Cross-Border Transfer

Plain English Translation

Personal information controllers are accountable for all personal data under their custody, including data transferred internationally to processors or third parties. Before transferring data outside the Philippines, the controller must ensure the recipient country or organization provides a comparable level of data protection — typically through contractual provisions or binding corporate rules. Accountability for the data's protection does not transfer with the data.

Executive Takeaway

Organizations must use legally binding contracts to ensure overseas vendors and partners provide a comparable level of data protection to Philippine law.

ImpactHigh
ComplexityHigh

Why This Matters

  • The organization remains fully legally accountable for personal data even after it is transferred outside of the Philippines.
  • Failing to secure cross-border transfers exposes the organization to severe administrative and criminal penalties under RA 10173.
  • Contractual safeguards prevent international third parties from misusing data or ignoring critical data subject rights.

What “Good” Looks Like

  • All international data transfers are strictly governed by formal, legally executed data processing or data sharing agreements.
  • Vendors undergo comprehensive security reviews to verify they actually provide a comparable level of protection, and tools like WatchDog Security's Vendor Risk Management can help track assessments, risk tiers, and remediation follow-up.
  • The organization maintains a complete, accurate map of all cross-border data flows and international data storage locations, with tools like WatchDog Security's Asset Inventory helping identify relevant cloud, SaaS, and identity-linked assets.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

The Act requires the transferring organization to use contractual or other reasonable means to ensure the receiving party provides a comparable level of protection to RA 10173.

Yes, RA 10173 allows international transfers, provided the Personal Information Controller maintains accountability and ensures adequate safeguards are legally enforced.

It means the international recipient must uphold data privacy principles, security measures, and data subject rights to a standard equivalent to Philippine law.

Yes, if the cross-border transfer involves sharing data with another autonomous controller for their own purposes, a formal Data Sharing Agreement is legally required.

When outsourcing to a processor, organizations must execute a Data Processing Agreement detailing the subject, duration, nature of processing, and strict security obligations.

Outsourcing involves transferring data to a processor who acts solely on the controller's instructions, whereas data sharing transfers data to another controller for independent use.

Companies should use standardized contractual clauses whenever transferring personal data internationally to legally bind the recipient to Philippine data protection standards.

The agreement must include the processing scope, security measures, monitoring rights, subcontracting rules, and mechanisms for data return or erasure upon termination.

Under Section 51 of the IRR, the original Personal Information Controller remains fully accountable and responsible for the personal data transferred to any overseas third party.

CISOs should conduct rigorous security risk assessments, review international vendor certifications, enforce audit rights, and verify adherence to contracted security controls. Tools like WatchDog Security's Vendor Risk Management can support this process by organizing vendor evidence, risk ratings, reassessment schedules, and open remediation items in one workflow.

Cross-border transfer risk is difficult to manage when vendor ownership, security reviews, contract status, and reassessment dates are tracked in separate spreadsheets. Tools like WatchDog Security's Vendor Risk Management can centralize the vendor catalog, document security assessments, risk-tier international recipients, and track whether required data processing or data sharing agreements are in place.

Data flow maps become outdated when new SaaS tools, cloud regions, processors, or subprocessors are added without a formal review. Tools like WatchDog Security's Asset Inventory can help identify cloud assets, SaaS applications, and identity relationships so compliance teams have a more accurate starting point for documenting international data storage, access, and transfer locations.

PHILIPPINES-DPA IRR Rule XII, Section 51

"Each personal information controller is responsible for personal data under its control or custody, including information that have been transferred to a personal information processor or a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation."

PHILIPPINES-DPA IRR Rule XII, Section 51(a)

"The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a personal information processor or a third party."

VersionDateAuthorDescription
1.0.02026-05-06WatchDog GRC TeamInitial publication