ASEAN Model Contractual Clauses
for Cross Border Data Flows
Final Copy Endorsed by the 2nd ASEAN Digital Senior Officials’ Meeting (ADGSOM), January 2021
Table of Contents
Using the ASEAN Model Contractual Clauses as a Legal Basis for Data Transfers
o About the ASEAN Model Contractual Clauses for Cross Border Data Flows (MCCs)
o The Obligations of the ASEAN MCCs
o Modules Based on the Relationship of the Parties
Module 1: ASEAN MCCs for a Controller-to-Processor Transfer
Module 2: ASEAN MCCs for a Controller-to-Controller Transfer
Terms and Conditions for Use of MCCs
Using ASEAN Model Contractual Clauses as a Legal Basis
for Data Transfers
About the ASEAN Model Contractual Clauses for Cross Border Data Flows (MCCs)
The MCCs are contractual terms and conditions that may be included in the binding
legal agreements between parties transferring personal data to each other across
borders. Implementing the MCCs and their underlying obligations helps parties ensure
that the transfer of personal data is done in a manner that complies with the ASEAN
Member States’ (AMS) legal and regulatory requirements, protects the data of Data
Subjects based on the principles of the ASEAN Framework on Personal Data
Protection (2016) and promotes trust among citizens in the ASEAN digital ecosystem.
The MCCs are templates setting out responsibilities, required personal data protection
measures and related obligations of the parties. The MCCs have been created, in
particular, to identify for parties key issues when transferring personal data across
borders.
Recognising the different levels of development of AMS, private sector parties in AMS
may voluntarily adopt the MCCs, in the transfer of data to other parties in other AMS.
While the MCCs are primarily designed for intra-ASEAN flow of personal data, parties
may adapt these clauses with appropriate modifications at their discretion for transfers
between businesses intra-country in AMS, or transfers to non-AMS, particularly those
with legal regimes based upon the principles of the APEC Privacy Framework or
OECD Privacy Guidelines, from which the principles in the ASEAN Framework on
Personal Data Protection (2016) are derived.
The MCCs are a voluntary standard designed to provide guidance on baseline
considerations for transferring personal data. Parties may, by written agreement,
adopt or modify the MCCs in accordance with the principles set forth in the ASEAN
Framework on Personal Data Protection (2016) or as required by any AMS Law. This
does not preclude the parties from adding clauses, by written agreement, as
appropriate for their commercial or business arrangements so long as they do not
contradict the MCCs. Parties are free to negotiate commercial terms provided they do
not contradict the MCCs.
Parties are also free to use any other valid data transfer mechanisms recognised
within ASEAN, if or when they are available or relevant to AMS. ASEAN recognises
that these mechanisms include, but are not limited to, self-assessment that transfer of
data overseas shall be protected to a comparable level of protection, consent, codes
of conduct, binding corporate rules, certifications, such as ISO series relating to
security and privacy techniques, APEC Cross Border Privacy Rules and Privacy
Recognition for Processors Systems, or other legally enforceable mechanisms.
Companies have the flexibility to choose the most appropriate personal data
protection- or privacy-enhancing data transfer mechanism for a particular context.
The Obligations of the ASEAN MCCs
To rely on the ASEAN MCCs as a legal basis for the cross-border transfer of data,
parties must employ the contractual provisions outlining key data protection
obligations in their commercial contracts between the parties to the data transfer(s).
These obligations are derived from the ASEAN Framework on Personal Data
Protection (2016) and, to the extent possible and relevant to the ASEAN context, are
aligned with global best practices to ensure accountability and the security of personal
data, when data is transferred between companies or organisations. The clauses are
baseline in nature, and businesses are encouraged to check if individual AMS have
provided further guidance or templates, including those that are sector-specific and
specific to the AMS’ requirements.
These obligations embody fundamental principles of data protection, as articulated in
the ASEAN Framework on Personal Data Protection (2016), including:
Lawful/Legal Basis for Collection, Use and Disclosure
The Data Exporter warrants that the data is collected, used,
disclosed and transferred in accordance with applicable AMS law. In
the absence of such law, Data Subjects have been notified and given
consent to the purposes, where reasonable and practicable.
