Singapore's PDPA governs personal data protection. For third parties, a key concept is the data intermediary: an organization that processes personal data on behalf of another organization.
Official sources
What the PDPA is trying to do
The PDPA protects personal data while allowing organizations to use data responsibly. When another party processes personal data, the organization needs to know what data is involved, why it is used, where it goes, how it is protected, and what contractual and operational controls apply.
What teams need to do
- Map organizations, data intermediaries, processors, and subcontractors.
- Track personal data categories, purposes, locations, retention, transfers, and access.
- Review contracts, protection obligations, breach support, and deletion or return.
- Monitor provider changes and breach events.
Evidence to maintain
- Personal data and processing inventory.
- Data intermediary and subcontractor records.
- Contracts, protection evidence, transfer evidence, and retention records.
- Breach assessment, notification, remediation, and reporting evidence.
Common gaps
- Data intermediary roles are not documented clearly.
- Subcontractors are missing from the privacy record.
- Breach notification support is not operationalized.
- Processing changes do not trigger contract and safeguard review.
How Halbarad helps
Halbarad helps privacy teams maintain processor records, data maps, contracts, safeguards, subcontractors, incidents, remediation, and audit trail.
Disclaimer
This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.