Icons to convey information quickly
The following icons are used in the table, to clarify the impact of each change:
Issue
General prohibition on transfers
Cross-Border Data Transfers are
prohibited, unless certain
conditions are met.
Commission Adequacy Decisions
Cross-Border Data Transfers to a
recipient in a third country may
take place, without a need to
obtain any further authorisation, if
the Commission has decided that
such third country ensures an
adequate level of data protection
(an "Adequate Jurisdiction"). The
basis for this principle is that such
jurisdictions provide sufficient
The Directive
Rec.56-57; Art.25, Art.26(1)-(2)
Cross-Border Data Transfers were,
without prejudice to compliance
with national law, prohibited,
unless the transfer was made to an
Adequate Jurisdiction (see below)
or the data exporter had
implemented a lawful data transfer
mechanism (or an exemption or
derogation applied).
Rec.56-57; Art.25(1)-(6), 31(2)
Cross-Border Data Transfers to a
recipient in a third country could
take place if the third country
ensured an adequate level of data
protection. Adequacy was assessed
in the light of all circumstances
surrounding the transfer, in
particular:
 the nature of personal
The GDPR
 Rec.101-116; Art.44, 45
Cross-Border Data Transfers may
only take place if the transfer is
made to an Adequate Jurisdiction
(see below) or the data exporter
has implemented a lawful data
transfer mechanism (or an
exemption or derogation applies).
 Rec.103-107; Art.44, 45
Cross-Border Data Transfers to a
recipient in a third country may
take place if the third country
receives an Adequacy Decision
from the Commission. Factors that
may affect an Adequacy Decision
include, inter alia:
 the rule of law and legal
protections for human
protection for the rights and
freedoms of data subjects without
the need for further safeguards.
The current list of Adequate
Jurisdictions is: Andorra,
Argentina, Canada (for
organisations that are subject to
Canada's PIPEDA law),
Switzerland, the Faeroe Islands,
Guernsey, Israel, Isle of Man,
Jersey, New Zealand, and
Uruguay. Following the decision
in Schrems II, the EU-US Privacy
Shield is no longer deemed
adequate. It remains to be seen
whether the European Commission
and the US government will
negotiate a replacement
mechanism.
Review of Adequacy Decisions
As illustrated by
the Schrems decision, it is always
possible that conditions in an
Adequate Jurisdiction may change,
and that jurisdiction may no longer
provide adequate protection.
Therefore, the Commission's
data;
 the purpose and
duration of processing;
 country of origin and
country of final
destination;
 the rule of law; and
 professional rules and
security measures.
The Commission could determine
third countries to be Adequate
Jurisdictions.
N/A
The Directive did not directly
address the need to review
Adequacy Decisions. The CJEU
in Schrems determined that DPAs
can examine claims that an
Adequacy Decision provides
insufficient protection for
rights and fundamental
freedoms;
 access to transferred
data by public
authorities;
 existence and effective
functioning of DPAs;
and
 international
commitments and other
obligations in relation to
the protection of
personal data.
The Commission may declare third
countries (or a territory, a specified
sector, or an international
organisation) to be Adequate
Jurisdictions.
 Rec.106-107; Art.45(3)-
(5), 93(2)-(3)
Adequacy Decisions are subject to
a periodic review, at least every
four years, taking into account all
relevant developments. The
Commission can repeal, amend or
suspend Adequacy Decisions for
Adequacy Decisions may need to
be reviewed from time to time.
Agreements between public
authorities
Public sector Cross-Border Data
Transfers may take place on the
basis of agreements between a
public authority in the EU and a
public authority in a third country,
without requiring a specific
authorisation from a DPA.
Binding Corporate Rules
Cross-Border Data Transfer within
a corporate group may take place
on the basis of Binding Corporate
Rules ("BCRs"). The BCRs
require approval from DPAs, but
once such approval is obtained,
individual transfers made under
the BCRs do not require further
approval.
transferred personal data.
N/A
The Directive did not specifically
provide for binding agreements
between public authorities or
bodies as a legal basis for Cross-
Border Data Transfers.
Art.26(2)
The Directive did not specifically
address BCRs. However, it
permitted Member States to
authorise data transfers where the
controller has adduced adequate
protections for the transferred data.
BCRs being one such measure.
Much of the guidance on the
requirements for BCRs under the
Directive comes from WP29
working papers (see, in particular,
working papers 74, 107, 108, 133,
jurisdictions no longer ensuring an
adequate level of data
protection (without retroactive
effect).
 Rec.108; Art.46(2)(a), (3)(b)
Cross-Border Data Transfers
between public authorities may
take place on the basis
of agreements between public
authorities, which do not require
any specific authorisation from a
DPA. The public authorities
must ensure compliance with
GDPR requirements.
 Rec.108, 110; Art.4(20) 46(2)
(b), 47; WP29 BCR Guidance
(WP256, WP257)
The GDPR directly addresses the
concept of BCRs. The competent
DPA will approve BCRs as an
appropriate mechanism for Cross-
Border Data Transfers within a
corporate group (including to
members of that group that are
established in third countries). If
the BCRs meet the requirements
set out in the GDPR, they will be

