Binding Corporate Rules – Cross-border Data Transfer
1. Introduction and Purpose
1. Wotton Kearney (WK) is an international legal and advisory business operating through separately constituted and regulated entities in Australia, Singapore and Thailand.
2. WK recognises the importance of individuals’ privacy and manages personal information in accordance with all applicable privacy laws, including where data is transferred or processed across its global operations.
3. These Binding Corporate Rules (BCRs) establish a legally binding, enforceable, group-wide framework governing intra-group transfers of personal information between WK Group Entities located in Australia, Singapore and Thailand.
4. The BCRs are designed to:
- facilitate lawful cross border data transfers of personal information between the WK Group Entities;
- ensure a consistent and high standard of protection irrespective of where personal information is processed; and
- support compliance with applicable privacy laws, including the Australian Privacy Act 1988 (Cth) (Privacy Act), the Singapore Personal Data Protection Act 2012 (Singapore PDPA) and the Thailand Personal Data Protection Act B.E. 2562 (2019) (Thailand PDPA) (collectively, Privacy Laws).
5. These BCRs operate in addition to, and not in substitution for, WK’s Group Privacy Policy.
2. Definitions and interpretation
1. Unless expressly defined otherwise in these BCRs, terms used in these BCRs are to be interpreted in accordance with the meanings assigned to them under the applicable Privacy Laws of the relevant jurisdiction, as in force from time to time. Where different jurisdictions use different terms to describe the same or substantially similar concepts, those terms are to be construed as referring to the same concept for the purposes of these BCRs, unless the context requires otherwise. In the event of any inconsistency or divergence between statutory definitions or terminology across jurisdictions, the definitions and terminology of the laws of the transferring entity prevail for the purposes of construing and applying these BCRs.
2. In these BCRs the following terms have the meanings set out below. Where a term differs from the terminology used in particular Privacy Laws, it shall be read as encompassing the corresponding statutory term and carrying the meaning given to it under that law:
- “personal information” means any information or data relating to an identified or identifiable natural person, and encompasses “personal information” as defined in the Privacy Act and “personal data” as defined in the Singapore PDPA and the Thailand PDPA;
- “individual” means the natural person that personal information relates to and encompasses an “individual” as referred to in the Privacy Act and the Singapore PDPA and a “data subject” defined in the Thailand PDPA;
- “controller” means the entity that determines the purposes and means of processing personal information and encompasses an “APP entity” (being an organisation or agency) as referred to in the Privacy Act, an “organisation” as referred to in the Singapore PDPA, and a “data controller” as defined in the Thailand PDPA;
- “processor” means the entity processing personal information on behalf of a controller and encompasses “data intermediary” as defined in the Singapore PDPA and “data processor” as defined in the Thailand PDPA. For the purposes of the Privacy Act, where an APP entity engages a third party to handle personal information on its behalf, that third party shall be treated as a processor under these BCRs; and
- “processing” means any operation or set of operations performed on personal information, and encompasses “processing” as defined in the Thailand PDPA and, in relation to the Privacy Act and the Singapore PDPA, the collection, use, disclosure, and holding of personal information.
3. Binding Nature
1. Each WK Group Entity is bound through execution of the Intra Group Data Transfer Agreement (IGDTA), which incorporates these BCRs by reference. No intra‑group transfer may take place until the receiving entity is bound and able to comply with the BCRs.
2. Compliance with these BCRs is mandatory for all directors, officers, employees and contractors.
3. The Appendices to the BCRs are incorporated into and form part of the BCRs. Unless the context requires otherwise, a reference to these BCRs includes a reference to its Appendices, and the Appendices have the same contractual force and effect as the terms set out in the body of these BCRs. In the event of any inconsistency between the terms of the BCRs and any Appendix the latter shall prevail to the extent necessary to comply with the applicable Privacy Law of the relevant transferring entity. For the avoidance of doubt, no Appendix may derogate from the minimum standard of protection established by the body of these BCRs, except where strictly required to comply with the applicable Privacy Laws of the relevant transferring jurisdiction, and a Jurisdiction Specific Interaction Statement shall be construed as supplementing the body of these BCRs unless it expressly and irreconcilably conflicts with a specific body provision.
4. Unless expressly defined otherwise in the BCRs or its Appendices, all terms used herein are to be interpreted in accordance with the meanings assigned to them under the applicable legislation of the applicable jurisdiction, as in force from time to time. Where different jurisdictions use different terms to describe the same or substantially similar concepts, those terms are to be construed as referring to the same concept for the purposes of the BCRs, unless the context requires otherwise. In the event of any inconsistency or divergence between statutory definitions or terminology across jurisdictions, the laws of the transferring jurisdiction, including their applicable definitions and terminology, prevail for the purposes of construing and applying the BCRs.
