Event Registration PDPA: What Singapore Event Organisers Get Wrong About PDPA and Attendee Data

In December 2023, the Personal Data Protection Commission (PDPC) opened an investigation after a software misconfiguration on Ticketmaster Singapore’s platform caused users buying tickets to see other users’ accounts. The glitch exposed the names, phone numbers, email addresses, and order histories of approximately 400 individuals.

Following the investigation, the PDPC accepted a voluntary undertaking in April 2024, requiring Ticketmaster to completely overhaul its content distribution network configuration, testing protocols, and security architecture.

This was not a malicious hack. It was not a rogue employee selling data. It was a simple configuration error made during a routine software upgrade—with inadequate post-upgrade testing to catch it.

The lesson for Singapore event organisers is stark: you do not need a malicious actor to breach the Personal Data Protection Act (PDPA). A misconfigured registration platform, a shared spreadsheet, a photographer who didn’t obtain consent, or a lucky draw whose terms buried a sponsor data-sharing clause—any of these common event scenarios can trigger a PDPC investigation.

And the penalties are severe. The maximum financial penalty for a data breach is up to S$1 million, or up to 10% of annual Singapore turnover for organisations with a turnover exceeding S$10 million. In January 2026 alone, the PDPC fined People Central Pte Ltd S$17,500 for a breach exposing 95,000 individuals’ data, and Singapore Data Hub Pte Ltd another S$17,500 for exposing 689,000 records.

The 11 PDPA Obligations That Apply to Every Event

Most event organisers know the PDPA exists but have never mapped its specific obligations to their actual event workflow. Under Singapore law, your event must comply with 11 distinct data protection obligations. Here is where events typically fail:

PDPA Obligation	What It Means for Your Event	Where Events Typically Fail
Accountability	Designate a Data Protection Officer (DPO); have documented policies.	No DPO appointed; no written data policy for the event.
Notification	Tell attendees why you’re collecting their data before collecting it.	Registration forms with no stated purpose.
Consent	Get explicit, informed consent for each purpose.	One buried checkbox for registration, marketing, and sponsor sharing.
Purpose Limitation	Only use data for the purpose collected.	Using event RSVPs to send unrelated future marketing.
Accuracy	Keep data accurate and correctable.	No mechanism for attendees to update their details post-registration.
Protection	Reasonable security arrangements to prevent unauthorised access.	Attendee lists stored in shared Google Drive folders or emailed spreadsheets.
Retention Limitation	Cease retention when no longer needed.	Attendee data sitting in CRMs and spreadsheets two years after the event.
Transfer Limitation	Ensure overseas transfers have adequate protection.	Using US-based platforms without assessing cross-border data safeguards.
Access & Correction	Allow individuals to access and correct their data.	No process to handle data access requests at events.
Data Breach Notification	Notify PDPC if a breach meets the severity threshold.	No incident response plan; discovering a breach days later.
Do Not Call (DNC)	Do not send unsolicited marketing to unregistered numbers.	Post-event marketing SMS blasts to all attendees without opt-in consent.

The 7 Mistakes Singapore Event Organisers Make Most Often

Mistake 1: Treating Attendance as Blanket Consent

Attending an event does not constitute consent to be photographed, filmed, or added to a marketing mailing list. These are three separate purposes—each requiring separate, specific consent. Yet, many organisers combine all of them into a single checkbox or assume attendance implies consent.

The Fix: Use layered consent. Create one tick box for essential event communications (logistics, confirmations), a separate tick for post-event marketing, and a third separate tick for sponsor communications. Each must state clearly what the attendee is agreeing to.

Mistake 2: Sharing Attendee Lists with Sponsors Without Explicit Consent

This is one of the most common PDPA violations at B2B corporate events. When a sponsor pays to access the event’s attendee data, and the attendees were not explicitly told at registration that their data would be shared, the event organiser has breached both the Consent and Purpose Limitation Obligations.

The Fix: Add a specific, standalone consent field on the registration form: “I agree to share my contact details with event sponsors for post-event follow-up.” This must be opt-in, not opt-out.

Mistake 3: Collecting NRIC Numbers for Check-In

From 1 January 2027, private organisations using National Registration Identity Card (NRIC) numbers—whether full or partial—for authentication will face stepped-up PDPC enforcement, including directions and financial penalties. The PDPC and Cyber Security Agency (CSA) issued a joint advisory explicitly prohibiting the use of NRIC numbers as passwords or default credentials. Organisers running government-adjacent events or AGMs have until 31 December 2026 to phase this out.

The Fix: Replace NRIC-based check-in with dynamic QR code confirmation. Attendees receive a unique QR code at registration, which is scanned at check-in to confirm identity. It is vastly more secure and significantly faster.

Mistake 4: Post-Event Data Hoarding

The Retention Limitation Obligation requires organisations to destroy personal data once it is no longer needed for the purpose it was collected. In practice, event teams commonly leave past event data in live CRM systems for years, keep spreadsheets in open-access Dropbox folders, or fail to confirm their event platform vendor has cleared the data.

