Singapore — International Data Transfers

Section 26(1) of Singapore's Personal Data Protection Act 2012 (PDPA) imposes a categorical transfer restriction: an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide "a standard of protection to personal data so transferred that is comparable to the protection under the PDPA." The Personal Data Protection Commission (PDPC) calls this the Transfer Limitation Obligation.

The operative compliance framework is prescribed in Part III of the Personal Data Protection Regulations 2021 (PDPR 2021), effective 1 February 2021, which replaced the earlier 2014 regulations. Regulation 10(1) requires a transferring organisation (the Singapore entity that sends personal data overseas, or that arranges for a data intermediary to send the data on its behalf) to take "appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data is bound by legally enforceable obligations … to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Act."

"Comparable protection" is a functional, not territorial, standard. There is no PDPC-published adequacy list of countries. Instead, the transferring organisation must undertake its own due-diligence assessment of whether the recipient—regardless of location—will apply data-protection safeguards at least as strong as those in Part IV–VI of the PDPA (the Data Protection Provisions covering consent, purpose limitation, access, correction, accuracy, security, retention, and openness).

Regulatory mechanics under PDPR 2021 Regulation 10 and 11. A transferring organisation satisfies the Transfer Limitation Obligation if it ensures that the recipient is bound by legally enforceable obligations that cover:

1. Purpose, use, and disclosure limits comparable to PDPA sections 18–20 (use and disclose only for notified, consented purposes).
2. Security arrangements comparable to section 24 (reasonable safeguards against unauthorised access, modification, or disclosure).
3. Retention limits comparable to section 25 (cease retention when purposes are over and retention is no longer legally required).
4. Onward-transfer restrictions: if the recipient sends the data to a sub-processor or further territory, that onward transfer must meet the same comparable-protection standard.
5. Individual access and correction rights comparable to sections 21–22, unless an exception applies.

Regulation 11 specifies that "legally enforceable obligations" may take the form of a contract (e.g., data-processing agreement with transfer clauses), binding corporate rules (BCRs approved at group level), or statutory or regulatory obligations binding the recipient in its own jurisdiction. The PDPC has endorsed the ASEAN Model Contractual Clauses for Cross-Border Data Flows and published a Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data with template language. Use of these templates is not mandatory, but simplifies compliance demonstration.

Exceptions. Section 26(2) allows the PDPC to exempt a specific organisation or class of organisations from the requirements; any such exemption may be granted subject to conditions and need not be gazetted. The PDPA's statutory exceptions in the Third and Fourth Schedules (e.g., disclosure necessary to respond to an emergency threatening life or health, or for law-enforcement purposes) also relieve the Transfer Limitation Obligation in those narrow circumstances, as noted in the PDPC's Advisory Guidelines on the Transfer Limitation Obligation (2017).

PDPC enforcement. The PDPC has issued financial penalties for Transfer Limitation Obligation breaches. In Toll Logistics Asia Limited and Others [2022] SGPDPC 4, the Commission found that uploading employee personal data to an HR vendor's servers in the European Economic Area without ensuring the vendor was bound by comparable-protection obligations breached section 26. In Singapore Technologies Engineering Limited [2020] SGPDPC 21, the organisation's use of binding corporate rules that met Regulation 9(1)(b) of the earlier 2014 regulations was found sufficient to demonstrate compliance with the Transfer Limitation Obligation for intra-group transfers to the United States. These decisions underscore that the onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances before the transfer occurs, and to retain evidence of that due diligence.

The PDPC does not pre-approve individual contracts or BCRs; the transferring organisation bears the risk of its own assessment.

Source: Personal Data Protection Act 2012, s. 26 Source: Personal Data Protection Regulations 2021, regs. 10–11 Source: PDPC, Advisory Guidelines on the Transfer Limitation Obligation (27 July 2017).pdf) Source: [Toll Logistics Asia Limited and Others [2022] SGPDPC 4 (18 March 2022)](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision--toll-logistics-asia-limited-and-others--180322.pdf) Source: [Singapore Technologies Engineering Limited [2020] SGPDPC 21 (16 November 2020)](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision----st-engineering-ltd---16112020.pdf)

Regulation 9 of the Personal Data Protection Regulations 2021 (PDPR 2021) carves out two categories of personal data from the Transfer Limitation Obligation imposed by section 26(1) of the Personal Data Protection Act 2012 (PDPA). An organisation transferring personal data that falls within these categories is not required to ensure that the overseas recipient applies comparable protection; the transferring organisation may move the data out of Singapore without the due-diligence assessment, contractual safeguards, or binding corporate rules otherwise mandated by regulations 10–11. The two exempted categories are:

1. Personal data in transit (regulation 9(a)) — data that is "transferred through Singapore in the course of its onward transportation to another country or territory, but is not collected, used or disclosed in Singapore, except in connection with its transportation."

1. Publicly available personal data (regulation 9(b)) — data that is "publicly available."

Data in transit. Regulation 9(a) exempts data that merely passes through Singapore's territorial or network boundaries en route to a final destination. This provision addresses routing scenarios — for example, an email server in Malaysia relaying personal data through a Singaporean network node to a recipient in Australia without any Singapore-based organisation collecting, using, or disclosing the data for purposes unrelated to transmission. The exemption does not extend to temporary storage or processing that constitutes a separate collection, use, or disclosure in Singapore. The PDPC's Advisory Guidelines on the Transfer Limitation Obligation (27 July 2017) clarify that if an organisation in Singapore hosts, processes, or otherwise uses the data — even briefly — the Transit exemption ceases to apply and the full Transfer Limitation Obligation attaches.

Publicly available data. Regulation 9(b) exempts personal data that is "publicly available." The PDPA does not define "publicly available" in the statute itself; the PDPC's Advisory Guidelines explain that personal data is publicly available if:

• it has been made available to the public generally and there is no reasonable expectation that the data would remain private or confidential; or
• the individual has made the data publicly available and it would be reasonable, in the circumstances, to expect that the data might be accessed or collected by others.

The Guidelines illustrate the principle with several examples. Data posted on a publicly accessible social-media profile, published in a newspaper or telephone directory, or displayed on a public registry (e.g., a corporate register listing directors' names) is ordinarily publicly available. Conversely, data obtained by hacking into a restricted database, even if subsequently republished, does not become "publicly available" for PDPA purposes; the manner of collection determines the status, not merely the fact of later dissemination.

