Policy Briefing — Singapore prepares to commence PDPA Data Portability obligations
Singapore’s Personal Data Protection Commission plans to activate PDPA Data Portability obligations in April 2025, requiring organisations to process access-style transfer requests, maintain data maps, and coordinate with designated data intermediaries.
Executive briefing: The Personal Data Protection Commission (PDPC) signalled in its March 2024 consultation that the Personal Data Protection (Data Portability) Regulations will commence in April 2025. Organisations must be able to receive, authenticate, and fulfil Data Portability Requests (DPRs) within standard service levels while safeguarding national security, proprietary, and derived data exemptions.
Obligation highlights
- Request handling. Covered organisations must acknowledge DPRs within two business days and complete transfers within 30 calendar days, barring permitted extensions.
- Scope management. Data maps must distinguish between user-provided data, user-activity data, and derived data to determine what qualifies for transfer.
- Intermediary coordination. Where data intermediaries process information on behalf of controllers, contracts must enable timely extraction and secure transfer of portable datasets.
Program actions
- Operational playbooks. Draft DPR playbooks covering authentication, fraud prevention, and secure transfer formats such as JSON or CSV.
- Systems readiness. Implement APIs or export tooling that can package portable data aligned to PDPC’s proposed Data Portability Request Template.
- Exception governance. Establish review committees to adjudicate refusals based on national security, proprietary, or disproportionate burden grounds, with documentation ready for PDPC inspection.