Third Parties

If you collect personal data through third parties (e.g. marketing companies, another organisation referring a matter to you), do you ensure that the third party has obtained consent from the individuals to disclose the personal data to you for your intended purposes?

If you are engaging a data intermediary to collect, use or disclose personal data on your organisation’s behalf, have you ensured that the data intermediary will take the necessary action to ensure that your organisation will be in compliance with the PDPA?

A data intermediary is an organisation that processes personal data on behalf of another organisation but does not include an employee of that other organisation. Examples of data intermediaries include event management companies, market research companies, payment solutions service providers, human resource and administration management service providers, data hosting and storage service providers including cloud, microfilm and other storage.


You should consider entering into written agreements with third parties such as data intermediaries to provide that these third parties comply with certain PDPA obligations.


You should also consider checking with these third parties their policies and practices regarding personal data collection, storage and management before engaging them.


Sample Data Protection Clauses in a Third Party Service Agreement


This Service Agreement (the “Agreement”) is made on [date] between:

(A)    [registered name of your organisation or your full name] (UEN / NRIC No. [number]), a Company duly incorporated in Singapore having its registered address at [address] [OR of [residential address]] (“Customer”);


(B)    [registered name of third party contractor’s organisation or person’s full name] (UEN / NRIC No. [number]), a Company duly incorporated in Singapore having its registered address at [address] [OR of [residential address]] (“Contractor”).


A.    Customer has engaged the Contractor to, and Contractor agrees to, provide the following services: [list services, e.g. cloud hosting services].

B.    Contractor has agreed to provide the aforesaid services in consideration of the Customer’s payment of the fees, and on the terms and conditions, set out in this Agreement.


1.1.    In this Agreement, unless the context otherwise requires, the following terms shall have the meanings assigned to them below:

1.1.1    [List other definitions.]
1.1.2    “Customer Personal Data” means Personal Data which the Customer discloses to the Contractor, or which the Contractor processes on behalf of the Customer, including: [set out specific examples of personal data which your organisation will provide to the contractor e.g. NRIC numbers, residential addresses, etc.];
1.1.3    “PDPA” means the Personal Data Protection Act 2012; and
1.1.4    “Personal Data” means personal data as defined in the PDPA.


2.1.    [Set out terms on services, fee, payment, etc.]


3.1.    Compliance with PDPA. The Contractor shall comply with all its obligations under the PDPA at its own cost.

3.2.    Process, Use and Disclosure. The Contractor shall only process, use or disclose Customer Personal Data:
a.    strictly for the purposes of fulfilling its obligations and providing the services required under this Agreement;
b.    with the Customer’s prior written consent; or
c.    when required by law or an order of court, but shall notify the Customer as soon as practicable before complying with such law or order of court at its own cost.

3.3.    Transfer of personal data outside Singapore. The Contractor shall not transfer Customer Personal Data to a place outside Singapore without the Customer’s prior written consent. If the Customer provides consent, the Contractor shall undertake to the Customer that the Customer Personal Data transferred outside Singapore will be protected at a standard that is comparable to that under the PDPA. If the Contractor transfers Customer Personal Data to any third party overseas, the Contractor shall procure the same written undertaking from such third party.

3.4.    Security Measures.

3.4.1.    The Contractor shall protect Customer Personal Data in the Contractor’s control or possession by making reasonable security arrangements (including, where appropriate, physical, administrative, procedural and information & communications technology measures) to prevent unauthorised or accidental access, collection, use, disclosure, copying, modification, disposal or destruction of Customer Personal Data, or other similar risks. For the purposes of this Agreement, “reasonable security arrangements” include arrangements set out below (which shall not be varied without the Customer’s prior written consent):

Physical Access Control. Contractor shall undertake reasonable measures to prevent unauthorized persons from gaining access to data processing systems in which Customer Personal Data is stored or processed, such as the use of security personnel, secured buildings and data centre premises.

System Access Control. Contractor shall undertake reasonable measures to ensure only authorised persons have access to the data processing systems in which Customer Personal Data is stored or processed, including authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access on several levels.

Data Access Control. Contractor shall undertake reasonable measures to ensure only authorised persons have access to, and may manage, Customer Personal Data.

Transmission Control. Contractor shall undertake reasonable measures to ensure that transfers of Customer Personal Data are encrypted.

Input Control. Contractor shall undertake reasonable measures to ensure that the Customer Personal Data source is solely under the control of the Customer and Customer Personal Data integration into the Contractor’s systems is managed by secured file transfer (e.g., via web services or entered into the application) from the Customer.

Data Segregation. Contractor shall undertake reasonable measures to ensure that the Customer Personal Data is locally segregated from Contractor’s data and any third parties.

[State other specific security measures that you want the Contractor to adopt.]

3.5.    Access to Personal Data. The Contractor shall provide the Customer with access to the Customer Personal Data that the Contractor has in its possession or control, as soon as practicable upon Customer’s written request.

3.6.    Accuracy and Correction of Personal Data. Where the Customer provides Customer Personal Data to the Contractor, the Customer shall make reasonable effort to ensure that the Customer Personal Data is accurate and complete before providing the same to the Contractor. The Contractor shall put in place adequate measures to ensure that the Customer Personal Data in its possession or control remains or is otherwise accurate and complete. In any case, the Contractor shall take steps to correct any errors in the Customer Personal Data, as soon as practicable upon the Customer’s written request.

3.7.    Retention of Personal Data.

3.7.1.    The Contractor shall not retain Customer Personal Data (or any documents or records containing Customer Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of this Agreement. The Contractor shall, upon the request of the Customer:

a.    return to the Customer, all Customer Personal Data; or

b.    delete all Customer Personal Data in its possession,

and, after returning or deleting all Customer Personal Data, provide the Customer with written confirmation that it no longer possesses any Customer Personal Data. Where applicable, the Contractor shall also instruct all third parties to whom it has disclosed Customer Personal Data for the purposes of this Agreement to return to the Contractor or delete, such Customer Personal Data.

3.8.    Audit. Customer may audit Contractor’s compliance with the terms of the Agreement up to [number] per year. To request an audit, Customer must submit a detailed audit plan at least two weeks in advance of the proposed audit date to Contractor, who shall work cooperatively with Customer to agree on a final audit plan. The audit must be conducted during regular business hours at the applicable facility, and may not unreasonably interfere with Contractor’s business activities. Any audit reports are confidential information of the parties under the terms of this Agreement. Any audits shall be conducted at the Customer’s expense.

3.9.    Notification of Breach. The Contractor shall immediately notify the Customer when the Contractor becomes aware of a breach of any of its obligations in this Clause 3.

3.10.    Indemnity. The Contractor shall indemnify the Customer and its officers, employees and agents, against all actions, claims, demands, losses, damages, statutory penalties, expenses and costs (including legal costs on an indemnity basis), in respect of:
a.    the Contractor’s breach of any obligation in Clause 3; or
b.    any act, omission or negligence of the Contractor or its subcontractor that causes or results in the Customer being in breach of the PDPA.
[Insert other terms in respect of the service agreement.]