The public-availability exemption operates only at the point of transfer. Once personal data is transferred overseas under regulation 9(b), the overseas recipient is not bound by the PDPA's Data Protection Provisions (those apply only to organisations subject to Singapore law); however, the transferring organisation in Singapore remains subject to all other PDPA obligations (consent, purpose limitation, security, retention) in respect of the data it collected in Singapore. The exemption relieves only the Transfer Limitation Obligation, not the broader compliance framework.

No sectoral or PDPC exemption order required. The regulation 9 exemptions apply automatically if the factual conditions are satisfied. Unlike the discretionary exemption power in section 26(2) of the PDPA (which permits the PDPC to exempt specific organisations or classes of organisations by order), regulation 9 operates as a self-executing statutory carve-out. The transferring organisation bears the burden of demonstrating that the data falls within the exempted category if challenged by the PDPC during an investigation or enforcement proceeding.

The PDPC has not published a separate registry of exempt transfers, nor does it require notification of a regulation 9 transfer. Organisations should retain documentation (e.g., network-routing logs evidencing transit status, or evidence of the public nature of the data at the time of transfer) to satisfy the burden of proof in the event of a subsequent enforcement inquiry.

Source: Personal Data Protection Regulations 2021, reg. 9 Source: Personal Data Protection Act 2012, s. 26 Source: PDPC, Advisory Guidelines on the Transfer Limitation Obligation (27 July 2017).pdf)

The ASEAN Model Contractual Clauses for Cross Border Data Flows (ASEAN MCCs) are a standardized contract template that a Singapore transferring organisation may incorporate into its data-processing or service agreements with overseas recipients to satisfy the Transfer Limitation Obligation under section 26(1) of the Personal Data Protection Act 2012 (PDPA) and the "legally enforceable obligations" requirement in regulation 10 of the Personal Data Protection Regulations 2021 (PDPR 2021). The ASEAN MCCs were approved by the ASEAN Digital Ministers' Meeting on 22 January 2021 and are recognized by all ten ASEAN Member States. Singapore's Personal Data Protection Commission (PDPC) published jurisdiction-specific Guidance for Use of ASEAN Model Contractual Clauses in January 2021, revised September 2021, confirming that incorporation of the ASEAN MCCs satisfies the comparable-protection standard when implemented correctly.

Status and voluntary nature. Use of the ASEAN MCCs is voluntary, not mandatory. A Singapore organisation may instead draft its own bespoke transfer clauses, use binding corporate rules (BCRs), or rely on the recipient's statutory obligations in its home jurisdiction, provided any of those mechanisms deliver legally enforceable obligations covering the substance required by regulation 10(1) and regulation 11 (purpose limitation, security, retention, onward-transfer restrictions, and access/correction rights). However, the PDPC has expressly endorsed the ASEAN MCCs as a ready-made, pre-vetted tool that simplifies compliance demonstration. The PDPC does not pre-approve individual contracts or issue adequacy decisions; by publishing the Singapore Guidance, the Commission signals that faithful use of the ASEAN MCCs template will ordinarily meet the regulatory standard, shifting the transferring organisation's compliance burden from substantive contract drafting to correct tailoring and execution.

Structure and modular approach. The ASEAN MCCs adopt a modular structure to accommodate different transfer scenarios. Parties select the module that matches their relationship:

• Module 1 (Controller to Controller) — the data exporter (Singapore organisation) and data importer (overseas recipient) both determine purposes and means of processing.
• Module 2 (Controller to Processor) — the Singapore controller engages an overseas processor that processes personal data on the controller's documented instructions.
• Module 3 (Processor to Sub-Processor) — an overseas processor (already engaged by a Singapore or third-country controller) sub-contracts processing to another overseas entity.

The parties delete irrelevant modules and complete the mandatory annexes specifying: (1) a description of the transfer (categories of data subjects, types of personal data, purposes); (2) the list of sub-processors (if any); (3) technical and organisational security measures the data importer will apply; and (4) the ASEAN Member State law(s) or other data-protection framework governing the parties. The PDPC's Singapore Guidance emphasizes that Annex completion is not optional — failing to specify the safeguards, purposes, and data categories renders the MCCs unenforceable and defeats the comparable-protection standard.

Core substantive obligations in the ASEAN MCCs. The template clauses impose on the data importer (overseas recipient) binding obligations that mirror the PDPA Data Protection Provisions in Part IV–VI:

1. Purpose limitation (Clause 4.1) — the data importer may process personal data only for the purposes specified in the annexes and must not use or disclose the data for any other purpose unless the data exporter consents or an exception applies.
2. Security arrangements (Clause 4.3) — the data importer must implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, taking into account the nature of the data and the risks.
3. Retention limitation (Clause 4.4) — personal data must be retained only as long as necessary for the specified purposes or as required by law, and must be securely destroyed or anonymised thereafter.
4. Onward transfer (Clause 4.6) — if the data importer sends personal data to a sub-processor or further territory, the importer must ensure that the sub-processor is bound by substantially the same obligations (via contract, BCRs, or applicable law) and remains liable for the sub-processor's breach.
5. Data subject rights (Clause 4.7) — the data importer must, upon request from the data exporter, assist in enabling data subjects to exercise their rights of access, correction, and (where applicable) withdrawal of consent, unless an exception under the data exporter's jurisdiction applies.
6. Breach notification (Clause 4.8) — the data importer must notify the data exporter without undue delay upon becoming aware of a personal data breach that affects the transferred data, enabling the data exporter to comply with the PDPA's breach-notification obligations under sections 26B–26D.

These substantive obligations are mandatory; the PDPC Guidance notes that amendments or additional clauses may be added to reflect commercial arrangements but must not contradict, reduce, or nullify the data-protection obligations in the MCCs.

Optional clauses and flexibility. The ASEAN MCCs include optional clauses that parties may elect to include, such as provisions on audit rights, dispute resolution mechanisms, and governing law. The PDPC's Singapore Guidance notes that because the ASEAN MCCs are designed to accommodate the diverse legal maturity of ASEAN member states—three have comprehensive data-protection laws (Singapore, Malaysia, Philippines) while others are still developing their frameworks—the template is more flexible than the EU Standard Contractual Clauses (SCCs). Parties may tailor annexes and optional clauses to commercial needs, but the core protection obligations must remain intact to satisfy regulation 10.

