1. Cross Border Transfer of Personal Data
1.1 TDCX Singapore (hereinafter called the “Company” or “TDCX”) should not transfer personal data outside of Singapore, except in accordance with requirements under the PDPA. Consent to such transfers (prior to the transfer) would need to be obtained from individuals and customers whose personal data are being transferred, through the use of appropriate consent clauses. Whenever you transfer personal data of an individual outside of Singapore to another legal entity (group companies included), you are to ensure that you obtain the individual’s consent by utilizing the appropriate consent and notification clause, an example of which is provided in Appendix 1.
1.2 In the absence of such consent from an individual, do not transfer any personal data of that individual overseas. Contact the DPO immediately to consult on whether there is any statutory exception to the requirement of consent that may be applicable.
1.3 Consent from an individual or customer must be given freely and can subsequently be withdrawn by him/her.
2. Legally Binding Instruments
2.1 The Company’s transfer of personal data outside of Singapore must be in a manner that is consistent with the Company’s obligations under the PDPA and pursuant to a legally binding instrument that provides the appropriate safeguards (i.e. contracts between the Company and third-party recipients or binding corporate rules for group companies).
2.2 The transfer of personal data to a third party outside of Singapore must be pursuant to a legally binding instrument that provides the appropriate safeguards for the personal data transferred. You must not transfer personal data to a third party outside of Singapore until the third party has entered into and agreed to be bound by a legally binding contract consistent with the above obligations. Please refer to Appendix 1 for such transfer of personal data. Please contact the DPO before entering into such an arrangement.
2.3 The transfer of personal data to a group company outside of Singapore is pursuant to our group company’s binding corporate rules on personal data transfer. Such binding corporate rules are legally binding and applicable to and enforceable by every organization within our group. In addition, all transfers of data within the Company’s group of companies are to be pursuant to the binding corporate rules mentioned in TDCX BCR Appendix 1. Please refer to the DPO on the use of binding corporate rules mentioned in Appendix 1 of TDCX BCR.
Appendix 1
Part 1 – Introduction and Scope of Binding Corporate Rules
1.1 At the Company, we value our employees’ and customers’ trust and confidence in us to properly handle their personal information.
1.2 It is our commitment to ensure compliance with the laws applicable to the restriction of cross-border data flows when the Company transfers personal information across borders between the Company’s group companies (collectively the “Group”; with each individual group company being referred to as the “Group Company”).
1.3 It is our Management’s intention for these Binding Corporate Rules (“Rules”) to apply to all international transfers of personal data between all organizations within the Group (each such organization within the Group shall be referred to as a “Member”). These Rules shall be legally binding on all Members.
1.4 Each Member is responsible for the implementation of its own internal processes to ensure compliance with these Rules.
1.5 These Rules (including the Parts herein) bind each Member and each Member is to fully comply with these Rules. Part II of these Rules sets out the minimum mandatory standards for any cross-border transfer of personal data between Members.
Part 2 – Compliance with Data Protection Legislation
2.1 All Members shall comply with all legislation (primary and subsidiary) and regulations relating to privacy and data protection applicable to the Member, including but not limited to Singapore’s PDPA and all subsidiary legislation related thereto (collectively “Data Protection Legislation”), with regards to any and all personal data (as defined in the Data Protection Legislation) that our Members transfer across borders between the Members and with respect to personal data that a Member receives from another Member pursuant to these Rules.
Part 3 – Transfer of Personal Data
3.1 The Members agree that personal data transfer may only take place between the identified Members, with respect to the territories, for the categories of individuals and personal data and for the necessary purposes.
Part 4 – Members’ Obligations
4.1 Without limiting the generality of paragraph 2.1, each Member of the Group (“Receiving Member”) agrees that when dealing with personal data received from another Member (“Disclosing Member”), it shall:
(a) only use the personal data in accordance with the purposes for which the Disclosing Member disclosed the personal data, in accordance with the instructions of the Disclosing Member and as is necessary for the Disclosing Member to fulfill its obligations under the Data Protection Legislation;
(b) take appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing. Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of implementation;
(c) give the Disclosing Member notice in writing as soon as reasonably practicable should it be aware of, or reasonably suspect, that any of the events referred to in rule 4.1(b) has occurred and shall promptly take all steps necessary to remedy the event and prevent its re-occurrence;
(d) employ reasonable efforts to ensure that the personal data that it processes are accurate and complete;
(e) not retain personal data for any longer than is necessary for the purposes for which the Disclosing Member disclosed the personal data, and retention is no longer necessary for legal or business purposes. Hence the Receiving Member shall cease to retain or anonymize personal data when the purpose for which the personal data was collected by the Receiving Member is no longer relevant and retention is no longer necessary for legal or business purpose;
(f) apply internal policies that it has with regards to the protection of personal data to the personal data that it receives from the Disclosing Member. In this regard, the Receiving Member warrants to the Disclosing Member that the Receiving Member has in place appropriate internal policies dealing with the protection of personal data and that such policies provide for a level of protection that is equivalent or comparable to the protection accorded by the Data Protection Legislation;
(g) on request of an individual whose personal data the Receiving Member has received from the Disclosing Member, provide the requesting individual with rights of access and rights of correction to/of his/her personal data, that are accorded to the individual and in compliance with the conditions and requirements of the PDPA with respect thereto;
(h) without limiting the generality of subparagraph (g), with respect to access rights, among other things, on request of an individual who has rights under the PDPA, the Receiving Member shall, as soon as reasonably possible, provide the individual with:
