--- title: "Singapore PDPA Transfer Clauses" canonical_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/transfer-clauses" source_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/transfer-clauses" author: "Sorena AI" description: "Draft Singapore PDPA transfer clauses for overseas vendors, affiliates, data intermediaries, onward transfers, breach support, ASEAN MCCs, and APEC CBPR or PRP evidence." published_at: "2026-05-09" updated_at: "2026-05-17" keywords: - "Singapore PDPA transfer clauses" - "ASEAN MCCs" - "APEC CBPR" - "APEC PRP" - "data intermediary contract" - "cross-border data transfer" - "Singapore PDPA" - "Transfer clauses" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # Singapore PDPA Transfer Clauses Draft Singapore PDPA transfer clauses for overseas vendors, affiliates, data intermediaries, onward transfers, breach support, ASEAN MCCs, and APEC CBPR or PRP evidence. *Contract Guide* *Singapore PDPA* *Transfers* ## Singapore PDPA Transfer Clauses Use transfer clauses to show that personal data sent outside Singapore remains protected to a standard comparable with the PDPA. This page turns PDPC transfer guidance, ASEAN MCCs, APEC CBPR or PRP certification use, data-intermediary duties, and breach support into contract language and evidence records. Under the Singapore PDPA Transfer Limitation Obligation, an organisation should not treat a cross-border transfer clause as a generic confidentiality add-on. The contract or certification evidence has to address the recipient role, destination countries, comparable protection, onward transfers, breach support, retention or deletion, and the records that prove the transfer basis was checked before data moved. ## Start with the transfer basis the clause must support The first drafting choice is whether the recipient is an overseas organisation using the data for its own purposes, an overseas data intermediary processing on behalf of the Singapore organisation, or a related group company covered by binding corporate rules. That role determines the clause set and the evidence needed before the transfer starts. For ongoing vendor, affiliate, cloud, analytics, payroll, fulfilment, or support arrangements, use legally enforceable obligations or specified certifications as the primary transfer basis. PDPC guidance says these routes provide better accountability than relying on fallback circumstances where the organisation cannot rely on legally enforceable obligations or certifications. - Name the exporter, importer, recipient role, transfer purpose, data categories, systems, and destination countries or territories in the transfer schedule. - State that the recipient must provide a standard of protection for transferred personal data that is comparable to the PDPA. - Use a contract, binding corporate rules, another legally binding instrument, applicable law, or a valid specified certification as the enforceable basis. - If relying on consent for a transfer, keep the written summary given to the individual explaining the extent of comparable protection in the destination country or territory. Sources for this answer: - [Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Supports the rule that overseas transfers require comparable PDPA protection and identifies legally enforceable obligations, binding corporate rules, contracts, and specified certifications as transfer routes. - [Personal Data Protection Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S63-2021?ref=sorena.io) - Part 3 of the Regulations is the statutory source for overseas transfer requirements, legally enforceable obligations, and specified certifications. ## Use ASEAN MCCs when a model clause structure fits the transfer PDPC recognises and encourages ASEAN Model Contractual Clauses for fulfilling the PDPA Transfer Limitation Obligation. They are voluntary, so teams may use their own templates, but a custom template should still preserve the transfer safeguards needed under the PDPA and should not dilute the data protection obligations in the model terms. Choose the ASEAN MCC module by relationship. Use the controller-to-processor module where the importer processes only for the exporter or provides a related service. Use the controller-to-controller module where the importer receives the data for its own purposes or has full control after receipt. - Adapt the ASEAN MCC definition of data subject for Singapore so