Data Processing Contract Template for the Philippines
Generate a bespoke document
What is a Data Processing Contract?
This Data Processing Contract is essential for organizations in the Philippines that engage third parties to process personal data on their behalf. It is required under the Data Privacy Act of 2012 and its implementing regulations, which mandate specific contractual safeguards for personal data processing. The document should be used whenever an organization (data controller) outsources the processing of personal data to another entity (data processor), whether for services such as cloud storage, payroll processing, customer service, or any other data processing activities. It includes crucial provisions on data security, confidentiality, breach notification, audit rights, and compliance with Philippine privacy laws. The agreement is particularly important given the strict penalties for non-compliance with Philippine data protection requirements and the increasing focus on data privacy protection by the National Privacy Commission.
About the Data Processing Contract
A Data Processing Contract is a legally binding agreement required under Philippine law when organizations engage third parties to handle personal data on their behalf. Under the Data Privacy Act of 2012 (Republic Act No. 10173), this contract establishes the relationship between a data controller (the organization that owns or controls the data) and a data processor (the service provider processing the data), ensuring compliance with strict national privacy regulations.
When do you need this document?
You need this contract whenever your organization outsources any personal data processing activities to external service providers. This includes engaging cloud storage providers, payroll processing companies, customer service centers, IT support services, marketing agencies, or accounting firms that will handle personal information. The contract is also required when working with sub-processors, such as when your primary data processor engages additional third parties. Philippine law mandates this agreement before any personal data processing begins, making it essential for legal compliance and avoiding penalties from the National Privacy Commission.
Key legal considerations
The contract must clearly define the scope and purpose of data processing, specifying exactly what personal data will be processed and for what purposes. You must include robust data security measures, confidentiality obligations, and detailed procedures for data breach notification. The agreement should establish audit rights, allowing you to verify the processor's compliance with Philippine privacy laws. Data retention and deletion requirements must be explicitly stated, along with procedures for returning or destroying data when the contract ends. The contract must also address sub-processor arrangements, requiring your written consent before any additional parties handle your data. Cross-border data transfer provisions are crucial if data will be processed outside the Philippines.
Legal requirements in Philippines
Under the Data Privacy Act of 2012 and its Implementing Rules and Regulations, the contract must ensure the data processor implements appropriate technical and organizational security measures to protect personal data. The processor must assist you in responding to data subject requests, including access, correction, and deletion requests. The agreement must include provisions for immediate breach notification, typically within 72 hours of discovery. The contract should specify that the processor will only process data according to your documented instructions and will not use the data for its own purposes. Philippine law also requires that the processor maintains records of all processing activities and makes these available for regulatory inspection. The National Privacy Commission may require specific contractual clauses, and failure to include mandatory provisions can result in significant penalties ranging from PHP 500,000 to PHP 5,000,000 for serious violations.
GOVERNING LAW
Applicable law
This Data Processing Contract is drafted to comply with Philippines law. Key legislation includes:
Implementing Rules and Regulations of the Data Privacy Act of 2012: Detailed regulations that implement the Data Privacy Act, providing specific requirements for compliance, security measures, and data processing procedures.
Civil Code of the Philippines (Republic Act No. 386): Governs general contract formation, validity, and enforcement, providing the basic legal framework for all contracts in the Philippines.
Electronic Commerce Act of 2000 (Republic Act No. 8792): Regulates electronic data messages and electronic documents, relevant for digital aspects of data processing and electronic contracts.
NPC Circular No. 16-01 on Security of Personal Data in Government Agencies: Provides guidelines on security measures for protection of personal data in government agencies, relevant if one party is a government entity.
NPC Circular No. 16-03 on Personal Data Breach Management: Sets out the procedure for personal data breach notification and management, which should be addressed in the data processing contract.
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it