The Fix: Document a data retention schedule for every event detailing what data is held, where it is stored, who has access, and the exact deletion date.

Mistake 5: Not Briefing Your Event Platform Vendor

When you use a third-party registration platform, you become the Data Controller. The platform is simply a data intermediary. But most organisers never ask their vendor where the data is stored, who has access, or how they handle breach notifications. If your platform stores data on overseas servers, you have a Transfer Limitation Obligation to assess.

The Fix: Audit your vendors. Klobbi, for example, is ISO27001-certified and holds the CSA Cyber Trustmark. Data is held within a Singapore-compliant infrastructure with AES-256 encryption, TLS 1.2 transmission, and a documented 30-day post-event data destruction protocol.

Mistake 6: Photography and Video Without Proper Consent

Photos and videos of identifiable individuals are personal data under the PDPA. A venue photographer capturing candid shots of attendees without consent is a PDPA risk.

The Fix: Implement three-layer photography consent: state in the registration confirmation that photography will take place; display visible signage at the event entrances; and provide an opt-out mechanism, such as a specific lanyard or badge sticker, for attendees who prefer not to be photographed.

Mistake 7: Running Lucky Draws Without Proper Data Segregation

Attendees enter lucky draws for a chance at a prize—not because they want ongoing marketing. Using lucky draw entry data to build a marketing database without explicit opt-in consent violates the Purpose Limitation Obligation.

The Fix: Lucky draw mechanics should use existing event QR codes or ticket numbers where possible so no new data is collected. If new data is collected, state explicitly that it is strictly for prize notification.

The Data Intermediary Gap: What Your Platform is Actually Responsible For

Under the PDPA, an event registration platform provider processes personal data on your behalf as a data intermediary. However, as the event organiser, you remain the data controller and bear primary PDPA liability.

If your platform misconfigures a setting that exposes attendee data, your organisation faces the reputational and legal consequences. You cannot outsource PDPA accountability.

Before signing a contract with any event platform vendor, you must ask:

Are you ISO27001 certified?
Do you hold the CSA Cyber Trustmark?
Where is attendee data stored—Singapore or overseas?
What is your data retention and deletion policy post-event?
How do you notify the event organiser in the event of a data breach?
What are you encryption levels?
What is your incidence response plan?
Have you ever been subject to a PDPC investigation or voluntary undertaking?

No other event registration platform in Singapore’s market can currently document all seven of these publicly besides Klobbi.

The 2025–2027 Enforcement Wave

The PDPA is not a static framework, and Singapore’s enforcement posture is tightening significantly.

Organisations handling large volumes of personal data are now required to designate a Data Protection Officer. Significant breaches must be reported to the PDPC within three days. And with 82% of PDPC enforcement actions in 2023/24 stemming from cyber incidents and weak security measures, the compliance window for ad-hoc data handling has closed.

The PDPA Event Compliance Checklist

Use this checklist to audit your next corporate event workflow.

Pre-Event

[ ] Registration form explicitly states the purpose of each data field collected.
[ ] Separate consent tick-boxes are provided for event communications, marketing, and sponsor sharing.
[ ] NRIC is not used as check-in authentication or a password.
[ ] Photography/videography notices are included in the registration confirmation.
[ ] The event platform vendor has been audited for local compliance and security certifications.
[ ] A Data Protection Officer is designated for the event.
[ ] A data retention schedule is documented.

On Event Day

[ ] Digital attendee list screens face staff, not the queue.
[ ] Printed guest lists are stored securely behind the desk, not on open tables.
[ ] The event team is briefed: no photographing guest lists or emailing lists to personal accounts.
[ ] Photography signage is visibly displayed at all entrances.
[ ] An opt-out mechanism is available for attendees who do not wish to be photographed.

Post-Event

[ ] Attendee data access is immediately revoked for staff who no longer need it.
[ ] Shared folders containing attendee data are deleted or archived with strict access controls.
[ ] The platform vendor has confirmed the deletion of event data per the agreed 30-day schedule.
[ ] Marketing follow-ups are sent strictly to attendees who provided explicit opt-in consent.

Compliance as a Feature, Not a Footnote

Most event registration platforms were built for a global market that treats compliance as a checkbox. Klobbi was built strictly for Singapore’s regulatory reality.

When you run an event on Klobbi, your attendee data is encrypted end-to-end. Your event database is cleared on a strictly documented 30-day post-event destruction schedule to prevent data hoarding. The platform holds both ISO27001 certification and the CSA Cyber Trustmark at the advanced maturity tier.

For corporate event teams at banks, government-linked companies, and statutory boards—who are themselves subject to strict data governance standards and need their vendors to meet the exact same bar—Klobbi’s certifications are not marketing language. They are contractual assurance.