Technology and Outsourcing 2025

PHILIPPINES Law and Practice Contributed by: Kerwin K. Tan, Veronica S. Balbin and Jose Maria B. Buenagua, Tan Hassani and Counsels

– even where a personal information processor performs the task. The law explicitly affirms that accountability lies with the controller. In practice, this means the outsourcing contract should carry several security safeguards set under the direction of the controller. These include: clearly identifying the lawful basis for processing; limiting data use strictly to the agreed purposes; implementing security measures consistent with the National Privacy Commission (NPC)’s standards; and ensuring prompt breach notification within the seventy-two-hour reporting window.

These contractual and operational safeguards are reinforced by recent issuances of the NPC, which provide detailed regulatory guidelines. NPC Circular No 2023-06 (on Security of Personal Data) sets the current security baseline for controllers and processors. The circular mandates a privacy impact assessment for each processing system. For outsourced activities, a concrete safeguard the controller can impose on the processor is a set of contractual controls embedded in the processor’s own procedures: a documented control framework in the contract, privacy by design and by default as the norm for both parties, and encryption and depersonalisation that are always operational. NPC Circular No 2023-04 (on Consent) sets out how consent is to be obtained and documented. NPC Circular No 2023-07 (on Legitimate Interest) details that reliance on legitimate interest requires a purpose test, a necessity test and a balancing test. Notably, these tests do not apply to sensitive personal information or privileged information, for which legitimate interest is not an available lawful basis. In outsourcing, this means that the controller must select the lawful basis and ensure the processor supports it through appropriate documentation.

As regards personal data breaches, NPC Circular No 16-03 requires notification to the NPC within seventy-two hours of knowledge of, or reasonable belief in, a possible breach affecting the data subjects concerned. In outsourcing, this translates to tighter controls by the controller over the processor, whereby the former can impose shorter breach notification periods on the processor so that there is time for remediation before the NPC is notified.

The NPC has also intensified its enforcement regime. NPC Circular No 2022-01 establishes a schedule of fines, including penalties of up to 3% of annual gross income for serious violations, capped at PHP5 million per incident. These fines can serve as a reference for penalty clauses between controllers and processors in cases of negligence or breach.

Finally, aligning with international data protection practice, NPC Advisory No 2024-01 recognises the use of model contractual clauses (MCCs), such as the ASEAN MCCs, and standard contractual clauses (SCCs), such as those of the EU, as voluntary tools for allocating responsibilities and demonstrating accountability in cross-border data transfers.

3. Model Outsourcing Contracts

3.1 Standard Contract Model

In outsourcing transactions, there is no standard model contract used universally. Typically, companies employ some form of services contract. For companies seeking tax exemptions, specific provisions are essential, including a detailed description of the services to be provided, the currency in which payment is made, proof of payment, the tax situs of the service, and compliance with tax regulations in invoicing. Transfer pricing considerations are also important when drafting an outsourcing services contract.

At a minimum, standard contract models contain boilerplate provisions covering scope and service levels, change control, audit and access rights, confidentiality, information security, data processing under the DPA and the latest NPC circulars, business continuity, exit assistance, and a clear allocation of responsibilities for incident management and breach notification consistent with the NPC’s seventy-two-hour rule. For cross-border transactions, contracts should incorporate security safeguards that, at the very least, align with DPA standards.
