Data Processing Agreement (Philippines)

DATA PROCESSING AGREEMENT

Data Privacy Act of 2012 (Republic Act 10173) | Section 14 | NPC Implementing Rules and Regulations

This Data Processing Agreement ("DPA") is entered into as of [Effective Date]

BETWEEN:

[Controller Name], with address at [Controller Address] ("Personal Information Controller" or "PIC"); AND

[Processor Name], with address at [Processor Address] ("Personal Information Processor" or "PIP").

WHEREAS, the PIC has engaged the PIP to provide services that involve the processing of personal data on behalf of the PIC; and WHEREAS, both parties wish to comply with the Data Privacy Act of 2012 (Republic Act 10173) and the implementing rules issued by the National Privacy Commission (NPC).

1. SCOPE AND PURPOSE OF PROCESSING

1.1 The PIP shall process personal data on behalf of the PIC solely for the following purpose: [Processing Purpose]

1.2 The categories of personal data to be processed are: [Data Categories]

1.3 The categories of data subjects whose data will be processed are: [Data Subject Categories]

1.4 The duration of this processing engagement is: [Processing Duration]

2. OBLIGATIONS OF THE PERSONAL INFORMATION CONTROLLER

2.1 The PIC shall: (a) ensure that all instructions given to the PIP comply with RA 10173 and applicable NPC regulations; (b) ensure that there is a valid lawful basis for the processing under Section 12 of RA 10173 prior to instructing the PIP to process; (c) promptly notify the PIP of any data subject rights requests or regulatory inquiries affecting the processing covered by this DPA; and (d) conduct periodic due diligence on the PIP's compliance with this DPA.

3. OBLIGATIONS OF THE PERSONAL INFORMATION PROCESSOR

3.1 The PIP shall process personal data only on documented instructions from the PIC, as set out in this DPA or in written instructions issued by the PIC, and shall immediately inform the PIC if, in the PIP's opinion, any instruction infringes RA 10173 or NPC regulations.

3.2 The PIP shall ensure that all personnel authorized to process personal data under this DPA are subject to confidentiality obligations and have received appropriate data privacy training.

3.3 The PIP shall implement the following security measures: [Security Measures]. The PIP shall maintain documentation of security measures and make such documentation available to the PIC and the NPC upon request.

3.4 Sub-processing rule: [Sub-Processor Rule]. Any authorized sub-processor must be bound by a Data Processing Agreement that imposes obligations equivalent to those in this DPA.

3.5 The PIP shall assist the PIC in fulfilling data subject rights requests under Sections 16 to 20 of RA 10173, including requests for access, rectification, erasure, objection, and portability.

4. DATA BREACH NOTIFICATION

4.1 The PIP shall notify the PIC without undue delay — and no later than seventy-two (72) hours — after becoming aware of a personal data breach, as required under NPC Circular 2016-03. The notification shall include: a description of the breach; the categories and approximate number of data subjects affected; the name and contact details of the DPO; the likely consequences of the breach; and the measures taken or proposed to address the breach.

4.2 The PIP shall cooperate fully with the PIC and the NPC in investigating and remediating any personal data breach.

5. RETURN OR DELETION OF PERSONAL DATA

5.1 Upon termination or expiry of this DPA, the PIP shall, at the PIC's election, either return all personal data to the PIC or securely delete or destroy all personal data (and all copies thereof) in the PIP's possession or control, within thirty (30) days of the termination or expiry date, and provide the PIC with written certification of such return or deletion.

6. GOVERNING LAW

6.1 This DPA is governed by and construed in accordance with the Data Privacy Act of 2012 (Republic Act 10173) and the laws of the Republic of the Philippines. Any dispute shall be resolved before the NPC or the appropriate Philippine court.

Personal Information Controller

________________

Signature

Personal Information Processor

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Data Processing Agreement (Philippines)?

A Data Processing Agreement in the Philippines defines what each party must do under the deal and the consequences of failing to perform.

The distinction between a personal information controller and a personal information processor is fundamental to Philippine data privacy law. A personal information controller is a natural or juridical person who controls the collection, holding, processing, or use of personal data — including a person who instructs another person to collect, hold, process, use, transfer, or disclose personal data on their behalf. A personal information processor, by contrast, is any natural or juridical person to whom a personal information controller may outsource or instruct the processing of personal data. Common examples in the Philippines include payroll processing companies, cloud service providers, call center operators processing customer data for a client, and BPO companies handling health records or financial data.

