# Joint controllers — two SG companies sharing a lead database for a co-marketing campaign

> **Sample document &mdash; not legal advice.** This document is one of a library of sample legal drafts published by LawCrew at `lawcrew.ai/samples`. It illustrates how the LawCrew agent team approaches a common Singapore DPA scenario. **It is not legal advice and is not tailored to any specific transaction.**
>
> LawCrew is a legal-technology service, not a law firm. For your own matter, run an intake through the product and engage an independent Singapore-qualified lawyer to review before signing.
>
> *Sample DPA #04 &middot; Hand-authored pending specialist roll-out &middot; Published 2026-05-22*

---


# Joint Controller Data Processing Arrangement

This Joint Controller Data Processing Arrangement (this **"Arrangement"**) is entered into as of 1 January 2026 (the **"Effective Date"**) between:

**(1) Keppel Brewworks Pte Ltd**, a company incorporated in Singapore [UEN: 201627418A] with its registered office at 60 Robinson Road, #14-01, Singapore 068892 (**"Party A"**); and

**(2) Marina Vines Pte Ltd**, a company incorporated in Singapore [UEN: 201809732M] with its registered office at 138 Cecil Street, #15-02, Cecil Court, Singapore 069538 (**"Party B"**).

Each of Party A and Party B is a **"Party"** and together they are the **"Parties"**.

## Recitals

(A) The Parties have entered into a co-marketing agreement dated 1 January 2026 (the **"Co-Marketing Agreement"**), under which they will conduct a joint promotional campaign in Singapore (the **"Campaign"**) that includes:

  (1) joint marketing events;

  (2) a shared landing page hosted on a co-branded subdomain through which prospective customers may register their interest; and

  (3) a shared lead database populated by registrations submitted through the landing page and by leads captured at joint events (the **"Shared Lead Database"**).

(B) The Parties jointly determine the purposes and the essential means of the Processing of personal data in the Shared Lead Database and, in consequence, each Party is independently subject to the Personal Data Protection Act 2012 (No. 26 of 2012) of Singapore (the **"PDPA"**) in respect of that Processing.

(C) The Parties enter into this Arrangement to allocate their respective PDPA obligations in relation to the Shared Lead Database in accordance with the relevant Advisory Guidelines issued by the Personal Data Protection Commission (the **"PDPC"**) and to provide data subjects with a clear point of contact.

## 1. Definitions

1.1 In this Arrangement:

  (a) **"Campaign Personal Data"** means Personal Data Processed in connection with the Campaign, including Personal Data in the Shared Lead Database.

  (b) **"Joint Privacy Notice"** means the privacy notice referred to in Clause 3.

  (c) **"Personal Data"** has the meaning given in section 2(1) of the PDPA.

  (d) **"Personal Data Breach"** has the meaning given in section 26A of the PDPA.

  (e) **"Process"**, **"Processing"** and **"Processed"** mean any operation or set of operations performed on Personal Data, including collection, recording, organisation, storage, use, disclosure, transmission and erasure.

  (f) **"Protection Obligation"**, **"Retention Limitation Obligation"**, **"Notification of Purpose Obligation"**, **"Consent Obligation"**, **"Access and Correction Obligations"** and **"Notification Obligation"** each have the meaning given to them under the PDPA and the relevant PDPC Advisory Guidelines.

1.2 Other capitalised terms used but not defined have the meanings given in the Co-Marketing Agreement.

## 2. Roles and the essence of the arrangement

2.1 In respect of the Processing of Campaign Personal Data, each Party is an independent organisation subject to the PDPA in its own right. The Parties jointly determine the purposes and essential means of that Processing within the scope of the Campaign, and accordingly allocate their respective PDPA obligations as set out in this Arrangement.

2.2 The essence of the arrangement is that:

  (a) the Parties Process Campaign Personal Data for the purposes set out in Schedule 1 and for no other purpose, save as expressly agreed in writing;

  (b) each Party may also use the Campaign Personal Data for that Party's own ongoing direct-marketing purposes, but only to the extent and on the basis described in the Joint Privacy Notice and after the Campaign-related Processing has concluded;

  (c) Party A maintains the technical platform hosting the Shared Lead Database (as described in Schedule 2) and is operationally responsible for the security of the database;

  (d) Party B is responsible for the design, content and lawful basis of the Campaign communications it sends;

  (e) Party A is designated as the primary point of contact for data subjects in relation to the Campaign (Clause 6.3), without prejudice to a data subject's right to contact either Party directly;

  (f) the allocation of operational responsibilities for compliance with specific PDPA obligations is set out in Schedule 3; and

  (g) each Party remains independently liable to the PDPC and to data subjects for its own compliance with the PDPA.

