Singapore recognises APEC CBPR and PRP System certifications for overseas transfers of personal data from 1 June 2020

29 June 2020

With effect from 1 June 2020, the Personal Data Protection Regulations 2014 have been amended to recognise the Asia Pacific Economic Cooperation (“APEC”) Cross Border Privacy Rules (“CBPR”) System and Privacy Recognition for Processors (“PRP”) System certifications as one of the modes for transfers of data overseas.

Chapter 19 of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act has been updated on 2 June 2020 to clarify that any recipient organisation holding a specified certification such as the APEC CBPR System or PRP System is taken to be bound by legally enforceable obligations to provide a standard of protection comparable to that under the Personal Data Protection Act 2012.

This means that organisations in Singapore can easily transfer personal data to an overseas recipient that is CBPR- or PRP-certified without meeting additional requirements. The Personal Data Protection Commission (“PDPC”) recommends that the transferring organisation in Singapore include the following sample clause (text in parenthesis to be adapted as appropriate) in its contract with the CBPR- or PRP-certified overseas recipient:

“The parties agree and acknowledge that [an organisation / a data intermediary] which is certified under the Asia-Pacific Economic Cooperation [Cross Border Privacy Rules System / Privacy Recognition for Processors System] is bound by a legally enforceable set of obligations to provide comparable protection to the Personal Data Protection Act 2012 (No. 26 of 2012, Statutes of the Republic of Singapore).

The receiving party shall maintain its certification under the Asia-Pacific Economic Cooperation [Cross Border Privacy Rules System / Privacy Recognition for Processors System] during the term of this Agreement, and promptly notify the disclosing party of any change in the receiving party’s certification status.”

Reference materials

The following materials are available on the PDPC website www.pdpc.gov.sg:

• PDPC announcement
  
• PDPC Infographic on easy data transfers to APEC CBPR and PRP certified organisation
  
• Advisory Guidelines on Key Concepts in the Personal Data Protection Act 
• Sample Clause for Data Transfers to APEC CBPR and PRP Certified Organisations 
• Welcome address by Commissioner, Mr Tan Kiat How, at the 53rd Asia Pacific Privacy Authorities Forum, on 2 June 2020