Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing

        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing

        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing

        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing

        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training

        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing

        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review

        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention

        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise

        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle

        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

I'VE BEEN BREACHED

Transfer Limitation Obligation: What every organization should know

Transfer Limitation Obligation
The Transfer Limitation Obligation requires organizations to comply with the requirements prescribed by the PDPA before transferring personal data outside Singapore.

Organizations should implement the necessary security measures to ensure the safety of personal data in their possession or under their control, as well as its transfer from one server to another in or out of Singapore. This is to avoid breaching the Transfer Limitation Obligation of the Personal Data Protection Act or PDPA and face the consequences it may bring. 

The Transfer Limitation Obligation 

Transfer Limitation Obligation, as stated in Section 26 of the PDPA, restricts an organization’s capacity to transfer personal data outside of Singapore. In particular, section 26(1) stipulates that an organization may not transfer personal data to a country or territory outside of Singapore unless it complies with requirements prescribed by the PDPA to ensure that organizations provide a comparable level of protection to personal data so transferred. This need not to transfer personal data except in conformity with specified standards is referred to as the Transfer Limitation Obligation in these Guidelines.

Transfer Limitation Obligation restricts an organization’s capacity to transfer personal data outside of Singapore.

Transfer Limitation Obligation: Conditions for transfer of personal data overseas 

The PDPA’s implementing regulations will spell out the specifics of when and how businesses may send people’s personal data abroad. Basically, an organisation may transfer personal information abroad if:

  • While the transferred personal data is in its custody or control, it has taken the necessary precautions to ensure that it will be treated securely and in accordance with the Data Protection Provisions.
  • The recipient is located in a country or territory outside of Singapore and is obligated by legally enforceable responsibilities to provide to the personal data transferred a quality of protection that is comparable to that under the Personal Data Protection Act (PDPA) of Singapore. 

In this sense, legally enforceable obligations include the following:

  1. any law; 
  2. any contract that: 
    • i. requires the recipient to ensure at least comparable protection for the personal data transferred to the recipient; and
    • ii. specifies the countries and territories to which the personal data may be transferred pursuant to the contract.
  3. any binding corporate rules that: 
    • i. require every recipient of the transferred personal data to provide a level of protection that is at least comparable to the protection under the PDPA; and
    • ii. specify the recipients of the transferred personal data to which the binding corporate rules apply, the countries and territories to which the personal data may be transferred pursuant to the binding corporate rules, and the rights and obligations provided by the binding corporate rules; or
  4. any other legally binding instrument. 

An organization transferring personal data overseas is deemed to have complied with the requirement to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection comparable to that under the PDPA if:

  1.  The individual whose personal data is to be transferred consents to the transfer of his personal data, subject to certain conditions; 
  2. The transfer is necessary for the performance of a contract between the organization and the recipient; and 
  3. The transfer is essential for the conclusion or fulfillment of a contract entered into at the individual’s request or which a reasonable person would believe to be in the individual’s interest;
  4. The transfer is necessary for a use or disclosure in specific cases where the consent of the individual is not required under the PDPA, such as use or disclosure necessary to react to an emergency that threatens an individual’s life, health, or safety. In such cases, the organization may only transfer personal data if it has taken reasonable steps to ensure that the personal data will not be used or disclosed for other purposes by the recipient;
  5. The personal data is data in transit, or 
  6. The organization has obtained the consent of the individual.

Also Read: Guarding against common types of data breaches in Singapore

Scope of contractual clauses 

In establishing contractual clauses that oblige the receiver to comply with a standard of protection for the personal data transferred to him that is at least similar to the protection under the PDPA, a transferring organization shall, at a bare minimum, include the following protections: 

Source: Revised Advisory Guidelines on key concepts in the PDPA.

The preceding table represents the position under the PDPA that certain Data Protection Provisions are not applicable to the processing of personal data by a data intermediary on behalf of and for the purposes of another organization pursuant to a written contract. However, it is assumed that organizations employing such data intermediaries will have, as part of their processing contract, imposed responsibilities that assure protection in the relevant areas.