Data Breach Notification
The Data Importer shall notify the relevant authorities and Data
Exporter without undue delay or within a reasonable time specified
by the parties if it becomes aware of any loss or unauthorised use,
copying, modification, disclosure, destruction of, or access to,
personal data under the contract.
Baseline Data Protection Clauses
The Data Importer will process the data in accordance with baseline
clauses derived from the ASEAN Framework on Personal Data
Protection (2016) principles related to Collection, Notification,
Purpose, Accuracy, Security Safeguards, Access and Correction,
Transfers, Retention and Accountability.
Data Exporters are encouraged to conduct due diligence on other parties to meet the
requirements of the MCCs. If there is onward transfer of the data by Data Importers to
third-party importers, Data Importers are encouraged to conduct due diligence on them
to ensure that they are also able to meet the obligations imposed under these MCCs.
Global best practices include the Fair Information Practice Principles (FIPPs), the 1980 OECD
Privacy Guidelines, and reference to more recent legal and policy frameworks such as the APEC
Privacy Framework and the EU’s General Data Protection Regulation (GDPR).
Modules Based on the Relationship of the Parties
The ASEAN MCCs provide two modules, as a first step, for use in two common
transfer scenarios, where parties may adapt their contractual provisions based upon
the nature of the relationship with the other party to the contract and the purposes of
the contemplated transfer of data. Parties should select the appropriate module. The
MCCs, unless otherwise marked as [Optional Clause], must be included as part of a
contract between parties. Clauses which are marked [Optional Clause] can be
included if relevant to or useful for the purposes of the commercial transaction. For
clauses marked out with [Choose the relevant clause], parties may choose the
clause that is most relevant to the domestic laws in which parties reside, or fill in the
appropriate requirements under domestic laws.
A controller or a processor from an AMS may transfer personal data to another AMS
only if it has provided appropriate safeguards, and where required by AMS laws, on
the condition that enforceable rights and effective legal remedies for Data Subjects
are available. Such safeguards may be provided for by model data protection clauses
adopted by an AMS such as this set of ASEAN MCCs. Furthermore, a Data Exporter
has to fulfil its general responsibilities as a controller or a processor in accordance with
the law of the respective AMS in which it is domiciled.
In order to provide appropriate safeguards, the MCCs between two parties in AMS
should take into consideration the necessity to ensure that the personal data
transferred on that basis is afforded a level of protection essentially equivalent to that
which is guaranteed within the AMS. Onward transfers by a Data Importer to another
importer in another AMS should be allowed only if the other importer complies with the
MCCs, if the continuity of protection is ensured otherwise or on the basis of the consent
of the Data Subject.
Controller-to-Processor Transfer
For use by Data Exporters who transfer data to Data Importers who
are contractors or vendors, also known as “data processors” in this
relationship, who process data on behalf of the transferring company,
also known as the “data controller,” including onward transfers from
data processors to downstream data processors, also known as
“sub-processors”. Common examples of data processors include HR
services or payroll administrators, logistics or fulfilment companies
and other third-party business service providers.
Controller-to-Controller Transfer
For use when the Data Exporter transfers data to the Data Importer
which processes the transferred data for its own purposes and may
have full control of the data upon receipt.
Module 1: ASEAN MCCs for a Controller-to-Processor Transfer
For transfers from Data Exporters to Data Importers who are contracted solely
to process the data or provide a related service using the data
The material on this page is for explanatory purposes only and is not a substitute for
the use of the actual MCCs. The MCCs for this type of relationship, which must be
included, unless otherwise marked as [Optional Clause], as part of a contract
between parties that shall transfer data across borders, can be found here. For
clauses marked out with [Choose the relevant clause], parties may choose the
clause that is most relevant to the domestic laws in which parties reside, or fill in the
appropriate requirements under domestic laws.
By employing the underlying contractual clauses found here within a commercial
agreement with parties to the contemplated data transfer, parties may:
TRANSFER THE DATA
Transfer the relevant data to another jurisdiction, to the party(ies)
named in the commercial agreement, for the following purpose:
PROCESS THE DATA
The transfer of data is intended only for processing or for the provision
of related business services by the importing party(ies).