Integration with the ASEAN Data Management Framework (DMF). The ASEAN MCCs are intended to work in conjunction with the ASEAN Data Management Framework, a step-by-step operational guide for implementing data governance structures, technical safeguards, and security measures. The PDPC has encouraged data importers in jurisdictions without mature data-protection laws to use the DMF as a practical implementation roadmap for the contractual promises in the MCCs. For Singapore transferring organisations, this means that during due-diligence assessment under regulation 10(1), confirming that the overseas recipient has adopted DMF-aligned practices provides additional assurance that the comparable-protection standard will be met in practice, not merely on paper.

Relationship to EU Standard Contractual Clauses and cross-border interoperability. In May 2023 the PDPC and the European Commission published a Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses, mapping the substantive overlaps and divergences between the two instruments. For a Singapore organisation transferring personal data to an EU-based recipient (or vice versa), the Joint Guide clarifies which clauses in the ASEAN MCCs correspond to which modules in the EU SCCs, facilitating contractual negotiation and dual compliance. A Singapore exporter may incorporate both the ASEAN MCCs and EU SCCs into a single contract where necessary to satisfy both Singapore's regulation 10 and the GDPR's Chapter V transfer requirements. In January 2025 ASEAN and the Ibero-American Data Protection Network (RIPD) published a similar Joint Mapping Guide comparing the ASEAN MCCs to the RIPD MCCs for transfers to Latin America, furthering the PDPC's stated policy goal of enabling data free flow with trust through interoperable transfer instruments.

PDPC enforcement and contract as evidence. The PDPC does not pre-certify that a specific contract satisfies regulation 10; the transferring organisation bears the onus of demonstrating compliance if challenged. In enforcement decisions, the Commission has treated the existence of contractually binding transfer clauses as strong evidence of compliance, while the absence of such clauses has been cited as a breach. In Toll Logistics Asia Limited and Others [2022] SGPDPC 4, uploading employee data to an EEA-based HR vendor without ensuring the vendor was bound by comparable-protection obligations was found to breach section 26. Conversely, in Singapore Technologies Engineering Limited [2020] SGPDPC 21, binding corporate rules that met the earlier 2014 regulation 9(1)(b) standard were found sufficient for intra-group transfers to the United States. Organisations using the ASEAN MCCs should retain executed contracts and completed annexes as documentary evidence of compliance in the event of a PDPC investigation, audit, or data-breach incident requiring explanation of the transfer chain.

Where to access the ASEAN MCCs. The official text of the ASEAN Model Contractual Clauses and annexes is published by the ASEAN Secretariat and linked from the PDPC's Guide to Cross-Border Data Transfers resource page. The PDPC's Guidance for Use of ASEAN Model Contractual Clauses and the Joint Guides to EU SCCs and RIPD MCCs are published on the PDPC website under practical guidance resources. No registration or notification to the PDPC is required to use the ASEAN MCCs; they are a self-executing compliance tool.

Source: PDPC, Guidance for Use of ASEAN Model Contractual Clauses (January 2021, revised September 2021) Source: Personal Data Protection Regulations 2021, regs. 10–11 Source: Personal Data Protection Act 2012, s. 26 Source: PDPC announcement, ASEAN Data Management Framework and Model Contractual Clauses (22 January 2021) Source: PDPC announcement, Joint Guide to ASEAN MCCs and EU SCCs (24 May 2023) Source: PDPC, Guide to Cross-Border Data Transfers

Binding corporate rules (BCRs) are a legally enforceable transfer mechanism available to multinational corporate groups that wish to implement a single, enterprise-wide data-protection framework governing intra-group transfers of personal data out of Singapore. Under regulation 11(1)(c) of the Personal Data Protection Regulations 2021 (PDPR 2021), a Singapore transferring organisation may satisfy the Transfer Limitation Obligation imposed by section 26 of the Personal Data Protection Act 2012 (PDPA) by ensuring that the overseas recipient is bound by BCRs, provided the recipient is a related organisation and the BCRs meet the substantive requirements prescribed in regulation 11(3). The Personal Data Protection Commission (PDPC) has confirmed in enforcement decisions that properly implemented BCRs demonstrate compliance with the comparable-protection standard, obviating the need for individual contracts or assessments for every transfer within the group.

Scope: BCRs apply only to intra-group transfers. Regulation 11(3) limits the use of BCRs to transfers between related organisations. Regulation 11(5) defines "related" for this purpose: a recipient is related to the transferring organisation if:

1. the recipient, directly or indirectly, controls the transferring organisation;
2. the recipient is, directly or indirectly, controlled by the transferring organisation; or
3. the recipient and the transferring organisation are, directly or indirectly, under the control of a common person (for example, a parent holding company that controls both the Singapore entity and the overseas affiliate).

"Control" takes its ordinary corporate law meaning—the power to direct the management and policies of the entity, typically through majority ownership, voting rights, or contractual arrangements. The PDPC's Advisory Guidelines on the Transfer Limitation Obligation (27 July 2017) note that BCRs may be adopted where a recipient is an organisation related to the transferring organisation and is not already subject to other legally enforceable obligations (such as a contract or local law) that provide comparable protection. In practice, BCRs are designed for multinational groups that wish to centralize data-governance commitments rather than negotiate bilateral data-processing agreements between every pair of affiliates.

Substantive requirements under regulation 11(3). To satisfy the Transfer Limitation Obligation, BCRs must meet three mandatory conditions:

1. Comparable-protection standard. The BCRs must require every recipient (every entity within the group to which the BCRs apply) to provide a standard of protection to the transferred personal data that is at least comparable to the protection under the PDPA. This mirrors the general obligation in regulation 10(1) and means the BCRs must address the substantive data-protection principles in Part IV–VI of the PDPA, including purpose limitation (sections 18–20), security arrangements (section 24), retention limitation (section 25), accuracy (section 23), and access and correction rights (sections 21–22). The PDPC's 2017 Advisory Guidelines clarify that "comparable protection" is a functional standard, not a requirement that the receiving country's national law match the PDPA verbatim; the BCRs themselves supply the enforceable framework.