## 3. Joint privacy notice and lawful basis for collection

3.1 The Parties shall jointly prepare and publish a Joint Privacy Notice that:

  (a) identifies both Parties, including their UENs and registered addresses;

  (b) describes the purposes for which Campaign Personal Data is collected, used and disclosed;

  (c) identifies the categories of recipients (including sub-processors used by Party A to host the platform);

  (d) explains how an individual may withdraw consent or exercise the Access and Correction Obligations rights;

  (e) sets out the Campaign retention period and the basis on which Campaign Personal Data is migrated into each Party's own marketing systems at the end of the Campaign; and

  (f) names Party A as the primary point of contact for data subjects, with Party B's contact details also provided.

3.2 The Joint Privacy Notice shall be published on the Campaign landing page and shall be presented to each data subject in a manner that satisfies the Notification of Purpose Obligation before any Campaign Personal Data is collected.

3.3 Consent for the Processing of Campaign Personal Data shall be obtained on the basis of the Joint Privacy Notice. A separate, clearly distinguished consent option shall be presented in respect of post-Campaign direct marketing by each Party, and an individual may select either, both, or neither.

3.4 Any material change to the Joint Privacy Notice requires the prior written agreement of both Parties. Where a change requires fresh consent under the PDPA, the Parties shall jointly procure and document that consent before relying on the changed terms.

## 4. Information security and the Protection Obligation

4.1 Party A shall, as operator of the Shared Lead Database, implement and maintain the technical and organisational measures set out in Schedule 2, which are designed to satisfy the Protection Obligation under section 24 of the PDPA.

4.2 Party B shall:

  (a) access the Shared Lead Database only through credentials and roles issued to it by Party A;

  (b) ensure that personnel granted access are limited to those with a need to access Campaign Personal Data for the Campaign, are bound by written confidentiality obligations and have completed annual PDPA training; and

  (c) not extract Campaign Personal Data from the Shared Lead Database for purposes outside the Campaign other than as expressly permitted by Clause 2.2(b) and only after the individual has given the relevant post-Campaign direct-marketing consent.

4.3 Each Party shall apply equivalent security measures to any copy of Campaign Personal Data held within its own systems.

## 5. Use restrictions and retention

5.1 The Parties shall use Campaign Personal Data only for the purposes set out in Schedule 1 and, where the data subject has given the relevant post-Campaign direct-marketing consent, for that Party's direct marketing on the basis described in the Joint Privacy Notice.

5.2 The Campaign-specific Processing shall end on the date that is six (6) months after the close of the Campaign, or such other date as the Parties may agree in writing. From that date:

  (a) the Shared Lead Database shall be securely deleted by Party A, save for an export to each Party of those records in respect of which the data subject has given that Party's post-Campaign direct-marketing consent; and

  (b) each Party shall thereafter Process the relevant Campaign Personal Data within its own systems under its own privacy notice and its own retention policy, subject to the Retention Limitation Obligation.

5.3 Party A shall provide Party B with a written certificate of deletion of the Shared Lead Database, signed by an authorised officer of Party A, within thirty (30) days of the date of deletion.

## 6. Data subject rights

6.1 Each Party shall promptly notify the other of any request, complaint or communication received from a data subject, the PDPC or any other person that relates to the Campaign or to the other Party.

6.2 The Parties shall cooperate in good faith to respond to such requests within the timeframes required by the PDPA and the relevant PDPC Advisory Guidelines, including:

  (a) requests for access to and correction of Campaign Personal Data; and

  (b) withdrawals of consent.

6.3 Party A is designated as the primary point of contact for data subjects in respect of the Campaign. Notwithstanding that designation, a data subject may exercise rights against either Party, and each Party shall give effect to any such request that it receives.

6.4 Withdrawal of consent shall, on receipt by either Party, be propagated to the Shared Lead Database and to both Parties' own marketing systems within five (5) Business Days, and the affected Campaign Personal Data shall not thereafter be used for marketing purposes.

## 7. Personal Data Breach

7.1 Each Party shall notify the other of any Personal Data Breach affecting Campaign Personal Data without undue delay and in any event within forty-eight (48) hours of becoming aware of it.

