Plug into more global business opportunities. These certifications facilitate how your business can seamlessly exchange personal data across APEC member economies while respecting privacy and security.
About APEC Cross Border Privacy Rules (CBPR)
The APEC CBPR System was developed by APEC economies to build consumer, business, and regulator trust in cross border flows of personal data. The APEC CBPR System requires participating businesses to implement data privacy regulations and policies consistent with the APEC Privacy Framework and helps to bridge differing national privacy laws within the APEC region, reducing barriers to the flow of information for global trade.
The CBPR System applies to organisations (data controllers) that control the collection, holding, processing, or use of personal data and enables certified organisations across APEC economies to exchange personal data more seamlessly.
The APEC CBPR certification is based on the APEC Privacy Framework which features nine privacy principles: Accountability, Prevent Harm, Notice, Choice, Collection Limitation, Use of Personal Information, Integrity of Personal Information, Security Safeguards, and Access and Correction. The framework was endorsed by 21 APEC economies to promote accountable and responsible transfers of personal information between the APEC economies.
Singapore recognises the APEC CBPR and PRP certifications for overseas transfers of personal data under the PDPA. This move enhances data privacy and security for individuals and enables organisations in Singapore can easily transfer personal data to overseas certified recipients without meeting additional requirements.
- Template contract clause for transfers of data to overseas recipients that hold CBPR or PRP certifications can be found here
- Learn about the announcement here
The directory of CBPR-certified organisations can be found here.
To learn more:
- CBPR Information Kit (467.65KB)
- APEC CBPR/PRP Brochure (2.14MB)(updated 17 Jun 2020)
- CBPR Success Story
- IMDA’s Accountability Agent Participation Documents
- Other IMDA Data Protection Certifications:
Who can apply?
To be eligible, your organisation must be subject to the laws of Singapore.
Interested organisations (also known as data controllers) that control the collection, holding, processing, or use of data can apply for APEC CBPR. They should be either (1) formed or recognised under the laws of Singapore, or (2) resident, or having an office or a place of business, in Singapore, and in any case, not a public agency (as defined in the Personal Data Protection Act 2012).
Upon submission of the application, the Applicant Organisation is bound by the Terms of Agreement (758.72KB) of the APEC CBPR scheme.
To apply, click here.
Application fee of S$535 (inclusive of GST) is payable to IMDA.
Assessment fee, payable to the Assessment Body, ranges and depends on the size of the organisation (e.g. annual sales turnover, no. of sites, etc) and the Assessment Body you engaged. Please approach the Assessment Bodies listed in this website for a quotation to confirm the actual fee.
To encourage organisations to take up more than one certification (i.e. DPTM, CBPR and PRP), one application fee of S$535 (inclusive of GST) is payable to IMDA when organisations apply for multiple certifications in a single application process.
The Assessment Body (AB) acts as an independent body to assess that an organisation’s data protection practices conform to the APEC CBPR requirements. An organisation may select any of the following seven ABs:
|Assessment body||Contact person||Contact no|
|BSI Group Singapore||Stella Kong||6270 0777||DPTM@bsigroup.com|
|EPI Certification Pte Ltd||May Cheow||8823 3347||
|Guardian Independent Certification Pte Ltd
||Baljit Singh||6742 3075 / 8268 email@example.com|
|ISOCert Pte Ltd||
Saju S Pillai
9475 5120 / 6659 0810
|Setsco Services Pte Ltd||
|SOCOTEC Certification Singapore Pte Ltd
||Chris Lim (Ms)||6299 9001 / 6499 firstname.lastname@example.org
|TUV SUD PSB Pte Ltd||
For more information on how to be an assessment body, please refer to our information kit (324.47KB).
CBPR certification requirements and support details
The CBPR certification is based on the APEC Privacy Framework which features nine privacy principles: Accountability, Prevent Harm, Notice, Choice, Collection Limitation, Use of Personal Information, Integrity of Personal Information, Security Safeguards and Access and Correction. The framework was endorsed by 21 APEC economies to promote accountable and responsible transfers of personal information between the APEC economies.
Eligible organisations can consider applying to Enterprise Singapore (ESG) to seek support for some of the costs for APEC CBPR certification and consultancy services. Details on the criteria and application process can be found below:
Interested organisations may refer to this Quick Guide on Enterprise Development Grant Application (256.46KB).
Professional consultancy services:
Organisations can refer to the List of Consultancy Service Providers (under DPTM Requirements and Resources section) if they wish to engage professional consultancy services to prepare them for the APEC CBPR certification.
For questions, please refer to our FAQs.
For queries, please email Data_Protection_Certifications@imda.gov.sg or call 6377 3800.