Content of BCRs
Although the language of BCRs
can be drafted by the parties, that
language must cover certain
specified topics, and satisfy the
requirements of EU data protection
law, before the BCRs can be
approved by DPAs.
153, 154, 155, 195, 195a, 204 and
212) and from guidance issued by
DPAs in certain Member States.
N/A
The Directive did not specify
requirements for the content of
BCRs. The WP29 working papers
noted above set out guidance on
the content of BCRs. Certain
general principles (e.g., the
requirement to make the BCRs
binding upon the members of the
relevant corporate group) applied
uniformly in all Member States.
However, a number of other
requirements were interpreted
inconsistently from one DPA to
another.
approved, and no further DPA
approval will be required for
transfers of personal data made
under the BCRs.
 Rec.108, 110; Art.47(1)-
(3); WP29 BCR Guidance
(WP256, WP257)
BCRs must include a mechanism
to make the BCRs legally binding
on group companies. Among other
things, the BCRs must:
 specify the purposes of
the transfer and affected
categories of data;
 reflect the requirements
of the GDPR;
 confirm that the EU-
based data exporters
accept liability on
behalf of the entire
group;
 explain complaint
procedures; and
 provide mechanisms for
ensuring
compliance (e.g.,

Approval of BCRs
Unlike Model Clauses (which are
discussed below), the content of
BCRs can be drafted to suit the
needs and circumstances of the
organisation (provided that they
also satisfy the requirements of EU
data protection law). Consequently
(also unlike Model Clauses) BCRs
are not deemed to be pre-
approved. Instead, BCRs always
require prior approval from DPAs.
Model Clauses
Cross-Border Data Transfers may
take place on the basis of standard
data protection clauses approved
by the Commission ("Model
Clauses").
N/A
The Directive did not discuss the
requirements for approval of
BCRs. A mutual recognition
procedure applied in 21 Member
States, and provided that the
applicant must appoint a lead DPA
to review the application for
BCRs. Once the lead DPA
approved the BCRs, that approval
was recognised by those 21
Member States. However, for the
remaining seven Member States,
separate applications were
required.
Rec.59-60; Art.26(2)-(4), 31(2)
Member States could authorise a
Cross-Border Data Transfer where
the controller adduced adequate
safeguards in the form of Model
Clauses. Under the Directive,
several Member States required
DPA notification or authorisation
(or both) before Model Clauses
could be used.
audits).
 Rec.108, 110; Art.47(1), 57(1)
(s) WP29 BCR Guidance (WP256,
WP257)
The competent DPA must approve
BCRs that fulfil the criteria set out
in the GDPR. Where the BCRs are
intended to cover data transfers
from multiple Member States, the
Consistency Mechanism applies
(see Chapter 15).
 Rec.81, 108-109; Art.28(6)-(8),
46(2)(c), 57(1)(j), (r), 93(2)
Cross-Border Data Transfers are
permitted if the controller or
processor adduces appropriate
safeguards in the form of Model
Clauses. These do not require any
further authorisation from a DPA.
The Commission may create new
types of Model Clauses.
DPA Clauses
Cross-Border Data Transfers may
take place on the basis of standard
data protection clauses adopted by
one or more DPAs, in accordance
with the GDPR ("DPA Clauses").
Codes of Conduct
A Cross-Border Data Transfer may
take place on the basis of approved
Codes of Conduct.
N/A
The Directive did not provide for
DPA Clauses as an adequate
safeguard for Cross-Border Data
Transfers.
Rec.61; Art.27
The Directive encouraged the
drawing up of Codes of Conduct.