Provided that parties:
o Protect the data by employing the Obligations of the ASEAN MCCs;
o Ensure that the onward transfer of the data to any additional parties
is governed by the same terms of the contract and subject to the
same data protection and security requirements (Requirements for
Onward Transfers); and
o Ensure that a process exists to respond to inquiries regarding the
data, and that there is clear agreement between the parties as to who
shall respond in a prompt fashion (Response to Inquiries).
Examples of common relationships that undertake this type of data transfer:
Online Delivery / Logistics
Singapore e-commerce platform, OnlineGoodies!, makes a sale to a customer in Malaysia,
and needs to deliver the package to the customer. The company contracts a local delivery
service, RapidVans, and provides the customer’s personal data (name, mobile number,
delivery address) necessary to send the package.
Because RapidVans is contracted by and is processing data on behalf of OnlineGoodies!,
the parties should use the ASEAN MCCs provisions included in Module 1.
HR / Payroll Administration
HR Pros, a Jakarta-based company, undertakes payroll administration for a number of
organisations in various ASEAN countries, and therefore holds the personal data of the
employees of these organisations (name, duration of employment, salary and bank
account details). HR Pros processes such personal data solely for the purpose of payroll
administration, as per their written contracts with these organisations.
Because HR Pros is contracted by and is only processing data on behalf of the companies
according to the purposes listed in their written contracts, the parties should use the
ASEAN MCCs provisions included in Module 1.
Module 1: Contractual Provisions for Controller-to-Processor Transfers
1. Definitions
1.1. “AMS Law”: Any and all written laws of an ASEAN Member State relating to data protection (or are, minimally, relevant to the
transfer of Personal Data) which the Data Exporter or the Data Importer (or both) are subject to.
1.2. “Data Breach”: Any loss or unauthorised use, copying, modification, disclosure, or destruction of, or access to, Personal Data
transferred under this contract.
1.3. “Data Exporter”: The Party which transfers Personal Data to the Data Importer under this contract.
1.4. “Data Importer”: The Party which receives Personal Data from the Data Importer for Processing under this contract.
1.5. “Data Sub-Processor”: Any person or legal entity which may be engaged by the Data Importer to assist in the Data Exporter’s
Processing of Personal Data on behalf of the Data Exporter.
1.6. “Enforcement Authority”: Any public authority empowered by applicable AMS Law to implement and enforce the applicable
AMS Law.
1.7. “Personal Data”: Any information relating to an identified or identifiable natural person (“Data Subject”) transferred under
this contract.
1.8. “Processing”: any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or
not by automated means, including, for example, collection, use and disclosure of Personal Data.
2. Obligations of Data Exporter
The Data Exporter warrants, represents and undertakes that:
2.1. The Personal Data has been collected, used, disclosed and transferred to the Data Importer under this contract in accordance
with applicable AMS Law. In the absence of such law, where reasonable and practicable, the Data Subject has been notified of
and given consent to the purpose(s) of the collection, use, disclosure and/or transfer of his/her Personal Data.
2.2. [Optional Clause] Any Personal Data that have been transferred under this contract is accurate and complete to the extent
necessary for the purposes identified by the Data Exporter in order to comply with Clause 2.1.
2.3. The Data Exporter shall implement adequate technical and operational measures to ensure the security of the Personal Data
during transmission to the Data Importer.
2.4. The Data Exporter shall respond to enquiries from Data Subjects or Enforcement Authorities regarding the Processing of
Personal Data by the Data Importer as required by applicable AMS Law, including requests to access or correct Personal Data,
unless the Parties have agreed in writing that the Data Importer shall so respond, and such delegation is permitted by applicable
AMS Law. Responses to such enquiries and requests shall be made within a reasonable time frame or within the time frame and
in the manner, if any, required under the applicable AMS Law.
3. Obligations of Data Importer
The Data Importer warrants, represents and undertakes that:
3.1. The Data Importer shall Process the Personal Data only in compliance with the Data Exporter’s instructions and for the purposes
described in Appendix A.
3.2. The Data Importer shall not further disclose or transfer the Personal Data it receives from the Data Exporter to another person,
Enforcement Authority or legal entity, including to Data Sub-Processors, unless it has notified the Data Exporter of such further
disclosure or transfer in writing, and provided reasonable opportunity for the Data Exporter to object.
