# One-time controller-to-controller — virtual data room transfer for share-sale due diligence

> **Sample document — not legal advice.** This document is one of a library of sample legal drafts published by LawCrew at `lawcrew.ai/samples`. It illustrates how the LawCrew agent team approaches a common Singapore DPA scenario. **It is not legal advice and is not tailored to any specific transaction.**
>
> LawCrew is a legal-technology service, not a law firm. For your own matter, run an intake through the product and engage an independent Singapore-qualified lawyer to review before signing.
>
> *Sample DPA #06 · Hand-authored pending specialist roll-out · Published 2026-05-22*

---


# Personal Data Transfer Agreement (Due Diligence)

This Personal Data Transfer Agreement (this **"Agreement"**) is entered into as of 1 January 2026 (the **"Effective Date"**) between:

**(1) Pandan Holdings Pte Ltd**, a company incorporated in Singapore [UEN: 200731485B] with its registered office at 152 Beach Road, #25-05, Gateway East, Singapore 189721 (the **"Seller"**); and

**(2) Capricorn Acquisitions Pte Ltd**, a company incorporated in Singapore [UEN: 202404519F] with its registered office at 9 Battery Road, #15-01, MYP Plaza, Singapore 049910 (the **"Buyer"**).

The Seller and the Buyer are each a **"Party"** and together the **"Parties"**.

## Recitals

(A) The Seller is the legal and beneficial owner of all the issued shares in the capital of **Sembawang Diagnostics Pte Ltd**, a company incorporated in Singapore [UEN: 201410287K] (the **"Target"**).

(B) The Parties are negotiating the sale by the Seller to the Buyer of all the issued shares in the capital of the Target (the **"Proposed Transaction"**).

(C) For the purpose of evaluating the Proposed Transaction, the Seller proposes to disclose to the Buyer certain personal data held by the Target through a virtual data room hosted by an independent service provider (the **"Data Room"**).

(D) The Parties acknowledge that:

  (1) the Proposed Transaction is a "business asset transaction" within the meaning of paragraph 2(2) of the Twelfth Schedule to the Personal Data Protection Act 2012 (No. 26 of 2012) of Singapore (the **"PDPA"**); and

  (2) the disclosure of personal data for the purpose of the Proposed Transaction is permitted by the Business Asset Transaction exception under paragraph 4 of Part 1 of the First Schedule to the PDPA (collection), paragraph 4 of Part 1 of the Second Schedule (use), and paragraph 6 of Part 1 of the Third Schedule (disclosure), subject to the conditions in this Agreement.

(E) The Parties enter into this Agreement to record the safeguards applicable to that disclosure.

## 1. Definitions

1.1 In this Agreement:

  (a) **"DD Personal Data"** means the personal data of individuals associated with the Target that is disclosed by the Seller (or by the Target on behalf of the Seller) to the Buyer in connection with the Proposed Transaction, including such personal data as is uploaded to the Data Room and any personal data disclosed in management presentations, expert calls and site visits in connection with the Proposed Transaction.

  (b) **"Notification Obligation"** has the meaning given in section 20 of the PDPA.

  (c) **"Permitted Purpose"** means the assessment, negotiation, structuring, pricing, financing and (if the Proposed Transaction proceeds) completion of the Proposed Transaction, and no other purpose.

  (d) **"Personal Data"** has the meaning given in section 2(1) of the PDPA.

  (e) **"Personal Data Breach"** has the meaning given in section 26A of the PDPA.

  (f) **"Process"**, **"Processing"** and **"Processed"** mean any operation or set of operations performed on Personal Data.

  (g) **"Representatives"** means, in relation to a Party, that Party's directors, officers, employees, professional advisers (including legal, financial, tax and accounting advisers), prospective financing sources and their respective professional advisers, in each case who have a need to access DD Personal Data for the Permitted Purpose.

  (h) **"Termination Event"** means (i) the abandonment of the Proposed Transaction by either Party in accordance with the non-disclosure agreement or term sheet between the Parties, (ii) the expiry of the exclusivity period under that non-disclosure agreement or term sheet without completion of the Proposed Transaction, or (iii) any other event that, in the reasonable view of either Party, indicates that the Proposed Transaction will not proceed to completion.