1. Specification of recipients. The BCRs must specify the recipients of the transferred personal data to which the binding corporate rules apply—in other words, the covered entities within the group. This enables both the data subject and the PDPC to identify which organisations are bound by the BCRs and therefore accountable for compliance. A global BCR policy typically includes a schedule or annex listing all subsidiaries, joint ventures, or affiliates covered by the framework, updated periodically as the corporate structure evolves.

1. Specification of permitted destination countries and territories. The BCRs must specify the countries and territories to which the personal data may be transferred under the BCRs. This requirement parallels the contract specification in regulation 11(2)(b) and ensures that the transferring organisation has assessed the data-protection landscape in each destination jurisdiction. The BCRs may specify "all countries in which group entities operate" or list jurisdictions individually, but the specification must be clear and documented.

1. Specification of rights and obligations. The BCRs must specify the rights and obligations provided by the binding corporate rules. Regulation 11(3)(c) requires an enumeration of the substantive commitments—for example, the purposes for which personal data may be used, the security measures each recipient will implement, the data subject rights (access, correction, withdrawal of consent) and how individuals may exercise them, the procedures for onward transfers within or outside the group, and the breach-notification protocols. The PDPC has not prescribed a mandatory BCR template, but the regulation's language mirrors the EU GDPR's BCR requirements under Articles 47 and 4(20); organisations drafting BCRs often benchmark against EU-approved BCR models for comprehensiveness and interoperability.

No PDPC pre-approval or certification process. Unlike the EU GDPR regime, which requires BCRs to be approved by a lead supervisory authority under the Article 63–64 consistency mechanism, Singapore's PDPR 2021 operates on a self-assessment basis. The PDPC does not pre-approve, certify, or maintain a public registry of BCRs. A Singapore transferring organisation bears the onus of ensuring that its BCRs satisfy regulation 11(3) and the comparable-protection standard. The PDPC will assess whether BCRs meet the regulatory standard only in the course of an investigation, audit, or enforcement proceeding following a complaint or data breach. Organisations should retain documentary evidence that the BCRs have been adopted (board resolution, group policy directive), communicated to covered entities, and implemented in practice (training records, audit reports, internal compliance certifications).

Relationship to the EU GDPR and cross-border BCR interoperability. Many Singapore-headquartered multinationals or regional subsidiaries of EU groups operate under BCRs originally approved by an EU supervisory authority. Regulation 11(3) does not require Singapore-specific BCRs; an existing EU-approved BCR may satisfy the PDPR 2021 standard if it covers the Singapore entity and addresses the PDPA Data Protection Provisions. The PDPC's 2017 Advisory Guidelines note that Singapore's BCR framework is designed to promote interoperability with the EU GDPR and APEC CBPR systems. A transferring organisation relying on EU BCRs should document how the EU BCRs satisfy the four regulation 11(3) elements—particularly the specification of recipients and permitted destination countries, which may need to be updated if the EU BCRs were drafted before the Singapore entity joined the group. Conversely, a Singapore organisation drafting BCRs for the first time may wish to adopt language that mirrors EU GDPR Article 47 to facilitate future adequacy assessments or to satisfy European data-protection authorities if the group also operates in the EU.

PDPC enforcement precedent: BCRs as evidence of compliance. In Re Singapore Technologies Engineering Limited [2020] SGPDPC 21, the PDPC found that the organisation's use of binding corporate rules governing intra-group transfers from Singapore to the United States satisfied the Transfer Limitation Obligation under the earlier Personal Data Protection Regulations 2014. The decision noted that the BCRs specified the permitted purposes for transfer, the data-protection obligations of the receiving company, and the protection and security of personal data, thereby meeting the substantive requirements then codified in regulation 9(1)(b) of the 2014 regulations (now regulation 11(3) of the 2021 regulations). The PDPC's positive finding in ST Engineering demonstrates that properly drafted and implemented BCRs are an accepted and effective compliance mechanism.

Conversely, in Re NUI Galway and NewRIIS [2021] SGPDPC 5, the PDPC found that the organisations breached section 26 by failing to put in place intra-group agreements or binding corporate rules before transferring personal data of 44 Singapore employees to affiliated entities in the United Kingdom. The Deputy Commissioner directed the organisations to "put in place intra-group agreements or binding corporate rules for compliance with section 26 of the PDPA in relation to any personal data transferred out of Singapore" within 30 days. The decision underscores that the absence of BCRs (or an equivalent contractual framework) when transferring data to related entities abroad, even when the recipient is located in a jurisdiction with a mature data-protection law (the UK GDPR was in force at the time), constitutes a breach of the Transfer Limitation Obligation. The transferring organisation must affirmatively ensure that the recipient is bound by legally enforceable obligations; it is not sufficient to assume that the recipient's local law automatically provides comparable protection without documenting that assessment and, where necessary, implementing supplementary contractual or BCR commitments.

Interaction with APEC CBPR and other transfer mechanisms. Regulation 12 of the PDPR 2021 provides an alternative pathway: if the overseas recipient holds a valid APEC Cross-Border Privacy Rules (CBPR) certification or APEC Privacy Recognition for Processors (PRP) certification, the recipient is deemed to satisfy the comparable-protection standard, and the transferring organisation need not rely on a contract or BCRs. However, APEC CBPR certification is an individual entity certification, not a group-wide instrument. For a multinational group with dozens of affiliates in multiple jurisdictions, implementing BCRs may be administratively simpler and more cost-effective than obtaining separate APEC certifications for each recipient entity. BCRs and APEC CBPR are complementary, not mutually exclusive; an organisation may rely on BCRs for intra-group transfers to affiliates that lack APEC certification, while relying on regulation 12 for transfers to certified entities.