it covers persons living or deceased where relevant to PDPA scope. - Include a defined breach-notice timeframe between the parties instead of leaving notice timing open-ended. - Allocate who contacts affected individuals when a notifiable breach requires individual notification. - Check whether the optional addendum is needed for the commercial arrangement; PDPC guidance says it is not required under the PDPA for contracts dealing with data transfers. Sources for this answer: - [Guidance for Use of ASEAN Model Contractual Clauses for Cross Border Data Flows in Singapore](https://www.pdpc.gov.sg/help-and-resources/2021/01/asean-data-management-framework-and-model-contractual-clauses-on-cross-border-data-flows/-/media/files/pdpc/pdf-files/practical-guidance-provided-by-pdpc/singapore-guidance-for-use-of-asean-mccs---010921.pdf?ref=sorena.io) - PDPC Singapore guidance recognises ASEAN MCCs for the PDPA Transfer Limitation Obligation and recommends Singapore-specific amendments for deceased-person scope, breach timing, affected-individual contact responsibility, and optional addendum use. - [ASEAN Model Contractual Clauses for Cross Border Data Flows](https://asean.org/wp-content/uploads/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf?ref=sorena.io) - ASEAN MCCs provide controller-to-processor and controller-to-controller modules, baseline data protection obligations, and onward transfer controls. ## Handle APEC CBPR and PRP certifications precisely APEC certification can support a transfer only when the recipient role and certification type match. PDPC guidance treats a recipient organisation with valid APEC CBPR certification as bound by legally enforceable obligations. For a data intermediary, the recipient may rely on valid APEC PRP or CBPR certification, or both. The contract should still require certification maintenance and prompt notice of any certification-status change. Certification evidence should be checked before transfer and refreshed during the contract term, especially for high-volume or sensitive processing. - Use CBPR evidence when the overseas recipient receives personal data as an organisation rather than as the Singapore organisation's data intermediary. - Use PRP or CBPR evidence when the overseas recipient receives personal data as a data intermediary. - Do not rely on PRP alone for an overseas recipient acting as an independent organisation for its own purposes. - Keep the certification lookup, certificate scope, issuing economy or accountability agent, check date, and contract clause requiring continued certification. Sources for this answer: - [Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Supports the role-specific use of APEC CBPR for organisations and APEC PRP or CBPR for data intermediaries under the transfer limitation guidance. - [Sample Clause for Data Transfers to APEC CBPR and PRP Certified Organisations](https://www.pdpc.gov.sg/help-and-resources/2020/06/sample-clause-for-data-transfers-to-apec-cbpr-and-prp-certified-organisations?ref=sorena.io) - PDPC provides sample contract language requiring comparable protection, certification maintenance, and prompt notice of certification-status changes. ## Write onward transfer and data-intermediary controls into the contract A transfer clause should not stop at the first overseas recipient. For processors, the ASEAN MCCs require the importer to notify the exporter before further disclosure or transfer, give a reasonable opportunity to object, and bind third parties or data sub-processors to the importer obligations. For Singapore data-intermediary arrangements, PDPC's DI guidance expects written obligations, clear scope, subcontracting rules, comparable-protection controls for overseas locations, incident reporting without undue delay, audit rights, and exit handling. These terms are especially important where a local vendor uses overseas hosting, support teams, subprocessors, or analytics tools. - Prohibit unauthorised use or disclosure and restrict processing to the documented purpose and exporter instructions. - Require prior approval or written notice before subcontracting or onward transfer, and flow down the same processing obligations to approved subcontractors. - List approved countries, hosting regions, support locations, and sub-processors instead of relying on broad worldwide-transfer wording. - Reserve audit, independent report, or inspection rights