1.2 Terms used but not defined have the meanings given in the PDPA.

## 2. Roles

2.1 Each Party is a controller (and an organisation subject to the PDPA in its own right) in respect of its own Processing of DD Personal Data. The Buyer does not Process DD Personal Data on behalf of the Seller, and the Seller does not Process DD Personal Data on behalf of the Buyer.

2.2 In the event of any conflict between this Agreement and the non-disclosure agreement or term sheet between the Parties in relation to the Processing of DD Personal Data, this Agreement prevails.

## 3. Lawful basis and minimisation

3.1 The Parties rely on the Business Asset Transaction exception under the PDPA (the **"BAT Exception"**) as the basis for the disclosure, collection and use of DD Personal Data without the consent of the individuals concerned. Accordingly, the conditions in the Twelfth Schedule to the PDPA shall be observed throughout the term of this Agreement.

3.2 The Seller shall ensure that the categories and volume of DD Personal Data disclosed to the Buyer are limited to that which is reasonably necessary for the Buyer to evaluate the Proposed Transaction. In particular:

  (a) personal data relating to junior or operational employees shall, wherever practicable, be redacted or pseudonymised before being uploaded to the Data Room;

  (b) "key person" personal data (such as senior management, including the Target's chief executive, chief financial officer and senior medical officers) may be disclosed in unredacted form, but only to the extent necessary to assess key-person risk and continuity;

  (c) personal data relating to customers and patients of the Target shall be aggregated, anonymised or pseudonymised wherever practicable and shall not be disclosed in identifiable form unless the Buyer's specific diligence enquiry cannot be answered by aggregated data; and

  (d) the categories and approximate volumes of DD Personal Data to be disclosed are set out in Schedule 1, which the Parties shall update by exchange of email as the diligence progresses.

3.3 The Parties acknowledge that the Target's medical and clinical records, to the extent they relate to identifiable patients, are sensitive and shall be excluded from the Data Room unless and until the Parties have specifically considered and documented the lawful basis for that disclosure and the additional safeguards required.

## 4. Use restriction

4.1 The Buyer shall, and shall ensure that its Representatives shall, use DD Personal Data only for the Permitted Purpose.

4.2 Without limiting Clause 4.1, the Buyer shall not (and shall procure that its Representatives shall not) use DD Personal Data:

  (a) to market to, recruit, solicit or otherwise contact any individual identified in DD Personal Data;

  (b) to benchmark, profile or analyse competitors of the Target, the Seller or any affiliate of either;

  (c) to train any generally available or proprietary machine-learning model; or

  (d) for any purpose other than the Permitted Purpose.

4.3 The Buyer shall limit access to DD Personal Data to those of its Representatives who have a need to access it for the Permitted Purpose, and shall ensure that each such Representative:

  (a) has been informed of the use restrictions in this Clause 4 and the confidentiality obligations in Clause 5; and

  (b) is bound by written obligations of confidentiality (or, in the case of legal advisers, by professional obligations of confidentiality) at least as protective as those in this Agreement.

## 5. Confidentiality

5.1 The Buyer shall treat DD Personal Data as confidential information and shall not disclose DD Personal Data to any person other than:

  (a) its Representatives (subject to Clause 4.3); or

  (b) any other person to whom disclosure is required by law, in which case the Buyer shall, to the extent permitted by that law, notify the Seller before disclosure and shall make reasonable efforts to limit the scope of the disclosure.

5.2 The confidentiality obligations in this Clause 5 are in addition to the confidentiality obligations in the non-disclosure agreement between the Parties and survive the termination of that agreement.

## 6. Security measures

6.1 Each Party shall implement and maintain appropriate technical and organisational measures to protect DD Personal Data against unauthorised access, collection, use, disclosure, copying, modification and disposal, having regard to the nature of the data and the harm that would result from any such event.

6.2 Without limiting Clause 6.1, the Parties shall:

  (a) access DD Personal Data only through the Data Room or through other secure channels agreed in writing;

  (b) not download or extract DD Personal Data from the Data Room save where reasonably necessary for the Permitted Purpose;

  (c) keep an internal log of which Representatives have accessed DD Personal Data; and

  (d) ensure that all storage media on which DD Personal Data is held are encrypted using AES-256 or equivalent.