Practical implementation: drafting, adoption, and enforcement. To implement BCRs, a Singapore transferring organisation should:

• Draft a comprehensive BCR policy that addresses the four regulation 11(3) elements and the substantive PDPA obligations (purpose limitation, security, retention, access, correction, onward transfer, breach notification).
• Obtain binding commitment from all covered entities—typically through a board resolution, deed of adherence, or group policy directive signed by authorized representatives of each affiliate, making the BCRs legally enforceable against each recipient.
• Specify governance and accountability mechanisms: designate a BCR coordinator or group privacy officer responsible for monitoring compliance across the group, conducting audits, and updating the BCRs as the corporate structure or regulatory landscape changes.
• Communicate the BCRs to data subjects: the PDPC's openness obligation (section 13 PDPA) requires organisations to make available information about their data-protection policies. Many BCR-compliant groups publish a summary of the BCRs on their websites, explaining that personal data may be transferred within the group under binding data-protection commitments and providing contact information for data subject requests.
• Retain evidence of implementation: audit reports, training records, internal compliance certifications, and incident-response logs demonstrating that the BCRs are applied in practice, not merely adopted on paper.

The PDPC has not prescribed a minimum BCR review cycle, but as a matter of good governance, organisations should review and update BCRs at least annually or whenever there is a material change in the group structure, the jurisdictions in which the group operates, or the data-protection laws in those jurisdictions.

No notification to the PDPC required. Unlike some EU member states that maintain national BCR registries, Singapore does not require organisations to notify the PDPC of BCR adoption or to submit the BCRs for review. BCRs are a self-executing compliance tool under regulation 11(1)(c). The transferring organisation is free to rely on BCRs immediately upon adoption, and the PDPC will assess their adequacy only if an investigation arises. Organisations should treat the absence of pre-approval as an invitation to robust internal governance, not as an excuse for minimal compliance.

Source: Personal Data Protection Regulations 2021, reg. 11 Source: Personal Data Protection Act 2012, s. 26 Source: PDPC, Advisory Guidelines on the Transfer Limitation Obligation (27 July 2017).pdf) Source: [Re Singapore Technologies Engineering Limited [2020] SGPDPC 21 (16 November 2020)](https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/commissions-decisions/decision----st-engineering-ltd---16112020.pdf) Source: [Re NUI Galway and NewRIIS [2021] SGPDPC 5 (23 June 2021)](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NUI-and-NewRIIS--23062021.pdf)

Regulation 12 of the Personal Data Protection Regulations 2021 (PDPR 2021) provides a streamlined transfer pathway that eliminates the due-diligence and contractual-safeguard requirements otherwise mandated under regulations 10–11 when a Singapore transferring organisation sends personal data to an overseas recipient that holds a valid APEC Cross-Border Privacy Rules (CBPR) certification or APEC Privacy Recognition for Processors (PRP) certification. An overseas recipient holding either certification is deemed to satisfy the comparable-protection standard required by section 26(1) of the Personal Data Protection Act 2012 (PDPA), and the Singapore transferring organisation may transfer personal data to that recipient without executing a data-processing contract, binding corporate rules, or conducting a jurisdiction-by-jurisdiction assessment of the recipient's data-protection framework. Singapore's Personal Data Protection Commission (PDPC) announced recognition of APEC CBPR and PRP certifications as stand-alone transfer mechanisms on 1 June 2020, effective immediately, and the recognition was codified in regulation 12 when the PDPR 2021 came into force on 1 February 2021.

The APEC CBPR and PRP Systems: multilateral accountability frameworks. The APEC Cross-Border Privacy Rules System and the APEC Privacy Recognition for Processors System are voluntary, multilateral certification schemes developed under the Asia-Pacific Economic Cooperation (APEC) Privacy Framework. The Systems establish a network of certified organisations that have demonstrated, through independent third-party assessment by an approved Accountability Agent, that their data-protection policies and practices comply with the APEC Privacy Framework's nine substantive principles: preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. The CBPR System applies to controllers (organisations that control the collection, use, and disclosure of personal data), while the PRP System applies to processors (organisations that process personal data on behalf of controllers under documented instructions). Both Systems require the applicant organisation to implement enforceable policies, undergo assessment by the Accountability Agent, remediate any identified gaps, and receive a formal certification that is renewable periodically.

Regulation 12 deemed-compliance rule. Regulation 12(1) of the PDPR 2021 states that for the purposes of section 26(1) of the Act, a transferring organisation is taken to have met the requirement in regulation 10(1) in respect of a transfer of personal data outside Singapore to a recipient, if the recipient has and maintains a valid certification under the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System or the Asia-Pacific Economic Cooperation Privacy Recognition for Processors System. This language establishes a legal presumption: the overseas recipient's APEC certification is treated as proof that the recipient is bound by legally enforceable obligations providing a standard of protection at least comparable to the PDPA. The transferring organisation need not execute a contract, adopt binding corporate rules, or independently verify the recipient's data-protection practices. The certification itself satisfies the Transfer Limitation Obligation under section 26(1) PDPA.

Practical application: verifying a recipient's certification. To rely on regulation 12, a Singapore transferring organisation should confirm that the overseas recipient holds a current, valid APEC CBPR or PRP certification. The PDPC's 1 June 2020 announcement states that "an overseas recipient that is CBPR- or PRP-certified is considered legally bound to provide comparable protection for the transferred personal data to the PDPA" and that "organisations in Singapore can thus easily transfer personal data to the overseas recipient without meeting additional requirements." The transferring organisation should confirm:

1. The overseas recipient's name and jurisdiction appear on an Accountability Agent's current certification list.
2. The certification type matches the recipient's role: CBPR certification for a controller, PRP certification for a processor.
3. The certification is current, meaning it has not expired and the recipient has not been suspended or decertified.

The transferring organisation should document the verification (for example, a screenshot of the Accountability Agent's registry entry, dated and retained in the organisation's compliance files) to demonstrate due diligence in the event of a subsequent PDPC investigation or audit.

Interaction with other transfer mechanisms: regulation 12 as an alternative pathway. Regulation 12 operates as one of several acceptable transfer mechanisms under Part III of the PDPR 2021. A Singapore transferring organisation may rely on regulation 12 if the recipient holds a valid APEC CBPR or PRP certification, or may instead rely on regulation 10 (due-diligence assessment and contractual safeguards, including ASEAN Model Contractual Clauses) or regulation 11 (binding corporate rules for intra-group transfers) even when the recipient is APEC-certified. The mechanisms are not mutually exclusive. In practice, many organisations that have implemented ASEAN MCCs or BCRs covering an entire vendor base or corporate group may continue using those instruments for consistency, treating the APEC certification as an additional layer of assurance.

