Module 2: Contractual Provisions for Controller-to-Controller Transfers
1. Definitions
1.1. “AMS Law”: Any and all written laws of an ASEAN Member State relating to data protection (or are minimally relevant to the
transfer of personal data) which the Data Exporter or the Data Importer (or both) are subject to.
1.2. “Data Breach”: Any loss or unauthorised, use, copying, modification, disclosure, or destruction of, or access to, Personal Data
transferred under this contract.
1.3. “Data Exporter”: The Party which transfers Personal Data to the Data Importer under this contract.
1.4. “Data Importer”: The Party that receives Personal Data from a Data Exporter under this contract.
1.5. “Enforcement Authority”: Any public authority empowered by applicable AMS Law to implement and enforce the applicable
AMS Law.
1.6. “Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”) transferred under
this contract.
1.7. “Processing”: any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or
not by automated means, including for example, collection, use, transfer and disclosure of Personal Data.
2. Obligations of Data Exporter
The Data Exporter warrants, represents and undertakes that:
2.1. The Personal Data has been collected, used, disclosed and transferred to the Data Importer under this contract in accordance
with applicable AMS Law, or in the absence of such laws, where reasonable and practicable, the Data Subject has been notified
of and given consent to the collection, use, disclosure and/or transfer of his/her Personal Data.
2.2. [Optional Clause] Any Personal Data that have been collected, processed, and transferred is accurate and complete to the
extent necessary for the purposes of transfer under this contract.
2.3. [Optional Clause] The Data Exporter shall provide the Data Importer, on request, with copies of relevant data protection laws
or references to them (where relevant, and not including legal advice) of the country in which the Data Exporter is established.
3. Obligations of Data Importer
The Data Importer warrants, represents and undertakes that:
3.1. [Optional Clause] The Data Importer shall Process the Personal Data only for the purposes described in Appendix A.
3.2. The Data Importer shall have in place reasonable and appropriate technical, administrative, operational and physical measures,
consistent with any applicable AMS Law, to protect the Personal Data against risks of Data Breaches.
3.3. The Data Importer shall provide to the Data Exporter and Data Subjects a contact point who is authorized on behalf of the Data
Importer to respond to enquiries concerning Personal Data.
3.4. If the Data Importer becomes aware that a Data Breach has occurred or is likely to occur affecting Personal Data in its possession
or under its control, or by the importer of an onward transfer, it shall notify the Data Exporter [Choose the relevant clause]
[without undue delay]/[within a reasonable time period specified by the Parties].
3.5. [Optional Clause] The Data Importer acknowledges that upon receipt of the Personal Data, it assumes responsibility for the
protection, Processing and maintenance of the Personal Data in its possession, in accordance with applicable AMS Law and this
contract.
3.6. [Optional Clause] The parties agree that upon the termination or completion of the performance of this contract, the Data
Importer shall, at the election of the Data Exporter, either return to the Data Exporter the Personal Data held in its possession,
or dispose of such data in a manner approved of by the Data Exporter. The Data Importer agrees to confirm this in writing with
the Data Exporter once such action has been taken.