Search for:
Asia-Pacific

Philippines: New Circular on Data Sharing Agreements issued by the National Privacy Commission

By , , and 4 Mins Read

In brief

The Philippine National Privacy Commission (NPC) recently issued NPC Circular No. 2020-03 on Data Sharing Agreements (Circular). The Circular applies to the disclosure of personal data from a personal information controller (PIC) to another PIC. It likewise applies to personal data that is consolidated by several PICs and shared or made available to each other and/or to one or more PICs. It excludes outsourcing or subcontracting arrangements between a PIC and a personal information processor (PIP).

Contents

  1. Recent Developments
  2. What the Circular Provides
  3. Actions to Consider

Recent Developments

The Philippine National Privacy Commission (NPC) recently issued NPC Circular No. 2020-03 on Data Sharing Agreements (Circular). The Circular applies to the disclosure of personal data from a personal information controller (PIC) to another PIC. It likewise applies to personal data that is consolidated by several PICs and shared or made available to each other and/or to one or more PICs. It excludes outsourcing or subcontracting arrangements between a PIC and a personal information processor (PIP).

What the Circular Provides

Under the Circular, any PIC who engages in data sharing is required to adhere to the data privacy principles of transparency, legitimate purpose, and proportionality. It remains responsible for any personal data under its control or custody, including those where the processing has been outsourced or subcontracted to a personal information processor (PIP) and to all domestic and cross-border data transfers.

Data Sharing Agreement

Any data sharing should be supported by the applicable legal basis for data processing under Sections 12 and 13 of the Data Privacy Act of 2012. It should be covered by a written data sharing agreement (DSA) or a similar document containing the terms and conditions of the sharing arrangement, including obligations to protect the personal data shared, the responsibilities of the parties, and mechanisms through which data subjects may exercise their rights, among others. More specifically, the DSA should be executed by the PICs and witnessed by their respective Data Protection Officers (DPOs). The agreement should also contain the following:

  • Purpose and lawful basis of the data sharing
  • Objectives of the data sharing
  • Parties to the DSA
  • Term or duration of the DSA
  • Operational details of the data sharing, including the procedure the parties intend to observe in implementing the same
  • Description of the reasonable and appropriate organizational, physical, and technical security measures that the parties intend to adopt to ensure the protection of the shared data.
  • Mechanisms that allow affected data subjects to exercise their rights relative to their personal data
  • Rules for the retention of shared data and for the secure return, destruction, or disposal of the shared data and the timeline therefor.
  • Other stipulations, clauses, terms and conditions as the parties may deem appropriate that are not contrary to law, morals, public order, or public policy.

Copies of the DSA or relevant written document should be provided to a data subject or the NPC, upon request.

Privacy Notice

Each affected data subject should also be provided with the following information before personal data is shared or at the next practical opportunity, through an appropriate privacy notice or consent form, whichever is applicable or appropriate (to the lawful basis for data sharing relied upon):

  • Categories of recipients of the personal data (Note that the identity of the recipients may also be given upon request);
  • Purpose of data sharing and the objective/s it is meant to achieve;
  • Categories of personal data that will be shared;
  • Existence of the rights of data subjects; and
  • Other information that would sufficiently inform the data subject of the nature and extent of data sharing and the manner of processing involved.

Actions to Consider

Clients are advised to review their existing privacy notices and data sharing agreements, and implement changes if necessary, to ensure full compliance with the requirements of the Circular. In addition to compliance, the review of existing data sharing arrangements are also strongly encouraged in order to guarantee that the security measures being implemented are sufficient to protect and secure the personal data being processed by the organization.

Categories:
Author

Bienvenido Marquez III is a partner in Quisumbing Torres' Intellectual Property, Data and Technology Practice Group. He also co-heads the Consumer Goods & Retail Industry Group and is a member of the Technology, Media & Telecommunications Group. He participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. He is a member of Baker McKenzie's Asia Pacific Intellectual Property Business Unit for Brand Enforcement. He is immediate Past President of the Philippine Chapter of the Licensing Executives Society International (2019-2021), and is currently co-chair of the LESI Asia Pacific. He is also a member of the Anti-Counterfeiting Committee of the International Trademarks Association (INTA). He has been appointed as member of the INTA Asia Global Advisory Council (GAC) for 2022 to 2023, making him the only Philippine representative on the council.

Bien has vast experience in handling IP enforcement litigation, trademark and patent prosecution and maintenance, copyright, data privacy, information security, IT, telecommunications, e-commerce, electronic transactions, cyber security and cybercrime. He has been consistently ranked as a leading individual for Intellectual Property and TMT in Legal 500 Asia Pacific, Chambers Asia Pacific, asialaw Leading Lawyers, Managing IP Stars, Asia IP, and World Trademark Review. He was also recognized as a Volunteer Service Awardee by INTA in 2018.

Author

Divina Ilas-Panganiban is a partner in Quisumbing Torres’ Intellectual Property and Information Technology & Communications practices. She has 15 years of experience in the fields of intellectual property law, commercial law and litigation. She currently serves as the Vice-President and Director of the Philippine Chapter of Licensing Executives Society International. Ms. Panganiban often serves as resource speaker in local and international seminars on IP and IT laws.

Author

Neonette Pascual is an associate in Quisumbing Torres' Intellectual Property Practice Group and Information Technology & Communications Industry Group. She has nine years of experience handling matters involving contracts, incorporation, compliance, litigation, and corporate housekeeping. Prior to joining Quisumbing Torres, Ms. Pascual worked as legal counsel for the Philippine offices of two global outsourcing services companies

Author

Danielle Lauren K. Lim is a junior associate in Quisumbing Torres. She works with the Corporate & Commercial/M&A, Dispute Resolution, Employment and Tax Practice Groups. Danielle graduated from Ateneo Law School with honors and was awarded Best Thesis for Batch 2019.

Related Posts