
DATA PROTECTION AGREEMENT

TABLE OF CONTENTS

1. Definitions and interpretation
2. Protection of Personal Data
3. Liability
4. Audit
5. Term and termination
6. Miscellaneous
Schedule I (Details of processing)
Schedule II (Description of technical and organisational security measures)

THIS AGREEMENT is dated [•]

PARTIES

(1) [•] of [•] (the Transferor); and

(2) [•] of [•] (the Recipient),

(each a Party and together, the Parties).

WHEREAS

This Data Protection Agreement (the Agreement) sets out the terms and conditions on
which the Recipient will process Personal Data on behalf of the Transferor.

IT IS AGREED:

1. Definitions and interpretation

1.1 In this Agreement:

Affiliates means, in relation to any Party, any Subsidiary or
Parent Company of that Party and any Subsidiary of
that Parent Company, in each case from time to time;

Business Day means a day other than a Saturday, Sunday or public
holiday in Singapore, on which banks are open in
Singapore for general commercial business;

Connected Persons means, in relation to a Party, any Affiliate of that Party
and any officer, employee, agent, adviser or
representative of that Party or any of its Affiliates, in
each case, from time to time;

Data Controller means the entity which determines the purposes for
which and the means by which Personal Data is
processed, and includes the term “organisation” as
defined in the PDPA;

Data Processor has the same meaning as the term “data intermediary”
as defined in the PDPA;

Data Standards means the PDPA and accompanying regulations and
guidelines issued by the Personal Data Protection
Commission (PDPC), all applicable Laws, and [the
Transferor’s Privacy Policy/Notice at [insert URL]];

Data Subject has the same meaning as the term “individual” as
defined in the PDPA and includes the categories of
persons as described in paragraph 1.1 of Schedule I;

Governmental Authority means any administrative, executive, judicial,
legislative, regulatory, licensing, competition or other
governmental authority having applicable jurisdiction;

Law means any statute, law, rule, regulation, guideline,
ordinance, code or rule of law issued, administered or
enforced by any Governmental Authority, and any
judicial or administrative interpretation of any of these;

Parent Company means any company that, in relation to another
company (its Subsidiary):
(a) holds a majority of the voting rights in the
Subsidiary;
(b) is a shareholder of the Subsidiary and has the
right to appoint or remove a majority of its
board of directors;
(c) is a shareholder of the Subsidiary and controls a
majority of the voting rights in it under an
agreement with other members; or
(d) has the right to exercise a dominant influence
over the Subsidiary under the Subsidiary’s
articles or a contract authorised by its
shareholders,
in each case, whether directly or indirectly through one
or more companies or other entities;

PDPA means the Personal Data Protection Act 2012 (Act 26 of
2012) as amended from time to time;

Personal Data means data, whether true or not, about a Data Subject
who can be identified: (a) from that data alone; or (b)
from that data and other information to which the
Recipient has or is likely to have access, which the
Transferor discloses to the Recipient or which the
Recipient processes on behalf of the Transferor as
specified in paragraph 2.1 of Schedule I;

Purposes has the meaning given to it in Clause 2.1;

Subsidiary has the meaning given in the definition of Parent
Company; and

Working Hours means 9.00am to 5.30pm in the relevant location on a
Business Day.

1.2 In this Agreement, unless the context otherwise requires:

(a) references to a person include any individual, firm, body corporate (wherever
incorporated), government, state or agency of a state or any joint venture,
association, partnership, works council or employee representative body (in
any case, whether or not it has separate legal personality);

(b) references to a paragraph, Clause or Schedule are to those of this
Agreement;

(c) headings do not affect its interpretation;

(d) the singular shall include the plural and vice versa, and references to one
gender include all genders;

(e) any phrase introduced by the terms including, include, in particular or any
similar expression shall be construed as merely illustrative and shall not limit
the sense of the words preceding those terms; and

(f) any reference to a document in the agreed form is to the form of the
relevant document agreed between the Parties and, for the purpose of
identification, initialled for or by each of them (in each case with any
amendments that the Parties may agree).