Scope limitation: APEC certification does not override consent or other PDPA obligations. Regulation 12 relieves the transferring organisation only of the Transfer Limitation Obligation under section 26(1) PDPA—the requirement to ensure the overseas recipient applies comparable protection. The transferring organisation remains subject to all other PDPA obligations in respect of the personal data it collects, uses, and discloses in Singapore, including:

• Consent (section 13 PDPA): the organisation must obtain the individual's consent for the collection, use, and disclosure of personal data, unless an exception applies. The fact that the data will be transferred to an APEC-certified recipient does not, by itself, constitute consent; the organisation must notify the individual of the intended transfer and obtain consent (or rely on deemed consent or an exception).
• Purpose limitation (sections 18–20 PDPA): personal data must be used and disclosed only for purposes the individual was informed of and consented to.
• Security (section 24 PDPA): the transferring organisation must implement reasonable security safeguards to protect personal data in its possession or under its control, including during transmission to the overseas recipient.
• Retention (section 25 PDPA): personal data must be retained only as long as necessary for the stated purposes or as required by law.
• Breach notification (sections 26B–26D PDPA): if a data breach affecting the transferred data occurs (whether in Singapore or overseas), the transferring organisation must notify the PDPC and affected individuals if the breach is notifiable under the Personal Data Protection (Notification of Data Breaches) Regulations 2021.

The PDPC's June 2020 announcement emphasizes that regulation 12 creates a streamlined transfer process, not a blanket exemption from data-protection obligations. Transferring organisations must still comply with the full suite of PDPA Data Protection Provisions when handling personal data in Singapore.

Relationship to EU Standard Contractual Clauses and cross-border interoperability. Singapore's recognition of APEC CBPR and PRP certifications as stand-alone transfer mechanisms differs from the European Union's GDPR, which does not formally recognize APEC certifications as an adequacy mechanism under GDPR Chapter V. A Singapore-headquartered multinational that transfers personal data to an APEC-certified recipient in the United States may rely on regulation 12 to satisfy the PDPA Transfer Limitation Obligation, but if the same data includes personal data of EU data subjects (e.g., European employees of the Singapore company), the organisation must also satisfy GDPR Article 46 transfer requirements—typically by executing EU Standard Contractual Clauses or relying on approved Binding Corporate Rules under Article 47. A Singapore organisation may incorporate both regulation 12 (for PDPA compliance) and EU SCCs (for GDPR compliance) into the same vendor relationship without conflict; each instrument satisfies the requirements of its respective legal framework.

PDPC enforcement posture and reliance on certifications. The PDPC's June 2020 announcement and the Commissioner's remarks at the 53rd Asia Pacific Privacy Authorities Forum (2 June 2020) make clear that organisations may rely in good faith on the validity of a recipient's APEC certification as proof of comparable protection. The Commissioner stated that Singapore's recognition of APEC CBPR and PRP "means that personal data flows between Singapore and Japan companies within the APEC CBPR and PRP system can become seamless as more companies are certified." If an overseas recipient's APEC certification is later found to have been fraudulently obtained, or if the recipient is decertified due to non-compliance, the transferring organisation's documented reliance on the certification at the time of transfer would be a relevant factor in any subsequent PDPC investigation. Conversely, if the transferring organisation knew or should have known that the recipient's APEC certification had expired, been suspended, or was otherwise invalid, relying on regulation 12 would not excuse a Transfer Limitation Obligation breach.

Promotion and uptake: Singapore's role in the APEC Systems. The PDPC announced in June 2020 that CrimsonLogic was certified as Singapore's first APEC CBPR company, with additional companies in the pipeline. The Commissioner noted at the 2 June 2020 APPA Forum that "we have five more companies in the pipeline" and expressed the intention to "work with like-minded counterparts in Australia, Japan, Republic of Korea, Philippines and the United States to promote this network." The PDPC has promoted APEC CBPR and PRP certifications as a mechanism to facilitate seamless data flows with other APEC-certified entities in participating economies.

Unable to confirm as of 2026-06-02: the total number of Singapore organisations currently holding APEC CBPR or PRP certifications; the names and accreditation status of all Accountability Agents authorized to certify Singapore-based organisations; the availability and terms of government grant funding for APEC certification costs; and the operational status of the Global CBPR and Global PRP systems or any formal PDPC recognition of Global CBPR/PRP certifications.

No PDPC pre-approval or notification required. Regulation 12 operates as a self-executing compliance tool. A Singapore transferring organisation is not required to notify the PDPC before transferring personal data to an APEC-certified recipient, to submit documentation of the recipient's certification, or to obtain PDPC pre-approval of the transfer. The organisation should, as a matter of internal governance, document the verification of the recipient's certification and retain that documentation in the organisation's compliance files, but no filing with the PDPC is necessary. The PDPC will assess the transferring organisation's reliance on regulation 12 only in the course of an investigation, audit, or enforcement proceeding following a complaint or data breach.

Source: Personal Data Protection Regulations 2021, reg. 12 Source: Personal Data Protection Act 2012, s. 26 Source: PDPC announcement, Singapore Now Recognises APEC CBPR and PRP Certifications Under PDPA (1 June 2020) Source: PDPC, Welcome Address by Commissioner Tan Kiat How at 53rd Asia Pacific Privacy Authorities Forum (2 June 2020)

Regulation 12 of the Personal Data Protection Regulations 2021 (PDPR 2021) establishes a deemed-compliance pathway for international data transfers: if an overseas recipient holds a valid certification under the APEC Cross-Border Privacy Rules (CBPR) System or the APEC Privacy Recognition for Processors (PRP) System, that recipient is automatically deemed to be bound by legally enforceable obligations providing a standard of protection comparable to the PDPA, and the Singapore transferring organisation satisfies the Transfer Limitation Obligation imposed by section 26(1) of the Personal Data Protection Act 2012 (PDPA) without needing a separate contract, binding corporate rules, or jurisdiction-by-jurisdiction due-diligence assessment. The Personal Data Protection Commission (PDPC) endorsed this pathway in June 2020, stating that "an overseas recipient that is CBPR- or PRP-certified is considered legally bound to provide comparable protection for the transferred personal data to the PDPA."

