Data Processing Agreement Template for the Philippines

You need a Data Processing Agreement whenever your company shares personal data with outside service providers in the Philippines. This includes common scenarios like hiring payroll processors, using cloud storage services, working with marketing agencies, or partnering with IT consultants who can access your customer database.

Under the Data Privacy Act, these agreements become essential when outsourcing any data handling tasks. For example, if you're a retail business using a third-party email marketing platform, or a hospital working with an external medical billing company, you must have this agreement in place before sharing any personal information. This protects both parties and ensures legal compliance.

• Data Processing Contract: The standard, comprehensive version used with external service providers, covering all core data handling requirements under Philippine law
• Data Processing Addendum: A shorter form that attaches to existing service agreements, adding specific data protection terms
• Data Protection Agreement For Employees: Tailored for internal staff who handle sensitive data as part of their duties
• Intercompany Data Sharing Agreement: Used between separate companies for ongoing data exchange partnerships
• Intra Group Data Sharing Agreement: Specifically designed for data sharing between affiliated companies or subsidiaries

• Data Controllers: Companies or organizations in the Philippines that own and determine how personal data is processed, like hospitals, banks, or retailers
• Data Processors: Service providers who handle data on behalf of controllers, such as cloud storage companies, payroll processors, or marketing agencies
• Legal Teams: In-house lawyers or external counsel who draft and review Data Processing Agreements to ensure compliance
• Data Protection Officers: Required by Philippine law to oversee data privacy compliance and approve these agreements
• IT Security Teams: Technical staff who implement the security measures specified in the agreement
• Compliance Officers: Professionals who monitor adherence to the agreement's terms and data privacy regulations

• Identify Data Types: List all personal information that will be processed, including sensitive data categories under Philippine law
• Define Processing Activities: Document exactly how the data will be collected, stored, used, and deleted
• Map Data Flows: Outline where data will be stored and transferred, especially for international transfers
• Security Measures: Detail specific safeguards and encryption methods to protect the data
• Breach Protocol: Establish clear procedures for reporting and handling data breaches
• Compliance Checks: Verify alignment with Data Privacy Act requirements and NPC guidelines
• Review Process: Our platform generates a customized agreement incorporating all these elements, ensuring legal compliance

• Parties and Roles: Clear identification of the data controller and processor with their legal responsibilities
• Data Scope: Detailed description of personal data types and processing activities covered
• Security Measures: Specific technical and organizational safeguards meeting DPA standards
• Processing Instructions: Written directives on permitted data handling and limitations
• Breach Protocols: Mandatory notification procedures and response timelines
• Confidentiality: Staff obligations and non-disclosure requirements
• Data Transfer Rules: Guidelines for cross-border data movement compliance
• Termination Terms: Procedures for data return or deletion upon agreement end
• Compliance Framework: References to Philippine Data Privacy Act and NPC guidelines

A Data Processing Agreement differs significantly from a Data Sharing Agreement, though they're often confused in Philippine business practice. While both deal with personal data handling, their core purposes and legal implications are distinct.

• Purpose and Scope: Data Processing Agreements govern how a service provider handles data on behalf of another company, while Data Sharing Agreements facilitate the exchange of data between equal partners who both act as data controllers
• Legal Relationship: Processing agreements create a controller-processor relationship with clear hierarchical responsibilities under the Data Privacy Act, whereas sharing agreements establish mutual obligations between independent controllers
• Data Control: In processing agreements, the processor must follow the controller's instructions strictly. In sharing agreements, each party has autonomy in how they use the shared data
• Compliance Requirements: Processing agreements need specific security measures and processor obligations, while sharing agreements focus more on mutual responsibilities and joint compliance