1.3 The Schedules comprise Schedules to this Agreement and form part of this
Agreement.

2. Protection of Personal Data

2.1 For the purposes of this Agreement, the Transferor has determined that Personal
Data is required to be subjected to the processing operations particularised in
paragraph 3.1 of Schedule I of this Agreement (Purposes).

2.2 The Parties acknowledge that for the purpose of the PDPA, the Transferor is the Data
Controller of the Personal Data and the Recipient is the Data Processor.

2.3 The Recipient hereby undertakes to only process Personal Data in accordance with
applicable legislation, including the PDPA, this Agreement and Transferor’s
instructions from time to time, and in particular, to:

(a) comply with the applicable Data Standards, and not do or permit anything to
be done which might cause the Transferor to breach such Data Standards;

(b) process, use or disclose Personal Data:

(i) strictly for the purposes of fulfilling its obligations under this
Agreement and the Purposes;

(ii) with the Transferor’s prior written consent; or

(iii) when required by Law or an order of court, but shall notify the
Transferor as soon as practicable before complying with such Law or
order of court at its own costs;

(c) protect Personal Data in its possession or under its control by making
reasonable security arrangements to prevent unauthorised access, collection,
use, disclosure, copying, modification, disposal or processing, including such
measures as set out in Schedule II;

(d) immediately notify the Transferor as soon as it becomes aware of any:

(i) suspected loss or unauthorised access of the Personal Data, whether
or not under its possession or control; or

(ii) breach of the Data Standards,

and implement measures reasonably required by the Transferor to remedy
such breach;

(e) notify the Transferor of any notices, requests, orders or queries from Data
Subjects, any data protection or other Governmental Authority, law
enforcement agency, court order or tribunal, which the Transferor or
Recipient is obliged to comply with under the Data Standards to facilitate
timely resolution of any matter arising in connection with the foregoing or
any related investigation;

(f) prior to any transfer of Personal Data by the Recipient to third parties, to
obtain the written consent of the Transferor and enter into a data transfer
agreement with third parties and procure the compliance of such third
parties with the PDPA and the terms of this Agreement;

(g) prior to any transfer of Personal Data to a place outside of Singapore, obtain
the Transferor’s prior written consent and, if such consent is provided, the
Recipient shall ensure that the recipient of such Personal Data is under a
contractual obligation to provide a standard of protection that is comparable
to that under the PDPA;

(h) upon termination of this Agreement or on request by the Transferor,
promptly return to the Transferor or, at the Transferor’s option, irreversibly
destroy all Personal Data in the Recipient’s possession or control, unless
otherwise required by Law;

(i) cease to retain the Personal Data, or remove the means by which the
Personal Data can be associated with particular Data Subjects as soon as it is
reasonable to assume that:

(i) the Purposes are no longer being served by retention of the Personal
Data; and

(ii) the retention of the Personal Data is no longer necessary for any
business, regulatory, legal or audit purpose;

(j) verify that it has the legal authority to fulfil these undertakings set out in this
Clause; and

(k) not collect, use or disclose any Personal Data on behalf of the Transferor, or
hold itself out as doing so, unless it has obtained prior written authorisation
from the Transferor’s authorised representative.

2.4 Where the Transferor provides Personal Data to the Recipient, the Transferor shall
make reasonable efforts to ensure that the Personal Data is accurate and complete
before providing the same to the Recipient. The Recipient shall put in place adequate
measures to ensure that the Personal Data in its possession or control remain or is
otherwise accurate and complete.

2.5 The provisions of Clauses 2.3(h) and 2.3(i) shall survive the expiration or termination
of this Agreement.

3. Liability

3.1 The Recipient agrees to defend any claims brought against the Transferor, or its
Connected Persons by any person, including a Data Subject and any data protection
authority or other Governmental Authority, arising in connection with Recipient’s
breach of this Agreement or breach or non-compliance with any privacy or data
protection laws, including the PDPA.

3.2 The Recipient agrees to hold harmless and indemnify the Transferor, or its
Connected Persons against any and all third-party claims, demands, suits, liabilities,
losses, statutory penalties, damages, costs, and expenses (including legal costs on an
indemnity basis) arising out of or in connection with Recipient’s breach of this
Agreement or any privacy and data protection laws, including the PDPA or any act,
omission or negligence of the Recipient that causes or results in the Transferor being
in breach of any privacy and data protection laws, including the PDPA.