3.3. The Data Importer agrees that prior to any disclosure or transfer of Personal Data to third parties, including to Data Sub-
Processors, the Data Importer shall ensure that the third party shall be subject to and bound by the obligations of the Data
Importer to the Data Exporter.
3.4. [Optional Clause] The Data Importer agrees to take reasonable steps to implement measures on the storage and Processing of
Personal Data that comply with adequate security standards prescribed by the Data Exporter.
3.5. The Data Importer shall promptly communicate and refer to the Data Exporter any enquiries and requests from Data Subjects
relating to the Personal Data transferred by the Data Exporter, including requests to access or correct the Personal Data.
3.6. [Optional Clause] At the reasonable request of the Data Exporter, the Data Importer shall provide access to its data processing
facilities, data files, and documentation by [insert requirements for required notice and permissible timing of such access] for
purposes of review and/or audit to verify compliance with the obligations set forth in this contract.
3.7. [Optional Clause] The Data Importer shall correct any error or omission in the Personal Data reasonably requested by the Data
Exporter within [insert mutually agreed-upon time period for corrections], or such other time frame required by applicable AMS
Laws, whichever is shorter.
3.8. Upon the termination of this contract or completion of Processing required under this contract, the Data Importer shall, at the
election of the Data Exporter, either return to the Data Exporter the Personal Data held in its possession pursuant to this
contract, or cease to retain such Personal Data in a manner approved of by the Data Exporter. The Data Importer agrees to confirm
this with the Data Exporter in writing once action has been taken to cease to retain such Personal Data.
3.9. The Data Importer shall have in place reasonable and appropriate technical, administrative, operational and physical measures,
consistent with applicable AMS Laws to protect the confidentiality, integrity and availability of Personal Data, in particular
against risks of Data Breaches.
3.10. If the Data Importer becomes aware that a Data Breach has occurred affecting Personal Data in its possession or under its
control, or in the possession or under the control of an importer of an onward disclosure or transfer of the Personal Data, it
shall notify the Data Exporter [Choose the relevant clause][without undue delay]/[within a reasonable time period specified by
the Parties].
3.11. The Data Importer shall promptly notify and consult with the Data Exporter regarding any investigation regarding the collection,
use, transfer, disclosure, security, or disposal of the Personal Data transferred under this contract, unless otherwise prohibited
under law.
3.12. The Data Importer shall provide prompt assistance to the Data Exporter upon request for the purposes of clause 2.4; and where
the Data Importer has agreed in writing, to respond to enquiries and requests from Data Subjects or Enforcement Authorities
regarding its Processing of Personal Data when notified by the Data Exporter.
COMMERCIAL COMPONENTS
The remaining clauses are of a general commercial nature, not specific to data protection obligations, and therefore are offered for inclusion
only in the event that the contract between the Parties is a stand-alone data protection contract and does not already include such provisions.
These commercial components are offered for reference and the Parties are free to make amendments to the terms that are not data
protection related.
4. Choice of Law; Disputes:
4.1. This contract shall be interpreted according to the laws of [insert name of ASEAN Member State].
4.2. If there is any conflict or inconsistency between clauses in this contract and AMS Law, then the applicable AMS law shall prevail.
4.3. [Optional Clause] Any dispute under this contract shall be resolved via [selected method].
5. Suspension of Transfer
5.1. In the event that the Data Importer is in breach of its obligations under this contract or applicable AMS Law, then the Data
Exporter may temporarily suspend the transfer of Personal Data to the Data Importer until the breach is repaired or the
Processing under this contract is terminated.
6. Termination of Contract
6.1. In the event that:
6.1.1. the transfer of Personal Data to the Data Importer has been temporarily suspended by the Data Exporter for longer than
[insert timeframe] pursuant to Clause 5.1;
6.1.2. compliance by the Data Importer with this contract would put it in breach of its obligations under the law in the country
in which it is Processing the Personal Data;
6.1.3. the Data Importer is in material breach of any obligations under this contract;
6.1.4. there is a final decision from which no further appeal is possible of a competent court that there has been a breach of
this contract by the Data Importer; or
6.1.5. the Data Importer ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers
all or substantially all of its assets to a non-affiliated entity,
then the Data Exporter, without prejudice to any other rights which it may have against the Data Importer shall be entitled
to terminate this contract. In cases covered by (6.1.1), (6.1.2), or (6.1.4) above the Data Importer may also terminate
this contract.