(i) personal data about the individual that is in the possession or under the control of the Receiving Member; and
(ii) information about the ways in which the personal data has been or may have been used or disclosed by the Receiving Member within a year before the date of the request;
(iii) in compliance with the PDPA and other requirements dealing with an individual’s access rights set out therein;
(i) without limiting the generality of subparagraph (g), with respect to correction rights, among other things, on request of an individual who has rights under the PDPA to correct an error or omission in that individual’s personal data, the Receiving Member shall:
(i) correct the personal data as soon as practicable; and
(ii) send the corrected personal data to every other organization to which the personal data was disclosed by the Receiving Member within a year before the date the correction was made, unless that other organization does not need the corrected personal data for any legal or business purpose;
(iii) in compliance with the PDPA and other requirements dealing with an individual’s correction rights set out therein;
(j) limit disclosure of such personal data to its employees, agents and professional advisers:
(i) on a need-to-know basis and only for the purposes of processing for which such personal data was disclosed by the Disclosing Member; and
(ii) who have been made aware of the obligations specified under these Rules and who agree to abide by the same;
(k) without prejudice to rule 4.1(e), not disclose or transfer any personal data received from the Disclosing Member to any other third party without the prior written approval of the Disclosing Member, and such disclosure shall be consistent with the ability of the Disclosing Member to disclose the personal data and upon such additional terms and conditions which the Disclosing Member may impose on it for such disclosure or transfer; and
(l) not transfer the personal data or any part thereof to another country (whether for data storage, back-up or otherwise), unless the consent of the individual whose personal data is to be transferred to another country has been obtained (except where an exception to such consent from the individual in question under the Data Protection Legislation applies) and the Disclosing Member has approved the same in writing. Further and subject to the aforesaid, where the personal data is to be transferred to another country, to take any such additional measures as are necessary to ensure that the personal data is transferred in accordance with the requirements of the Data Protection Legislation. Where appropriate or as required by law, transfer of personal data to a third party (except to other Members, for which these Rules shall apply) in another country shall be pursuant to written agreements between parties to ensure that the personal data will be adequately protected.
4.2 The Receiving Member shall promptly notify the Disclosing Member if any complaints are received about the processing of the personal data that it receives from the Disclosing Member. The Receiving Member shall not make any admissions or take any action which may be prejudicial to the defense or settlement of any such complaint and shall provide to the Disclosing Member such reasonable assistance as it may require in connection with such complaint.
4.3 Each Receiving Member undertakes to each Disclosing Member from whom it receives personal data that it is legally bound by and shall abide by these Rules and that any breach of these Rules by the Receiving Member shall permit the Disclosing Member to claim from the Receiving Member losses and damages that the Disclosing Member suffers arising from such breach. By these Rules, all Members agree that each Disclosing Member has rights under these Rules to enforce these Rules against the Receiving Member which receives personal data from the Disclosing Member and to claim losses and damages against the Receiving Member arising from a breach of these Rules by the Receiving Member.
Part 5 – Employee Undertakings
5.1 The Receiving Member shall, before it receives personal data from a Disclosing Member, obtain from those of its employees and agents to whom any personal data that it receives from the Disclosing Member is to be disclosed or who may in any way obtain access to any such personal data, enforceable undertakings in terms at least as binding upon the said employees and agents as the Receiving Member is bound to the Disclosing Member hereunder.
5.2 The Receiving Member shall take all reasonable steps to ensure the reliability of any of the Receiving Member’s employees and agents to whom any personal data is to be disclosed or who may have access to the personal data.
5.3 The Receiving Member shall ensure that all employees and agents involved in processing the personal data have undergone reasonably adequate training and testing in the care and handling of personal data.
5.4 For avoidance of doubt, the Receiving Member shall be and remain liable and responsible for the obligations of its employees and agents with regards to the access and/or processing of personal data that it receives from the Disclosing Member.
Part 6 – Return of Personal Data
6.1 Upon written request at any time by the Disclosing Member, the Receiving Member shall immediately cease all processing of the personal data and, as requested by the Disclosing Member, safely destroy the personal data or arrange for the prompt and safe return to the Disclosing Member on suitable media of all copies of the personal data held in whatever form by the Receiving Member or any third parties to whom the Receiving Member disclosed such personal data pursuant to these Rules. Where requested by the Disclosing Member, the Receiving Member shall certify that such destruction has taken place.
Part 7 – Structure and Contact Details of the Group and its Members
7.1 Please approach DPO for information on the structure and contact details of the Group and its Members.
Part 8 – Exceptions to these Rules
8.1 Members are prohibited from taking any action that is inconsistent with these Rules, unless with the prior written permission of [Group Compliance]. Such written permission shall be obtained through each Member’s DPO.
Part 9 – Reporting Violations
9.1 Each Member is to fully comply with these legally binding Rules.
9.2 Members and their staff are encouraged to report violations of these Rules to the staff designated to manage compliance issues for their respective Members.
9.3 The Management prohibits retaliation against any staff for the making of a good faith report of actual or suspected violations of these Rules, applicable laws and/or any other Group policies.
Part 10 – Audit
10.1 Group Internal Audit Division will review the compliance with these Rules during their audit of the Member. The objectives of audits are to examine and evaluate the effectiveness and adequacy of the Member’s internal control, governance process, level of compliance with internal policies and procedures and relevant regulatory requirements.
Part 11 – Further Information
For further information on these Rules and/or other policies relating to personal data protection, please seek assistance from your DPO.
Last updated: 18 October 2024