Outsourcing Agreements
Plain English Translation
When an organization outsources data processing to a third party, it must enter into a formal outsourcing agreement that specifies the scope, duration, purpose, and technical and organizational measures required to protect personal data. The processor must comply with all obligations imposed by RA 10173 in addition to contractual requirements. The controller remains responsible for any breach or non-compliance by its processors.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Establish a standard Data Processing Agreement (DPA) template for all new vendor engagements processing personal data.
Required Actions (scaleup)
- Implement a vendor management system to track DPA signatures, expiration dates, and basic security questionnaires.
Required Actions (enterprise)
- Automate third-party risk management workflows with continuous compliance monitoring and regular on-site or technical audits of major PIPs.
An outsourcing agreement is a mandatory contract between a Personal Information Controller and a Personal Information Processor outlining the terms, scope, and security requirements for outsourced data processing.
Under IRR Section 44, it must include the subject, duration, extent/type of processing, technical/organizational measures, subcontractor rules, monitoring rights, and data return/erasure protocols.
A contract is required whenever an organization (PIC) instructs or subcontracts a third party (PIP) to process personal data on its behalf, ensuring they are legally bound to protect the data.
A PIP must comply with the Act, uphold data subject rights, implement adequate organizational, physical, and technical security measures, and strictly follow the instructions of the controller.
Outsourcing involves a processor acting strictly on behalf of and under the instructions of a controller. Data sharing involves transferring data between two autonomous controllers for their own purposes.
Yes, the Implementing Rules and Regulations mandate formal agreements for outsourcing to ensure the PIP provides a comparable level of protection and complies with the Act.
The agreement must stipulate the specific technical and organizational measures to be taken, rules around data rectification and erasure, and the controller's rights to monitor the PIP's security.
Yes, provided that the outsourcing agreement explicitly defines the rules and rights regarding subcontracting, and the original PIP ensures the sub-processor meets all legal requirements.
The NPC requires a written agreement detailing the processing scope, the implementation of security measures by the PIP, and mechanisms for the controller to audit and monitor compliance.
Organizations should utilize the controller's monitoring rights defined in the outsourcing agreement to conduct security reviews, request compliance documentation, or perform technical assessments.
Outsourcing agreements are difficult to manage when vendor lists, risk reviews, contract status, and audit evidence are tracked separately. WatchDog Security's Vendor Risk Management can help maintain a vendor catalog, risk-tier PIPs, track assessment status, and connect vendor due diligence to the required outsourcing agreement workflow.
RA 10173 outsourcing compliance depends on proving that agreements, vendor assessments, monitoring activities, and offboarding evidence are current and complete. WatchDog Security's Compliance Center can help map those artifacts to the control, flag evidence gaps, and support repeatable review cycles across frameworks.
"Agreements for outsourcing or subcontracting shall include the following: a. Subject and duration of work; b. The extent, type and purpose of data processing; c. Technical and organizational measures to be taken..."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

