Outsourcing and subcontracting agreements

1. Subcontract of Personal Data

A personal information controller may subcontract or outsource the processing of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the Act, these Rules, other applicable laws for processing of personal data, and other issuances of the Commission. (Section 43, Rule X, IRR of the Data Privacy Act)

2. Agreements for Outsourcing

Processing by a personal information processor shall be governed by a contract or other legal act that binds the personal information processor to the personal information controller. (Section 44, Rule X, Ibid.)

a. Contents

The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information controller, and the geographic location of the processing under the subcontracting agreement. (Section 44[a], Rule X, Ibid.)

b. Personal information processor’s duties

The contract or other legal act shall stipulate, in particular, that the personal information processor shall:

1) Process the personal data only upon the documented instructions of...