Regulation 12 mechanics: automatic recognition of APEC certifications. Regulation 12(1) provides that if the overseas recipient holds a "specified certification"—defined in regulation 12(2) as certification under the APEC CBPR System or the APEC PRP System—that is granted or recognised under the law of the country or territory to which the personal data is transferred, the recipient is deemed to satisfy the comparable-protection standard and the regulation 10(1) requirement for legally enforceable obligations. The Singapore transferring organisation need not negotiate contractual clauses, implement binding corporate rules, or conduct a separate assessment of the recipient's jurisdiction. The existence of the valid APEC certification itself constitutes sufficient evidence of compliance.

Regulation 12 operates as a safe harbour. It is one of several pathways available to satisfy the Transfer Limitation Obligation, alongside contracts (regulation 11(1)(a)), binding corporate rules for intra-group transfers (regulation 11(1)(c)), or relying on the recipient's domestic law where that law provides comparable protection (regulation 11(1)(a)). A transferring organisation may choose the APEC certification pathway if the overseas recipient holds the certification; if the recipient is not certified, the transferring organisation must use one of the alternative mechanisms.

APEC CBPR System — certification for data controllers. The APEC Cross-Border Privacy Rules (CBPR) System is a voluntary accountability-based certification framework developed by the Asia-Pacific Economic Cooperation (APEC) forum and launched in 2011. It applies to organisations that act as controllers (determine purposes and means of processing) and certifies that the organisation's data-protection policies and practices conform to the APEC Privacy Framework, a set of nine information privacy principles covering notice, collection limitation, uses of personal data, choice, integrity of personal data, security safeguards, access and correction, and accountability. As of June 2026, eleven APEC economies participate in the CBPR System: Australia, Canada, Japan, Mexico, the Philippines, Singapore, South Korea, Taiwan, the United Kingdom (an acceded economy), the United States, and Vietnam.

To obtain APEC CBPR certification, an organisation applies to an Accountability Agent appointed by its home jurisdiction. Singapore's Accountability Agent is the Infocomm Media Development Authority (IMDA), appointed in July 2019. The Accountability Agent assesses the applicant's privacy program against the CBPR requirements, which include a documented privacy policy, technical and organisational security measures, breach-response procedures, individual access and correction mechanisms, and accountability measures such as staff training and third-party oversight. The certification is entity-specific (granted to a named legal entity, not to a corporate group or product line), valid for a fixed term (typically two years), renewable, and subject to periodic compliance verification by the Accountability Agent. IMDA maintains a public registry of CBPR-certified Singapore organisations on the IMDA APEC CBPR/PRP webpage, and the APEC Secretariat maintains a global registry of all certified organisations across participating economies.

APEC PRP System — certification for data processors. The APEC Privacy Recognition for Processors (PRP) System, launched in 2011 alongside CBPR, certifies organisations that act as processors (process personal data on behalf of and under the instructions of a controller, such as cloud-service providers, payroll administrators, marketing agencies, or data-analytics firms). The PRP System verifies that the processor's practices conform to a subset of the APEC Privacy Framework principles relevant to processor responsibilities: security safeguards, breach notification, integrity and retention of data, accountability, and choice regarding onward transfers. The same eleven APEC economies participate in the PRP System, and IMDA serves as Singapore's Accountability Agent for PRP certifications. The certification process, validity period, and public-registry architecture mirror the CBPR System. An organisation may hold both CBPR and PRP certifications if it acts as a controller for some processing activities and as a processor for others.

Regulatory basis in Singapore: effective 2 June 2020. The PDPC introduced recognition of APEC CBPR and PRP certifications as a transfer mechanism by amending the Personal Data Protection Regulations in June 2020. Regulation 9(1)(c) of the Personal Data Protection Regulations 2014 (the predecessor to PDPR 2021) was amended by the Personal Data Protection (Amendment No. 2) Regulations 2020, which came into operation on 2 June 2020, to insert the certification pathway. When the 2014 regulations were revoked and replaced by PDPR 2021 on 1 February 2021, the certification pathway was carried forward as regulation 12. The PDPC announced the change on 9 June 2020, stating that Singapore "now recognises APEC CBPR and PRP certifications under PDPA" and that certified overseas recipients are "considered legally bound to provide comparable protection."

Cross-border interoperability and policy rationale. The PDPC's endorsement of APEC CBPR and PRP certifications reflects Singapore's policy commitment to the APEC Privacy Framework and to facilitating "data free flow with trust" across APEC economies. In a September 2021 speech, PDPC Deputy Commissioner Yeong Zee Kin described APEC CBPR and PRP as "comprehensive certification mechanisms for cross-border data transfers" that have "the advantage of allowing for intra- and inter-company transfers between certified companies in participating APEC member economies." The Deputy Commissioner noted that certification "builds momentum for certification to become a global norm for cross-border transfers" and could enable "only one approval process" if non-APEC countries adopt interoperable mechanisms. For Singapore organisations, the practical value of regulation 12 is that transfers to a CBPR- or PRP-certified recipient in Japan, the United States, Australia, Canada, or another participating APEC economy require no additional contractual negotiation—the transferring organisation verifies the recipient's certification status on the public registry, documents that verification, and proceeds with the transfer.

Practical implementation: verification and documentation. To rely on regulation 12, a Singapore transferring organisation should:

1. Verify the recipient's certification status on the public registry maintained by the recipient's home-economy Accountability Agent or on the APEC global registry. CBPR and PRP certifications are entity-specific and time-limited; the transferring organisation must confirm that the certification is current and covers the specific legal entity to which data will be transferred (not merely a parent company or affiliate).

1. Document the verification in the organisation's records. The PDPC does not require notification or pre-approval of APEC-certified transfers, but the transferring organisation bears the onus of demonstrating compliance if challenged. Retain a timestamped copy of the recipient's registry entry or certification certificate.

1. Monitor certification status during the relationship. APEC certifications expire and must be renewed. The PDPC's sample contractual clause for APEC-certified transfers (published June 2020) includes language requiring the recipient to "maintain its certification … during the term of this Agreement, and promptly notify the disclosing party of any change in the receiving party's certification status." Including such a clause in the service agreement or data-processing addendum provides contractual assurance that the recipient will notify the transferring organisation if the certification lapses, enabling the transferring organisation to switch to an alternative transfer mechanism (contract, BCRs) before the Transfer Limitation Obligation is breached.

