Data Sharing Agreements
Plain English Translation
Any sharing of personal data between separate organizations for commercial or operational purposes must be governed by a formal data sharing agreement that specifies the safeguards in place to protect the data. The agreement must define the purpose, scope, and duration of the sharing, and must ensure the receiving party meets the same data protection standards as the originating controller. Direct marketing use of shared data always requires a data sharing agreement.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Draft a standard Data Sharing Agreement template with legal counsel and ensure it is signed before sharing user lists or data with commercial partners.
- Include transparent data sharing disclosures in your primary privacy policy to gather appropriate user consent.
Required Actions (scaleup)
- Implement a centralized vendor and partner management system to track all active DSAs and monitor the expiration of contracts.
- Integrate consent tracking directly into the application database to automatically restrict unauthorized data sharing.
Required Actions (enterprise)
- Deploy automated data loss prevention (DLP) controls that block outgoing data transfers unless the destination is verified against an approved DSA register.
- Conduct regular third-party security audits on partner controllers to verify adherence to the physical and technical safeguards outlined in the DSA.
A data sharing agreement is a formal, legally binding contract between two or more Personal Information Controllers that defines the conditions, purpose, and adequate safeguards for the disclosure or transfer of personal data.
Yes. Section 49 of the IRR mandates the execution of a formal data sharing agreement, particularly when sharing personal data for commercial purposes like direct marketing, or when transferring government-controlled data.
The agreement must clearly state the purpose of the sharing, the categories of data involved, intended recipients, mechanisms for upholding data subject rights, and adequate physical, technical, and organizational safeguards.
Data sharing is considered controller-to-controller when personal data is transferred between two autonomous entities that each independently determine the purpose and extent of the data processing.
Outsourcing occurs when a Personal Information Processor strictly follows the instructions of a controller. Data sharing involves transferring data to another autonomous controller who will use the data for their own independent purposes.
Generally, yes. The IRR requires that data subjects consent to data sharing in the private sector, even with affiliates or mother companies, unless the sharing is specifically authorized by a legal exemption.
The DSA must establish adequate technical, physical, and organizational safeguards for data privacy and security, explicitly uphold data subject rights, and outline a system for obtaining relief in case of violations.
NPC Circular 2020-03 expands upon Section 49 of the IRR by providing specific regulatory guidelines on the formulation of Data Sharing Agreements, ensuring standardized protection for data subjects during transfers.
Under Section 51, each personal information controller remains accountable for the data under its control and must use contractual means, such as a Data Sharing Agreement, to ensure a comparable level of protection by the receiving party.
CISOs should enforce strict third-party risk management protocols, mandate the execution of standard Data Sharing Agreements prior to any data transfer, and conduct continuous security monitoring of all controller partners. Tools like WatchDog Security's Vendor Risk Management can help track controller partners, assessment status, DSA review dates, and risk treatment activity.
Data sharing risks often become difficult to manage when agreements, partner details, shared data categories, review dates, and evidence are tracked in separate spreadsheets. Tools like WatchDog Security's Vendor Risk Management can maintain a vendor and partner catalog, assign risk tiers, track assessments, and keep DSA-related review activity visible in one workflow.
Teams need audit-ready proof that DSAs were reviewed before transfer, approved by the right stakeholders, and periodically reassessed. Tools like WatchDog Security's Compliance Center can link DSA templates, signed agreements, review records, and related evidence to RA 10173 control requirements so gaps are easier to identify before an audit or regulatory review.
"The personal information controller seeking to enter into a data sharing agreement with a natural or juridical person or other body with control or custody of personal data shall enter into a formal data sharing agreement."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

