Using ASEAN Model Contractual Clauses as a Legal Basis for Data Transfers

The MCCs are contractual terms and conditions that may be included in the binding legal agreements between parties transferring personal data to each other across borders. Implementing the MCCs and their underlying obligations helps parties ensure that the transfer of personal data is done in a manner that complies with the ASEAN Member States’ (AMS) legal and regulatory requirements, protects the data of Data Subjects based on the principles of the ASEAN Framework on Personal Data Protection (2016) and promotes trust among citizens in the ASEAN digital ecosystem. The MCCs are templates setting out responsibilities, required personal data protection measures and related obligations of the parties. The MCCs have been created, in particular, to identify for parties key issues when transferring personal data across borders.

Recognising the different levels of development of AMS, private sector parties in AMS may voluntarily adopt the MCCs, in the transfer of data to other parties in other AMS. While the MCCs are primarily designed for intra-ASEAN flow of personal data, parties may adapt these clauses with appropriate modifications at their discretion for transfers between businesses intra-country in AMS, or transfers to non-AMS, particularly those with legal regimes based upon the principles of the APEC Privacy Framework or OECD Privacy Guidelines, from which the principles in the ASEAN Framework on Personal Data Protection (2016) are derived.

The MCCs are a voluntary standard designed to provide guidance on baseline considerations for transferring personal data. Parties may, by written agreement, adopt or modify the MCCs in accordance with the principles set forth in the ASEAN Framework on Personal Data Protection (2016) or as required by any AMS Law. This does not preclude the parties from adding clauses, by written agreement, as appropriate for their commercial or business arrangements so long as they do not contradict the MCCs. Parties are free to negotiate commercial terms provided they do not contradict the MCCs.

Parties are also free to use any other valid data transfer mechanisms recognized within ASEAN, if or when they are available or relevant to AMS. ASEAN recognizes that these mechanisms include, but are not limited to, self-assessment that transfer of data overseas shall be protected to a comparable level of protection, consent, codes of conduct, binding corporate rules, certifications, such as ISO series relating to security and privacy techniques, APEC Cross Border Privacy Rules and Privacy Recognition for Processors Systems, or other legally enforceable mechanisms. Companies have the flexibility to choose the most appropriate personal data protection- or privacy-enhancing data transfer mechanism for a particular context.