---
title: "Singapore PDPA Data Intermediary Responsibilities"
canonical_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/data-intermediary-responsibilities"
source_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/data-intermediary-responsibilities"
author: "Sorena AI"
description: "Practical Singapore PDPA guide to data intermediary role boundaries, organisation accountability, protection, retention, breach escalation, and contract evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Singapore PDPA"
  - "data intermediary"
  - "data processor"
  - "Protection Obligation"
  - "Retention Limitation"
  - "breach notification"
  - "Data intermediaries"
  - "Data breach notification"
---

# Singapore PDPA Data Intermediary Responsibilities

Practical Singapore PDPA guide to data intermediary role boundaries, organisation accountability, protection, retention, breach escalation, and contract evidence.


Use this page to separate organisation and data intermediary responsibilities under the Singapore PDPA when personal data is processed for another organisation under a written or evidenced contract.

The practical focus is role classification, protection and retention duties, organisation accountability, breach escalation to the organisation, contract terms, and evidence records.

Under the Singapore PDPA, a data intermediary processes personal data on behalf of another organisation and for that organisation's purposes. For that processing, the intermediary has narrower direct PDPA duties than the organisation, but those duties still need clear contracts, operational controls, incident reporting, and exit records.

## Classify the data intermediary role before assigning PDPA duties

Start with the processing activity, not the vendor label. A supplier, affiliate, cloud provider, print house, courier, payroll provider, or support vendor may be a data intermediary for one activity if it processes personal data on behalf of and for the purposes of another organisation.

The boundary changes if the supplier uses or discloses the personal data outside the remit granted by the organisation. In that case, the supplier is no longer acting only as a data intermediary for that use or disclosure and may have to comply with the full set of Data Protection Provisions for that activity.

- Record the organisation that determines the purpose of the processing and the data intermediary that performs the processing.
- Describe the personal data, systems, locations, operations, and processing purpose covered by the intermediary role.
- Separate mixed roles: the same company can be a data intermediary for customer processing and an organisation for its own employee or business data.
- Do not treat the contract label as conclusive if the actual processing shows that the supplier is acting on behalf of another organisation.

Sources for this answer:

- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-17-May-2022.pdf?ref=sorena.io) - Supports the role test for data intermediaries, mixed-role scenarios, and the point that using data beyond the contracted processing can shift the supplier into organisation obligations.
- [PDPC Guide to Managing Data Intermediaries](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Intermediaries--2020.pdf?ref=sorena.io) - Supports classifying the outsourced processing scope and using the data intermediary management lifecycle for governance, policies, service management, and exit management.

## Keep organisation accountability separate from intermediary obligations

For processing performed on behalf of and for the purposes of an organisation under a written or evidenced contract, the data intermediary is directly subject to the Protection Obligation, the Retention Limitation Obligation, and the duty to notify the organisation of data breaches.

The organisation remains accountable for personal data processed on its behalf as if it processed the data itself. That means the organisation should perform due diligence, define the outsourced processing scope, approve security and retention requirements, and supervise the intermediary through reports, meetings, audits, or inspections where proportionate.

- Organisation owner: approve the business purpose, processing scope, risk assessment, security requirements, retention outcome, overseas-transfer expectations, and breach escalation route.
- Data intermediary owner: implement the approved protection, retention, reporting, monitoring, staff briefing, and incident-response procedures for the contracted processing.
- Shared review record: keep contract terms, schedules, SOPs, management reports, incident logs, audit findings, remediation records, and exit evidence in one vendor file.
- Escalation record: document unresolved role, transfer, subcontractor, or retention questions before production processing begins.

Sources for this answer:

- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-17-May-2022.pdf?ref=sorena.io) - Supports the organisation's continuing PDPA responsibility for personal data processed by a data intermediary on its behalf and for its purposes.
- [PDPC Guide to Managing Data Intermediaries](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Intermediaries--2020.pdf?ref=sorena.io) - Supports practical accountability measures including governance, risk assessment, due diligence, service management, audits, inspections, and exit management.

## Build contracts and SOPs around protection, retention, and breach escalation

The contract or written evidence should make the intermediary's obligations reviewable. At minimum, the record should identify the processing scope, prohibited uses, required protection measures, subcontracting limits or approval rules, incident and abnormality reporting, overseas-transfer controls where relevant, and return, deletion, destruction, or anonymisation at exit.