proportionate to the volume, sensitivity, duration, and risk of the processing. Sources for this answer: - [ASEAN Model Contractual Clauses for Cross Border Data Flows](https://asean.org/wp-content/uploads/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf?ref=sorena.io) - Supports onward-transfer controls requiring exporter notice, opportunity to object, and third-party or sub-processor obligations aligned with the importer obligations. - [Guide to Managing Data Intermediaries](https://www.pdpc.gov.sg/help-and-resources/2020/09/guide-to-managing-data-intermediaries?ref=sorena.io) - PDPC DI guidance supports written contracts, subcontracting controls, overseas-transfer checks, breach reporting, audit rights, and return, destruction, deletion, or anonymisation at exit. ## Add breach support, exit handling, and evidence records Transfer clauses should make breach cooperation operational. Singapore guidance for ASEAN MCC use recommends party-to-party breach timing because the PDPA requires data intermediaries to notify the organisation without undue delay, while organisations notify PDPC as soon as practicable and no later than three calendar days after assessing a breach as notifiable. The evidence record should show the reviewer exactly why the transfer was approved and how the contract will work during an incident or exit. Keep the record beside the signed agreement so procurement, privacy, security, and incident response teams can act on the same terms. - Require the recipient to notify the exporter without undue delay of confirmed or suspected data incidents, abnormal access patterns, regulator inquiries, or onward-recipient breaches. - Require prompt cooperation on facts, affected data categories, containment, remediation, affected-individual support, regulator notices, and post-incident corrective actions. - At termination or processing completion, require return or approved cessation of retention, and written confirmation after return, destruction, deletion, or anonymisation. - Keep a transfer evidence pack: data-flow record, transfer basis, clause module or custom clause map, certification checks, subprocessor list, destination list, breach contact matrix, audit reports, exit checklist, and approval history. Sources for this answer: - [Guidance for Use of ASEAN Model Contractual Clauses for Cross Border Data Flows in Singapore](https://www.pdpc.gov.sg/help-and-resources/2021/01/asean-data-management-framework-and-model-contractual-clauses-on-cross-border-data-flows/-/media/files/pdpc/pdf-files/practical-guidance-provided-by-pdpc/singapore-guidance-for-use-of-asean-mccs---010921.pdf?ref=sorena.io) - Supports adding breach timing and affected-individual contact allocation when adapting ASEAN MCCs for Singapore PDPA compliance. - [Guide on Managing and Notifying Data Breaches under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - Supports incident-response records, notifiable breach assessment, PDPC notification timing, affected-individual communication, and remediation planning. - [ASEAN Model Contractual Clauses for Cross Border Data Flows](https://asean.org/wp-content/uploads/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf?ref=sorena.io) - Supports return or cessation of retention at the exporter's election and written confirmation when action has been taken. *Recommended next step* *Placement: after the transfer clause guidance* ## Turn Singapore PDPA transfer clauses into evidence-backed vendor work Use this transfer-clause guide to assign contract updates, certification checks, subprocessor reviews, breach-support terms, and evidence records before personal data leaves Singapore. - [Open Assessment Autopilot for Singapore PDPA](/solutions/assessment.md): Turn transfer clauses into scoped questions, vendor evidence fields, and review tasks. - [Review Singapore PDPA source evidence](/solutions/research-copilot.md): Use Research Copilot to check transfer basis, ASEAN MCC, CBPR, PRP, and breach-support evidence. - [Talk through implementation](/contact.md): Review transfer scope, vendor terms, evidence gaps, and next compliance actions with Sorena. ## Primary sources - [Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Primary PDPC guidance for the Transfer Limitation Obligation, comparable protection, legally enforceable obligations, APEC CBPR or PRP certifications, consent fallback, data in transit, and minimum contractual