However, it did not specifically
permit Cross- Border Data
Transfers to be made on the basis
of a Code of Conduct.
 Rec.108-109; Art.46(2)(d),
64(1)(d), 57(1)(j), (r), 93(2)
A Cross-Border Data Transfer may
take place on the basis of DPA
Clauses, which offer a national
alternative to the Commission-
approved Model
Clauses. Transfers made on the
basis of DPA Clauses do not
require further DPA approval.
DPA Clauses may be included in a
wider contract (e.g., from one
processor to another), provided the
original wording of the authorised
DPA Clauses is not contradicted
(directly or indirectly).
 Rec.108; Art.40, 41, 46(2)(e)
A Cross-Border Data Transfer may
take place on the basis of an
approved Code of Conduct,
together with binding and
enforceable commitments to
provide appropriate safeguards.
Transfers made on this basis do
not require DPA approval
Certification
A Cross-Border Data Transfer may
take place on the basis of
certifications..
Ad hoc clauses
A Cross-Border Data Transfer may
take place on the basis of contracts
negotiated between the data
exporter and the data importer ("ad
hoc clauses"), subject to approval
from the competent DPA.
Administrative arrangements
A Cross-Border Data Transfer may
take place on the basis of
administrative arrangements made
N/A
The Directive did not provide for
certifications as a mechanism for
Cross-Border Data Transfers.
Rec.59-60; Art.26(2)-(3), 31(2)
A Cross-Border Data Transfer
could take place on the basis of ad
hoc clauses between the data
exporter and data importer. These
clauses had to conform to the
requirements of the national laws
of the relevant Member State, and
required approval from the
relevant DPA, before transfers
could begin.
N/A
The Directive did not provide for
administrative arrangements as a
legal basis for Cross-Border Data
 Rec.108; Art.42, 43, 46(2)(f)
A Cross-Border Data Transfer may
take place on the basis of
certifications together with binding
and enforceable commitments of
the data importer to apply the
certification to the transferred data.
Transfers made on this basis do
not require DPA approval
 Rec.108; Art.46(3)(a), (4), 63
A Cross-Border Data Transfer may
take place on the basis of ad hoc
clauses. These clauses must
conform to the requirements of the
GDPR, and must be approved by
the relevant DPA subject to the
Consistency Mechanism, before
transfers can begin.
 Rec.108; Art.46(3)(b), (4), 63
Cross-Border Data Transfers may
take place on the basis of
administrative arrangements
by the data exporter, subject to the
authorisation from the competent
DPA.
Third country judgments and
decisions
Third country court judgments, or
administrative authority decisions,
are recognised as a legal basis for a
Cross-Border Data Transfer only if
the transfer is subject to
appropriate international
agreements.
Consent
A Cross-Border Data Transfer may
be made on the basis of the
Transfers.
N/A
The Directive did not directly
mention third country court
judgments or administrative
authority decisions as a lawful data
transfer mechanism.
Rec.58; Art.26(1)(a)
A Cross-Border Data Transfer
could be made on the basis of the
between public authorities (e.g., a
Memorandum of
Understanding), which include
adequate protection for the rights
of data subjects. Transfers made
on this basis require DPA
approval.
 Rec.115; Art.48
A judgment from a third country,
requiring a Cross- Border Data
Transfer, only provides a legal
basis for such a transfer if the
transfer is based on an appropriate
international agreement, such as a
Mutual Legal Assistance
Treaty. However, this is without
