ASEAN: Data Management and Flow 


Two years ago, on January 22, 2021, the First Association of Southeast Asian Nations (ASEAN) Digital Ministers’ Meeting (ADGMIN) adopted the ASEAN Data Management Framework (DMF) and Model Contractual Clauses for Cross Border Data Flows (MCCs).


For your information, the ASEAN Member States are Brunei Darussalam, Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. In general, the DMF guides businesses, including SMEs, in setting up a data management system, especially data governance structures and safeguards. In addition to the DMF, the MCCs are template contractual terms and conditions that may be integrated into a binding legal agreement between parties transferring personal data to each other across borders.

What do you need to know about the DMF? 

The ASEAN Member States designed it as voluntary, non-binding guidance. Accordingly, they expected businesses to adapt it to their varying needs and tailor it to their own data management systems. In addition, the DMF refers to data in its general meaning in the business context, which may include personal data and business transactional data. Also, it may apply to all private sector businesses operating within the territory of the ASEAN Member States. It proposes high-risk based controls that are commensurate with the potential impact of the data being compromised. The DMF comprises 6 foundational components: (1) Governance and oversight, (2) Policy and procedural documents, (3) Data inventory, (4) Impact/Risk assessment, (5) Controls, and (6) Monitoring and continuous improvement. Together they aim to facilitate a corporate governance structure through which a business can define, manage and monitor its data management processes.

How to use ASEAN MCCs

Since the MCCs are a voluntary standard, entities may use their own template for cross-border data transfers between Controller-Controller or Controller-Processor in accordance with the ASEAN Framework on Personal Data Protection of 2016. The Personal Data Protection Commission of Singapore recommended that the parties may:

  1. specify the “data subject” definition, including persons living or deceased; 
  2. determine the time frame for notifying each other of any data breaches without undue delay, and for notifying the data protection authority, such as the PDPC (no later than 3 days, for example);
  3. include clauses allocating responsibility to contact individuals affected by data breaches; 
  4. not insert the Addendum of Additional Terms to the MCCs. 

Furthermore, MCCs may fulfil the obligation of transfer limitation under the Personal Data Protection Act of Singapore and the other Member States’ regimes based on the APEC Privacy Framework or OECD Privacy Guidelines. 

For more information about Asia: https://www.astraiagear.com/2023/02/06/eu-singapore-digital-partnership/