4. Scope and Application
1. These BCRs apply to all WK entities that have acceded to the IGDTA and are listed below:
- Wotton Kearney Pty Ltd (Australia) (WK AU)
- Wotton Kearney Advisory Pty Limited (Australia) (WK Advisory)
- Wotton Kearney Pte Ltd (Singapore) (WK SG)
- Wotton Kearney Co. Ltd (Thailand) (WK TH)
- Any future WK entity that formally accedes to these BCRs
(together, the WK Group and each a WK Group Entity)
2. These BCRs cover transfers of personal information between Australia, Singapore and Thailand where the transfer is conducted solely between the WK Group Entities.
3. Each WK Group Entity is generally considered a controller for its own employees and local client relationships and a processor when processing personal information with shared group services or platforms. Each WK Group Entity must comply with applicable Privacy Laws according to its role as a controller or processor as determined under those laws in each relevant jurisdiction.
4. These BCRs cover personal information relating to:
- clients, customers and matters;
- employees, contractors and applicants;
- marketing, event and business development;
- suppliers and business contacts;
- cyber hotline and incident response; and
- other individuals whose personal information is processed in the ordinary course of WK Group’s business.
5. Data Transfer and Data Protection Principles
1. Personal information will only be transferred and processed where permitted under the applicable Privacy Laws and, where relevant, in accordance with the documented instructions of the transferring WK Group Entity, subject at all times to client contractual restrictions regarding data sovereignty. Where required under the applicable Privacy Laws, a valid legal basis must exist, including where the transfer or processing is:
- necessary to fulfil the primary purpose for which the data was collected;
- carried out with the individual’s consent;
- necessary for the performance of a contract;
- required to comply with a legal obligation;
- necessary for legitimate interests (subject to balancing tests);
- necessary to protect vital interests; or
- carried out in the public interest (where applicable).
2. Transfers between the WK Group Entities are permitted, subject to client contractual restrictions regarding data sovereignty, where the recipient entity is bound by these BCRs and processes the data solely in accordance with the instructions of the transferring entity.
3. Onward transfers to any third party outside of the WK Group Entities must be permitted under applicable Privacy Laws and require adequacy, Standard Contractual Clauses (SCCs) or other lawful safeguards and written agreements imposing equivalent protections. For the avoidance of doubt these BCRs apply solely to the WK Group Entities that are expressly bound by them. No third party is bound by or entitled to rely on these BCRs, and onward transfers to such third parties must be governed by separate contractual arrangements and comply with applicable Privacy Laws.
4. All processing under these BCRs must comply with the following principles, consistent with the Australian Privacy Principles (APPs), Singapore PDPA and Thailand PDPA:
- Lawfulness, fairness and transparency in accordance with WK’s Privacy Policy.
- Personal information will be collected for a specified, explicit and legitimate purpose and limited to what is adequate, relevant and necessary, in accordance with WK’s Privacy Policy.
- Reasonable steps are taken to ensure personal information is accurate and up to date.
- Personal information is retained only for as long as necessary or required by law.
- Appropriate technical and organisational measures will be implemented to protect against unauthorised access, loss or misuse, and to ensure the confidentiality, integrity and security of personal information.
- Privacy risks are assessed and considerations are embedded into systems, products and processes.
6. Rights of Individuals
1. Individuals are expressly granted enforceable rights, including:
- access, correction and the right to request deletion of personal information (subject to legal limitations);
- objection to, or restriction of, certain processing;
- withdrawal of consent where consent is relied upon;
- protection in relation to automated decision‑making where applicable;
- the right to lodge a complaint; and
- the right to obtain redress for breaches of these BCRs.
2. The Group Privacy Officer (Australia) is the primary contact point for data protection matters:
Email: privacyofficer@wottonkearney.com
Address: Level 9, Grosvenor Place, 225 George Street, Sydney NSW 2000, Australia.
3. Information about these BCRs is provided to individuals through:
- WK’s external Privacy Policy;
- Privacy collection notices; and
- Upon request, a copy or summary of these BCRs.
7. Governance and Accountability
1. Wotton Kearney Pty Ltd is designated as the BCR Lead Entity and the entity responsible for overall compliance, governance and coordination of the BCR framework.
2. Each WK Group Entity remains accountable for its own processing activities and must be able to demonstrate compliance with these BCRs and applicable local law.
