Outsourcing Agreements

Plain English Translation

When an organization outsources data processing to a third party, it must enter into a formal outsourcing agreement that specifies the scope, duration, purpose, and technical and organizational measures required to protect personal data. The processor must comply with all obligations imposed by RA 10173 in addition to contractual requirements. The controller remains responsible for any breach or non-compliance by its processors.

Executive Takeaway

Organizations must execute comprehensive written contracts with vendors processing personal data to enforce compliance and security standards.

ImpactHigh
ComplexityMedium

Why This Matters

  • Mitigates third-party risk by contractually obligating vendors to maintain strict technical and organizational security measures.
  • Ensures regulatory compliance with RA 10173, preventing penalties associated with unmanaged vendor data processing.
  • Provides legal recourse and clear incident response protocols if a vendor experiences a personal data breach.

What “Good” Looks Like

  • A standardized vendor assessment process integrated with mandatory data processing agreement execution; tools like WatchDog Security's Vendor Risk Management can help track vendor risk tiers, assessment status, and agreement coverage.
  • Contracts explicitly defining the duration, scope, and specific security controls required for the outsourced processing.
  • Regular audits of Personal Information Processors to verify ongoing adherence to contractual privacy obligations, with tools like WatchDog Security's Compliance Center helping organize evidence, review dates, and control gaps.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

An outsourcing agreement is a mandatory contract between a Personal Information Controller and a Personal Information Processor outlining the terms, scope, and security requirements for outsourced data processing.

Under IRR Section 44, it must include the subject, duration, extent/type of processing, technical/organizational measures, subcontractor rules, monitoring rights, and data return/erasure protocols.

A contract is required whenever an organization (PIC) instructs or subcontracts a third party (PIP) to process personal data on its behalf, ensuring they are legally bound to protect the data.

A PIP must comply with the Act, uphold data subject rights, implement adequate organizational, physical, and technical security measures, and strictly follow the instructions of the controller.

Outsourcing involves a processor acting strictly on behalf of and under the instructions of a controller. Data sharing involves transferring data between two autonomous controllers for their own purposes.

Yes, the Implementing Rules and Regulations mandate formal agreements for outsourcing to ensure the PIP provides a comparable level of protection and complies with the Act.

The agreement must stipulate the specific technical and organizational measures to be taken, rules around data rectification and erasure, and the controller's rights to monitor the PIP's security.

Yes, provided that the outsourcing agreement explicitly defines the rules and rights regarding subcontracting, and the original PIP ensures the sub-processor meets all legal requirements.

The NPC requires a written agreement detailing the processing scope, the implementation of security measures by the PIP, and mechanisms for the controller to audit and monitor compliance.

Organizations should utilize the controller's monitoring rights defined in the outsourcing agreement to conduct security reviews, request compliance documentation, or perform technical assessments.

Outsourcing agreements are difficult to manage when vendor lists, risk reviews, contract status, and audit evidence are tracked separately. WatchDog Security's Vendor Risk Management can help maintain a vendor catalog, risk-tier PIPs, track assessment status, and connect vendor due diligence to the required outsourcing agreement workflow.

RA 10173 outsourcing compliance depends on proving that agreements, vendor assessments, monitoring activities, and offboarding evidence are current and complete. WatchDog Security's Compliance Center can help map those artifacts to the control, flag evidence gaps, and support repeatable review cycles across frameworks.

PHILIPPINES-DPA IRR Rule X, Section 44

"Agreements for outsourcing or subcontracting shall include the following: a. Subject and duration of work; b. The extent, type and purpose of data processing; c. Technical and organizational measures to be taken..."

PHILIPPINES-DPA IRR Rule X, Section 45

"The personal information processor shall comply with all the requirements of this Act and other applicable laws, in addition to obligations provided in the agreement with a personal information controller."

VersionDateAuthorDescription
1.0.02026-05-06WatchDog GRC TeamInitial publication