prejudice to other grounds for a
transfer.
 Rec.111; Art.49(1)(a), (3)
A Cross-Border Data Transfer may
be made on the basis that the data
consent of the data subject. Further
commentary on consent is
provided on Chapter 8.
Contracts between a data subject
and a controller
A Cross-Border Data Transfer may
be made on the basis that it is
necessary for the purposes of
performing or implementing a
contract between the data subject
and the controller.
Contracts that are in the data
subject's interest
A Cross-Border Data Transfer may
data subject's unambiguous
consent. Any such transfers could
only be carried out in full
compliance with the applicable
national laws that implemented the
Directive.
Rec.58; Art.26(1)(b)
A Cross-Border Data Transfer
could take place if the transfer was
necessary for:
 the performance of a
contract between the
data subject and the
controller; or
 the implementation of
pre contractual
measures taken in
response to the data
subject's request.
Rec.58; Art.26(1)(c)
A Cross-Border Data Transfer
could take place if the transfer was
subject, having been informed of
the possible risks of such transfer,
explicitly consents.
 Rec.111 Art.49(1)(b), (3)
A Cross-Border Data Transfer may
take place if the transfer is
necessary for:
 the performance of a
contract between the
data subject and the
controller; or
 the implementation of
pre-contractual
measures taken in
response to the data
subject's request.
 Rec.111; Art.49(1)(c), (3)
A Cross-Border Data Transfer may
take place if the transfer is
be made on the basis that it is
necessary for the purposes of
performing or concluding a
contract in the interests of the data
subject (e.g., a parent making a
purchase on behalf of a child).
Public interest
A Cross-Border Data Transfer may
be made on the basis that the
transfer is necessary for important
reasons of public interest.
Legal claims
A Cross-Border Data Transfer may
be made on the basis that it is
necessary for the purposes of legal
proceedings, or obtaining legal
advice.
Data subject's vital interests
A Cross-Border Data Transfer may
be made on the basis that the
transfer is necessary to protect the
vital interests of the data subject.
necessary for the conclusion or
performance of a contract between
the controller and a third party,
which was in the interests of the
data subject.
Rec.58; Art.26(1)(d)
A Cross-Border Data Transfer
could take place if the transfer was
necessary, or legally required, on
important public interest grounds.
Rec.58; Art.26(1)(d)
A Cross-Border Data Transfer
could take place if the transfer was
necessary, or legally required, on
important public interest grounds
for the establishment, exercise or
defence of legal claims.
Rec.58; Art.26(1)(e)
A Cross-Border Data Transfer
could take place if the transfer was
necessary in order to protect the
vital interests of the data subject.
necessary for the conclusion or
performance of a contract between
the controller and a third party,
where it is in the interests of the
data subject.
 Rec.111-112; Art.49(1)(d), (4)
A Cross-Border Data Transfer may
take place if the transfer is
necessary for important reasons of
public interest. Such interests must
be recognised in EU law or in the
law of the Member State to which
the controller is subject.
 Rec.111; Art.49(1)(e)
A Cross-Border Data Transfer may
take place if the transfer is
necessary for the establishment,
exercise or defence of legal claims.
 Rec.111-112; Art.49(1)(f)
A Cross-Border Data Transfer may
take place if the transfer is
necessary in order to protect the
vital interests of the data subject or