1. Apply regulation 12 only to the certified entity. APEC certifications do not extend to corporate affiliates or sub-processors. If the CBPR- or PRP-certified recipient engages a sub-processor or onward-transfers data to an affiliate, the transferring organisation must ensure that the sub-processor or affiliate is itself APEC-certified, or that the primary recipient binds the sub-processor or affiliate by contract or BCRs meeting the regulation 10(1) standard. The regulation 12 safe harbour is narrow: it deems the certified recipient bound by comparable-protection obligations, not any downstream party.

Interaction with other transfer mechanisms. Regulation 12 does not displace or supersede contracts or binding corporate rules. A Singapore organisation may:

• rely on regulation 12 alone if the recipient is APEC-certified and the organisation prefers to avoid negotiating transfer clauses;
• use both regulation 12 and a contract (for example, incorporating the PDPC's sample clause into a data-processing agreement to require the recipient to maintain certification and notify if it lapses); or
• draft a contract that provides for alternative transfer mechanisms: regulation 12 while the recipient is APEC-certified, and contractual transfer clauses (ASEAN MCCs, bespoke clauses) that automatically govern if certification lapses.

The PDPC's Advisory Guidelines on the Transfer Limitation Obligation (2017, not yet updated to reflect regulation 12) do not require that a single transfer rely on only one mechanism. Layering regulation 12 with a contract is a belt-and-suspenders approach that many practitioners adopt to ensure continuity of compliance if the recipient's certification expires before renewal.

APEC CBPR/PRP versus ASEAN MCCs. APEC CBPR and PRP certifications and the ASEAN Model Contractual Clauses (ASEAN MCCs) are complementary, not competing transfer mechanisms. ASEAN MCCs apply to any overseas recipient in any jurisdiction, APEC-economy or otherwise, provided the parties execute the contract. APEC certifications apply only to recipients in APEC-participating economies that hold a valid certification. For a Singapore-to-Malaysia transfer, both mechanisms are available (Malaysia participates in APEC CBPR/PRP and is an ASEAN member state). For a Singapore-to-India transfer, only the ASEAN MCCs (or bespoke contract, or BCRs if intra-group) are available because India does not participate in APEC CBPR/PRP. For a Singapore-to-United-States transfer, APEC CBPR/PRP is often simpler administratively—many U.S. cloud and SaaS providers hold APEC PRP certification—whereas negotiating ASEAN MCCs with a U.S. counterparty unfamiliar with the ASEAN framework may require additional explanation and drafting.

PDPC enforcement and evidentiary value. The PDPC has not yet published an enforcement decision directly addressing regulation 12. However, in its June 2020 announcement the Commission stated that APEC-certified recipients are "considered legally bound" to provide comparable protection, indicating that the PDPC will treat the existence of a valid certification as conclusive evidence of compliance with the comparable-protection standard, absent fraud or misrepresentation. A transferring organisation that relies on regulation 12 and later discovers that the recipient's certification was invalid (e.g., obtained through false representations to the Accountability Agent, or revoked but not removed from the registry) may face enforcement risk if the PDPC determines that the organisation failed to exercise reasonable due diligence in verifying the certification. Best practice: verify certification on the official registry (not on the recipient's marketing materials) and retain timestamped evidence of the registry entry.

No substitute for data-security obligations. Regulation 12 satisfies the Transfer Limitation Obligation (section 26 PDPA), but does not relieve the transferring organisation of its data-protection obligations under Part IV–VI of the PDPA. The transferring organisation remains responsible for ensuring that the personal data is accurate (section 23), protected by reasonable security arrangements (section 24), retained only as long as necessary (section 25), and used and disclosed only for consented or otherwise-permitted purposes (sections 18–20). The PDPC's 2020 announcement emphasizes that APEC certifications provide assurance that the recipient will apply comparable protection, but the transferring organisation must still comply with its own PDPA obligations in Singapore. In particular, section 24 (Protection Obligation) requires the transferring organisation to "make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks" to the personal data in its possession or under its control. Transferring data to a certified recipient satisfies section 26, but does not satisfy section 24 unless the transferring organisation also implements encryption, access controls, and other technical safeguards appropriate to the sensitivity of the data and the risks of the transfer method (e.g., encrypted file transfer, encrypted email, secure API).

Duration and renewal of certifications. APEC CBPR and PRP certifications are typically valid for two years from the date of issuance, subject to the policies of the Accountability Agent in the certifying jurisdiction. IMDA's certification process in Singapore specifies a two-year validity period with annual surveillance audits to verify ongoing compliance. The certified organisation must apply for renewal before expiration; if the certification lapses, the organisation is removed from the public registry and can no longer be treated as certified under regulation 12. A Singapore transferring organisation that maintains ongoing relationships with APEC-certified recipients should implement a monitoring process (calendar reminders, contractual notification clauses, periodic registry checks) to detect certification lapses and switch to an alternative transfer mechanism if necessary.

Access to the APEC CBPR/PRP registry and application process. The global APEC CBPR and PRP registry is maintained by the APEC Secretariat and accessible via the APEC CBPR System website (cbprs.org). Singapore organisations wishing to verify a recipient's certification status, or to apply for APEC CBPR or PRP certification for themselves (to facilitate inbound transfers from other APEC economies), should consult the IMDA APEC CBPR/PRP webpage (imda.gov.sg). IMDA publishes the application process, certification requirements, fees, and a list of Singapore-certified organisations. The PDPC's June 2020 announcement and the PDPC's "Easy Data Transfers to APEC CBPR/PRP Certified Organisations" infographic (published June 2020) provide additional guidance on how to use regulation 12 in practice.

Source: Personal Data Protection Regulations 2021, reg. 12 Source: Personal Data Protection Act 2012, s. 26 Source: PDPC announcement, Singapore Now Recognises APEC CBPR and PRP Certifications Under PDPA (9 June 2020) Source: PDPC, Easy Data Transfers to APEC CBPR/PRP Certified Organisations (June 2020).pdf) Source: PDPC, Sample Clause for Data Transfers to APEC CBPR and PRP Certified Organisations (9 June 2020) Source: PDPC announcement, APEC CBPR/PRP Certification Now Available (17 July 2019)