6 Simple guides on PDPA clause for agreements of personal data
In today’s digitally driven world, organizations routinely collect a plethora of data that individuals submit – be it to extend product offers or to keep their customers informed about a topic of personal interest. It is the right of the individuals who submit this personal data to expect its ethical management. Since organizations can leverage this data in many ways – whether for lead generation or targeted marketing based on profiles – it is important for them to ensure that it is legitimately used.
In Singapore, personal data is protected under the Personal Data Protection Act 2012 (PDPA). This Act has various rules governing the collection, use, disclosure, and care of individuals’ personal data.
For small and medium-sized businesses, creating awareness about your product or service is vital for growth. But with the PDPA, you will need to heed its various stipulations so that you do not tread on customers’ (or potential customers’) privacy. This may seem like a hindrance, but few realize that the PDPA can be a blessing in disguise. It gives companies the opportunity to allay concerns of data mismanagement, which in turn helps to build customer trust.
Below are the 6 simple guides on the PDPA clause for agreements of personal data:
1. An organization may engage another organization to provide services relating to the processing of personal data (such as hosting or storage of data, payroll processing, etc.). In this Guide, the organization purchasing services will be known as the “Customer,” while the organization providing services will be known as the “Contractor.” A Customer and a Contractor will usually enter into a written agreement to set out the services provided and the parties’ obligations (“Service Agreement”).
2. This Guide provides sample data protection clauses that Customers may include in their Service Agreements with Contractors, for general reference. The sample clauses should be adapted to suit the Customer’s particular circumstances and needs. For example, the sample clauses may be modified to take into account the Customer’s operational and business requirements, the context of the Service Agreement, and the other clauses of the Service Agreement dealing with similar or related issues (e.g., confidentiality clauses). Please read the explanatory notes in the next section of this Guide before using the sample clauses.
3. A Contractor who processes personal data on behalf of, and for the purposes of, a Customer will likely be considered a data intermediary of the Customer under the Personal Data Protection Act 2012 (“PDPA”). Where the Contractor is processing personal data as a data intermediary pursuant to a contract in writing, the Contractor will not be subject to the obligations set out in Parts III to VI of the PDPA (“Data Protection Obligations”) except for the obligations relating to protection and retention of personal data.
4. A Customer will be liable for any act done, or omission, by the Contractor in the course of processing personal data on behalf of the Customer where such act or omission amounts to a breach of any Data Protection Obligation. When engaging Contractors to process personal data on their behalf and for their purposes, Customers should therefore ensure that their Service Agreements with the Contractors impose sufficient obligations on the Contractors so as to ensure the Customer’s own compliance with the PDPA.
5. For more information about the Data Protection Obligations, please refer to Parts III to VI of the PDPA and the advisory guidelines issued by the Personal Data Protection Commission (“Commission”). In particular, the Commission’s Advisory Guidelines on Key Concepts in the PDPA (“Key Concepts Guidelines”) elaborate on the key terms in the PDPA relating to data intermediaries and explain the general issues surrounding various obligations which organizations have to comply with under the PDPA. Note, however, that each advisory guideline should always be read in conjunction with any other relevant advisory guidelines that the Commission has issued or may from time to time issue.
6. Use of the sample clauses does not mean that you would be in compliance with the PDPA or any other law. You should seek professional legal advice if you are uncertain of your legal position or obligations under the law or require assistance with the drafting of any Service Agreement (including the use of the sample clauses).