For transfers of data to overseas recipients that hold CBPR or PRP certifications, we recommend that the transferring organisation include the following clause in its contract with the recipient:

The parties agree and acknowledge that [an organisation / a data intermediary]* which is certified under the Asia-Pacific Economic Cooperation [Cross Border Privacy Rules System / Privacy Recognition for Processors System]* is bound by a legally enforceable set of obligations to provide comparable protection to the Personal Data Protection Act 2012 (No. 26 of 2012, Statutes of the Republic of Singapore).

The receiving party shall maintain its certification under the Asia-Pacific Economic Cooperation [Cross Border Privacy Rules System / Privacy Recognition for Processors System]* during the term of this Agreement, and promptly notify the disclosing party of any change in the receiving party’s certification status.

*Please adapt the text in parenthesis as appropriate.