6.2. In the event that:
6.2.1. compliance by the Data Exporter with this contract would put it in breach of its obligations under the law;
6.2.2. the Data Exporter is in material breach of any obligations under this contract;
6.2.3. there is a final decision from which no further appeal is possible of a competent court that there has been a breach of
this contract by the Data Exporter; or
6.2.4. the Data Exporter ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers
all or substantially all of its assets to a non-affiliated entity,
then the Data Importer, without prejudice to any other rights which it may have against the Data Exporter, shall be entitled to
terminate this contract. In cases covered by (6.2.1), or (6.2.3) above, the Data Exporter may also terminate this contract.
6.3. The Parties agree that the termination of this contract at any time, in any circumstances and for whatever reason does not
exempt them from the obligations of this contract regarding the return or deletion of the Personal Data transferred.
7. General Undertakings
7.1. Each Party warrants, represents and undertakes to the other Party that it has full capacity and authority to enter into and to
perform its obligations under and in accordance with this contract.
7.2. Each Party agrees to comply with all applicable AMS Law in connection with the performance of its obligations under
this contract.
8. Variation
8.1. The Parties may, by written agreement, adopt or modify this contract where consistent with the principles set forth in the ASEAN
Framework on Personal Data Protection, or as required by applicable AMS Law. This does not preclude the Parties from adding
or amending clauses, by written agreement, as appropriate for their commercial or business arrangements.
9. Description of the Transfer
9.1. The details of the transfer and the Personal Data involved are specified in Appendix A. The Parties agree that Appendix A may
contain confidential business information which they shall not disclose to third parties, except as in accordance with Clause 3.2.
Additional Terms for Individual Remedies
This section contains the additional provisions and should be read as forming part of the attached contract between the Parties. Words and
phrases given a defined meaning in these additional terms have the same meaning in the attached contract. If there is any inconsistency
between these additional terms and the contract, these additional terms shall prevail.
Individual Remedies:
1.1. The Parties acknowledge that the law of [insert AMS name here] confers a right on Data Subjects to enforce the data protection
warranties and undertakings of this contract as third-party beneficiaries. The Parties agree that this contract shall uphold such
rights of Data Subjects under [insert specific jurisdiction] law.
1.2. Data Subjects can enforce against the Data Exporter Clauses 2.1 and 2.4 as third-party beneficiary.
1.3. Data Subjects can enforce against the Data Importer Clauses 3.5.
1.4. Data Subjects can enforce against Sub-Processors Clauses 2.1, 2.4 and 3.5 when both the Data Exporter and Data Importer have
ceased operations, ceased to exist in law, or transferred all or substantially all of their assets to a non-associated entity such
that the non-associated entity has assumed the legal obligations of the Data Exporter by contract or operation of law.
1.5. To the extent authorized by applicable AMS Law, Data Subjects may obtain compensation for breaches of this contract by either
the Data Importer and/or Data Exporter (as prescribed by applicable AMS Law or, if such law is silent on the allocation of
compensation, then [Choose the relevant clause][in such manner as the Data Subjects may determine]/[from both the Data
Importer and Data Exporter in equal shares]).
1.6. The Parties do not object to a Data Subject being represented by another body if the Data Subject expressly wishes so and such
representation is permitted by applicable law.
Module 2: ASEAN MCCs for a Controller-to-Controller Transfer
For transfers when the Data Importer wishes to process the transferred data
for its own purposes and may have full control, authority and responsibility
for the data upon import
The material on this page is for explanatory purposes only and is not a substitute for
the use of the actual MCCs. The MCCs for this type of relationship, which must be
included, unless otherwise marked as [Optional Clause], as part of a contract
between parties that shall transfer data across borders, can be found here. For
clauses marked out with [Choose the relevant clause], parties may choose the
clause that is most relevant to the domestic laws in which parties reside, or fill in the
appropriate requirements under domestic laws.