protections. - Quote: "standard of protection that is comparable to that under the PDPA" - [Personal Data Protection Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S63-2021?ref=sorena.io) - Statutory regulations covering Part 3 transfer requirements, legally enforceable obligations, and recipients holding specified certifications. - Quote: "TRANSFER OF PERSONAL DATA OUTSIDE SINGAPORE" - [Guidance for Use of ASEAN Model Contractual Clauses for Cross Border Data Flows in Singapore](https://www.pdpc.gov.sg/help-and-resources/2021/01/asean-data-management-framework-and-model-contractual-clauses-on-cross-border-data-flows/-/media/files/pdpc/pdf-files/practical-guidance-provided-by-pdpc/singapore-guidance-for-use-of-asean-mccs---010921.pdf?ref=sorena.io) - PDPC Singapore guidance for using ASEAN MCCs to satisfy the PDPA Transfer Limitation Obligation and adapting them for breach timing and affected-individual responsibility. - Quote: "recognises and encourages the use of the ASEAN MCCs" - [ASEAN Model Contractual Clauses for Cross Border Data Flows](https://asean.org/wp-content/uploads/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf?ref=sorena.io) - Model clauses supporting controller-to-processor and controller-to-controller transfer structures, baseline obligations, onward-transfer controls, breach notification, security, audit, and return or deletion terms. - Quote: "contractual terms and conditions that may be included in the binding legal agreements" - [Sample Clause for Data Transfers to APEC CBPR and PRP Certified Organisations](https://www.pdpc.gov.sg/help-and-resources/2020/06/sample-clause-for-data-transfers-to-apec-cbpr-and-prp-certified-organisations?ref=sorena.io) - PDPC sample language for transfers to APEC CBPR or PRP certified recipients, including comparable protection, continued certification, and certification-status change notice. - Quote: "bound by a legally enforceable set of obligations" - [Guide to Managing Data Intermediaries](https://www.pdpc.gov.sg/help-and-resources/2020/09/guide-to-managing-data-intermediaries?ref=sorena.io) - PDPC guidance for data-controller and data-intermediary contracts, including written responsibilities, subcontracting controls, overseas transfer protections, incident reporting, audit rights, and exit handling. - Quote: "binding contractual agreement that sets out the obligations and responsibilities" - [Guide on Managing and Notifying Data Breaches under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - PDPC breach guide supporting transfer-clause cooperation terms for incident escalation, assessment, PDPC notification, affected-individual notification, mitigation, and remediation. - Quote: "without undue delay" ## Related Topic Guides - [Singapore PDPA Anonymisation and DPIA Records](/artifacts/apac/singapore-pdpa/anonymisation-and-dpias.md): Build Singapore PDPA anonymisation and DPIA records around PDPC guidance: release model, re-identification risk, data flows, action plans, safeguards, and monitoring. - [Singapore PDPA anonymisation FAQ](/artifacts/apac/singapore-pdpa/faq/anonymisation.md): FAQ on anonymisation under the Singapore PDPA: de-identification, pseudonymisation, re-identification risk, when PDPA may no longer apply, and evidence records. - [Singapore PDPA Applicability Test](/artifacts/apac/singapore-pdpa/applicability-test.md): Test whether Singapore PDPA obligations apply by checking personal data, organisation role, data intermediary status, public agency and individual boundaries, and business contact information. - [Singapore PDPA Breach Notification Playbook](/artifacts/apac/singapore-pdpa/breach-notification-playbook.md): A grounded Singapore PDPA breach-notification playbook covering assessment, notifiable-breach thresholds, PDPC and affected-individual notification steps, roles, records, and citations. - [Singapore PDPA breach notification thresholds FAQ](/artifacts/apac/singapore-pdpa/faq/breach-thresholds.md): FAQ on Singapore PDPA notifiable data breach tests: significant harm, significant scale, 500 affected individuals, assessment timing, PDPC notices, and affected-individual notices. - [Singapore PDPA Breach Notification Workflow](/artifacts/apac/singapore-pdpa/breach-notification-workflow.md): A grounded Singapore PDPA workflow for containing a personal data breach, assessing notifiability, notifying PDPC or affected individuals, and retaining