Data Protection Notice Guide

Last updated on Feb 01, 2026

1. Purpose of This Guide

This artefact proves that your organisation has published a Data Protection Notice that is publicly accessible and clearly states:

  • Who your Data Protection Officer (DPO) is

  • How to contact them

  • How personal data is collected, used, and disclosed

Under PDPA Data Protection Essentials Clause 1.1.2, making the DPO’s business contact information publicly available is mandatory.
This fulfils the PDPA Notification Obligation and allows individuals to exercise their data protection rights without friction.

In short: people must be able to find this information without logging in or asking.


2. What You Will Submit

You will upload evidence of your published Data Protection Notice.

This is usually:

  • A screenshot of the notice on your website, or

  • A PDF or document that is publicly hosted (with proof of access)

The notice must be accessible to:

  • Customers

  • Website visitors

  • Members of the public


3. How to Collect / Obtain This Evidence

Step 1: Publish your Data Protection Notice

Your Data Protection Notice should be published on:

  • Your company website (commonly in the footer), or

  • A publicly accessible page provided to customers

It must include:

  • Organisation name

  • Purposes for collecting, using, and disclosing personal data

  • DPO’s business contact information (email or phone)


Step 2: Verify public access

Before capturing evidence:

  • Open the page in an incognito/private browser

  • Confirm it loads without login or authentication

  • Scroll until the DPO contact details are visible


Step 3: Capture screenshot evidence

Take a screenshot that clearly shows:

  • The Data Protection Notice heading

  • The section containing the DPO’s business contact information

  • Website URL or branding (to show ownership)

If your notice is long, multiple screenshots are acceptable.


4. Evidence Format

  • Accepted file types: PNG, JPG, PDF

  • Recommended naming format:

    YourCompanyName_DataProtectionNotice_YYYY-MM-DD.png

    Example:

    AcmeCorp_DataProtectionNotice_2025-07-01.png

5. What “Good” Looks Like

Strong Data Protection Notice evidence includes:

  • Visible Element: Public-facing webpage or document
    Why it matters: Confirms accessibility to the public.

  • Visible Element: DPO’s business email or phone number
    Why it matters: Directly fulfils Clause 1.1.2.

  • Visible Element: Clear description of data use purposes
    Why it matters: Satisfies the PDPA Notification Obligation.

If an assessor can answer “Who do I contact, and what happens to my data?” within a minute — you’ve nailed it.


6. Tips from Sir Stonk 🗡️

  • Use a role-based email (e.g. dpo@company.com) instead of a personal inbox.

  • If your notice changes, update the screenshot — assessors expect it to reflect current practice.