The Philippine National Privacy Commission (“NPC”) has issued new guidelines on data sharing agreements (“NPC Circular No. 2020-03”). This is a welcome news for personal data controllers in the private sector that have been relying on the 2016 guidelines particularly governing data sharing agreements involving Philippine government agencies and third party data processors (“NPC Circular No. 16-02”).

NPC Circular No. 2020-03 repeals the NPC Circular No. 16-02 in its entirety.

Consent to data sharing is required

In the private sector, data sharing is allowed if the data subject specifically consents to it. This is true even if the sharing of data takes place between an affiliate and a parent company.

To guide a data subject on whether to consent to data sharing, the data subject should be provided with adequate information about the transfer of his/her personal data, which shall include the following:

• categories of the recipients of the personal data;
• purpose of data sharing and the objective/s it is meant to achieve;
• categories of personal data that will be shared;
• existence of the rights of the data subject; and
• other information that would sufficiently inform the data subject of the nature and extent of data sharing, and the manner of processing involved.

Contents of a data sharing agreement

A data sharing agreement covers personal data under the control or custody of a personal information controller (“PIC”) that is being shared, disclosed or transferred to another PIC. It excludes arrangements between a PIC and a personal information processor (“PIP”), which is usually governed by an outsourcing or subcontracting agreement.

A data sharing agreement should set out the obligations, responsibilities and liabilities of the PICs involved in the transfer of the personal data between or among them, including the implementation of adequate safeguards for data privacy and security, and upholding the rights of the data subjects.

A data sharing agreement shall contain the following at the minimum:

• purpose and lawful basis of the transfer and sharing of data;
• objectives that the data sharing is meant to achieve;
• identification of the PICs that are party to the agreement as well as the type of personal data it will share, its designated data protection officer (“DPO”), and the manner of data processing it will employ;
• duration of the data sharing agreement. It should be noted that data sharing agreements with a perpetual term shall be deemed invalid;
• operational details of the data sharing;
• description of the reasonable and appropriate organisational, physical and technical security measures to ensure the protection of the shared data, including the procedure for data breach management;
• rights of the data subjects and the mechanisms for their exercise; and
• rules and methods for the retention and disposal of personal data.

The DPOs of the parties shall sign as witnesses to the data sharing agreement.

Data sharing has become more prevalent in a technologically dependent society. Data sharing can be resorted to quite easily and is done so for multitude of reasons. There is thus a need to require PICs to adhere to the data privacy principles of transparency, legitimate purpose and proportionality, whether or not a written data sharing agreement is put in place, in order to ensure that data privacy is respected by all stakeholders involved.

If you have any questions or require any additional information, please contact Felix Sy or Reeneth B. Santos of Insights Philippines Legal Advisors (a member of ZICO Law).

This alert is for general information only and is not a substitute for legal advice.