Third Parties

In the context of personal data processing, third parties ordinarily refer to other organizations or individuals who may be involved in the processing of personal data by a personal information controller.


Due diligence requires personal information controllers to take extra precaution when dealing with third parties. They should make use of any or all available means to ensure that the organizations or parties with whom they conduct business with, when processing personal data, also comply with privacy and data protection policies.

Back To Top


Data sharing is the disclosure or transfer to a third party of personal data under the control or custody of a personal information controller. Where necessary, the concerned parties draft a contract, joint issuance, or any similar document where the terms and conditions of a data sharing arrangement are properly laid out. The IRR of RA 10173 provides for the general guidelines governing data sharing. Meanwhile, NPC Circular No. 16-02 lists the specific rules that apply to data sharing involving government agencies.

Likewise, third parties may also refer to personal information processors (PIP), whose services have been contracted by a PIC for its data processing systems. In this light, it is important that the data processing handled by the PIP should be covered by an agreement to ensure the protection of personal information that will be handled by the PIP.

Back To Top

Due Diligence

All personal information controllers and personal information processors are required to conduct a privacy impact assessment (PIA) vis-à-vis each of their projects, programs, or activities that involve processing of personal data. A PIA essentially helps determine if a processing system contains loopholes or vulnerabilities that need to be addressed by the process owner.

After the conduct of the PIA, it is essential that the organization continues to monitor its data processing systems and to make sure that its privacy policies and measures are put in place to safeguard the personal information of the data subjects involved.

Back To Top


Notifications addressed to the Commission would involve either: (a) automated processing procedures; and (b) personal data breach.

Sec. 48 of the Implementing Rules and Regulations of the Data Privacy Act of 2012 (R.A. No. 10173) states that a personal information controllers that carry out automated processing systems are mandated to notify the Commission when its processing becomes the sole basis for making decisions about a data subject. The details required to be included in the notice are indicated in Sec. 48 (a) of the IRR.

In the event of a breach, the Commission should be notified of such occurrence, subject to the rules provided in NPC Circular No. 16-03.

Back To Top