7.2 The Party first becoming aware of the Personal Data Breach shall, in cooperation with the other Party, assess whether the breach is a "notifiable data breach" within the meaning of section 26B of the PDPA. Each Party shall provide such information and assistance as the other reasonably requires to discharge its Notification Obligation to the PDPC and to Affected Individuals under section 26D of the PDPA.

7.3 Notwithstanding Clause 6.3, where a Personal Data Breach affects only one Party's portion of the Campaign Personal Data (for example, data held within that Party's own systems after the close of the Campaign), the affected Party is primarily responsible for assessment and notification, with the other Party providing reasonable cooperation.

7.4 Neither Party shall make any public communication concerning a Personal Data Breach affecting Campaign Personal Data without the prior written consent of the other Party, save where required by law. Such consent shall not be unreasonably withheld where the communication is required by the Notification Obligation.

## 8. Sub-processors and onward disclosures

8.1 Party A may engage data intermediaries to provide infrastructure, email delivery and analytics services in support of the Shared Lead Database, provided that each such data intermediary is engaged on terms imposing obligations no less protective than those of Article 28 GDPR (used here as a market benchmark) and consistent with section 24 of the PDPA. The data intermediaries engaged as at the Effective Date are listed in Schedule 4.

8.2 Party A shall give Party B not less than thirty (30) days' prior written notice before adding or replacing a data intermediary used to Process Campaign Personal Data. Party B may object on reasonable grounds relating to data protection, and the Parties shall negotiate in good faith for a further fifteen (15) days. If they cannot agree, Party B may terminate its participation in the Campaign without liability for early-termination charges in respect of that portion.

8.3 Neither Party shall disclose Campaign Personal Data to any third party other than (a) the data intermediaries permitted under Clause 8.1, (b) the other Party, or (c) where required by law or by the PDPC.

## 9. International transfers

9.1 The Shared Lead Database is hosted in Singapore and the Campaign Personal Data shall not be transferred outside Singapore other than as permitted by Schedule 2 and Schedule 4. Where any such transfer occurs, the transferring Party shall ensure that the Transfer Limitation Obligation is satisfied, including by way of contractual safeguards providing a comparable standard of protection.

## 10. Liability and indemnity between the Parties

10.1 Each Party shall remain liable to the PDPC and to data subjects for its own compliance with the PDPA. Nothing in this Arrangement limits or excludes the rights of data subjects under the PDPA.

10.2 As between the Parties:

  (a) Party A shall indemnify Party B against any losses arising from Party A's breach of this Arrangement, including in particular any failure to maintain the security measures in Schedule 2 or to meet the operational responsibilities allocated to Party A in Schedule 3; and

  (b) Party B shall indemnify Party A against any losses arising from Party B's breach of this Arrangement, including in particular any unauthorised use of Campaign Personal Data outside the permitted purposes or any failure to maintain its own security measures in respect of Campaign Personal Data held within its systems.

10.3 The aggregate liability of each Party under Clause 10.2 in respect of any twelve (12) month period shall not exceed the limit specified in the Co-Marketing Agreement.

## 11. Term and termination

11.1 This Arrangement takes effect on the Effective Date and remains in force for so long as either Party Processes Campaign Personal Data, notwithstanding the termination or expiry of the Co-Marketing Agreement.

11.2 The Parties may terminate this Arrangement by mutual written agreement; otherwise, it terminates automatically on the secure deletion of all Campaign Personal Data held by both Parties (save for any post-Campaign direct-marketing portion lawfully migrated into each Party's own systems under Clause 5.2(b), which thereafter is governed by that Party's own privacy notice and retention policy).

## 12. General

12.1 **Governing law.** This Arrangement is governed by and construed in accordance with the laws of Singapore.

12.2 **Jurisdiction.** The dispute resolution and jurisdiction provisions of the Co-Marketing Agreement apply.

12.3 **Order of precedence.** In the event of any conflict between this Arrangement and the Co-Marketing Agreement in relation to the Processing of Personal Data, this Arrangement prevails.

12.4 **Variation.** This Arrangement may only be varied by written agreement signed by an authorised representative of each Party.

12.5 **Severability.** If any provision is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.