evidence. - [Singapore PDPA Compliance Checklist](/artifacts/apac/singapore-pdpa/checklist.md): A grounded Singapore PDPA checklist for scope, DPO accountability, consent, data intermediaries, breach notification, DNC checks, transfers, and evidence records. - [Singapore PDPA Compliance Guide](/artifacts/apac/singapore-pdpa/compliance.md): Build a Singapore PDPA compliance plan covering DPO accountability, consent and notification, protection, retention, access and correction, transfers, breach notification, and DNC checks. - [Singapore PDPA Consent and Deemed Consent Workflow](/artifacts/apac/singapore-pdpa/consent-and-deemed-consent-selection-workflow.md): Choose express consent, deemed consent by conduct, contractual necessity, notification, or the legitimate interests exception under Singapore PDPA with grounded intake fields and evidence records. - [Singapore PDPA Consent, Notification and Purpose Rules](/artifacts/apac/singapore-pdpa/consent-notification-and-purposes.md): How Singapore PDPA consent, notification, purpose limitation, deemed consent, withdrawal, and consent exceptions should be handled in product and privacy workflows. - [Singapore PDPA Cross-Border Transfers](/artifacts/apac/singapore-pdpa/cross-border-transfers.md): Grounded Singapore PDPA guidance for overseas personal data transfers, comparable protection, ASEAN MCCs, APEC certifications, vendor roles, and evidence records. - [Singapore PDPA Data Breach Notification Thresholds](/artifacts/apac/singapore-pdpa/breach-notification-thresholds.md): Grounded Singapore PDPA breach notification thresholds covering significant harm, the 500-individual significant-scale test, assessment records, and notification timing. - [Singapore PDPA Data Intermediaries FAQ](/artifacts/apac/singapore-pdpa/faq/data-intermediaries.md): FAQ guidance on Singapore PDPA data intermediary roles, direct obligations, organisation accountability, contracts, retention, protection, and breach escalation. - [Singapore PDPA Data Intermediary Responsibilities](/artifacts/apac/singapore-pdpa/data-intermediary-responsibilities.md): Practical Singapore PDPA guide to data intermediary role boundaries, organisation accountability, protection, retention, breach escalation, and contract evidence. - [Singapore PDPA Deadlines and Compliance Calendar](/artifacts/apac/singapore-pdpa/deadlines-and-compliance-calendar.md): A grounded Singapore PDPA compliance calendar for breach notification, DNC checks, access and correction requests, retention reviews, and DPMP maintenance. - [Singapore PDPA Deemed Consent and Legitimate Interests](/artifacts/apac/singapore-pdpa/deemed-consent-and-legitimate-interests.md): How to apply Singapore PDPA deemed consent by conduct, contractual necessity, notification, and legitimate interests with opt-out, adverse-effect, disclosure, and assessment records. - [Singapore PDPA Deemed Consent FAQ](/artifacts/apac/singapore-pdpa/faq/deemed-consent.md): FAQ on Singapore PDPA deemed consent by conduct, contractual necessity, notification, opt-out periods, adverse-effect assessment, withdrawal, and direct-marketing limits. - [Singapore PDPA DNC and Marketing Messages Guide](/artifacts/apac/singapore-pdpa/dnc-and-marketing-messages.md): A grounded Singapore PDPA guide to DNC checks, specified marketing messages, Singapore telephone numbers, consent evidence, opt-outs, sender duties, and excluded messages. - [Singapore PDPA DNC checking FAQ: when to check the DNC Registry](/artifacts/apac/singapore-pdpa/faq/dnc-checking.md): FAQ guidance on Singapore PDPA DNC checking: when to check the DNC Registry, which registers apply, 8-digit numbers, 21-day result validity, consent evidence, on-behalf checks, opt-outs, and supported exclusions. - [Singapore PDPA DNC Marketing Checks](/artifacts/apac/singapore-pdpa/dnc-marketing-checks.md): Operational checklist for Singapore PDPA DNC marketing checks: account evidence, register status, 21-day result validity, consent evidence, and campaign owner records. - [Singapore PDPA DNC Marketing Workflow](/artifacts/apac/singapore-pdpa/dnc-marketing-workflow.md): Workflow for Singapore PDPA DNC marketing campaigns: classify specified messages, check Singapore telephone numbers, document consent, suppress opt-outs, and approve sends. - [Singapore PDPA DPIAs: when to run and what to document](/artifacts/apac/singapore-pdpa/faq/dpias.md): FAQ-style implementation guidance on Singapore