By employing the underlying contractual clauses found here within a commercial
agreement with parties to the contemplated data transfer, parties may:
TRANSFER THE DATA
Transfer the relevant data to another jurisdiction, to the party(ies)
named in the commercial agreement, for the following purpose:
SALE OR TRANSFER OF CONTROL OF THE DATA
An outright sale or other full transfer of a copy of the data to the
receiving party, which wishes to exercise full right of control,
authority, and responsibility for the data upon import.
Provided that parties:
o Protect the data by employing the Obligations of the ASEAN
MCCs; and
o Agree that the Data Importer need not accept limitations on future
processing of the transferred data and shall instead have the same
rights and obligation possessed by the exporter, as though it were a
controller, after the transfer is completed, unless it specifically agrees
otherwise (Independence of Importer).
Examples of common relationships that undertake this type of data transfer:
Sale of Advertising Database
Prime Fits, a Cambodian clothing retailer, wishes to expand its online sales in Laos and
negotiates the purchase of a Laotian shoemaker Fancy Feet’s existing marketing database.
Prime Fits wishes to acquire a copy of the marketing database and integrate it with its
existing marketing materials, in preparation for a new advertising campaign where it
hopes to expand its sales in a new region.
Since Prime Fits is purchasing the database from Fancy Feet free and is clear of
continuing obligations, the exporter is the data controller at the time of the sale, and
the importer shall be the data controller when the sale is completed, the parties should
use the ASEAN MCCs provisions included in Module 2.
Cross-Border Data Licensing
Fast Answer, a call centre in the Philippines, wants to commission and use a custom-made
marketing dataset sold by an advertising agency in Singapore. However, while the
advertising agency is willing to let Fast Answer use this product, the company wants to
ensure that its dataset products are not resold to its competitors.
Because Fast Answer shall control the means and purposes of processing the personal data
in the customer set (once it is delivered) it is not a ‘data processor.’ Both Fast Answer
and the Singapore company are data controllers, with the Singapore company able to take
advantage of the contractual variation permitted by Clause 8.1 to impose a restriction on
the resale of the data Fast Answer shall obtain. The parties should use the ASEAN MCCs
provisions included in Module 2.
Module 2: Contractual Provisions for Controller-to-Controller Transfers
1. Definitions
1.1. “AMS Law”: Any and all written laws of an ASEAN Member State relating to data protection (or are minimally relevant to the
transfer of personal data) which the Data Exporter or the Data Importer (or both) are subject to.
1.2. “Data Breach”: Any loss or unauthorised use, copying, modification, disclosure, or destruction of, or access to, Personal Data
transferred under this contract.
1.3. “Data Exporter”: The Party which transfers Personal Data to the Data Importer under this contract.
1.4. “Data Importer”: The Party that receives Personal Data from a Data Exporter under this contract.
1.5. “Enforcement Authority”: Any public authority empowered by applicable AMS Law to implement and enforce the applicable
AMS Law.
1.6. “Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”) transferred under
this contract.
1.7. “Processing”: any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or
not by automated means, including for example, collection, use, transfer and disclosure of Personal Data.
2. Obligations of Data Exporter
The Data Exporter warrants, represents and undertakes that:
2.1. The Personal Data has been collected, used, disclosed and transferred to the Data Importer under this contract in accordance
with applicable AMS Law, or in the absence of such laws, where reasonable and practicable, the Data Subject has been notified
of and given consent to the collection, use, disclosure and/or transfer of his/her Personal Data.
2.2. [Optional Clause] Any Personal Data that have been collected, processed, and transferred is accurate and complete to the
extent necessary for the purposes of transfer under this contract.
2.3. [Optional Clause] The Data Exporter shall provide the Data Importer, on request, with copies of relevant data protection laws
or references to them (where relevant, and not including legal advice) of the country in which the Data Exporter is established.
3. Obligations of Data Importer
The Data Importer warrants, represents and undertakes that:
3.1. [Optional Clause] The Data Importer shall Process the Personal Data only for the purposes described in Appendix A.