3.3 The provisions of this Clause 3 shall survive the expiration or termination of this
Agreement.

4. Audit

Upon the Transferor’s reasonable request, the Recipient will permit the Transferor
and/or its third-party representatives to audit the Recipient’s compliance with its
obligations under this Agreement, on at least 20 days’ notice. The Recipient will
provide the Transferor and/or the Transferor’s third-party representatives all
necessary reasonable assistance to conduct such audits.

5. Term and termination

This Agreement shall enter into force upon the signing hereof by the Parties and
shall remain in force for as long as the Recipient processes the Personal Data or until
such time as the Transferor provides written notice of the termination of this
Agreement to the Recipient.

6. Miscellaneous

6.1 Assignment

(a) Except with the prior written consent of the other Party, neither Party may:

(i) assign, transfer, charge or otherwise deal with any of its rights or
obligations under this Agreement nor grant, declare, create or dispose
of any right or interest in it; or

(ii) subcontract the performance of any of its obligations under this
Agreement.

6.2 Whole agreement

(a) This Agreement sets out the whole agreement between the Parties in respect
of the subject matter of this Agreement and supersedes any previous draft,
agreement, arrangement or understanding, whether in writing or not,
relating to its subject matter. It is agreed that:

(i) no Party has relied on or shall have any claim or remedy arising under
or in connection with any statement, representation, warranty or
undertaking made by or on behalf of the other Party in relation to the
subject matter of this Agreement that is not expressly set out in this
Agreement;

(ii) any terms or conditions implied by Law in any jurisdiction in relation
to the subject matter of this Agreement are excluded to the fullest
extent permitted by Law or, if incapable of exclusion, any rights or
remedies in relation to them are irrevocably waived;

(iii) save and except for any claim under Clause 3, the only right or
remedy of a Party in relation to any provision of this Agreement shall
be for breach of this Agreement; and

(iv) except for any liability in respect of a breach of this Agreement,
neither Party shall owe any duty of care or have any liability in tort or
otherwise to the other Party in relation to the subject matter of this
Agreement.

(b) Nothing in this Clause 6.2 shall limit any liability for (or remedy in respect of)
fraud or fraudulent misrepresentation.

(c) Each Party agrees to the terms of this Clause 6.2 on its own behalf and as
agent for each of its Connected Persons.

6.3 Counterparts

This Agreement may be executed in any number of counterparts, and by each Party
on separate counterparts. Each counterpart is an original, but all counterparts shall
together constitute one and the same instrument. Delivery of a counterpart of this
Agreement by e-mail attachment shall be an effective mode of delivery.

6.4 Variations

(a) No variation of this Agreement shall be valid unless it is in writing and signed
by or on behalf of all of the Parties to it.

(b) If this Agreement is varied:

(i) the variation shall not constitute a general waiver of any provisions of
this Agreement;

(ii) the variation shall not affect any rights, obligations or liabilities under
this Agreement that have already accrued up to the date of variation;
and

(iii) the rights and obligations of the Parties under this Agreement shall
remain in force, except as, and only to the extent that, they are
varied.

6.5 Waivers

No failure to exercise, or delay in exercising, any right under this Agreement or
provided by Law shall affect that right or operate as a waiver of the right. The single
or partial exercise of any right under this Agreement or provided by Law shall not
preclude any further exercise of it.

6.6 Notices

(a) Any notice to be given by one Party to the other Party in connection with this
Agreement shall be in writing in English and signed by or on behalf of the
Party giving it. It shall be delivered by hand, email, registered post or courier
using an internationally recognised courier company.

(b) A notice shall be effective upon receipt and shall be deemed to have been
received (i) at the time of delivery, if delivered by hand, registered post or
courier or (ii) at the time of transmission if delivered by email. Where delivery
occurs outside Working Hours, notice shall be deemed to have been received
at the start of Working Hours on the next following Business Day.

(c) The addresses and email addresses of the Parties for the purpose of Clause
6.6 are:

[•] Address: Email:

For the attention of:

[•] Address: Email:

For the attention of:

(d) Each Party shall notify the other Party in writing of a change to its details in
Clause 6.6(c) from time to time.