3. Wotton Kearney Pty Ltd has appointed a Group Privacy Officer, based in Australia, who is responsible for:
- Monitoring compliance with these BCRs;
- Advising on data protection obligations;
- Coordinating training;
- Overseeing complaints and breach responses; and
- Liaising with regulators.
4. Where a WK Group Entity receives a legally binding request for access to personal information by a public authority or government body, it must:
- assess the request on a case-by-case basis for legality, necessity and proportionality under the applicable Privacy Laws;
- challenge the request where there are reasonable grounds to consider it unlawful or disproportionate, to the extent permitted by law;
- limit disclosure to the minimum required;
- document the request and its assessment, and promptly refer the matter to the BCR Lead Entity and Group Privacy Officer; and
- where required by applicable Privacy Laws, report or escalate the request to the relevant supervisory authority.
8. Complaints
1. Complaints may be lodged with any WK Group Entity or directly with the BCR Lead Entity. The following procedure applies to all complaints relating to processing under these BCRs:
- each complaint will be acknowledged without undue delay;
- the complaint will be investigated by the Group Privacy Officer in coordination with the relevant WK Group Entity;
- a reasoned response will be provided within the timeframe required by applicable Privacy Laws; and
- the individual will be informed of their right to lodge a complaint with the relevant supervisory authority and, where applicable, to seek judicial remedies.
2. Where a complaint remains unresolved, it may be escalated to relevant supervisory authorities in accordance with WK’s Group Privacy Policy.
9. Data Breach Notification
1. Each WK Group Entity must notify the BCR Lead Entity without undue delay upon becoming aware of a data breach involving personal information transferred under these BCRs.
2. The BCR Lead Entity will coordinate notification to affected individuals and regulators in accordance with applicable Privacy Laws and the WK Group Privacy Policy, including the Notifiable Data Breaches scheme under the Privacy Act, part 6A of the Singapore PDPA (read with the Personal Data Protection (Notification of Data Breaches) Regulations 2021) and the equivalent obligations under the Thailand PDPA.
10. Training
1. WK provides mandatory, role‑appropriate data protection training to all personnel with permanent or regular access to personal information, with refresher training conducted at least annually.
11. Liability
1. The BCR Lead Entity accepts responsibility for breaches of these BCRs by non‑Australian Group entities and will provide effective remedies, including compensation where required by law, unless it proves that the relevant WK Group Entity is not responsible for the event giving rise to the damage. The burden of proof rests with the WK Group.
2. Each WK Group Entity will cooperate with the relevant supervisory authority in connection with the performance of its tasks relating to these BCRs, including by responding to enquiries, submitting to audits, and complying with advice or decisions of the relevant supervisory authority on any issues related to these BCRs.
3. The BCR Lead Entity will notify the relevant supervisory authorities of any material changes to these BCRs that may affect the level of protection afforded to personal information, and will maintain a record of such changes.
12. Review and Approval
1. Material changes to these BCRs or the list of bound entities will be communicated internally and published externally.
2. These BCRs enter into force on approval by the WK Board and execution of the IGDTA by participating entities.
Appendix 1 – Categories of Data, Individuals and Processing Activities
1. Categories of Individuals
1. The BCRs apply to personal information relating to the following categories of individuals:
- clients (including client personnel and insureds), prospective clients, individuals involved in client matters (e.g. witnesses, claimants, counterparties);
- current and former employees, directors, contractors, consultants, volunteers;
- job applicants and candidates;
- suppliers;
- business partners and professional contacts;
- referees and emergency contacts (collected indirectly);
- cyber hotline callers (including employees of client organisations); and
- website visitors, subscribers, event attendees and members of the public who communicate with WK.
2. Categories of Personal information
1. The BCRs apply to personal information relating to the following categories of information including but not limited to:
Personal Information
- Identification details (name, title)
- Contact details (postal address, email address, telephone number)
- Employment details (employer, role, position, company name)
- Dates of birth
- Financial information (including billing and transaction information)
- Attendance and interaction records (events, meetings)
- Online identifiers and technical data (IP address, domain name, access logs)
- Application and recruitment information (CVs, references, qualifications)
- Photographic images and CCTV footage
- Communications content (emails, calls, correspondence)
Sensitive Information
- Government identifiers (e.g. TFN, driver’s licence)
- Nationality and country of birth
- Professional memberships
- Criminal records
- Family court orders
- Biometric information (where applicable)
Health Information
- Medical records and reports
- Disabilities and injuries
- Immunisation information
- Psychological reports
- Health information disclosed in the context of legal services
- Health‑related information collected via employment processes or counselling services
Cyber Hotline–Specific Data
- Caller contact details
- Employer and role
- Incident and technical details
- Call recordings and transcripts
- Information relevant to cyber incidents and insurance notifications
The categories of personal information set out in this Appendix align with the categories described in WK’s Group Privacy Policy. References to “Sensitive Information” in these BCRs include health information, ‘special categories of personal data’ and any other information that is treated as sensitive under applicable Privacy Laws.
