Outsourcing Agreement (Philippines)

An Outsourcing Agreement in the Philippines governs the arrangement between the parties and the conditions on which it operates.

The Philippines is among the world's largest BPO destinations. The IT and Business Process Association of the Philippines (IBPAP) estimates that the Philippine IT-BPM (Information Technology and Business Process Management) sector employs over 1.7 million full-time equivalents and generates approximately USD 32 billion in annual revenue. The sector benefits from a highly educated English-proficient workforce, favorable labor costs, government incentives through the Philippine Economic Zone Authority (PEZA) and Board of Investments (BOI), and deep domain expertise in customer experience, healthcare, and financial services outsourcing.

The critical regulatory framework for Philippine outsourcing agreements is Department of Labor and Employment (DOLE) Department Order No. 174-17 (D.O. 174-17), which governs legitimate job contracting and subcontracting and prohibits 'labor-only contracting' — arrangements where the contractor does not have substantial capital, investment, or tools and the workers are used in activities directly related to the principal's main business. Under D.O. 174-17, a legitimate outsourcing provider must: (1) be registered with DOLE as a legitimate contractor; (2) have a paid-up capital of at least PHP 3,000,000; (3) exercise exclusive control over the manner and methods of work of the outsourced employees; and (4) provide the contracted employees with benefits, wages, and working conditions mandated by the Labor Code (Presidential Decree 442) — including SSS, PhilHealth, Pag-IBIG (HDMF), and mandatory 13th month pay under PD 851. A principal whose outsourcing arrangement is found to be labor-only contracting becomes the statutory employer of the workers.

Data privacy obligations are central to Philippine outsourcing agreements. When the outsourcing provider accesses, processes, or stores personal data on behalf of the client, the provider acts as a personal information processor (PIP) under the Data Privacy Act of 2012 (RA 10173). NPC Advisory No. 2020-01 requires that the client (as PIC) and outsourcing provider (as PIP) execute a written Data Processing Agreement as part of the outsourcing contract.

Tax compliance is another critical dimension. Under BIR Revenue Regulations No. 2-98, clients paying for outsourcing services are required to withhold creditable withholding tax from service fee payments. PEZA and BOI-registered outsourcing providers may have special tax incentives including income tax holidays (ITH) and 5% gross income tax (GIT) that affect the withholding tax treatment of their service fees.

A formal outsourcing agreement is needed in the Philippines whenever a company engages an external provider to perform business functions that would otherwise be performed by the company's own employees, particularly in the following circumstances:

BPO Engagements: A foreign company outsourcing its customer support, finance and accounting, or data entry operations to a Philippine BPO provider operating from PEZA-registered economic zones in Metro Manila, Cebu, Clark, or other BPO hubs needs a thorough outsourcing agreement defining service scope, staffing levels, SLAs, data privacy obligations under RA 10173, and DOLE compliance warranties.

The Outsourcing Agreement Outsourcing and Managed Services: A Philippine bank outsourcing its core banking application maintenance, IT helpdesk operations, or cybersecurity monitoring to an IT service provider requires an outsourcing agreement that complies with BSP Circular No. 982 (Technology Risk Management) mandatory outsourcing agreement provisions — including audit rights, business continuity requirements, data security, and sub-contracting restrictions.

Legal Process Outsourcing (LPO): Foreign law firms and corporate legal departments outsourcing document review, legal research, contract drafting support, and patent analysis to Philippine LPO providers need outsourcing agreements with strong confidentiality, attorney-client privilege protection, and conflict-of-interest provisions.

Healthcare Process Outsourcing: Healthcare outsourcing arrangements (medical transcription, medical billing and coding, health information management) involve health information protected under RA 10173 and the Philippine Health Insurance Corporation (PhilHealth) data security requirements. A formal outsourcing agreement with stringent data protection provisions is mandatory.

Captive vs. Third-Party Outsourcing: Philippine-incorporated captive shared service centers (SSCs) created by multinational companies to serve the parent group need intra-group service agreements (a form of outsourcing agreement) to document the arm's-length nature of intercompany service charges for transfer pricing compliance under BIR Revenue Regulations No. 2-2013 on transfer pricing documentation.

Parties in Philippines should prepare a Outsourcing Agreement (Philippines) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

A legally complete Philippines outsourcing agreement must address labor law compliance, data privacy, tax, service levels, and business continuity to fully protect both parties.