6.3 The Data Room shall be operated under a written contract with a reputable virtual data room provider, on terms requiring the provider to (i) host data in Singapore, (ii) maintain ISO/IEC 27001 certification, (iii) provide access logs to the Seller and (iv) flow down obligations consistent with this Clause 6.

## 7. Personal Data Breach

7.1 Each Party shall notify the other Party of any Personal Data Breach affecting DD Personal Data without undue delay and in any event within seventy-two (72) hours of becoming aware of it.

7.2 The notification shall include, to the extent then known, a description of the nature of the Personal Data Breach, the categories and approximate number of individuals concerned, the likely consequences and the measures taken or proposed to address the Personal Data Breach.

7.3 The Parties shall cooperate in good faith to assess whether the Personal Data Breach is a notifiable data breach within the meaning of section 26B of the PDPA, and each Party shall comply with its own Notification Obligation under section 26D in respect of DD Personal Data within its possession or control.

## 8. Return and destruction on Termination Event

8.1 On the occurrence of a Termination Event, the Buyer shall, within thirty (30) days:

  (a) cease all use of DD Personal Data;

  (b) destroy or return to the Seller all DD Personal Data in its possession or control and procure that its Representatives do the same; and

  (c) provide the Seller with a written certificate of destruction signed by an authorised officer of the Buyer.

8.2 The obligations in Clause 8.1 do not apply to:

  (a) DD Personal Data retained by the Buyer's legal advisers in accordance with their professional or regulatory obligations; or

  (b) DD Personal Data retained in the Buyer's automated backup systems that are not reasonably accessible, in which case the Buyer shall procure that no person accesses such DD Personal Data and shall destroy it in accordance with its standard backup rotation cycle.

8.3 DD Personal Data retained pursuant to Clause 8.2 shall remain subject to the use restriction in Clause 4 and the confidentiality obligation in Clause 5 for so long as it is retained.

## 9. Position if the Proposed Transaction completes

9.1 If the Proposed Transaction completes:

  (a) the Buyer becomes the controller of the personal data held by the Target through its acquisition of the Target;

  (b) DD Personal Data Processed by the Buyer in its own systems for the Permitted Purpose may be retained by the Buyer following completion, subject to the use restriction in Clause 4 ceasing to apply only to the extent necessary for post-completion integration; and

  (c) the Buyer shall, within a reasonable period after completion, notify the individuals to whom the DD Personal Data relates of the disclosure to the Buyer and of the purposes for which the Buyer intends to Process the DD Personal Data, in a manner that satisfies the Buyer's Notification Obligation under the PDPA and, where applicable, paragraph 3 of the Twelfth Schedule to the PDPA.

9.2 Notwithstanding completion of the Proposed Transaction, the obligations in this Agreement continue to apply to DD Personal Data of individuals who are not (or who cease to be) associated with the Target or its business as acquired (for example, personal data of a director who steps down at completion), and such DD Personal Data shall be returned or destroyed under Clause 8 within sixty (60) days of completion.

## 10. Use restriction on disclosed personal data following completion

10.1 In respect of any DD Personal Data that, after completion, the Buyer continues to hold otherwise than as controller of the Target's data (for example, copies of DD Personal Data in the Buyer's pre-completion files), the Buyer shall:

  (a) limit its use of that DD Personal Data to the purposes notified to the individuals concerned under Clause 9.1(c); and

  (b) apply its own ordinary retention schedule, subject to the Retention Limitation Obligation.

## 11. Liability

11.1 Each Party shall remain independently liable to the Personal Data Protection Commission (the **"PDPC"**) and to individuals for its own compliance with the PDPA in respect of its own Processing of DD Personal Data. Nothing in this Agreement limits or excludes the rights of individuals under the PDPA.