3.2. The Data Importer shall have in place reasonable and appropriate technical, administrative, operational and physical measures,
consistent with any applicable AMS Law, to protect the Personal Data against risks of Data Breaches.
3.3. The Data Importer shall provide to the Data Exporter and Data Subjects a contact point who is authorized on behalf of the Data
Importer to respond to enquiries concerning Personal Data.
3.4. If the Data Importer becomes aware that a Data Breach has occurred or is likely to occur affecting Personal Data in its possession
or under its control, or by the importer of an onward transfer, it shall notify the Data Exporter [Choose the relevant clause]
[without undue delay]/[within a reasonable time period specified by the Parties].
3.5. [Optional Clause] The Data Importer acknowledges that upon receipt of the Personal Data, it assumes responsibility for the
protection, Processing and maintenance of the Personal Data in its possession, in accordance with applicable AMS Law and this
contract.
3.6. [Optional Clause] The parties agree that upon the termination or completion of the performance of this contract, the Data
Importer shall, at the election of the Data Exporter, either return to the Data Exporter the Personal Data held in its possession,
or dispose of such data in a manner approved of by the Data Exporter. The Data Importer agrees to confirm this in writing with
the Data Exporter once such action has been taken.
4. Obligations of both Data Exporter and Data Importer
4.1. Both Parties have taken appropriate steps to determine the level of potential risk of data breaches involved in transferring the
relevant data and to consider suitable security measures that both parties must undertake.
4.2. Both Parties shall agree on and implement appropriate controls and adequate security standards that shall apply to the storage
and Processing of Personal Data.
4.3. [Optional Clause] The Data Exporter and Data Importer shall each respond to enquiries from relevant Data Subjects or
Enforcement Authorities regarding processing of Personal Data in their respective jurisdictions, including requests to access or
correct Personal Data.
COMMERCIAL COMPONENTS
The remaining Clauses are of a general commercial nature, not specific to data protection obligations, and therefore are offered for inclusion
only in the event that the Contract between the parties is a stand-alone data protection contract and does not already include such provisions.
These commercial components are offered for reference and the Parties are free to make amendments to the terms that are not data
protection related.
5. Choice of Law; Disputes:
5.1. This contract shall be interpreted according to the laws of [insert national jurisdiction].
5.2. If there is any conflict or inconsistency between clauses in this contract and AMS Law, then the applicable AMS law shall prevail.
5.3. [Optional Clause] Any dispute under this contract shall be resolved via [selected method].
6. Termination of Contract
6.1. In the event that:
6.1.1. compliance by the Data Importer with this contract would put it in breach of its obligations under the law in the country
in which it is Processing the Personal Data;
6.1.2. the Data Importer is in material breach of any obligations under this contract;
6.1.3. there is a final decision from which no further appeal is possible of a competent court that there has been a breach of
this contract by the Data Importer; or
6.1.4. the Data Importer ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers
all or substantially all of its assets to a non-affiliated entity,
then the Data Exporter, without prejudice to any other rights which it may have against the Data Importer shall be entitled
to terminate this contract. In cases covered by (6.1.1) or (6.1.3) above the Data Importer may also terminate this contract.
6.2. In the event that:
6.2.1. compliance by the Data Exporter with this contract would put it in breach of its obligations under the law;
6.2.2. the Data Exporter is in material breach of any obligations under this contract;
6.2.3. there is a final decision from which no further appeal is possible of a competent court that there has been a breach of
this contract by the Data Exporter; or
6.2.4. the Data Exporter ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers
all or substantially all of its assets to a non-affiliated entity,
then the Data Importer, without prejudice to any other rights which it may have against the Data Exporter, shall be entitled to
terminate this contract. In cases covered by (6.2.1), or (6.2.3) above, the Data Exporter may also terminate this contract.
6.3. [Optional Clause] The Parties agree that the termination of this contract at any time, in any circumstances and for whatever
reason does not exempt them from the obligations of this contract regarding the return or deletion of the Personal Data
transferred.
7. General Undertakings
7.1. Each Party warrants, represents and undertakes to the other Party that it has full capacity and authority to enter into and to
perform its obligations under and in accordance with this contract.
