Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential for validating recipients located in other countries.
Employers who continuously comply with the Transfer Limitation Obligation in the Personal Data Protection Act 2012 (PDPA, Sec. 26) and the Personal Data Protection Regulations 2014 are allowed to transfer personal employee data outside of Singapore. The law requires that any transfers of personal data outside of Singapore follow the standards set by the Act, by taking appropriate steps to ensure compliance. The recipient of the employee data is also bound by ‘legally enforceable obligations’ to provide a standard of data protection that is at least equivalent to the PDPA. There is no requirement to notify or obtain approval from the Personal Data Protection Commission when transferring employee data internationally.
Data recipients can meet these 'legally enforceable obligations' through (Advisory Guidelines on Key Concepts in the PDPA, July 2017):
- any law;
- contracts which require the recipient to provide a comparable or higher level of data protection as the standard under the PDPA, and specify the countries/territories where the data may be transferred;
- binding corporate rules that require all data recipients to provide a comparable or higher level of data protection as the standard under the PDPA, and specify the countries/territories where the data may be transferred, the recipients, and the rights/obligations set by the rules; or
- other legally binding instruments.
Singapore’s personal data protection laws are compliant with the APEC Privacy Framework. Therefore, data transfers are allowed between Singapore and other APEC Privacy Framework members (including Australia, Chinese Taipei, Japan, the Republic of Korea, the USA, Canada and Mexico).
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside Singapore when a level of protection comparable to that under the PDPA can be ensured. Singapore employers who transfer personal employee data internationally to a related group of companies often use binding corporate rules. When transferring data to unrelated third parties (such as an accounting firm), employers often use data transfer agreements.