Operational procedures should make the contract executable. For higher-risk or larger processing, document onboarding, training, management reporting, regular review meetings, proactive monitoring, audit rights, on-site inspection rights, incident investigation, and tested breach response steps.

- Protection controls: define technical and operational measures such as access controls, secure transfer, patching, vulnerability testing, monitoring, and evidence of remediation where they are relevant to the processing.
- Retention controls: define when processing ends, what must be returned, deleted, destroyed, or anonymised, who verifies completion, and what exit evidence is handed back.
- Breach escalation: require the intermediary to notify the organisation without undue delay once it has credible grounds to believe a data breach has occurred.
- Subcontracting controls: require approval or equivalent flow-down obligations when subcontractors process personal data for the intermediary.

Sources for this answer:

- [PDPC Guide to Managing Data Intermediaries](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Intermediaries--2020.pdf?ref=sorena.io) - Supports contract evidence, operational SOPs, incident reporting without undue delay, monitoring, audits, inspections, and exit management for data intermediary relationships.
- [PDPC Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data](https://www.pdpc.gov.sg/help-and-resources/2017/10/guide-on-data-protection-clauses-for-agreements-relating-to-the-processing-of-personal-data?ref=sorena.io) - Supports using adapted service-agreement clauses when engaging another organisation to provide services involving personal data processing.
- [PDPC Guide on Managing and Notifying Data Breaches Under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - Supports keeping data breach management and notification procedures ready so the organisation can assess and handle notifiable breaches after intermediary escalation.

## Use owner records that match PDPC-supported controls

Keep owner records practical and limited to the controls the PDPC guidance supports. The record should prove that the organisation scoped the outsourcing, selected a capable intermediary, put written obligations in place, monitored performance, handled incidents, and completed exit actions.

For the intermediary, the record should prove that it implemented the agreed procedures for the organisation's processing rather than reusing the data for its own purposes. Keep proof close to the control: security test results with protection measures, incident timestamps with breach escalation, and deletion or anonymisation evidence with retention controls.

- Role record: organisation, intermediary, contracted processing purpose, data categories, systems, locations, subcontractors, and prohibited uses.
- Contract record: signed contract or written key terms, schedules, technical standards if used, SOPs, reporting format, audit rights, and exit obligations.
- Service record: onboarding notes, training scope, regular management reports, monitoring outputs, meeting decisions, audit or inspection findings, and remediation evidence.
- Incident and exit record: first credible breach grounds, notice to the organisation without undue delay, containment steps, organisation assessment handoff, return or deletion evidence, and exit check results.

Sources for this answer:

- [PDPC Guide to Managing Data Intermediaries](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Intermediaries--2020.pdf?ref=sorena.io) - Supports owner records for governance and risk assessment, policies and practices, service management, incident reporting, monitoring, audits, and exit checks.
- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-17-May-2022.pdf?ref=sorena.io) - Supports keeping records that distinguish intermediary processing from activities where the supplier determines its own purposes and must meet broader PDPA obligations.


## Primary sources

- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-17-May-2022.pdf?ref=sorena.io) - Primary PDPC source for the definition of a data intermediary, the limited direct obligations for contracted intermediary processing, organisation accountability, overseas-transfer accountability, and breach notice to the organisation without undue delay.
  - Quote: "notifying the organisation of data breaches"
- [PDPC Guide to Managing Data Intermediaries](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Intermediaries--2020.pdf?ref=sorena.io) - Primary PDPC implementation source for governance, risk assessment, contracts, SOPs, service management, incident reporting, monitoring, audits, inspections, and exit management for data intermediary relationships.
  - Quote: "processing personal data on behalf of a DC pursuant to a contract"
- [PDPC Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data](https://www.pdpc.gov.sg/help-and-resources/2017/10/guide-on-data-protection-clauses-for-agreements-relating-to-the-processing-of-personal-data?ref=sorena.io) - PDPC source for using adapted service-agreement clauses when an organisation engages another organisation to process personal data.
  - Quote: "adapted to suit the organisation's particular circumstances and needs"
- [PDPC Guide on Managing and Notifying Data Breaches Under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - PDPC source for the organisation-side breach management and notification process that should receive and assess intermediary incident escalations.
  - Quote: "criteria, timelines and information to be provided when notifying the PDPC and affected individuals"




Source: https://www.sorena.io/artifacts/apac/singapore-pdpa/data-intermediary-responsibilities