---

**Signed for and on behalf of Keppel Brewworks Pte Ltd**

Name: ______________________________

Title: ______________________________

Date: ______________________________

**Signed for and on behalf of Marina Vines Pte Ltd**

Name: ______________________________

Title: ______________________________

Date: ______________________________

---

## Schedule 1 — Campaign Processing details

| Item | Description |
|---|---|
| **Purposes** | (a) Operation of the Campaign landing page; (b) administration of joint Campaign events, including registration, attendance tracking and follow-up; (c) generation of Campaign reporting and analytics; (d) where the relevant post-Campaign direct-marketing consent has been given, ongoing direct marketing by the Party to which that consent was given. |
| **Means** | Shared Lead Database hosted on infrastructure operated by Party A and accessed by Party B via role-based credentials; email delivery via Party A's transactional email provider; event registration via a co-branded landing page. |
| **Types of Personal Data** | Full name; email address; mobile number; company name and role (where the individual chooses to provide them); event attendance records; marketing preferences and consent records; technical metadata (IP address, user agent) captured incident to the landing page. |
| **Categories of data subjects** | Individuals who register through the Campaign landing page or who attend Campaign events. |
| **Duration** | Campaign-specific Processing concludes six (6) months after the close of the Campaign; thereafter, each Party may continue Processing only to the extent of valid post-Campaign direct-marketing consent and subject to that Party's own privacy notice and retention policy. |

## Schedule 2 — Technical and organisational measures

**1. Hosting.** Shared Lead Database hosted in a Singapore region of a Tier 1 cloud provider; multi-zone deployment within the Singapore region.

**2. Encryption.** TLS 1.2 or higher in transit; AES-256 at rest with keys managed in a FIPS 140-2 Level 3 hardware security module.

**3. Access control.** Role-based access control; multi-factor authentication for all personnel access; quarterly access reviews; logged time-bounded just-in-time elevation for production data access.

**4. Logging.** Application and security logs retained for not less than twelve (12) months in a tamper-evident store, accessible to both Parties on request.

**5. Vulnerability management.** Continuous dependency scanning; monthly internal vulnerability scans; annual external penetration test by an independent CREST-accredited tester.

**6. Backup and continuity.** Daily backups encrypted with separate keys; RTO four (4) hours; RPO one (1) hour; restore drills tested at least annually.

**7. Personnel.** Mandatory PDPA training annually; written confidentiality obligations surviving termination.

**8. Sub-processor oversight.** Written contracts imposing flow-down obligations; due diligence prior to onboarding; ongoing performance and security monitoring.

## Schedule 3 — Allocation of PDPA operational responsibilities

| PDPA obligation | Operational lead | Notes |
|---|---|---|
| **Notification of Purpose Obligation** | Joint | Joint Privacy Notice published on the Campaign landing page and presented at event registration. |
| **Consent Obligation** | Joint | Single Campaign consent + separate post-Campaign direct-marketing consent per Party. |
| **Purpose Limitation Obligation** | Joint | Each Party is independently responsible for honouring the limitation in respect of its own use. |
| **Accuracy Obligation** | Joint | Self-service update facility on Campaign landing page; updates propagated to both Parties. |
| **Protection Obligation (Shared Lead Database)** | Party A | Measures set out in Schedule 2. |
| **Protection Obligation (each Party's own systems)** | Each Party for its own systems | Equivalent measures applied by each Party. |
| **Retention Limitation Obligation** | Party A operationally; both Parties responsible for own systems | Shared Lead Database deleted six (6) months after Campaign close. |
| **Access and Correction Obligations** | Joint, with Party A as primary point of contact | Either Party shall give effect to a request received by it. |
| **Withdrawal of consent** | Joint, with five (5) Business Day propagation SLA | See Clause 6.4. |
| **Transfer Limitation Obligation** | Party A | Hosting within Singapore; any onward transfer subject to comparable-standard safeguards. |
| **Notification Obligation (data breach)** | Party first aware notifies the other within 48 hours; primary lead allocated under Clause 7 | Each Party is independently responsible for its own notification to the PDPC and Affected Individuals. |
| **Data Protection Officer designation** | Each Party for its own organisation | Section 11(3) of the PDPA. |

## Schedule 4 — Data intermediaries engaged by Party A in connection with the Shared Lead Database

| Data intermediary | Function | Location of Processing |
|---|---|---|
| Sentosa Cloud Infrastructure Pte Ltd | Production cloud hosting | Singapore |
| Telok Blangah Mail Pte Ltd | Transactional email delivery (Campaign communications) | Singapore |
| Joo Chiat Analytics Pte Ltd | Aggregated Campaign analytics on pseudonymised event data | Singapore |