The Data Privacy Act governs the processing of personal and sensitive personal information and essentially seeks to regulate the processing activities of personal information controllers (PIC) and personal information processors (PIP). One of those types of processing activities, which is very common nowadays and carried out at varying levels of complexity, is data sharing. The National Privacy Commission (NPC) defines data sharing as the sharing, disclosure, or transfer to a third party of personal data under the custody of a controller to one or more other controller/s.

Take note that data sharing only occurs between two or more controllers. However, whether one is acting as a controller is not dependent on labels but on whether it controls / determines the “why” of the particular processing activity in question. Thus, it is possible for an entity to be a controller and a processor at the same time depending only on the purpose/s for which the same personal information is being processed.

In the private sector, data sharing is permitted essentially if the consent of the data subject is obtained, and certain conditions are complied with. One such condition requires the execution of a data sharing agreement (DSA) if sharing is carried out for commercial purposes, like direct marketing. However, the NPC clarified that it may be possible to have data sharing without consent if such processing activity can be based on other lawful grounds for processing or if such activity can be justified under the “special cases” under the law.

A DSA refers to a contract, joint issuance, or any similar document which sets out the obligations, responsibilities, and liabilities of the controllers involved in the transfer of personal data between or among them. Since these, among others, are what a DSA contains, it is highly advisable for commercial parties to execute one even if there is no mandatory requirement to do so, as the execution of a DSA demonstrates accountability amongst the parties to the data sharing activity. By executing a DSA, the parties may show that they are taking their data privacy obligations seriously by laying down the “ground rules” and preparing for any foreseeable events or contingencies that may happen in the course of such processing activity and such other processing activities that may subsequently take place as a result of such sharing.

However, in reality, there may be instances where commercial parties tend to view the execution of a DSA (similar, for example, to the crafting of privacy policies or privacy management programmes) more as a formality than as a business application of a best practice in data privacy. The NPC (NPC Advisory No. 2025 – 01) has recently clarified this by urging PICs not to view the DSA as a mere formality but as one that should truly reflect legal and factual realities because when a legal situation arises – either on NPC’s own initiative or upon a verified complaint by an affected data subject – what the NPC will review is “the data sharing activity itself, whether or not covered by DSAs.” If this activity is not properly documented by the parties, either because there is no DSA or the DSA in place is not properly crafted, reviewed and/or executed, then parties might find themselves in a legally difficult situation.

Data sharing has become one of the most common types of processing activities that PICs do in order to maximize the commercial value of data in our data-driven world. As the NPC continues to regulate processing activities of controllers and processors, pursuant to the DPA, and as the data subjects’ level of awareness and familiarity with their rights and the corresponding obligations of controllers and processors continues to grow, controllers that take their data sharing activities more seriously, by diligently crafting a DSA and updating or revising it when necessary to reflect the realities on the ground, will have an edge in navigating the evolving privacy landscape more smoothly.