3. Processing
1. Personal information is processed for legitimate business purposes including:
- Provision of legal services and advice, including establishing, exercising or defending legal claims
- Client relationship management, matter management, conflict checks, and responding to enquiries and requests
- Cyber incident response services, including but not limited to hotline support and related notifications
- Recruitment, employment administration, and talent management
- Training, professional development, and workforce capability building
- Marketing, communications, direct marketing (where consented), event management, and registrations
- Surveys, research, service improvement, and stakeholder feedback
- Website operation, analytics, optimisation, and digital service delivery
- Compliance with legal and regulatory obligations, including record keeping and reporting
- Risk management, security, and prevention of fraud and unlawful activity
4. Transfer Scenarios
1. Personal information may be transferred in the following scenarios, subject at all times to client contractual restrictions regarding data sovereignty:
Internal Transfers
- Between WK business units
- Between related bodies corporate
Third‑Party Disclosures (Domestic and Overseas)
- IT, cloud storage and software providers
- AI system providers (including telephony systems)
- Cyber hotline service providers
- Insurers (in relation to cyber incidents)
- Counsel, experts and consultants
- Recruitment service providers
- Marketing, advertising and research agencies
- Payroll, HR and professional service providers
- Counselling service providers (with consent)
Cross‑Border Transfers
- Storage or processing via cloud service providers with servers outside the jurisdiction of the relevant WK Group Entity
- Email or document transmission to overseas recipients
- Access by overseas related entities
- Overseas contractors or service providers
- Online publication or access (e.g. website content accessible internationally)
Regulatory and Legal Disclosures
- Government agencies and regulators
- Courts, tribunals and law enforcement bodies
- Office of the data protection regulatory authority of the jurisdiction of the relevant WK Group Entity and affected individuals in the event of a notifiable data breach
Appendix 2 – Jurisdiction‑Specific Interaction Statement
1. Australia
These BCRs constitute a safeguard mechanism supporting compliance with APP 8 (cross‑border disclosure) and provide a standard of protection for the personal information transferred from the relevant WK Group Entity to the recipient that is at least comparable to the protection under the Australian Act and APPs.
2. Singapore
For the purposes of the Singapore PDPA, these BCRs provide a standard of protection that is at least comparable to the protection under the Singapore PDPA.
Data Transfers
1. A transfer of personal information from Singapore to a country or territory outside Singapore by WK SG or the relevant WK Group Entity (a Singapore Transfer) must comply with the requirements prescribed under section 26 of the Singapore PDPA and Part 3 of the Personal Data Protection Regulations 2021 (Singapore PDPR) to ensure a standard of protection comparable to that under the Singapore PDPA.
Legally enforceable obligations
2. Prior to making a Singapore Transfer, WK SG or the relevant WK Group Entity must take appropriate steps to ascertain whether, and ensure that, the recipient is bound by legally enforceable obligations (including these BCRs, the IGDTA or any other contract or law) that provide a standard of protection for the transferred personal information that is at least comparable to that under the Singapore PDPA, and that the transfer is permitted under the applicable Privacy Laws of both the transferring and recipient jurisdictions.
3. WK SG or the relevant WK Group Entity should maintain internal documentation evidencing the due diligence undertaken under clause 3.2 of this Appendix.
4. For the purposes of clause 3, a recipient entity is taken to be bound by legally enforceable obligations providing a comparable standard of protection if it holds the following certifications granted or recognised under the applicable Privacy Law of the recipient entity’s jurisdiction:
- where the recipient is a data intermediary — the Asia‑Pacific Economic Cooperation Privacy Recognition for Processors System or the Asia‑Pacific Economic Cooperation Cross Border Privacy Rules System; or
- in any other case — the Asia‑Pacific Economic Cooperation Cross Border Privacy Rules System.
Consent as a legally enforceable obligation
5. Where consent is relied upon as the legally enforceable obligation for a Singapore Transfer (pursuant to Regulation 10(2)(a) and (b) read with Regulation 10(3) of the Singapore PDPR), WK SG or the relevant WK Group Entity must ensure that:
- the individual was given a reasonable written summary of the extent to which the transferred personal information will be protected to a comparable standard under the Singapore PDPA;
- consent was not requested as a condition of providing a product or service, unless the transfer is reasonably necessary for that purpose; and
- consent was not obtained through false, misleading or deceptive practices including misleading information about the transfer.