PDPA DPIAs, including when PDPC guidance recommends them, data-flow mapping, risk treatment, DPO review, and evidence records. - [Singapore PDPA DPMP Accountability FAQ | DPO, Policies, Evidence](/artifacts/apac/singapore-pdpa/faq/dpmp-accountability.md): FAQ for implementing Singapore PDPA accountability through a DPMP: DPO designation, policies, evidence, training, monitoring, incident logs, and review records. - [Singapore PDPA DPMP Accountability Guide](/artifacts/apac/singapore-pdpa/dpmp-accountability.md): Build a Singapore PDPA Data Protection Management Programme with DPO ownership, policies, data inventories, DPIAs, training, monitoring, breach logs, and review records. - [Singapore PDPA FAQ: scope, DPO, consent, breaches and DNC](/artifacts/apac/singapore-pdpa/faq.md): FAQ answers for Singapore PDPA implementation, covering scope, accountability, consent, access and correction, security, retention, transfers, data intermediaries, breach notification, and DNC checks. - [Singapore PDPA legitimate interests FAQ](/artifacts/apac/singapore-pdpa/faq/legitimate-interests.md): FAQ guidance on Singapore PDPA legitimate interests: assessment fields, adverse effects, mitigation, balancing, disclosure, records, and marketing limits. - [Singapore PDPA NRIC Handling FAQ](/artifacts/apac/singapore-pdpa/faq/nric-handling.md): FAQ guidance on when Singapore organisations may collect, use, disclose, retain, mask, or replace NRIC and other national identification numbers under PDPC guidance. - [Singapore PDPA NRIC Handling Rules](/artifacts/apac/singapore-pdpa/nric-handling.md): When Singapore organisations may collect, use, disclose, retain, mask, or replace NRIC numbers under PDPC guidance. - [Singapore PDPA Penalties and Enforcement Cases](/artifacts/apac/singapore-pdpa/pdpa-penalties-and-enforcement-cases.md): How PDPC enforcement under Singapore's PDPA works: directions, voluntary undertakings, published decisions, financial penalty caps, and implementation lessons from cases. - [Singapore PDPA Penalties and Fines](/artifacts/apac/singapore-pdpa/penalties-and-fines.md): Singapore PDPA penalty ceilings, PDPC directions, undertakings, breach notification context, and practical controls grounded in official PDPC and Singapore Statutes sources. - [Singapore PDPA Privacy Policy Template](/artifacts/apac/singapore-pdpa/pdpa-privacy-policy-template.md): A Singapore PDPA privacy policy template for writing notices, DPO contact details, access and correction routes, retention, transfers, protection, withdrawal, and complaint handling without overclaiming compliance. - [Singapore PDPA Requirements: Core Obligations](/artifacts/apac/singapore-pdpa/requirements.md): Map Singapore PDPA obligations across consent, notification, access, security, retention, transfers, accountability, breaches, DNC checks, and data intermediaries. - [Singapore PDPA Scope, Exclusions, and Data Intermediaries](/artifacts/apac/singapore-pdpa/scope-exclusions-and-data-intermediaries.md): Classify Singapore PDPA coverage, business contact information, personal or domestic activity, employee acts, and data intermediary obligations with grounded implementation records. - [Singapore PDPA Transfer Assessment Workflow](/artifacts/apac/singapore-pdpa/transfer-assessment-workflow.md): A Singapore PDPA workflow for assessing overseas personal data transfers, comparable protection, ASEAN MCCs, APEC CBPR/PRP certifications, vendor due diligence, onward transfers, and evidence records. - [Singapore PDPA transfer clauses FAQ](/artifacts/apac/singapore-pdpa/faq/transfer-clauses.md): FAQ guidance on Singapore PDPA transfer clauses, comparable protection, ASEAN MCCs, APEC CBPR and PRP certifications, onward transfers, and evidence records. - [Singapore PDPA Vendor Outsourcing and Contracts](/artifacts/apac/singapore-pdpa/vendor-outsourcing-and-contracts.md): Contract and operating checklist for Singapore PDPA vendor outsourcing: data intermediary status, written terms, security, retention, breach, transfers, sub-contracting, and exit evidence. - [Singapore PDPA vs GDPR Comparison](/artifacts/apac/singapore-pdpa/singapore-pdpa-vs-gdpr.md): Compare Singapore PDPA and GDPR implementation work across consent, DPO accountability, processors, transfers, breach notification, DNC marketing, rights, retention, and penalties. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/apac/singapore-pdpa/transfer-clauses