Public registers
A Cross-Border Data Transfer may
be made on the basis that the data
to be transferred are taken from a
public register.
Controller's compelling legitimate
interests
A Cross-Border Data Transfer may
be made on the basis that the
transfer is necessary for the
purposes of a compelling
legitimate interests of the
controller. Further commentary on
legitimate interests is provided
in Chapter 7.
Rec.58; Art.26(1)(f)
A Cross-Border Data Transfer
could take place if the transferred
data were taken from a register
which was open to the public, or to
any person who could demonstrate
a legitimate interest in inspecting
it.
N/A
The Directive did not allow for
Cross-Border Data Transfers to be
made on the basis of the
controller's legitimate interests.
of other persons, where the data
subject is physically or legally
incapable of giving consent.
 Rec.111; Art.49(1)(g), (2)
A Cross-Border Data Transfer may
take place if the transferred data
are taken from a register which is
open to the public or, upon
request, to any person who can
demonstrate a legitimate interest in
inspecting it. This does not permit
a transfer of the entire register.
 Rec.113; Art.49(1), (3), (6)
A Cross-Border Data Transfer may
take place if:
 none of the other legal
bases applies;
 the transfer is not
repetitive;
 it only concerns a
limited number of data

Certain transfer mechanisms may
be limited by law
A number of lawful mechanisms
for Cross-Border Data Transfers
may be limited, under applicable
EU or Member State law, to
certain categories of data.
N/A
The Directive did not provide for
the possibility of limiting lawful
data transfer mechanisms in this
way.
subjects;
 the transfer is necessary
for the purposes of
compelling legitimate
interests pursued by the
controller which are not
overridden by those of
the data subject; and
 the controller
has adduced suitable
safeguards for the
transferred data.
The controller must inform the
relevant DPA and the data subjects
about the transfer.
 Rec.111; Art.49(5)
EU law or law of the Member
States may, for important reasons
of public interest, expressly limit
Cross– Border Data Transfers
relating to specific categories of
personal data. Member States must
notify such restrictions to the
Commission.
Commentary: GDPR Transfer Mechanisms

The GDPR maintains the pre- existing data transfer mechanisms created under the Directive
(with some minor amendments). It also creates a number of new transfer mechanisms, of which
organisations should be aware. Key changes from the Directive include the following:

 Under the GDPR, several transfer mechanisms no longer require notification to, and/
or authorisation from, DPAs. This significantly reduces the administrative burden on
organisations.

 The GDPR introduces several new transfer mechanisms, including DPA Clauses,
certifications and a derogation for the purposes of legitimate interests.

 Transfer mechanisms such as BCRs and Codes of Conduct may become more
important as a result of the increased harmonisation introduced by the GDPR.

However, there remains a significant amount of uncertainty in this area, in light of Schrems
II and the EU-US Privacy Shield is no longer deemed adequate.

3. General Data Protection Law-Lei Geral de Proteção de Dados (LGPD)

Overlooked in a year dominated by a "wait-and-see" dynamic with both the finalization and
enforcement of the California Consumer Privacy Act (CCPA), Brazil's General Data
Protection Law-Lei Geral de Proteção de Dados (LGPD)-is another major privacy compliance
obligation that must be undertaken for 2021.

The following are some key points that compliance teams should evaluate when integrating
LGPD requirements into their larger privacy compliance infrastructure.
What is the LGPD's effective date?
The law took immediate effect on September 18, 2020. Brazil's data protection authority,
Autoridade Nacional de Proteção de Dados (ANPD), will oversee enforcement of the law.

How is "personal data" defined?

Personal data is defined quite ambiguously and broadly under the LGPD: "any information
related to an identified or identifiable natural person."

What rights do consumers have under the law?

