Cross-Border Transfer
Plain English Translation
Personal information controllers are accountable for all personal data under their custody, including data transferred internationally to processors or third parties. Before transferring data outside the Philippines, the controller must ensure the recipient country or organization provides a comparable level of data protection — typically through contractual provisions or binding corporate rules. Accountability for the data's protection does not transfer with the data.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Map where all user data is stored geographically, focusing particularly on international cloud providers and SaaS applications.
Required Actions (scaleup)
- Implement a formal vendor management process that requires signed Data Processing Agreements with specific cross-border transfer clauses for all overseas processors.
Required Actions (enterprise)
- Deploy continuous third-party risk monitoring and automated data mapping solutions to track cross-border data flows in real-time across the global supply chain.
Evidence Required
The Act requires the transferring organization to use contractual or other reasonable means to ensure the receiving party provides a comparable level of protection to RA 10173.
Yes, RA 10173 allows international transfers, provided the Personal Information Controller maintains accountability and ensures adequate safeguards are legally enforced.
It means the international recipient must uphold data privacy principles, security measures, and data subject rights to a standard equivalent to Philippine law.
Yes, if the cross-border transfer involves sharing data with another autonomous controller for their own purposes, a formal Data Sharing Agreement is legally required.
When outsourcing to a processor, organizations must execute a Data Processing Agreement detailing the subject, duration, nature of processing, and strict security obligations.
Outsourcing involves transferring data to a processor who acts solely on the controller's instructions, whereas data sharing transfers data to another controller for independent use.
Companies should use standardized contractual clauses whenever transferring personal data internationally to legally bind the recipient to Philippine data protection standards.
The agreement must include the processing scope, security measures, monitoring rights, subcontracting rules, and mechanisms for data return or erasure upon termination.
Under Section 51 of the IRR, the original Personal Information Controller remains fully accountable and responsible for the personal data transferred to any overseas third party.
CISOs should conduct rigorous security risk assessments, review international vendor certifications, enforce audit rights, and verify adherence to contracted security controls. Tools like WatchDog Security's Vendor Risk Management can support this process by organizing vendor evidence, risk ratings, reassessment schedules, and open remediation items in one workflow.
Cross-border transfer risk is difficult to manage when vendor ownership, security reviews, contract status, and reassessment dates are tracked in separate spreadsheets. Tools like WatchDog Security's Vendor Risk Management can centralize the vendor catalog, document security assessments, risk-tier international recipients, and track whether required data processing or data sharing agreements are in place.
Data flow maps become outdated when new SaaS tools, cloud regions, processors, or subprocessors are added without a formal review. Tools like WatchDog Security's Asset Inventory can help identify cloud assets, SaaS applications, and identity relationships so compliance teams have a more accurate starting point for documenting international data storage, access, and transfer locations.
"Each personal information controller is responsible for personal data under its control or custody, including information that have been transferred to a personal information processor or a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation."
"The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a personal information processor or a third party."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

