Last review date: 15 January 2025
No. However, as an "organization" is responsible for the activities of the "data intermediaries" that it engages with, it is common in practice to conduct due diligence and include relevant contractual clauses in the agreement with the data intermediaries.
The obligations are as follows:
☒ controllers must conduct due diligence on the processor to ensure it will provide appropriate security and processing of the personal data
☒ controllers must only use processors subject to a written agreement that complies with specific requirements
Last review date: 15 January 2025
Yes.
Data Intermediaries (i.e., the local equivalent of data processors) are subject to the Protection, Retention Limitation and Data Breach Notification obligations of the PDPA only where they process personal data for another organization (i.e., Data Controller) pursuant to a written contract.
The PDPC issued the 'Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data,' which provides sample data protection clauses for organizations to include in their service agreements when engaging other organizations to provide services relating to the processing of personal data.