Privacy & Data Protection

Singapore: Joint Guide on ASEAN and EU Model Contractual Clauses

Latest developments

On 24 May 2023, the Association of Southeast Asian Nations (ASEAN) and the European Commission issued a Joint Guide to the ASEAN Model Contractual (MCCs) and EU Standard Contractual Clauses (SCCs) (Joint Guide).

The Joint Guide is intended to help companies that operate in ASEAN and the EU comply with requirements for cross-border transfers of personal data.

Summary

Both ASEAN and the EU have developed model contractual clauses as a tool that can be used by companies to enable cross-border data flows:

  • The ASEAN MCCs are a baseline set of contractual clauses that can be voluntarily adopted by companies as a means to lawfully transfer personal data across borders in ASEAN member states. The ASEAN MCCs are recognised by the Singapore PDPC as a means of fulfilling cross-border transfer requirements under the PDPA.

  • Similarly, the EU SCCs can be used voluntarily by companies as a basis for cross-border transfers of personal data under the EU’s General Data Protection Regulation (GDPR).

The Joint Guide comprises two parts. The first part (Reference Guide), which has been published, sets out a detailed comparison and relevant commentary on the similarities and differences between the ASEAN MCCs and EU SCCs, under three sections:

  • General: issues relevant to entering into and interpreting the MCCs/SCCs, including the incorporation of the MCCs/SCCs into broader contracts;

  • Obligations for Controller-to-Controller Transfers: issues relating to data protection safeguards, data subject rights, compliance, dispute resolution and termination; and

  • Obligations for Controller-to-Processor Transfers: similar issues as under the section on controller-to-controller transfers, but in the context of controller-to-processor transfers.

The second part to the Joint Guide (Implementation Guide) has yet to be published and is intended to set out best practices for companies to meet the requirements of both sets of contractual clauses.

How could it be relevant for you?

Companies with operations involving cross-border transfers of personal data in the ASEAN and EU regions can refer to the Joint Guide to facilitate their compliance with both regions’ data protection laws. That said, whilst the Joint Guide may serve as an aid to compliance, companies should still undertake appropriate reviews of their contractual terms and data processing activities to ensure compliance with relevant laws.

Next steps

The Implementation Guide has yet to be published. When published, it is expected to complement the Reference Guide by setting out best practices for companies undertaking EU-ASEAN cross-border data transfers, and may serve as an additional aid for companies to comply with relevant laws.

*Information is accurate up to 27 November 2023

 

Privacy & Data Protection - Explore further sections

Explore other chapters in the guide

Data as a key digital asset

Crypto assets

AI as a digital asset

Privacy & Data Protection

Cybersecurity

Digital Identity and Trust Services

Consumer