pte. Ltd. (hereinafter referred to as "MBS"). This case, as the first major penalty case after the revision of PDPA 2025, clearly reveals the logic of regulatory enforcement and provides important warnings for enterprises.

MBS作为新加坡知名综合度假村运营商，运营两大会员计划，累计收集约190万用户个人数据。2023年10月，黑客通过密码喷洒攻击（利用用户生日设置的4位默认PIN码）入侵6个会员账户，借助 MBS新middleware平台的API配置错误，非法获取并泄露665,495名会员的姓名、邮箱、电话号码等信息。PDPC调查发现，MBS存在两大核心违规：系统迁移时手动复制API配置，遗漏关键令牌验证机制，导致黑客可跨账户访问数据；密码政策存在重大缺陷，默认密码过于简单且未强制定期更换，为攻击提供可乘之机。

MBS, as a well-known comprehensive resort operator in Singapore, operates two major membership programs and has collected personal data from approximately 1.9 million users. In October 2023, hackers invaded six member accounts through password spraying attacks (using the default 4-digit PIN code set by the user's birthday), illegally obtained and leaked the names, email addresses, phone numbers, and other information of 665495 members by taking advantage of API configuration errors on the MBS new middleware platform. The PDPC investigation found that MBS had two core violations: manually copying API configurations during system migration and omitting key token verification mechanisms, which allowed hackers to access data across accounts; The password policy has significant flaws, with default passwords being too simple and not mandatory to be changed regularly, providing opportunities for attacks.

该案的处罚裁量体现三大核心导向：一是聚焦违规行为严重性，泄露数据量巨大且涉及敏感联系信息，可能导致数据主体遭受诈骗、骚扰等二次伤害；二是考量企业主观过错，MBS在系统迁移中未开展充分安全测试，对员工操作缺乏有效监督，存在明显疏忽；三是重视整改配合态度，MBS主动承认违规、及时采取系统修复、密码重置、用户通知等补救措施，因此PDPC酌情降低了处罚金额。这一案例警示企业，技术层面需建立“安全优先”的系统升级流程，避免手动操作带来的配置错误；管理层面需常态化开展数据保护风险评估，强化密码政策、访问控制等基础安全措施；响应层面需秉持“主动报告+快速整改”原则，避免拖延或隐瞒。

The punishment discretion of this case reflects three core directions: firstly, focusing on the seriousness of the violation, leaking a huge amount of data and involving sensitive contact information, which may lead to secondary harm such as fraud and harassment to the data subject; Secondly, considering the subjective fault of the enterprise, MBS did not conduct sufficient security testing during system migration and lacked effective supervision of employee operations, resulting in obvious negligence; Thirdly, we attach great importance to the attitude of rectification and cooperation. MBS actively admitted to the violation, promptly took remedial measures such as system repair, password reset, and user notification. Therefore, PDPC reduced the penalty amount at its discretion. This case serves as a warning to companies that they need to establish a "safety first" system upgrade process at the technical level to avoid configuration errors caused by manual operations; At the management level, it is necessary to conduct regular data protection risk assessments and strengthen basic security measures such as password policies and access controls; The response level should adhere to the principle of "proactive reporting+rapid rectification" to avoid delays or concealment.

结合PDPA 2025修订要求与《新加坡数据保护标准》（SS 714:2025），企业需构建“政策-流程-技术-人员”四位一体的合规体系，实现从形式合规到实质合规的转变。

In accordance with the revised requirements of PDPA 2025 and the Singapore Data Protection Standards (SS 714:2025), enterprises need to establish a four in one compliance system of "policy process technology personnel" to achieve the transition from formal compliance to substantive compliance.

政策体系构建需锚定修订要点完善制度文件：制定《数据保护官工作规程》，明确DPO任职资质、职责权限、汇报路径及资源保障；修订《数据泄露应急响应预案》，细化72小时通知流程、责任分工、证据固定要求；新增《跨境数据处理管理办法》，规范域外传输合规路径。同时需配套《隐私增强技术应用规范》《供应商数据保护评估清单》等标准文件，所有制度需经DPO审核，通过员工培训、内部公示确保知晓率，每年开展一次有效性评估。

The construction of the policy system needs to anchor and revise key points to improve institutional documents: formulate the "Work Regulations for Data Protection Officers", clarify the qualifications, responsibilities, authorities, reporting paths, and resource guarantees for DPOs; Revise the Emergency Response Plan for Data Leakage, refine the 72 hour notification process, division of responsibilities, and fixed evidence requirements; Add the "Management Measures for Cross border Data Processing" to standardize the compliance path for transmission outside the domain. At the same time, standard documents such as "Application Specification for Privacy Enhancement Technology" and "Supplier Data Protection Evaluation Checklist" need to be provided. All systems must be reviewed by DPO, and awareness must be ensured through employee training and internal publicity. An effectiveness evaluation must be conducted once a year.