The NPC has emphasized through multiple advisory opinions — including NPC Advisory Opinion 2018-042 and the NPC's Handbook on Data Sharing Agreements — that a written Data Processing Agreement is not merely a best practice but a legal requirement under Section 14 of RA 10173. Where a processor subcontracts processing to a sub-processor, the DPA must either authorize such sub-processing in advance or require the processor to obtain prior written consent from the controller. The processor may not engage a sub-processor that offers fewer data protection guarantees than those required by RA 10173.

A Philippine Data Processing Agreement differs from a Data Sharing Agreement (DSA), which is used when two personal information controllers share personal data with each other for separate, independent purposes. The NPC's Guidelines on Data Sharing Agreements (NPC Circular 2019-01) impose additional requirements on DSAs, including a Data Sharing Assessment and registration of certain DSAs with the NPC.

The legal framework governing a Data Processing Agreement in the Philippines draws on several key statutes and regulatory bodies. The Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and the Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. Parties executing a Data Processing Agreement in the Philippines should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Data Privacy Act (RA 10173) sets the foundational requirements.

When Do You Need a Data Processing Agreement (Philippines)?

A Data Processing Agreement is required in the Philippines whenever a personal information controller outsources or delegates the processing of personal data to a third-party personal information processor.

A Philippine corporation (SEC-registered) or sole proprietor (DTI-registered) that engages a cloud computing provider — such as an Amazon Web Services (AWS) reseller, a Microsoft Azure partner, or a Google Cloud Platform distributor — to host systems containing personal data of Philippine customers or employees must execute a DPA with that provider under Section 14 of RA 10173.

A BPO company or call center engaged by a foreign principal to process personal data of the principal's customers on behalf of the principal requires a DPA that complies with both Philippine RA 10173 and the data protection law of the principal's jurisdiction, given the extraterritorial scope of RA 10173 and equivalent laws such as the EU General Data Protection Regulation (GDPR).

A Philippine employer that engages a third-party payroll processing company — which accesses employee TINs, SSS numbers, PhilHealth IDs, Pag-IBIG/HDMF numbers, and salary information — must have a DPA with the payroll processor to confirm that sensitive employee data is processed only on the employer's instructions and with equivalent security standards.

A hospital or healthcare provider that shares patient records with a laboratory, diagnostic center, or telemedicine platform for processing requires a DPA because health data constitutes sensitive personal information under Section 3(l) of RA 10173, which is subject to stricter processing requirements under Section 13 of the Act.

Any Philippine organization that engages a marketing analytics, CRM, or digital advertising platform that processes customer personal data — including behavioral data, purchase histories, and device identifiers — must have a DPA in place before commencing such data sharing.

What to Include in Your Data Processing Agreement (Philippines)

A valid Philippine Data Processing Agreement under RA 10173 must contain the following essential elements.

Identification of Parties: Full legal names, addresses, and registration numbers (SEC or DTI) of the personal information controller and the personal information processor. The DPA must clearly define which party is the controller and which is the processor.

Scope and Purpose of Processing: Precise description of the personal data to be processed, the categories of data subjects, the nature and purpose of the processing, and the duration of the processing engagement.

Processing Instructions: A requirement that the processor processes personal data only on documented instructions from the controller, including with regard to cross-border transfers, and must immediately inform the controller if an instruction infringes RA 10173 or other applicable Philippine law.

Confidentiality: An obligation on the processor to confirm that all persons authorized to process personal data are committed to confidentiality and have received appropriate data privacy training.

Security Measures: Requirements for the processor to implement appropriate technical and organizational security measures under Section 20 of RA 10173 — including access controls, encryption, pseudonymization, and regular security testing — sufficient to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Sub-processor Restrictions: Conditions under which the processor may engage sub-processors, including prior written authorization from the controller and a requirement to impose equivalent data protection obligations on sub-processors.

Data Breach Notification: Obligation on the processor to notify the controller without undue delay — and no later than 72 hours — upon becoming aware of a personal data breach, as required under NPC Circular 2016-03.

Data Subject Rights Assistance: Obligation on the processor to assist the controller in fulfilling its obligations to respond to data subject rights requests under Sections 16 to 20 of RA 10173.

Return or Deletion of Data: Obligation on the processor to return or delete all personal data upon termination of the processing engagement, in accordance with the controller's retention schedule.

Additional compliance elements for a Data Processing Agreement used in the Philippines include the following. Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and the Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. Forms-legal.com provides this template as a starting point for Philippines-compliant documentation.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Processing Agreement (Philippines) (Philippines) [Legal document template]. Forms Legal. https://forms-legal.com/philippines/business/contracts/data-processing-agreement-philippines

Based on Data Privacy Act (RA 10173) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
