Skip to main content

Singapore PDPA prohibits transfer of data among group entities except in accordance with the Act. It is important for companies operating in multi-jurisdiction to have in place group-level privacy compliance and data transfer agreements. Interesting read on Singapore PDPA

-

Singapore: beyond the organisation – intra-group data privacy compliance

Bird & Bird ATMD LLP

Singapore August 3 2015

Image result for data protectionHaving put in place internal data protection compliance processes, organizations should begin looking beyond their borders (pun intended), towards establishing group-level privacy compliance.

 The need for group-level privacy compliance and data transfer agreements ("DTAs")

In today's globally-connected environment, it is not uncommon for Singapore entities to share data, including personal data, with related entities which may or may not be based in Singapore. Given the increasing international focus on privacy and personal data protection, the well-established privacy regimes in the European Union, and the proliferation of comprehensive data protection laws across Asia over the past five years, it may not be enough to focus solely on localized data protection compliance – companies must adopt a holistic approach to data protection that allows them to share data globally within their group of related companies ("Related Entities").
The Singapore Personal Data Protection Act 2012 ("PDPA") prohibits the sharing of personal data among Related Entities or transfer personal data out of Singapore except in accordance with the PDPA. Where personal data is to be transferred out of Singapore, the transferor is to provide the transferred personal data with a standard of protection comparable to the protection under the PDPA (the "Transfer Obligations"). Therefore, a Singapore-based organization must meet its Transfer Obligations in order to share personal data globally.

The Personal Data Protection Regulations 2014 ("Regulations") require the transferor to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations before transferring personal data. "Legally enforceable obligations" under the Regulations include any law, contract (i.e. a DTA), binding corporate rules ("BCRs"), or any other legally binding instrument.
Image result for data privacy

 Deceptively complex Intra-Group DTAs and other "legally enforceable obligations"
A simple bilateral DTA allows entities to exchange personal data on an ad-hoc basis, and can be customized to suit various jurisdictions and obligations that an organization may wish to impose on the recipient, including reduced obligations if the recipient is merely a data intermediary.
Where there are more than 2 Related Entities in a group, multiple bilateral DTAs may or may not meet the group's operational needs. Another option to consider is the Intra-Group DTA. To implement an Intra-Group DTA, a number of questions need to be considered. For example, what is the simplest and most efficient way for a group with a large number of Related Entities to manage DTAs? What is the simplest way for future Related Entities to be bound by legally enforceable obligations after the DTA has been executed? How does the group address differing transfer requirements in various local jurisdictions? Will DTAs restrict the ability of an organization to scale globally?

Given that every organization has unique group-level operational requirements, customised multi-party DTAs or other binding legal obligations will be needed to achieve the group's desired outcomes.
Bird & Bird - Chia Ling Koh

Reference:http://www.lexology.com/library/detail.aspx?g=b78e7238-3955-444e-ba8f-8eded123ae73&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=Lexology+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2015-08-06&utm_term=

Comments

Post a Comment

Please share your valuable comments and thoughts on this article. Thanks!

Popular posts from this blog

Responding to Software Review Audits- Good tips on how to handle audit requests and settlements

-
Image
Managing Audits to Prevent Unauthorized Disclosures by Technology Teams by Keli Johnson Swan in Blogs , Software Audits Disputes involving software usage are on the rise for businesses of all sizes. In some cases, technical teams respond to a software publisher’s or a third party’s audit request and provide significant amounts of data without notifying anyone on the corporate governance or the legal teams.  It is critical for those teams to evaluate the publisher’s legal ability to audit, and to identify the data the publisher is entitled to request. It is not uncommon for the legal team to discover the existence of a software audit or license verification after the company has received a demand for damages arising from alleged over-usage of software. Often, employees responding to an audit request do not understand the request and provide inaccurate or incomplete information. Once this information is disclosed, it can expose the business to a damages cla
Read more

"What is the right thing to do?" What's The Difference Between Compliance And Ethics?

-
Image
  What's The Difference Between Compliance And Ethics? Bruce Weinstein, Ph.D. Contributor Customized ethics keynotes, training, and online courses for CE credit May 9, 2019, 01:19pm EDT  TWEET THIS High-character leaders ask, "What is required of me?" but they don't leave it at that. Ethical leaders also ask, "What is the right thing to do? How would an honorable person behave in this situation?" I've noticed some confusion about the roles that ethics and compliance play in organizations. This confusion arises, in part, from the way these two fields are identified. Some companies have only a compliance department. Others have a compliance  and  ethics (or ethics and compliance) department. Some companies have a Chief Ethics Officer separate from compliance. To get some clarity on these crucial roles, I asked seven leaders who are involved in both ethics and compliance to explain the similarities and differences as they saw them. I'll present their vi
Read more

The 6-D model of national culture by Geert Hofstede

-
Image
The 6-D model of national culture Geert Hofstede, assisted by others, came up with six basic issues that society needs to come to term with in order to organize itself. These are called dimensions of culture. Each of them has been expressed on a scale that runs roughly from 0 to 100. Dimension maps of the world: Individualism Each dimension has been derived by comparing many, but not all, countries in the world. The findings can be summarized into six world maps of the distribution of that dimension. Of course, in reality there can be quite a bit of within-country variation; these maps should be seen as rough 'climate maps' of culture. Individualism Individualism is the extent to which people feel independent, as opposed to being interdependent as members of larger wholes. Individualism does not mean egoism. It means that individual choices and decisions are expected. Collectivism does not mean closeness. It means that one "knows one's place&q
Read more