Online Data Processing Agreement

(“Customer”), (each of the Company and the Customer being a Party and together the Company and the Customer are the Parties. (“Parties”). 

WHEREAS

1. The Company acts as a Data Intermediary in processing the personal data you are about to provide as part of our service to you as our Customer.

2. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing with the Personal Data Protection Act (2012) (“Act”) and that Act as modified, consolidated and/or re-enacted from time to time; and any subordinate legislation made under that Act. 

3. Where relevant, this is Agreement is incorporated into any other contract hereafter referred to as the Principal Agreement signed between the Parties on any matter relating to the handling of personal data. 

4. The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

2. 1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

“Agreement” means this Data Processing Agreement and all Schedules.

“Data Intermediary” means the Company which processes Personal Data on behalf of another organisation but does not include an employee of that other organisation. It includes any entity acting as a contracted processor of the data intermediary. 

“Personal Data” means data, whether true or not, about an individual who can be identified: (a) from that data alone; or (b) from that data and other information which the Contractor has or is likely to have access.

“Derived Personal Data”—

1. means Personal Data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual, in the possession or under the control of the organisation; 
2. but does not include Personal Data derived by the organization using any prescribed means or method.

“Processing Personal Data” means any Personal Data processed by the Company or any Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement. 

“Data Protection Laws” means Personal Data Protection Act (2012) Singapore (“Act”). 

“Data Transfer” means:

3. a transfer of Customer Personal Data from the Customer to the Company. 

4. an onward transfer of Company Personal Data from the Company to a Contracted Processor in each case, where such transfer would be prohibited by the Act or by the terms of data transfer agreements put in place to address the data transfer restrictions of the Act.  

“Services” means the agreed services provided by the Company to the Customer under the Principal Agreement. 

“Contracted Processor” means any person appointed by or on behalf of Company to process the Personal Data for and on behalf of the Company in connection with this  Agreement. 

The terms, “Commission“, “Organization“, “Personal Data“, “Personal Data Breach“,  and “Processing” shall have the same meaning as in the Act, and their cognate terms shall be construed accordingly.

2. Process, Use and Disclosure of Customer’s Personal Data

1. 1. The Data Intermediary shall only process, use or disclose Customer   Personal Data strictly for the purposes of fulfilling its obligations and providing the services required under this Agreement with the Customer’s prior written consent, when required by law or an order of court, but shall notify the Customer as soon as practicable before complying with such law or order of court at its own costs and to comply with the applicable Act in the processing of Customer’s Personal Data. 

3. Data Intermediary Personnel

3. 2. The Data Intermediary shall take reasonable steps to ensure that any employee, agent, or a contracted processor who may have access to the Data Intermediary’s Personal Data is strictly limited to those individuals who is required to process the data under the Principal Agreement and all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4. 3. The Data Intermediary shall protect the Customer’s Personal Data under their control or possession by making reasonable security arrangements (including, where appropriate, physical, administrative, procedural, and information & communications technology measures) to prevent:

1. unauthorised or accidental access, collection, use, disclosure, copying, 

modification, disposal, or destruction of Customer personal data, or 

other similar risks; and

2. the loss of any storage medium or device on which Personal Datai s stored.  

5. Disclosure and Processing

5. 4. The Data Intermediary shall not disclose any Customer’s Personal Data to any contracted processor unless required or authorized by the Customer.

5. 5. The Data Intermediary shall:

1. promptly notify Customer if it receives a request from any party in respect of Customer’s Personal Data.

2. and ensure that it does not respond to that request except on the documented instructions of Customer or as required by the Act to which the Data Intermediary is subject to, in which case the Data Intermediary shall to the extent permitted by Act inform the Customer on the request.

6. Access to Personal Data

6.1 The Data Intermediary shall provide to the Customer with access to the Customer Personal Data that the Data Intermediary has in its possession or control, as soon as practicable upon Customer’s written request. The Data Intermediary  may impose a charge on this request from the Customer. The Data Intermediary is not required to process the request under the Act if the Customer refuses to pay the required charges.  

7. Accuracy and Correction of Personal Data. 

  7.1   Where the Customer provides any Personal Data to the Data Intermediary, the Customer shall make reasonable effort to ensure that the Customer Personal Data is accurate and complete before providing the same to the Data 

  Intermediary. 

  7.2. The Data Intermediary shall put in place adequate measures to ensure that the Customer Personal Data in its possession or control remain or is otherwise accurate and complete. In any case, the Contractor shall take steps to correct any errors in the Customer Personal Data, as soon as practicable upon the Customer’s written request.

8. Notifiable Data Breach 

8. 6. The Data Intermediary shall immediately notify the Customer when the Data Intermediary becomes aware of a breach under its obligations under the Act, and to provide the Customer with sufficient information to allow the Customer to meet any obligations including but not limited to informing the individual affected unless prohibited by the Commission.

8. 7. The Data Intermediary shall co-operate with the Customer and take reasonable steps as agreed upon between the Data Intermediary and the Customer to assist in the investigation, mitigation, and remediation of the notifiable data breach. 

9. Retention & Deletion of Customer Personal Data

9. 8. The Data Intermediary shall not retain Customer Personal Data or any documents or records containing Customer personal data, electronic or otherwise, for any period of time longer than is necessary to serve the purposes of this Agreement.

10. Data Transfer

10. 9. The Data Intermediary may not transfer or authorize the transfer of any Customer’s Personal Data to countries outside of Singapore unless the Customer’s Personal Data transferred outside Singapore will be protected at a standard that is comparable to that in Singapore. 

11. General Terms

1. 1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

1. disclosure is required by law;

2. the relevant information is already in the public domain.

2. 2. Notices. All notices and communications given under this Agreement must   be in writing and will be delivered personally, sent by post, or sent by electronic mail to the addresses set out in the heading of this Agreement or such other address as notified from time to time by the Parties changing address.

2. 3. Rights of Third Parties. A person who is not a party to this Agreement has no rights under the Contracts (Rights of Third Parties) Act, Chapter 53B of Singapore. 

12. Governing Law and Jurisdiction

1. 1. This Agreement shall be governed by, and construed in accordance with the laws of Singapore. In the event of any dispute arising out of or in connection with this Agreement, including any question regarding its existence, validity or termination, and the Parties are unable to resolve the dispute amicably, the dispute shall be submitted to the exclusive jurisdiction of the courts of Singapore.