Search for:

In brief

The Philippine National Privacy Commission (NPC) recently issued NPC Circular No. 2020-03 on Data Sharing Agreements (Circular). The Circular applies to the disclosure of personal data from a personal information controller (PIC) to another PIC. It likewise applies to personal data that is consolidated by several PICs and shared or made available to each other and/or to one or more PICs. It excludes outsourcing or subcontracting arrangements between a PIC and a personal information processor (PIP).


Recent Developments

The Philippine National Privacy Commission (NPC) recently issued NPC Circular No. 2020-03 on Data Sharing Agreements (Circular). The Circular applies to the disclosure of personal data from a personal information controller (PIC) to another PIC. It likewise applies to personal data that is consolidated by several PICs and shared or made available to each other and/or to one or more PICs. It excludes outsourcing or subcontracting arrangements between a PIC and a personal information processor (PIP).

What the Circular Provides

Under the Circular, any PIC who engages in data sharing is required to adhere to the data privacy principles of transparency, legitimate purpose, and proportionality. It remains responsible for any personal data under its control or custody, including those where the processing has been outsourced or subcontracted to a personal information processor (PIP) and to all domestic and cross-border data transfers.

Data Sharing Agreement

Any data sharing should be supported by the applicable legal basis for data processing under Sections 12 and 13 of the Data Privacy Act of 2012. It should be covered by a written data sharing agreement (DSA) or a similar document containing the terms and conditions of the sharing arrangement, including obligations to protect the personal data shared, the responsibilities of the parties, and mechanisms through which data subjects may exercise their rights, among others. More specifically, the DSA should be executed by the PICs and witnessed by their respective Data Protection Officers (DPOs). The agreement should also contain the following:

  • Purpose and lawful basis of the data sharing
  • Objectives of the data sharing
  • Parties to the DSA
  • Term or duration of the DSA
  • Operational details of the data sharing, including the procedure the parties intend to observe in implementing the same
  • Description of the reasonable and appropriate organizational, physical, and technical security measures that the parties intend to adopt to ensure the protection of the shared data.
  • Mechanisms that allow affected data subjects to exercise their rights relative to their personal data
  • Rules for the retention of shared data and for the secure return, destruction, or disposal of the shared data and the timeline therefor.
  • Other stipulations, clauses, terms and conditions as the parties may deem appropriate that are not contrary to law, morals, public order, or public policy.

Copies of the DSA or relevant written document should be provided to a data subject or the NPC, upon request.

Privacy Notice

Each affected data subject should also be provided with the following information before personal data is shared or at the next practical opportunity, through an appropriate privacy notice or consent form, whichever is applicable or appropriate (to the lawful basis for data sharing relied upon):

  • Categories of recipients of the personal data (Note that the identity of the recipients may also be given upon request);
  • Purpose of data sharing and the objective/s it is meant to achieve;
  • Categories of personal data that will be shared;
  • Existence of the rights of data subjects; and
  • Other information that would sufficiently inform the data subject of the nature and extent of data sharing and the manner of processing involved.

Actions to Consider

Clients are advised to review their existing privacy notices and data sharing agreements, and implement changes if necessary, to ensure full compliance with the requirements of the Circular. In addition to compliance, the review of existing data sharing arrangements are also strongly encouraged in order to guarantee that the security measures being implemented are sufficient to protect and secure the personal data being processed by the organization.

Author

Bienvenido Marquez III is a partner and head of Quisumbing Torres' Intellectual Property Practice Group and Information Technology & Communications Industry Group. He is also a member of Baker McKenzie's Asia Pacific Intellectual Property Steering Committee. He is experienced in handling IP enforcement litigation, trademark and patent prosecution and maintenance, copyright, data privacy, information security, IT, telecommunications, e-commerce, electronic transactions and cybercrime matters. He also counsels clients on compliance with consumer product laws, including packaging, labeling and regulatory requirements for food, drugs and devices and cosmetics, and conducts administrative litigation relating to the same.

Author

Divina Ilas-Panganiban is a partner in Quisumbing Torres’ Intellectual Property and Information Technology & Communications practices. She has 15 years of experience in the fields of intellectual property law, commercial law and litigation. She currently serves as the Vice-President and Director of the Philippine Chapter of Licensing Executives Society International. Ms. Panganiban often serves as resource speaker in local and international seminars on IP and IT laws.

Author

Neonette Pascual is an associate in Quisumbing Torres' Intellectual Property Practice Group and Information Technology & Communications Industry Group. She has nine years of experience handling matters involving contracts, incorporation, compliance, litigation, and corporate housekeeping. Prior to joining Quisumbing Torres, Ms. Pascual worked as legal counsel for the Philippine offices of two global outsourcing services companies

Author

Danielle Lauren K. Lim is a junior associate in Quisumbing Torres. She works with the Corporate & Commercial/M&A, Dispute Resolution, Employment and Tax Practice Groups. Danielle graduated from Ateneo Law School with honors and was awarded Best Thesis for Batch 2019.