1. Notice. Like the CCPA and GDPR, the consumer has been given a right under Article
9 of the LGPD to meaningful notice, which includes notification on matters such as the
specific purposes of the processing, the type and time period of processing, the identity
of the processing entity and contact information, the nature and purpose of any data
shared with third parties, the responsibilities of the entity processing the data, and
information regarding the consumer's rights.
2. Right to Know. Under Article 18, the consumer is given a series of rights akin to the
GDPR. The first of these rights, the right to know, addresses businesses having a
distinct responsibility to provide information to the consumer about what data, if any,
is being processed by the entity.
3. Right to Correct. Consumers have the right to correct inaccurate information.
4. Data Portability . Consumers have the right to a copy of their data to port from a data
processing system.
5. Data Deletion. Consumers have a right to have their data deleted, subject to certain
exceptions.
6. Consent. Much like the GDPR, consent must be express, informed, and clear.
Consumers must be given information about what giving their express consent means
as well as the consequences of denying or revoking consent to the processing of their
personal data.
 4. Singapore—Personal Data Protection Act (PDPA) (Act 26 of 2012)
Singapore adopted its Personal Data Protection Act (PDPA) way back in 2012 before the
EU’s General Data Protection Regulation (GDPR) made its appearance on the legal stage. It
came into full force on 2 July 2014 and governs the collection, use, disclosure and care of
personal data. It also regulates telemarketing practices through the Do Not Call registry which
allows Singaporeans who sign up for it to opt out of marketing messages on their telephones,
mobile phones and fax machines.
While it may be considered progressive for its time and contains much of the same jargon that
has now become the staple of data protection regulations across the world, the PDPA falls short
of the GDPR’s hard line approach to privacy and personal data protection. It was criticized for its
many exemption clauses and does not have any requirements for special categories of sensitive
data such as those relating to health, race, ethnicity etc.
This particular failing was not without its consequences: in June 2018, Singapore suffered
its worst data breach to date when the personal data of 1.5 million healthcare patients including
that of its Prime Minister, Lee Hsien Loong, was compromised. The Personal Data Protection
Committee (PDPC) tasked with enforcing the PDPA fined Integrated Health Information
Systems (IHIS), the technology agency running the healthcare institutions’ IT systems,
S$750,000 (approx. $540,000) and SingHealth, the data controller, S$250,000 (approx.
$181,000). A probe report found that the data breach was primarily caused by weak
cybersecurity practices.
The PDPC has since announced its intention to update the PDPA’s requirements, most notably,
adding mandatory data breach notifications and data portability to the legislation. It also issued a
number of guides to assist organizations in understanding its approach to regulating Singapore’s
personal data protection regime. Its most recent, released on 22 May 2019, cover data protection
management, active enforcement and managing data breaches.

Who does the PDPA apply to?

The PDPA has an extraterritorial reach and applies to organizations collecting personal data from
individuals in Singapore, whether the companies are located in the country or not. The Act does
not apply to the public sector which is governed by other rules.
What is personal information under the PDPA?
Personal data under the PDPA is defined as data that, whether true or not, can be used to identify
an individual by itself or together with other information to which the organization has or is
likely to have access to.

Business contact information, when used for business purposes and not in a personal capacity, is
not protected by the PDPA. Neither is personal data about an individual that has been in
existence for at least 100 years or personal data about individuals that have been deceased for
over 10 years.

It requires express consent from individuals to collect personal data, but includes no less than 18
exemptions to the rule, which allow organizations to collect personal data without consent.
The PDPA goes a step further than exemptions and also accepts deemed consent as valid
consent. Deemed consent is essentially data provided voluntarily by an individual to an
organization when it is reasonable for the individual to do so. This voluntarily provided data can
then be passed on to another organization for a particular purpose.

Singaporeans have the option of withdrawing consent, even in the case of deemed consent.
However, any legal consequences of the withdrawal have to be borne by the individual who must
be informed of these likely consequences by the organization from whom they request the
withdrawal. Companies are also not obligated to inform third parties of consent withdrawals, so
it falls to the individual to seek them out and withdraw consent from them as well. The
withdrawal of consent cannot be requested if the collection, use or disclosure of the information
is required by law, or if it is necessary for legal or business purposes.
Cross-border data transfers
Organizations can transfer personal information from Singapore to other countries only in
compliance with the PDPA or if they have applied for and received exemption from the PDPC.
Those that need to transfer data across borders in accordance with the PDPA, must ensure that
the country to which the data is being transferred has a comparable level of data protection to the
standards set forth by the PDPA.

Data can also be transferred to other countries if organizations have received consent from the
individual to do so, if data transfer agreements have been put in place or transfers are necessary
for certain prescribed circumstances.

The Penalties
If organizations tamper with personal data or hide information concerning its collection, use or
disclosure, they face a fine not exceeding S$50,000 (approx. $36,000). Any attempts to hinder a
PDPC investigation can lead to a fine of not more than S$100,000 (approx. $72,000). Companies
are also liable for their employees’ actions in the eyes of the PDPA, whether they are aware of
them or not.

The maximum penalty allowed by the PDPA is of S$1,000,000 (approx. $725,000) and, as
shown in the case of the SingHealth data breach, the PDPC is not shy about issuing it.