流程优化需将合规要求嵌入数据全生命周期：数据收集阶段采用 “明确告知+单独同意”模式，向数据主体说明收集目的、范围及使用方式，敏感个人数据需获取专门同意，且遵循“最小必要原则”；存储与处理阶段建立分类分级制度，对敏感数据采取加密存储、权限管控等强化措施，定期清理超期数据；销毁与归档阶段制定安全销毁流程，电子数据采用不可逆删除技术，纸质数据粉碎处理，归档数据单独存储并明确访问权限。

Process optimization requires embedding compliance requirements throughout the entire lifecycle of data: the data collection phase adopts a "clear notification+separate consent" model, explaining the purpose, scope, and usage of the collection to the data subject. Sensitive personal data requires specific consent and follows the "minimum necessary principle"; Establish a classification and grading system during the storage and processing phase, strengthen measures such as encrypted storage and permission control for sensitive data, and regularly clean up expired data; Develop a secure destruction process during the destruction and archiving phase, using irreversible deletion technology for electronic data, shredding paper data, and storing archived data separately with clear access permissions.

技术支撑方面，企业需借助合规工具提升防御能力：部署隐私增强技术（PETs），如AI模型训练采用联邦学习、跨境传输使用差分隐私技术，实现“数据可用不可见”；应用数据安全技术，包括泄露检测系统、API安全管理工具，定期开展漏洞扫描与渗透测试；搭建集中化合规管理平台，实现DPO注册备案、数据泄露通知、合规培训记录等功能的一站式管理。

In terms of technical support, enterprises need to use compliance tools to enhance their defense capabilities: deploying privacy enhancing technologies (PETs), such as using federated learning for AI model training and differential privacy technology for cross-border transmission, to achieve "data available but invisible"; Apply data security technology, including leak detection systems, API security management tools, and regularly conduct vulnerability scanning and penetration testing; Build a centralized compliance management platform to achieve one-stop management of DPO registration and filing, data breach notification, compliance training records, and other functions.

人员管理需强化全员数据保护意识：组织DPO参加PDPC认证培训，鼓励其参与行业交流提升专业能力；针对不同岗位设计差异化培训内容，技术岗位聚焦系统安全配置与泄露检测，业务岗位侧重数据收集规范与客户隐私保护，管理层强化合规责任与风险管控；将数据保护合规纳入绩效考核，对合规表现优秀者给予奖励，对违规行为实行 “零容忍”。

Personnel management needs to strengthen the awareness of data protection among all staff: organize DPOs to participate in PDPC certification training, encourage them to participate in industry exchanges and enhance their professional abilities; Design differentiated training content for different positions, with technical positions focusing on system security configuration and leak detection, business positions emphasizing data collection standards and customer privacy protection, and management strengthening compliance responsibilities and risk management; Incorporate data protection compliance into performance evaluation, reward those who perform well in compliance, and implement "zero tolerance" for violations.

PDPA 2025修订后，跨境数据传输的合规要求更为明确，企业需根据传输场景选择合法路径，确保数据出境安全。

After the revision of PDPA 2025, the compliance requirements for cross-border data transmission have become more clear. Enterprises need to choose a legal path based on the transmission scenario to ensure the security of data export.

合法跨境传输的三大核心路径包括：充分性认定路径，即向PDPC 认定的数据保护水平“充分”的国家或地区（如欧盟、新西兰、瑞士等12个司法管辖区）传输数据，无需额外保障措施；标准合同条款（SCCs）路径，与境外接收方签订PDPC 2025年更新的SCCs模板，新增数据泄露通知协作、争议解决等条款，避免使用过时版本；绑定公司规则（BCRs）路径，跨国企业可申请BCRs认证，在集团内部实现数据自由流动，申请需满足政策统一、合规监控有效、指定集团DPO等条件，认证流程通常为6-12个月。

The three core paths for legitimate cross-border transmission include: adequacy determination path, which refers to the transmission of data to countries or regions with a "sufficient" level of data protection recognized by PDPC (such as 12 jurisdictions including the European Union, New Zealand, Switzerland, etc.) without the need for additional safeguard measures; Standard Contract Terms (SCCs) pathway, signing PDPC 2025 updated SCCs template with overseas recipients, adding clauses such as data breach notification collaboration and dispute resolution to avoid using outdated versions; Binding Company Rules (BCRs) pathway, multinational enterprises can apply for BCRs certification to achieve free flow of data within the group. The application must meet the conditions of policy uniformity, effective compliance monitoring, and designated group DPO. The certification process usually takes 6-12 months.

