Employee Data Privacy

Singapore - Cross-Border Data Transfer

 Download as a PDF

Are there any restrictions on transferring personal data and how can these be overcome?

Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations.

Employers who continuously comply with the Transfer Limitation Obligation in the Personal Data Protection Act 2012 (PDPA, Sec. 26) and the Personal Data Protection Regulations 2014, are allowed to transfer personal employee data outside of Singapore. The law requires that any transfers of personal data outside of Singapore follow the standards set by the Act, by taking appropriate steps to ensure compliance. The recipient of the employee data is also bound by ‘legally enforceable obligations’ to provide a standard of data protection that is at least equivalent to the PDPA. There is no requirement to notify or obtain approval from the Personal Data Protection Commission when transferring employee data internationally.

Recipients of data protection can meet these 'legally enforceable obligations' through (Advisory Guidelines on Key Concepts in the PDPA, July 2017):

  • any law;
  • contracts which require the recipient to provide a comparable or higher level of data protection as the standard under the PDPA and, specify the countries/territories where the data may be transferred;
  • binding corporate rules that: require all data recipients to provide a comparable or higher level of data protection as the standard under the PDPA; and, specify the countries/territories where the data may be transferred, the recipients, and the rights/obligations set by the rules; or,
  • other legally binding instruments.

Singapore’s personal data protection laws are compliant with the APEC Privacy Framework. Therefore, data transfers are allowed between Singapore and other APEC Privacy Framework members (including Australia, Chinese Taipei, Japan, the Republic of Korea, the USA, Canada and Mexico). 

 

HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside Singapore when a level of protection comparable to those under the PDPA can be ensured. Singapore employers who transfer personal employee data internationally to a related group of companies often use binding corporate rules. When transferring data to unrelated third parties (such as an accounting firm), employers often use data transfer agreements.

Ultimate Software's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where Ultimate Software's customers have employees. HR Compliance Assist is a service exclusively available to Ultimate Software customers.

Share Your Feedback

Let's Talk