Data Sharing Agreements

Plain English Translation

Any sharing of personal data between separate organizations for commercial or operational purposes must be governed by a formal data sharing agreement that specifies the safeguards in place to protect the data. The agreement must define the purpose, scope, and duration of the sharing, and must ensure the receiving party meets the same data protection standards as the originating controller. Direct marketing use of shared data always requires a data sharing agreement.

Executive Takeaway

Formal Data Sharing Agreements (DSAs) must be executed to govern controller-to-controller data transfers, ensuring adequate security safeguards and consent mechanisms.

ImpactHigh
ComplexityMedium

Why This Matters

  • Establishes clear legal boundaries and accountability when personal data leaves the direct control of the organization.
  • Ensures individuals' rights are protected across corporate boundaries, mitigating the risk of unauthorized secondary use.
  • Prevents severe regulatory penalties and reputational damage associated with unlawful and undocumented data disclosures.

What “Good” Looks Like

  • Standardized data sharing agreements are formally executed before any data transfer to a third-party controller occurs.
  • A centralized register of all active data sharing arrangements is maintained and reviewed periodically for compliance; tools like WatchDog Security's Vendor Risk Management can support partner cataloging, risk-tiering, and reassessment tracking.
  • Clear and transparent consent mechanisms are integrated into user workflows prior to collecting data meant for external sharing.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

A data sharing agreement is a formal, legally binding contract between two or more Personal Information Controllers that defines the conditions, purpose, and adequate safeguards for the disclosure or transfer of personal data.

Yes. Section 49 of the IRR mandates the execution of a formal data sharing agreement, particularly when sharing personal data for commercial purposes like direct marketing, or when transferring government-controlled data.

The agreement must clearly state the purpose of the sharing, the categories of data involved, intended recipients, mechanisms for upholding data subject rights, and adequate physical, technical, and organizational safeguards.

Data sharing is considered controller-to-controller when personal data is transferred between two autonomous entities that each independently determine the purpose and extent of the data processing.

Outsourcing occurs when a Personal Information Processor strictly follows the instructions of a controller. Data sharing involves transferring data to another autonomous controller who will use the data for their own independent purposes.

Generally, yes. The IRR requires that data subjects consent to data sharing in the private sector, even with affiliates or mother companies, unless the sharing is specifically authorized by a legal exemption.

The DSA must establish adequate technical, physical, and organizational safeguards for data privacy and security, explicitly uphold data subject rights, and outline a system for obtaining relief in case of violations.

NPC Circular 2020-03 expands upon Section 49 of the IRR by providing specific regulatory guidelines on the formulation of Data Sharing Agreements, ensuring standardized protection for data subjects during transfers.

Under Section 51, each personal information controller remains accountable for the data under its control and must use contractual means, such as a Data Sharing Agreement, to ensure a comparable level of protection by the receiving party.

CISOs should enforce strict third-party risk management protocols, mandate the execution of standard Data Sharing Agreements prior to any data transfer, and conduct continuous security monitoring of all controller partners. Tools like WatchDog Security's Vendor Risk Management can help track controller partners, assessment status, DSA review dates, and risk treatment activity.

Data sharing risks often become difficult to manage when agreements, partner details, shared data categories, review dates, and evidence are tracked in separate spreadsheets. Tools like WatchDog Security's Vendor Risk Management can maintain a vendor and partner catalog, assign risk tiers, track assessments, and keep DSA-related review activity visible in one workflow.

Teams need audit-ready proof that DSAs were reviewed before transfer, approved by the right stakeholders, and periodically reassessed. Tools like WatchDog Security's Compliance Center can link DSA templates, signed agreements, review records, and related evidence to RA 10173 control requirements so gaps are easier to identify before an audit or regulatory review.

PHILIPPINES-DPA IRR Rule XI, Section 49

"The personal information controller seeking to enter into a data sharing agreement with a natural or juridical person or other body with control or custody of personal data shall enter into a formal data sharing agreement."

PHILIPPINES-DPA IRR Rule IV, Section 20(b)

"Data sharing for commercial purpose, including direct marketing, shall be covered by a data sharing agreement. The data sharing agreement should put in place adequate safeguards for data privacy and security..."

VersionDateAuthorDescription
1.0.02026-05-06WatchDog GRC TeamInitial publication