Parties and Corporate Details: Identify the principal (client) and outsourcing provider with full legal names, registered addresses, TINs, SEC registration numbers, and — for the outsourcing provider — its DOLE registration certificate number as a legitimate contractor under D.O. 174-17. PEZA or BOI registration numbers should be included if the provider operates under special economic zone incentives.

Scope of Outsourced Services: Define in precise detail the business processes or IT services being outsourced (the 'Contracted Services'). Avoid scope ambiguity that could support a labor-only contracting finding — the service scope should reflect the outsourcing provider's genuine expertise and substantive delivery obligations, not simply the provision of manpower.

DOLE D.O. 174-17 Compliance: The outsourcing provider must warrant that: (1) it is duly registered with DOLE as a legitimate job contractor; (2) it has the required minimum paid-up capital of PHP 3,000,000; (3) it maintains exclusive control over the outsourced workers' work methods; (4) it pays all outsourced employees at least minimum wage under applicable DOLE Regional Wage Orders; and (5) it remits all mandatory government contributions (SSS under RA 11199, PhilHealth under RA 7875 as amended, Pag-IBIG/HDMF under RA 9679, and 13th month pay under PD 851). The principal should require evidence of DOLE registration annually and audit rights to verify compliance.

Service Level Agreement (SLA): Define quantitative performance metrics: for BPO services, typical SLA metrics include call handling time, first call resolution rate, customer satisfaction score (CSAT), quality assurance (QA) scores, and queue management. For IT outsourcing, typical SLAs cover system uptime, incident response times, mean time to repair (MTTR), and service desk ticket resolution rates. Include remedies for SLA breach: service credits, performance improvement plans, and termination rights for persistent SLA failure.

Data Privacy and DPA: Include a Data Processing Agreement (DPA) compliant with RA 10173 and NPC Advisory No. 2020-01. The outsourcing provider as PIP must: process personal data only on client instructions; implement organizational, physical, and technical security measures; provide security clearance and background checks for staff with access to personal data; report data breaches to the client within 72 hours (NPC Circular No. 16-03); allow client audits; and delete or return all personal data on contract termination.

Information Security: Define information security requirements — applicable standards (ISO/IEC 27001, SOC 2, PCI DSS if applicable), access control policies, prohibition on unauthorized data extraction, clean desk policies, visitor controls, and device management policies. For healthcare outsourcing, align with PhilHealth data security requirements. For financial services outsourcing, align with BSP Circular No. 982 requirements.

Fees, Payment, and BIR Compliance: Specify the service fee structure (monthly fixed fee, per-FTE pricing, transaction-based pricing, or hybrid), invoicing cycle, and payment terms. Include BIR compliance provisions: creditable withholding tax rate applicable to the service payments, the principal's obligation to withhold and remit the tax, and to issue BIR Form 2307. Address VAT at 12% — note that PEZA-registered outsourcing providers on income tax holiday may issue zero-rated VAT invoices to foreign principals for services rendered in PEZA zones under BIR Revenue Regulations No. 16-2005. Clearly specify the VAT treatment in the agreement.

Transition and Knowledge Transfer: For multi-year outsourcing agreements, include provisions on transition-in (knowledge transfer from the principal to the provider at contract start) and transition-out (reverse knowledge transfer from the provider back to the principal or successor provider at contract end). Knowledge transfer obligations are critical to avoid provider lock-in and confirm continuity of operations.

Business Continuity and Disaster Recovery: Require the outsourcing provider to maintain and test a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). For BSP-regulated principals, align with BSP Circular No. 982 requirements. Define recovery time objectives (RTO) and recovery point objectives (RPO). For Philippine BPO providers in typhoon-prone areas, address specific natural disaster contingency planning.

Term and Termination: Specify the initial contract term, renewal process, and termination rights. Philippine outsourcing agreements typically have 3–5 year initial terms with 12-month notice for non-renewal. Termination rights for cause should cover DOLE compliance violations, persistent SLA failure, data breach, insolvency, and change of control. Include a definitive exit plan and transition assistance period to be provided by the outgoing provider.

Governing Law: The agreement is governed by the Civil Code of the Philippines (RA 386), the Labor Code (PD 442), DOLE D.O. 174-17, and RA 10173. Disputes should be resolved by Philippine courts or arbitration under RA 9285, with venue in Makati City, Taguig City, or such city agreed by the parties.

Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. The forms-legal.com Outsourcing Agreement (Philippines) template covers the mandatory elements under Revised Corporation Code (RA 11232, 2019).