Personal Data Protection in Singapore Series Part 3: Cross Border Data Transfers 新加坡个人数据保护系列(第三章):跨境数据传输
The Personal Data Protection Act 2012 (“PDPA”) restricts the ability of an organisation to transfer personal data to another organisation outside Singapore where it relinquishes possession or direct control over the personal data.
新加坡的《个人数据保护法2012》(”PDPA“)对有关机构(即数据输出机构)在放弃对个人数据的持有或直接控制权的情况下,将个人数据转移至新加坡境外的接收机构的行为进行了一定的法律约束。
Under the PDPA, an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA (i.e. to ensure that organisations provide a standard of protection to the personal data so transferred that is comparable to the protection under the PDPA).
新加坡的《个人数据保护法2012》规定,有关机构不可将任何个人数据传输至新加坡以外的国家或地区,除非该传输行为符合了《个人数据保护法2012》下规定的特定要求(即确保有关接收机构对所接收的个人数据提供与《个人数据保护法2012》同等标准的安全保障)。
The restriction on cross border data transfer set out in the PDPA is also referred to as the “Transfer Limitation Obligation”.
新加坡的《个人数据保护法2012》也称跨境数据传输的限制为“传输限制义务”。
Conditions for transfer of personal data overseas 将个人数据传输至新加坡境外的前提条件
The Personal Data Protection Regulations 2021 set out conditions under which an organisation may transfer data out of Singapore. An organisation may only transfer personal data overseas if it has taken appropriate steps to ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications to provide the transferred personal data a standard of protection that is comparable to that under the PDPA.
新加坡的《个人数据保护条例2021》规定,数据输出机构可以在符合一定前提条件的情况下将数据传输到新加坡以外的国家或地区。具体而言,数据输出机构只有在采取适当措施以确保海外接收机构有法定义务或者得到特定认证的约束以确保有关个人数据可以得到与《个人数据保护法2012》同等标准的安全保护的前提下,才可将有关个人数据传输到对应境外接收机构。
Legally enforceable obligations may be imposed on a recipient organisation under:
有以下情况存在时,接收机构可以被认为负有了法律上的对个人数据的安全保护义务:
- any law;
存在特别的法律规定; - any contract that imposes a standard of protection that is comparable to that under the PDPA, and which specifies the countries and territories to which the personal data may be transferred under the contract;
存在特定的契约规定,根据有关契约而有义务对接收的个人数据提供与《个人数据保护法2012》同等标准的安全保护,并在契约中特别明确了可将个人数据传输至具体的国家和地区。 - any binding corporate rules that require every recipient of the transferred personal data to provide a standard of protection for the transferred personal data that is comparable to that of the PDPA, and which specify:
- the recipients of the transferred personal data to which the binding corporate rules apply; (ii) the countries and territories to which the personal data may be transferred under the binding corporate rules; and (iii) the rights and obligations provided by the binding corporate rules; or
存在特定的公司数据保护政策,根据这些特定公司政策而使得接收人必须为收到的相关个人数据提供与《个人数据保护法2012》同等标准的安全保护,并且在这些特定的公司政策中特别规定如下内容:(i) 具体明确哪些接收人受到公司数据保护政策的约束;(ii) 具体明确有关个人数据可以被输出的特定国家和地区;和 (iii) 具体明确适用的特定权利和义务;或者 - any other legally binding instrument.
存在其他具有法律约束力的文件。
The recipient organisation is deemed to be bound by legally enforceable obligations if it holds a “specified certification” that is granted or recognised under the law of that country or territory to which the personal data is transferred. A “specified certification” includes certifications under the Asia Pacific Economic Cooperation Cross Border Privacy Rules (“APEC CPBR”) System and the Asia Pacific Economic Cooperation Privacy Recognition for Processes (“APEC PRP”) System. The recipient satisfies the requirements under the PDPA if: (a) it is receiving the personal data as an organisation and it holds a valid APEC CBPR certification, or (b) it is receiving the personal data as a data intermediary and it holds either a valid APEC PRP or CBPR certification, or both.
如果接收机构持有数据输入国依法认可或颁发的“特定认证”,那么该接收机构就被视为负有法定义务对输入个人数据提供对应安全保护。“特定认证“包括了亚太经济合作组织跨境隐私规则(”APEC CPBR“)系统的认证以及亚太经济合作组织流程隐私认可(”APEC PRP“)系统的认证。若符合以下情况,接收人将被认定为符合《个人数据保护法2012》的规定的适格接收人:(a)以机构的身份接收个人数据,且持有有效的 APEC CPBR 认证;或 (b)以数据接收中介机构的身份接收个人数据,并持有有效的 APEC PRP 或 CBPR 认证,或两者兼有。
Circumstances in which the Transfer Limitation Obligation is satisfied
传输限制义务得到履行的情况
A transferring organisation is deemed to have satisfied the Transfer Limitation Obligation in the following circumstances, where they are unable to rely on legally enforceable obligations or specified certifications:
若数据输出机构因为种种原因而无法依赖具有法律效力的义务或特定认证,那么该数据输出机构在以下情况发生时将被视为已履行了传输限制义务:
- the individual whose personal data is to be transferred gives his / her consent to the transfer of his / her personal data, after he / she has been informed about how the personal data will be protected in the destination country;
相关自然人在被告知其个人数据将被输出至目的地国家并获得保护的情况后,同意了其个人数据的境外传输; - the individual is deemed to have consented to the disclosure by the transferring obligation of the individual’s personal data where the transfer is reasonably necessary for the conclusion or performance of a contract between the organisation and the individual, including the transfer to a third party organisation;
根据有关自然人与数据持有机构达成的合同条款的规定,合理且有必要由数据持有机构将数据进行输出(包括输出至境外第三方中介机构)从而达到履行合同条款之目的,那么该自然人在这种情况下被视作已经同意了对应个人数据的输出; - the transfer is necessary for a use or disclosure that is in the vital interests of individuals or in the national interest, and the transferring organisation has taken reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose;
传输数据的行为是出于对相关自然人的切身利益或国家利益保护所必须的,且进行传输的机构已采取了合理措施以确保接收方不会将获得的个人数据进行滥用。 - the personal data is data in transit; or
个人数据本身就是在传输过程中的数据;或者 - the personal data is publicly available in Singapore.
个人数据可以在新加坡的公开渠道获得。
IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislations and other applicable guidelines. This memorandum is not to be transmitted to any other person nor is it to be relied upon by any other person or for any other purpose or quoted or referred to in any public document or filed with any governmental or other authorities without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC or you may direct the inquiry to our key contacts stated above.
重要提示:本备忘录仅用于参考,并不视作对本文所载事项的详尽或结论性的讨论,且不应被依赖作为替代明确的法律意见。应参考所适用的法规、有关附属法例、及其他适用的原则。未经本所书面同意,本备忘录不得向任何其他人传送,任何人也不得就任何目的依赖本备忘录,并于任何公共文件引述或专署,或提交给任何政府或有关当局。本备忘录仅限于新加坡的法律。本所就这份备忘录的发行,对较后时间日期发生的任何进展导致本备忘录所呈现的全部或部分不实或不准确的内容不承担任何义务。如果您想了解这些法律发展对您业务的影响或咨询意见,请随时与您智诚法律(新加坡)的联系人联系,或直接联系上述的主要联系人。