The Ninja Sensei’s Logbook: Data Intermediaries and Your Business
Sometimes, organisations rely upon other organisations to process personal data on their behalf. They are called Data Intermediaries (DI), and they are typically under a written contract with a Data Controller (DC).
A DI may perform any action or a series of operations on personal data. As it is handling such data, the PDPA applies when there is a breach, and the liability will be determined based on the stipulations of such contract.
𝐖𝐡𝐨 𝐬𝐡𝐚𝐥𝐥 𝐛𝐞 𝐥𝐢𝐚𝐛𝐥𝐞?
When there is any cloud as to the scope of work of the DI, the DC will be liable under the Data Protection laws. This means that when there is no express stipulation laying out what to expect with the DI, the DC will suffer the consequences when there is a data breach.
However, when there is an outlined and clear stipulation as to how the DI processes and handles personal data, and it acted beyond the authority granted by the DC, in this instance, the DI will also be liable provided that the DC has complied with all the PDPA obligations.
This gives us an idea that the general weight of precaution must be within the DC or the organisation seeking the services of a DI. This is because the DI can only be liable when there is an express stipulation for its scope of work and if it goes beyond it. Beyond that, the instances of breach will be made accountable to the organisation.
𝐏𝐥𝐚𝐧𝐧𝐢𝐧𝐠 𝐭𝐨 𝐨𝐮𝐭𝐬𝐨𝐮𝐫𝐜𝐞 𝐚 𝐃𝐈? 𝐓𝐡𝐞𝐬𝐞 𝐚𝐫𝐞 𝐭𝐡𝐞 𝐭𝐡𝐢𝐧𝐠𝐬 𝐭𝐨 𝐫𝐞𝐦𝐞𝐦𝐛𝐞𝐫:
👉 Always conduct an adequate level of due diligence to ensure that a potential data intermediary is capable of complying with the PDPA; and
👉 Emphasise the scope of work that the data intermediary will perform on their behalf and for their purposes in written contracts.
P.S. For any further questions or if you need help with your cybersecurity and data protection compliance journey, don’t hesitate to reach out to us. We are always a text/call or email away!
📱 WhatsApp: +65 8750 4250
📧 Email: ninjas@privacy.com.sg