6.7 Invalid Terms

(a) Each of the provisions of this Agreement is severable.

(b) If and to the extent that any provision of this Agreement:

(i) is held to be, or becomes, invalid or unenforceable under the Law of
any jurisdiction; but

(ii) would be valid, binding and enforceable if some part of the provision
were deleted or amended,

then the provision shall apply with the minimum modifications necessary to
make it valid, binding and enforceable and neither the validity or
enforceability of the remaining provisions of this Agreement, nor the validity
or enforceability of that provision under the Law of any other jurisdiction,
shall in any way be affected or impaired as a result of this Clause 6.7(b).

6.8 No third-party enforcement

Except for the Connected Persons of the Transferor, a person who is not a Party to
this Agreement shall have no right under the Contracts (Rights of Third Parties) Act
(Cap 53B) of Singapore to enforce any of its terms.

6.9 Cumulative remedies

The provisions of this Agreement, and the rights and remedies of the Parties under
this Agreement are cumulative and are without prejudice and in addition to any
rights or remedies a Party may have at law or in equity; no exercise by a Party of any
one right or remedy under this Agreement, or at law or in equity, shall operate so as
to hinder or prevent the exercise by it of any other such right or remedy.

6.10 Governing law

This Agreement and any non-contractual obligations arising out of, or in connection
with it, shall be governed by, and interpreted in accordance with, Singapore law.

6.11 Dispute resolution

(a) Any dispute arising out of or in connection with this contract, including any
question regarding its existence, validity or termination, shall be referred to
and finally resolved by arbitration administered by the Singapore
International Arbitration Centre in accordance with the Arbitration Rules of
the Singapore International Arbitration Centre for the time being in force,
which rules are deemed to be incorporated by reference in this Clause.

(b) The seat of the arbitration shall be Singapore.

(c) The Tribunal shall consist of [• insert odd number eg, 1 or 3] arbitrator(s).

(d) The language of the arbitration shall be English.

(e) The law for the arbitration agreement shall be Singapore law.

This Agreement is signed by authorised representatives of the Parties:

SIGNED )
for and on behalf of
[] )

Signature: …………………………

Name: …………………………

SIGNED )
for and on behalf of
[] )

Signature: …………………………

Name: …………………………

Schedule I
(Details of processing)

1. Data Subjects
(a) The Personal Data to be processed by the Recipient relate to the following
categories of Data Subjects:
(i) [describe the persons whose Personal Data is processed]
2. Types of Personal Data
(a) The Personal Data to be processed by the Recipient consist of the following
types of Personal Data:
(i) [describe the types of Personal Data to be processed]
3. Processing operations
(a) The Personal Data to be processed by the Recipient will be subject to the
following processing activities:
(i) [describe how the Personal Data will be processed]

Schedule II
(Description of technical and organisational security measures)

Disclaimer: This precedent (the “Precedent”) is intended to give legal information only
and has been developed specifically for use in Singapore. The Precedent is drafted based
on the applicable laws as at the date of publication. You acknowledge and agree that the
Precedent may not be up to date in accordance with changes to the law or market practice
and Singapore Academy of Law (“SAL”) and the contributor of the Precedent
(“Contributor”) are under no obligation to update it.

You acknowledge and agree that the making available of the Precedent to you by SAL
and Contributor does not constitute the provision of legal advice or other professional
advice by SAL and Contributor and you will not rely on such documents as legal advice.
You further agree and acknowledge that the Precedent has not been prepared with your
specific circumstances in mind, may not be suitable for use in your situation, may not be
exhaustive in respect of provisions that are to be included, and does not constitute legal
or tax advice. In relying on the Precedent, you assume all risks and liabilities that may
result.

You are strongly advised to advise your client of the implications of entering into such an
agreement and ensure appropriate customization of the provisions as set out in this
specimen to ensure that the terms and conditions required in light of the circumstances
faced by your client are included.

You should review the Precedent carefully for accuracy before using it. These terms and
the operations or availability of the Precedent may be changed by SAL, with or without
notice, at its sole discretion.