11.2 As between the Parties, each Party shall indemnify the other against any losses arising from a breach of this Agreement by the indemnifying Party. The aggregate liability of each Party under this Clause 11 shall not exceed the limit specified in the non-disclosure agreement or term sheet between the Parties, save in respect of:

  (a) breaches of Clause 4 (Use restriction);

  (b) breaches of Clause 5 (Confidentiality);

  (c) breaches of Clause 8 (Return and destruction); or

  (d) any administrative fine or compensation order imposed on the other Party by the PDPC under section 48J or section 48O of the PDPA to the extent caused or contributed to by the indemnifying Party's breach,

in respect of which the cap shall not apply.

## 12. Term and termination

12.1 This Agreement takes effect on the Effective Date.

12.2 The obligations in Clauses 4, 5, 6.1, 7, 8, 9, 10 and 11 survive the termination of this Agreement (whether on a Termination Event or otherwise) for the period necessary to give them effect, and in any event for not less than three (3) years from the date of the last Processing of DD Personal Data by the Buyer.

## 13. General

13.1 **Governing law.** This Agreement is governed by and construed in accordance with the laws of Singapore.

13.2 **Jurisdiction.** The courts of Singapore have exclusive jurisdiction to settle any dispute arising out of or in connection with this Agreement.

13.3 **Variation.** This Agreement may only be varied by written agreement signed by an authorised representative of each Party.

13.4 **Severability.** If any provision is held invalid or unenforceable, the remaining provisions remain in force.

13.5 **Notices.** Notices under this Agreement shall be sent to the addresses given at the head of this Agreement, with a copy by email to each Party's data protection officer.

---

**Signed for and on behalf of Pandan Holdings Pte Ltd**

Name: ______________________________

Title: ______________________________

Date: ______________________________

**Signed for and on behalf of Capricorn Acquisitions Pte Ltd**

Name: ______________________________

Title: ______________________________

Date: ______________________________

---

## Schedule 1 — DD Personal Data: categories and approximate volumes

This Schedule is indicative and will be updated by exchange of email as the diligence progresses.

| Category | Description | Treatment | Approximate volume |
|---|---|---|---|
| Directors and senior management | Names, NRIC / FIN, residential addresses, dates of birth, remuneration packages, service agreements, options and other equity entitlements | Unredacted | ~ 12 individuals |
| Other employees | Names, employment commencement and end dates, job titles, employment status, base salary bands, benefit entitlements | Pseudonymised (employee IDs) save where unredacted disclosure is requested for a specific diligence enquiry and approved by the Seller | ~ 240 individuals |
| Independent contractors and consultants | Names, contract terms, fees | Pseudonymised save where unredacted disclosure is necessary | ~ 30 individuals |
| Customers and patients of the Target | Aggregated demographics; volumes by service line; case-mix information | Aggregated and anonymised; no identifiable patient data without a specific Clause 3.3 process | n/a (aggregated) |
| Suppliers (individuals) | Names and contact details of individual suppliers and sole-proprietor counterparties | Unredacted | ~ 45 individuals |
| Litigation and disputes | Personal data of individuals named in litigation files, regulatory correspondence and complaints | Disclosed only as necessary to evaluate the matter | Variable |
| Health screening clientele lists | Names and contact details of corporate clients' employees screened by the Target | Excluded from Data Room — flagged under Clause 3.3 for specific consideration | Not disclosed |

## Schedule 2 — Technical and organisational measures (summary)

**1. Hosting.** The Data Room is hosted in Singapore by a reputable virtual data room provider operating to ISO/IEC 27001.

**2. Access control.** Named-user access only; multi-factor authentication for all users; per-user access logs available to the Seller on request.

**3. Document protections.** Watermarked downloads with viewing-user attribution; download restrictions configurable per folder; expiring view links.

**4. Encryption.** TLS 1.2 or higher in transit; AES-256 at rest.

**5. Retention by the Data Room operator.** All DD Personal Data is to be deleted from the Data Room within thirty (30) days of a Termination Event or of completion of the Proposed Transaction, save for an encrypted archive retained by the Seller for evidentiary purposes for a period not exceeding three (3) years.

**6. Each Party's own systems.** Each Party shall apply equivalent measures to any copy of DD Personal Data held within its own systems, including encryption at rest, access logging and least-privilege access.
