What the Personal Data Protection Act 2012 requires when you use AI on personal data — consent, notification, protection and transfer limitation — grounded in the PDPC’s AI advisory guidelines, without overclaiming.
dgm is an independent osFoundry integration partner — not affiliated with osFoundry’s maker (OS LLC), and dgm has no completed client integrations yet.
The Personal Data Protection Act 2012 (PDPA) is Singapore’s data-protection law, and it applies to AI the same way it applies to any other handling of personal data. Here is what it actually requires — and what is not yet in force.
| Item | Detail |
|---|---|
| Regulator | Personal Data Protection Commission (PDPC), under IMDA |
| Core duties | Consent, notification, purpose limitation, protection, transfer limitation |
| Breach notification | Mandatory since 1 Feb 2021 — report within 3 days |
| AI guidance | PDPC Advisory Guidelines on Personal Data in AI systems (Mar 2024) |
What the PDPA requires for AI
The PDPA is technology-neutral: AI handling of personal data is subject to the same obligations — consent, notification, purpose limitation, accuracy, protection, retention limitation and transfer limitation, plus access and correction. The PDPC’s Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems (March 2024) clarify how these apply across the AI lifecycle — but they are advisory and do not change the statutory law.
Breach notification and penalties
Mandatory data-breach notification has been in force since 1 February 2021: a notifiable breach (one likely to cause significant harm, or of significant scale) must be reported to the PDPC as soon as practicable, no later than 3 calendar days. Since 1 October 2022 the maximum financial penalty for larger organisations is 10% of annual turnover in Singapore or S$1 million, whichever is higher.
What is not yet in force
The PDPA’s data-portability obligation was enacted but is not yet in force as of 2026, so do not treat it as a current requirement.
osFoundry’s managed cloud pins data to the US, EU or Japan; it does not currently offer a Singapore managed region (its nearest managed region is Japan). For data that must stay in Singapore, the honest path is self-hosting osFoundry (BYO Cloud) inside a Singapore cloud region such as AWS Asia Pacific (Singapore) ap-southeast-1, Microsoft Azure Southeast Asia (Singapore) or Google Cloud asia-southeast1 (Singapore), or running models locally on-device.
Where dgm fits
dgm is an independent integration partner that helps Singapore businesses adopt osFoundry — scoping a first use case, handling the build, and connecting AI to the systems you already run. dgm is independent of osFoundry’s maker (OS LLC) and has no completed client integrations yet, so everything described here is a service offered, not a past result. If you want to scope a practical first project, dgm can help you map it out.