6. For the purposes of clause 3.5, consent includes:
- express consent, where the individual has been notified of the purpose of the collection, use or disclosure and other matters under section 20 of the Singapore PDPA;
- deemed consent under section 15 of the Singapore PDPA, including where disclosure, collection, use or onward disclosure is reasonably necessary for the conclusion or performance of a contract with the individual where the conditions prescribed therein (including for pre-contractual and contractual disclosures) are satisfied; and
- deemed consent by notification under section 15A of the Singapore PDPA, subject to compliance with the prescribed conditions, including:
  - the prior conduct of a data impact assessment to assess whether the proposed collection, use or disclosure is likely to have an adverse effect on the individual and, where required, the implementation of reasonable measures to eliminate, reduce or mitigate any such adverse effect;
  - taking reasonable steps to notify the individual of the organisation’s intention and purpose, and of a reasonable period and manner by which the individual may notify the organisation that he or she does not consent; and
  - satisfaction of any other prescribed requirements.
7. Should an individual, upon providing reasonable notice, withdraw his or her consent in respect of the collection, use or disclosure by that organisation of personal information about that individual for any purpose, the organisation must not prohibit the individual from doing so but must inform the individual of the likely consequences of the withdrawal.
8. Where a Singapore Transfer relies on an exception to consent under Part 1 or paragraph 2 of Part 2 of the First Schedule of the Singapore PDPA, WK SG or the relevant WK Group Entity must take reasonable steps to ensure the transferred personal information is not used or disclosed by the recipient for any other purpose. The exceptions available under section 17 of the Singapore PDPA (read with the First and Second Schedules) apply as prescribed therein.
Data Protection Principles
9. The data protection principles in clause 5 of these BCRs apply to all Singapore Transfers. For the purposes of the Singapore PDPA, those principles encompass, at a minimum: purpose limitation (including limitations on collection, use and disclosure); accuracy; protection and security; retention limitation; and documented personal information protection policies.
Individual Rights and Complaints
10. The rights of individuals in clause 6 and the complaints procedure in clause 8 of these BCRs apply to all Singapore Transfers. In addition, for Singapore PDPA purposes:
- individuals have rights of access and correction, subject to the exceptions in the Fifth Schedule of the Singapore PDPA;
- individuals may withdraw consent, subject to section 16 of the Singapore PDPA and clause 3.7 of this Appendix; and
- individuals may lodge complaints with the Group Privacy Officer and the Singapore Personal Data Protection Commission.
3. Thailand
1. For the purposes of the Thailand PDPA, these BCRs provide a standard of protection that is at least comparable to the protection under the Thailand PDPA and support compliance with section 29 of the Thailand PDPA.
Individual Rights and Complaints
2. The rights of individuals in clause 6 and the complaints procedure in clause 8 of these BCRs apply to all transfers. Specifically, where the Thailand PDPA applies to a transfer conducted under these BCRs, individuals whose personal information is transferred shall be entitled, as third-party beneficiaries, to enforce the following provisions of the BCRs directly against WK Thailand and/or the relevant WK Group Entity:
- where consent is relied upon, the right to withdraw consent at any time under Section 19 of the Thailand PDPA;
- the right to access their personal information under Section 30 of the Thailand PDPA;
- the right to data portability under Section 31 of the Thailand PDPA;
- the right to object to or restrict processing under Section 32 of the Thailand PDPA;
- the right to request deletion, destruction, or anonymisation of personal information under Section 33 of the Thailand PDPA;
- the right to request suspension of the use of personal information under Section 34 of the Thailand PDPA;
- the right to rectify their personal information under Section 35 of the Thailand PDPA;
- the right to lodge a complaint with the Personal Data Protection Commission (PDPC) under Section 73 of the Thailand PDPA; and
- the right to pursue judicial remedies and to claim compensation for material and non-material damage under Sections 77–78 of the Thailand PDPA.
3. Individuals may exercise their rights under these BCRs before the courts of Thailand and before the PDPC, without prejudice to any other rights or remedies available under applicable law.
Duty to Cooperate with the PDPC
4. WK Thailand and each WK Group Entity agrees to:
- cooperate with the PDPC in the performance of its duties in relation to these BCRs;
- submit to audits and inspections conducted by the PDPC Office in respect of compliance with these BCRs; and
- comply with the recommendations and orders of the PDPC on matters relating to these BCRs.
5. Nothing in this Appendix or in these BCRs limits or qualifies the authority of the PDPC to carry out its functions under the Thailand PDPA in respect of any BCR Member.