实操层面，企业需在传输前开展数据传输影响评估（TIA），识别潜在风险并评估接收方数据保护能力，传输敏感个人数据需额外获取数据主体明确同意；合同签订时除约定核心条款外，还需明确数据传输范围、用途限制、保密义务及违约责任，定期对接收方合规情况进行审计；建立应急响应协作机制，若发生跨境数据泄露，需协同开展调查、通知及补救工作，确保境外接收方配合PDPC监管调查。

At the practical level, enterprises need to conduct a Data Transmission Impact Assessment (TIA) before transmission to identify potential risks and evaluate the recipient's data protection capabilities. The transmission of sensitive personal data requires additional explicit consent from the data subject; When signing the contract, in addition to agreeing on the core terms, it is also necessary to clarify the scope of data transmission, usage restrictions, confidentiality obligations, and breach of contract responsibilities, and regularly audit the compliance situation of the recipient; Establish an emergency response collaboration mechanism. In the event of a cross-border data breach, it is necessary to collaborate in conducting investigations, notifications, and remedial measures to ensure that overseas recipients cooperate with PDPC regulatory investigations.

此外，需规避三大常见误区：一是认为“数据主体直接传输数据”无需合规，事实上若传输与境内企业商业活动相关，企业仍需履行合规审查义务；二是过度依赖SCCs而忽视实质审查，需结合接收方所在地区法律环境、数据保护实践开展风险评估，必要时采取额外保护措施；三是跨境传输后放松数据管控，企业作为数据控制者需对数据全生命周期负责，持续监督接收方使用情况，避免数据滥用。

In addition, three common misconceptions need to be avoided: firstly, it is believed that "direct transmission of data by data subjects" does not require compliance, but in fact, if the transmission is related to the commercial activities of domestic enterprises, the enterprises still need to fulfill their compliance review obligations; Secondly, excessive reliance on SCCs and neglect of substantive review require risk assessment based on the legal environment and data protection practices of the recipient's region, and additional protective measures should be taken when necessary; The third is to relax data control after cross-border transmission. As data controllers, enterprises need to be responsible for the entire lifecycle of data, continuously monitor the usage of recipients, and avoid data abuse.

新加坡PDPA 2025修订标志着其数据保护体系进入“精细化、全球化、技术化”新阶段，既为企业设定了更高合规门槛，也通过配套标准与指南提供了清晰路径。对于在新加坡运营或面向新加坡市场的企业而言，数据合规已不再是单纯的法律义务，而是核心竞争力的重要组成部分。

The revision of Singapore's PDPA 2025 marks a new stage of "refinement, globalization, and technologization" in its data protection system, setting higher compliance thresholds for enterprises and providing a clear path through supporting standards and guidelines. For companies operating in Singapore or targeting the Singapore market, data compliance is no longer a simple legal obligation, but an important component of core competitiveness.

企业应尽快对照修订要点开展合规自查：是否已按要求任命合格 DPO并完成注册？数据泄露应急响应流程是否满足72小时通知要求？跨境数据传输是否采取合法保障措施？通过构建完善的合规体系，企业不仅能有效规避法律风险，还能借助《新加坡数据保护标准》认证提升品牌公信力，在新加坡数字经济市场中抢占先机。

Enterprises should conduct compliance self inspection as soon as possible based on the revised key points: Have qualified DPOs been appointed and registered as required? Does the emergency response process for data breaches meet the 72 hour notification requirement? Is there a legal safeguard measure for cross-border data transmission? By establishing a comprehensive compliance system, enterprises can not only effectively avoid legal risks, but also enhance brand credibility through the certification of the Singapore Data Protection Standards, and seize the opportunity in the Singapore digital economy market.

未来，新加坡将持续推进数据保护与AI、跨境贸易的协同发展，企业需保持对法规更新的敏感度，动态优化合规策略，在合规框架内实现数据价值最大化。

In the future, Singapore will continue to promote the coordinated development of data protection, AI, and cross-border trade. Enterprises need to maintain sensitivity to regulatory updates, dynamically optimize compliance strategies, and maximize data value within the compliance framework.