Data in transit 

The term “data in transit” is used to describe personally identifiable information that has been transferred through Singapore en route to a destination outside of Singapore but which has not been accessed, used, or disclosed by any organization (other than the transferring organization or an employee of the transferring organization acting in the course of his employment with the transferring organization) in Singapore. One type of data that is in transit is information that originates outside of Singapore but is ultimately destined for transmission to servers in Singapore. Companies that send personal information abroad are presumed to be in compliance with the Transfer Limitation Obligation while such information is in transit.

Organizations may not transfer personal data to a country or territory outside of Singapore unless it complies with requirements prescribed by the PDPA to ensure that organizations provide a comparable level of protection to personal data so transferred.

Breach of Transfer Limitation Obligation by Belden Singapore Pte Ltd

The recent decision that was released by the PDPC involving the Belden Singapore Pte Ltd underscores the importance of exercising the Transfer Limitation Obligation by the PDPA. After breaching such an Obligation, Belden was issued a warning by the PDPC.

In this case, the PDPC was notified on November 19 and 20, 2020, respectively, of a data breach incident in which an unauthorized third party gained access to Belden Group’s business servers and exfiltrated information, including personal data of the Organizations’ employees. The incident exposed the personal information of 126 people associated with Belden Singapore and 63 people associated with Grass Valley Singapore Pte Ltd.

The main Human Resources functions of Belden Singapore Pte Ltd are conducted by Belden Inc., which is headquartered in St Louis, Missouri, United States. With this, Belden Singapore transfers the personal data of its employees to Belden Inc. 

Thus, when Grass Valley entities were acquired by another company, formerly part of the global Belden Group, and which Grass Valley Singapore Pte Ltd is under, the personal data of Grass Valley Singapore’s employees were transferred to Belden Inc. and stored in Belden Inc.’s servers, as per the terms of the acquisition. 

While the PDPA does not generally apply to the Belden Singapore Pte Ltd on the basis of processing personal data in Singapore, it applies based on its failure to comply with the Transfer Limitation Obligation. Under this obligation, Organizations must ensure that the personal data transferred overseas is protected to a standard comparable with the Data Protection Provisions. This was executed by putting in place a binding intra-group contract called the Global Data Transfer Agreement (GDTA), which governs the terms on which the various Belden entities transfer personal data to each other.

However, the GDTA was not legally binding on Belden Singapore as it had not acceded to the GDTA. For Belden Singapore to be bound by the GDTA, it must have executed a Deed of Ascension, and this was the cause of the Transfer Limitation Obligation’s breach.

Although Belden Singapore Pte Ltd breached the Transfer Limitation Obligation by not signing a Deed of Accession prior to the incident, the Deputy Commissioner only decided to issue a warning considering that such breach was technical and the failure to oblige with the legal formalities was not substantive in nature.

What we can get from this case is the seriousness of the PDPC with regards to any legal formalities that are placed to protect the personal data of individuals. Without the signing of the Deed of Accession prior to the incident, there was no legally enforceable obligation to ensure that the personal data transferred from Singapore were afforded a level of protection comparable to that provided under the PDPA. 

This serves as a landmark case for future reference that prior to any transfer of personal data from Singapore, all formalities must be met to avoid any imposable fines. 

How a DPO value adds in this matter

Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of obligation breaches as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

DPOs complement the efforts of organizations in making sure that before the personal data is transferred outside Singapore, it has already complied with the PDPA, and the receiver has already set up a standard of protection for the personal data being transferred.

Also Read: What you need to know about appointing a Data Protection Officer in Singapore

0 Comments

Let us help you out.

Grab your free consultation NOW!

Privacy Ninja

Data Protection​

Cybersecurity

Support

Company

Locations

Singapore

7 Temasek Boulevard
#12-07, Suntec Tower One
Singapore 038987

Thailand

The Royal Place 1
2, 2/399 Mahatlek Luang 1 Alley, Lumphini, Pathum Wan, Bangkok 10330, Thailand



email-icon
Facebook Twitter Linkedin Youtube

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
TALK TO US
×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

× Chat with us