7.2. Each Party agrees to comply with all applicable AMS Law in connection with the performance of its obligations under
this contract.
8. Variation
8.1. Parties may, by written agreement, adopt or modify clauses in this contract in a manner consistent with the principles set forth
in the ASEAN Framework on Personal Data Protection, or as required by applicable AMS Law. This does not preclude the parties
from adding or amending clauses, by written agreement, as appropriate for their commercial or business arrangements.
9. Description of the Transfer
9.1. The details of the transfer and the Personal Data involved are specified in Appendix A. The parties agree that Appendix A may
contain confidential business information which they shall not disclose to third parties, unless it has notified the other Party of
such further disclosure or transfer in writing, and provided reasonable opportunity for the other Party to object.
Additional Terms for Individual Remedies
This section contains the additional provisions and should be read as forming part of the attached contract between the Parties. Words and
phrases given a defined meaning in these additional terms have the same meaning in the attached contract. If there is any inconsistency
between these additional terms and the contract, these additional terms shall prevail.
Individual Remedies:
1.1. The Parties acknowledge that the law of [insert specific jurisdiction] confers a right on Data Subjects to enforce the data
protection warranties and undertakings of this contract as third-party beneficiaries. The Parties agree that this contract shall
uphold such rights of Data Subjects under [insert specific jurisdiction] law.
1.2. Data Subjects can enforce against the Data Exporter Clauses 2.1 as third-party beneficiary.
1.3. Data Subjects can enforce against the Data Importer Clauses 3.3 as third-party beneficiary.
1.4. To the extent authorized by applicable AMS Law, Data Subjects may obtain compensation for breaches of this contract by either
the Data Importer and/or Data Exporter (as prescribed by applicable AMS Law or, if such law is silent on the allocation of
compensation, then [Choose the relevant clause][in such manner as the Data Subjects may determine]/[from both the Data
Importer and Data Exporter in equal shares]).
1.5. The Parties do not object to a Data Subject being represented by another body if the Data Subject expressly wishes so and such
representation is permitted by applicable law.
APPENDIX A: TEMPLATE FOR DATA EXPORTERS AND IMPORTERS TO DESCRIBE PURPOSES FOR THE TRANSFER OF PERSONAL DATA
Name of Data Exporter:
Name of Data Importer:
Description of the data subjects and groups of data subjects:
Description of purposes for the processing of personal data:
Signed by:
Signature:
Signature:
Name of Data Exporter Organisation:
Name of Data Importer Organisation:
Date:
Terms and Conditions for Use of MCCs
Without prejudice to the generality of the disclaimers set out below, you agree that the
MCCs shall not be construed as constituting any promise or representation by ASEAN,
AMS and/or their regulatory authorities to any person to adopt any particular course
of action. Nothing in the MCCs shall preclude, limit or constrain such regulatory
authorities’ exercise of rights, powers and discretion in any way nor compel, require or
oblige it or them to exercise any rights, powers and discretion in any particular manner
or to achieve any particular outcome.
AMS and/or their regulatory authorities reserve the right to change, modify, add to,
derogate from or vary its position in respect of any regulatory policies or frameworks
referred to in these MCCs at any time in its sole and absolute discretion without prior
notice to any person.
Parties shall obtain their own professional and/or legal advice and conduct all
necessary due diligence, including but not limited to seeking clarifications as may be
appropriate, as regards any decision or action that they intend to take in relation to
any matter relating to the MCCs.
Neither ASEAN, Member States and/or their regulatory authorities shall be responsible
or liable to any person for any errors or omissions, or for the results obtained or
consequences arising from the use of any of the MCCs, any damage or loss
whatsoever and howsoever caused, including without limitation, any direct or indirect,
special or consequential damages, loss of income, revenue or profits, lost or damaged
data, howsoever arising directly or indirectly from any decision made or action taken
in reliance upon the MCCs.
Copyright 2021 Association of Southeast Asian Nations (ASEAN)
The contents of this publication are protected by copyright, trademark or other forms of
proprietary rights and may not be reproduced, republished or transmitted in any form or by
any means, in whole or in part, without written permission.
This publication gives a general introduction to contractual terms and conditions and templates
that can help identify key issues when transferring personal data across borders.