Rajesh has run the workshop on Ubi Road 1, in the middle of the Ubi motor cluster, for nineteen years. Six technicians, a counter clerk, around fifteen cars a day on a busy Wednesday. Timing belts, transmissions, air-con, diagnostics. Regulars from the Kembangan HDBs, Grab drivers from Bedok, fleet owners from the Paya Lebar industrial estate. The ritual when a car comes in has been the same for nineteen years: the clerk hands the customer a clipboard with a job sheet, asks for IC, records the full NRIC on the form — S1234567D or T1234567K — alongside name, mobile, address, plate, make, model and mileage. Everyone does it. Every Singapore workshop has done it since before anyone knew what "PDPA" stood for.

Wednesday, 10:05 a.m. A letter lands in the mail. Personal Data Protection Commission letterhead — recognisable teal and crest, the Commission's Singapore Post mailing address printed on the envelope. Rajesh opens it. "Case Reference PDPC/EN 2026/094 — Request for Preliminary Information in connection with complaints of unauthorised disclosure of personal data — Rajesh Auto Services Pte Ltd — please furnish the requested information within 14 days of this notice".

He reads on. Three customers had contacted the PDPC in the previous month to complain about WhatsApp scam messages they had received — addressed to them by their full name, citing their NRIC number, their vehicle plate and a fake invoice for "deferred workshop charges". The scammer used the data to set up a convincing claim. Two of the three customers had traced the timing of the scam back to their visit to Rajesh Auto six weeks earlier. The third had gone further: the ex-technician who had been dismissed for repeated lateness had been seen, post-dismissal, at a coffee shop across from the workshop, tapping at a laptop with what the customer described as "a spreadsheet that looked like it came from Rajesh Auto".

The PDPC letter is polite, procedural, and serious. It asks for: the Data Protection Officer's name and contact, the workshop's personal data collection and retention policy, the specific categories of personal data held about customers, the security measures in place, the record of the breach or incident, and any notification made to affected individuals. Time to respond: fourteen days. The letter notes that the Commission has statutory powers under Part IX of the Personal Data Protection Act 2012 to investigate, direct remedial action, and impose financial penalties.

Rajesh has never heard of a Data Protection Officer. He has no written retention policy. He has the spreadsheet that his ex-technician almost certainly took a copy of — on a shared workshop PC that anyone with the password could access. He has the clipboard system that collects full NRICs daily. He has no idea that since 2019 the PDPC has explicitly told businesses not to collect full NRIC numbers unless required by law. And he has no idea that since 1 October 2022 the financial penalty ceiling for organisations of his size is S$1 million — scaling to 10% of his Singapore turnover if turnover exceeds S$10 million.

What the PDPA actually says — and why workshops violate it without knowing

The PDPA has been in force since July 2014, with significant amendments in force from February 2021 and October 2022. It covers every Singapore organisation that collects, uses or discloses personal data. There is no small-business exemption. The full legal framework is detailed; for a workshop, four pillars carry the weight.

One — Consent, purpose limitation, reasonable use (PDPA Part IV). Personal data may be collected, used or disclosed only with the individual's consent and only for purposes that a reasonable person would consider appropriate in the circumstances. A workshop collects customer data to provide the service, to send service reminders, to issue the tax invoice, and to comply with tax and accounting obligations. Those purposes are reasonable and consent is usually implied by the customer handing over the data to get the service done. Marketing is a separate purpose that requires separate consent. A tick-box on the job sheet, correctly worded, covers both.

Two — NRIC / FIN collection restrictions. The PDPC issued binding Advisory Guidelines in 2018, effective 1 September 2019: organisations should not collect, use or disclose the full NRIC/FIN number of an individual except where required by law or necessary to establish or verify the identity of the individual to a high degree of fidelity. A workshop booking a service does not meet either ground. The law does not require NRIC on a workshop job sheet. The service does not demand identity verification to a high degree of fidelity — a mobile number and plate are sufficient. Acceptable practice is to collect only the last three digits and the checksum letter (e.g., "...567D") if any NRIC reference is needed for internal record-keeping — and even that is best avoided when mobile number uniquely identifies the customer.

For nineteen years, Rajesh has been collecting full NRICs without any legal basis. His workshop is not unusual; the same practice exists in half the workshops in the Ubi and Sin Ming clusters. The PDPC knows this — the Commission has brought enforcement cases specifically on NRIC over-collection in other sectors (motor retail, estate agencies, clinics) and has been open that auto workshops are a known compliance gap.

Three — Protection obligation (PDPA s.24). An organisation must make reasonable security arrangements to protect personal data in its possession from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. A shared PC with a four-digit password that every technician knew, in a workshop where technicians cycle through every few months, fails this obligation without the PDPC needing to inspect a line of code. Add in a printed customer register that sat on the front counter for six weeks after the technician left, and the gap is structural.

Four — Data Breach Notification (PDPA Part VIA, added 2021, in force Feb 2022). An organisation must assess within 30 days whether a data breach is notifiable. A breach is notifiable if: (a) it causes or is likely to cause significant harm to any affected individual, OR (b) it affects 500 or more individuals. If notifiable, the organisation must notify the PDPC as soon as practicable, and in any case no later than 3 calendar days from making the assessment. Affected individuals must also be notified where likely significant harm applies, without unreasonable delay. Failure to notify is a separate offence under the PDPA.

Rajesh discovered the ex-technician's departure six weeks before the PDPC letter. He has not done any breach assessment. He has not notified anyone. That's not merely a gap — that's an independent PDPA contravention layered on top of the NRIC over-collection and the security-obligation failure.

The penalties — and why 10% of Singapore turnover is the new ceiling

From 1 October 2022, the PDPC's maximum financial penalty changed. Before that date, the ceiling was S$1 million flat for any organisation. After that date, the ceiling is now the higher of S$1 million or 10 per cent of the organisation's annual turnover in Singapore. For an organisation with Singapore turnover below S$10 million — which is most independent workshops — the effective ceiling remains S$1 million. But for any organisation crossing S$10 million in Singapore turnover (larger workshop chains, dealership-affiliated workshops, tyre chains), the ceiling can be significantly higher.

In practice, the PDPC rarely issues a ceiling-level penalty for a first-time, co-operative breach. Enforcement cases published in 2023-2024 on the PDPC website show financial penalties for small organisations typically in the S$5,000 to S$50,000 range, often accompanied by directions — mandatory remediation steps with follow-up audit. Aggravating factors that push penalties higher: failure to notify, failure to cooperate with PDPC inquiries, repeat incidents, large number of affected individuals, or commercial harm to individuals (as with the WhatsApp scam traced back to Rajesh's workshop).

Each financial penalty is published on pdpc.gov.sg as a decision with the organisation named. The PDPC decision pages are indexed by Google. A workshop with a PDPC finding on its public record carries a reputational cost that is not subtle when a future customer searches the name.

The five lines every Singapore workshop should already have in place

1. Named Data Protection Officer (DPO) — published and reachable

Under PDPA s.11(3), every organisation must designate at least one individual as the Data Protection Officer and make the DPO's business contact information available publicly. For a small workshop, the DPO can be the owner — no specialist qualification is required for SME-scale. The essential is that the DPO's name, role, email and phone number are published on the workshop's website, Google Business profile, and a visible notice at the customer counter. A job sheet footer that reads "Data Protection Officer: Rajesh Kumar — [email protected] — 6512-3456" meets the obligation cleanly.

2. Data collection notice at the counter — no full NRIC, purpose-limited, consent-ticked

Revise the intake job sheet: ask for name, mobile number, vehicle plate, address (if home collection is offered) — and not the full NRIC. If internal record-keeping benefits from a partial NRIC identifier (rare, but some insurers require this at claims-handling), take only the last three digits and the checksum letter. Add a brief notice beside the form: "Personal data collected is used to perform the service, send service reminders, issue tax invoices, and for tax and accounting compliance, per our Personal Data Protection Policy available on request. Tick here if you also consent to marketing communications about promotions and services: [ ]." Separate consent for marketing, implied consent for the core service purposes.
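The NRIC rule in pillar two and the revised job sheet in point 2 come down to one control: the full number must never reach storage, and if a reference is needed at all, only the last three digits and checksum letter survive. The following is an added example of that control as intake code; it is not Mekavo's code and not a PDPC-supplied tool. It assumes a job-sheet record held as a plain dict, and checks only the surface format of an NRIC/FIN (prefix letter, seven digits, checksum letter), deliberately not the checksum algorithm, because the goal is to drop the number, not to validate it. The sample record and the field list are constructed.

```python
"""Data-minimising intake for a workshop job sheet (added example).

Assumptions: a dict record per job sheet; NRIC/FIN surface format only
(S/T/F/G/M prefix, seven digits, one checksum letter). Checksum is not
verified. Sample data below is constructed.
"""
import re

# Full NRIC/FIN as printed on an IC, split so the tail can be kept on its own.
NRIC_RE = re.compile(r"\b([STFGM])(\d{4})(\d{3})([A-Z])\b")

# Fields the revised job sheet needs; everything else on the clipboard is dropped.
ALLOWED_FIELDS = {"name", "mobile", "plate", "address", "make", "model", "mileage", "notes"}


def partial_nric(full: str) -> str:
    """Return the last three digits plus checksum letter, e.g. '...567D'.

    Raises ValueError when the input is not NRIC/FIN-shaped, so a typo
    cannot be stored as if it were a partial identifier.
    """
    m = NRIC_RE.fullmatch(full.strip().upper())
    if m is None:
        raise ValueError("not an NRIC/FIN-format value")
    return "..." + m.group(3) + m.group(4)


def redact_nrics(text: str) -> str:
    """Mask every full NRIC/FIN a clerk may have typed into a free-text field."""
    return NRIC_RE.sub(lambda m: "..." + m.group(3) + m.group(4), text)


def minimise_job_sheet(raw: dict, keep_partial_nric: bool = False) -> dict:
    """Build the record that is stored from what was written on the clipboard.

    The full NRIC never reaches storage. If an insurer case genuinely needs a
    reference (keep_partial_nric=True), only the partial form is kept. Fields
    not on the allow-list are dropped; free-text fields are scanned for NRICs.
    """
    clean = {}
    for key, value in raw.items():
        if key == "nric":
            if keep_partial_nric and value:
                clean["nric_partial"] = partial_nric(value)
            continue  # the full number is discarded in every case
        if key in ALLOWED_FIELDS:
            clean[key] = redact_nrics(value) if isinstance(value, str) else value
    return clean


# Constructed sample: a clipboard entry as the counter clerk wrote it.
SAMPLE_RAW = {
    "name": "Tan Ah Kow",
    "nric": "S1234567D",
    "mobile": "91234567",
    "plate": "SBA1234X",
    "make": "Toyota",
    "model": "Corolla Altis",
    "mileage": 84210,
    "notes": "Owner's son S7654321A may collect the car",
    "ic_photo_path": "/scans/ic_0412.jpg",  # a scan of the IC; never stored
}

if __name__ == "__main__":
    stored = minimise_job_sheet(SAMPLE_RAW, keep_partial_nric=True)
    for key, value in stored.items():
        print(f"{key}: {value}")
```

The free-text scan matters as much as dropping the `nric` field: in practice the full number leaks through the "notes" box on the job sheet long after the form itself has been redesigned, and a redaction step at the point of entry is cheaper than finding those notes in a database export later.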

3. Written Personal Data Protection Policy — one page, publicly available

A one-page policy stating: what categories of personal data are collected, the purposes for which each is used, the retention period (typically 5 years for tax/invoice data per Inland Revenue requirements, 2 years for service history, deleted on request for marketing data), the security measures in place (access-controlled system, no shared spreadsheets, no printed customer registers left on the counter), the rights of the individual (access, correction, withdrawal of consent, portability), the DPO contact, and the complaint process. Print, laminate, display at counter. Publish on the website. Update when something material changes. PDPC provides template policies that are appropriate for SMEs — use them as the base.

4. Access controls — no shared passwords, no standing shared spreadsheet

Individual logins for each staff member. Revoke access within the same day a staff member leaves. Keep customer data inside a system that logs access — not on a shared Excel file, not on a printed register left at the counter. Do not discuss customer data in staff WhatsApp groups; WhatsApp is outside the workshop's controlled environment and screenshots are trivially easy. Written internal policy signed by each staff member at onboarding: "I will not copy, photograph, or forward customer personal data outside the workshop's controlled systems. I understand that unauthorised disclosure of personal data is an offence under s.48D of the PDPA, punishable by a fine of up to S$5,000 or 2 years imprisonment or both." That last line is the deterrent — the individual criminal liability that matters when a technician is tempted to walk out with the database.
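Point 4 asks for per-user logins, same-day revocation and a system that logs access. The added example below shows the audit a DPO can run over such a log; it is not Mekavo's code and not a check the PDPC prescribes. It assumes the customer system writes one line per action in the constructed "timestamp user=U action=A rows=N" format shown, and that the roster records each account's last working day. The staff names, dates and log lines are made up. It raises two kinds of finding: any action by an account after that person's recorded last day (access that should have been revoked the same day), and any single export larger than a counter job could need.

```python
"""Offboarding and bulk-export audit over a customer-system access log (added example).

Assumptions: log lines in the constructed "TIMESTAMP user=U action=A rows=N"
format; a roster mapping each account to its last working day (None while
still employed). All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster: last working day per account, None if still employed.
ROSTER = {
    "rajesh": None,
    "clerk01": None,
    "tech_lim": None,
    "tech_arul": date(2026, 2, 6),   # dismissed; account should be off that day
}

# Constructed log lines in the assumed key=value format.
ACCESS_LOG = """\
2026-02-05T09:12:44 user=clerk01 action=view rows=1
2026-02-05T17:30:02 user=tech_arul action=view rows=1
2026-02-06T18:05:19 user=tech_arul action=export rows=840
2026-02-07T10:14:51 user=tech_lim action=view rows=1
2026-02-10T19:42:05 user=tech_arul action=view rows=1
2026-02-11T08:03:10 user=rajesh action=export rows=12
"""

BULK_EXPORT_THRESHOLD = 50  # assumption: more rows than any single job needs


@dataclass(frozen=True)
class Finding:
    kind: str          # "post_departure" or "bulk_export"
    user: str
    when: datetime
    detail: str


def parse_line(line: str) -> tuple:
    """Parse 'TIMESTAMP user=U action=A rows=N' into (datetime, user, action, rows)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["user"], fields["action"], int(fields["rows"])


def audit(log_text: str, roster: dict, threshold: int = BULK_EXPORT_THRESHOLD) -> list:
    """Return findings for use of departed/unknown accounts and oversized exports."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, user, action, rows = parse_line(raw)
        last_day = roster.get(user)
        # An account nobody on the roster vouches for is treated like a departed one.
        if user not in roster or (last_day is not None and when.date() > last_day):
            findings.append(Finding("post_departure", user, when,
                                    f"{action} after last day {last_day}"))
        if action == "export" and rows > threshold:
            findings.append(Finding("bulk_export", user, when, f"{rows} rows exported"))
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, ROSTER):
        print(f"{f.when.isoformat()} {f.kind:15} {f.user:10} {f.detail}")
```

Note the gap the sample deliberately exposes: the 840-row export happens on the technician's last day, after hours, so a date-only comparison against the roster does not catch it. That is why the export-size rule sits beside the departure rule, and why "revoke within the same day" in practice means revoking at the exit conversation, not at close of business.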

5. Breach-response plan on a single page — 30 days to assess, 3 days to notify

Write, print, and rehearse a one-page response plan for a suspected data breach. The plan lists: who is informed first (DPO), how the breach is contained (revoke access, change passwords, secure physical copies), how the DPO assesses whether the breach is "notifiable" (significant harm OR ≥500 individuals) within 30 days, how the PDPC is notified within 3 calendar days of the assessment concluding it is notifiable (portal: eservice.pdpc.gov.sg), how affected individuals are notified, and how the incident and response are recorded in the internal register. Without this plan, when a breach happens the organisation improvises under the Commission's spotlight. Improvisation reads as negligence in an enforcement decision, and the PDPC's penalty calibration lifts the fine accordingly.

What happens now in Rajesh's file

Within the fourteen-day response window, Rajesh appoints himself as DPO, publishes the contact, takes the printed customer register off the counter, revokes all shared access to the customer database, changes passwords, and prepares a written statement to the PDPC acknowledging the incident, describing the remedial steps taken, listing the affected individuals (around 840 NRIC records were on the departing technician's printout), and notifying those affected through mobile-number SMS. He hires a Singapore-admitted lawyer with PDPA practice for the PDPC correspondence — around S$8,000 to S$15,000 for the investigation phase.

The PDPC opens an enforcement investigation. Evidence is weighed: the organisation failed to collect only necessary personal data (NRIC over-collection), failed to protect data (shared access, physical printouts), failed to assess and notify the breach within the statutory window (six weeks elapsed before PDPC heard of it from complainants, not from the organisation), and the breach caused demonstrable harm to at least three individuals (the WhatsApp scam recipients). Mitigating factors: first-time enforcement, cooperation once notified, full remediation within the investigation period.

Published PDPC decisions in comparable small-workshop cases in 2023-2024 fell in the S$15,000 to S$40,000 range plus directions. The decision naming Rajesh Auto Services Pte Ltd becomes public on pdpc.gov.sg; Google indexes it within weeks. Combined with the lawyer's fees, the direct cost is likely S$25,000 to S$55,000. Indirect cost is the loss of customers who search the workshop's name and decide to go to the one next door.

Cost of having written a one-page PDPA policy, appointed a DPO, switched to partial-NRIC collection, and placed a breach-response plan in a drawer? Two afternoons of work, no ongoing cost, no fine, no public decision.

The policy and the job sheet you're already writing

Mekavo's customer intake captures only the data a workshop genuinely needs — name, mobile, email, plate, vehicle details — with no NRIC field in the default configuration. Access is per-user with logged actions. The platform generates a Personal Data Protection Policy template in SGD-currency Singapore English that a workshop can customise and publish in two minutes. The tax-invoice footer supports a DPO contact line. Staff accounts are revocable in one click when someone leaves. The data-breach response plan template is in the Mekavo help centre alongside the PDPC notification portal link.

The PDPA framework is detailed, the enforcement activity is steady, and the 10% turnover ceiling is a real number now. What a workshop can change is the shape of data collection at the counter, the shape of the job sheet, the shape of the staff access policy, and the speed of response when something goes wrong. Five measures. Set them up once. Keep them running on every job.

Official resources

Last updated: April 2026. The statutes, guidelines and enforcement data cited were current at the date of publication. For a live PDPC inquiry letter, a suspected data breach under active assessment, or a compliance review under the recent amendments, consult a lawyer admitted to the Singapore Bar with data-protection practice before responding.

Note on scenarios: The shops, names, addresses, and case reference numbers in this article are fictional and used solely to illustrate how the cited statutes operate in practice. Any resemblance to actual shops, owners, or events is coincidental. The statutes, regulations, and agency procedures cited are real and current as of publication.