Create a bespoke document in minutes, or upload and review your own.
Get your first 2 documents free
Your data doesn't train Genie's AI
You keep IP ownership of your information
Data Processing Agreement
"I need a data processing agreement ensuring compliance with GDPR, detailing data retention for 5 years, breach notification within 72 hours, and third-party data sharing limited to EU-based processors only."
What is a Data Processing Agreement?
A Data Processing Agreement spells out how one company handles and protects another company's data when providing services. Under Philippine data privacy laws, particularly the Data Privacy Act of 2012, organizations must have these agreements when sharing personal information with vendors, cloud providers, or other third parties.
The agreement sets clear rules about data security, confidentiality, and proper handling of sensitive information. It defines who owns the data, what the processor can and cannot do with it, and how they'll protect it from breaches. For Filipino businesses working with international partners, these agreements help ensure compliance with both local and global privacy standards like GDPR.
When should you use a Data Processing Agreement?
You need a Data Processing Agreement whenever your company shares personal data with outside service providers in the Philippines. This includes common scenarios like hiring payroll processors, using cloud storage services, working with marketing agencies, or partnering with IT consultants who can access your customer database.
Under the Data Privacy Act, these agreements become essential when outsourcing any data handling tasks. For example, if you're a retail business using a third-party email marketing platform, or a hospital working with an external medical billing company, you must have this agreement in place before sharing any personal information. This protects both parties and ensures legal compliance.
What are the different types of Data Processing Agreement?
- Data Processing Contract: The standard, comprehensive version used with external service providers, covering all core data handling requirements under Philippine law
- Data Processing Addendum: A shorter form that attaches to existing service agreements, adding specific data protection terms
- Data Protection Agreement For Employees: Tailored for internal staff who handle sensitive data as part of their duties
- Intercompany Data Sharing Agreement: Used between separate companies for ongoing data exchange partnerships
- Intra Group Data Sharing Agreement: Specifically designed for data sharing between affiliated companies or subsidiaries
Who should typically use a Data Processing Agreement?
- Data Controllers: Companies or organizations in the Philippines that own and determine how personal data is processed, like hospitals, banks, or retailers
- Data Processors: Service providers who handle data on behalf of controllers, such as cloud storage companies, payroll processors, or marketing agencies
- Legal Teams: In-house lawyers or external counsel who draft and review Data Processing Agreements to ensure compliance
- Data Protection Officers: Required by Philippine law to oversee data privacy compliance and approve these agreements
- IT Security Teams: Technical staff who implement the security measures specified in the agreement
- Compliance Officers: Professionals who monitor adherence to the agreement's terms and data privacy regulations
How do you write a Data Processing Agreement?
- Identify Data Types: List all personal information that will be processed, including sensitive data categories under Philippine law
- Define Processing Activities: Document exactly how the data will be collected, stored, used, and deleted
- Map Data Flows: Outline where data will be stored and transferred, especially for international transfers
- Security Measures: Detail specific safeguards and encryption methods to protect the data
- Breach Protocol: Establish clear procedures for reporting and handling data breaches
- Compliance Checks: Verify alignment with Data Privacy Act requirements and NPC guidelines
- Review Process: Our platform generates a customized agreement incorporating all these elements, ensuring legal compliance
What should be included in a Data Processing Agreement?
- Parties and Roles: Clear identification of the data controller and processor with their legal responsibilities
- Data Scope: Detailed description of personal data types and processing activities covered
- Security Measures: Specific technical and organizational safeguards meeting DPA standards
- Processing Instructions: Written directives on permitted data handling and limitations
- Breach Protocols: Mandatory notification procedures and response timelines
- Confidentiality: Staff obligations and non-disclosure requirements
- Data Transfer Rules: Guidelines for cross-border data movement compliance
- Termination Terms: Procedures for data return or deletion upon agreement end
- Compliance Framework: References to Philippine Data Privacy Act and NPC guidelines
What's the difference between a Data Processing Agreement and a Data Sharing Agreement?
A Data Processing Agreement differs significantly from a Data Sharing Agreement, though they're often confused in Philippine business practice. While both deal with personal data handling, their core purposes and legal implications are distinct.
- Purpose and Scope: Data Processing Agreements govern how a service provider handles data on behalf of another company, while Data Sharing Agreements facilitate the exchange of data between equal partners who both act as data controllers
- Legal Relationship: Processing agreements create a controller-processor relationship with clear hierarchical responsibilities under the Data Privacy Act, whereas sharing agreements establish mutual obligations between independent controllers
- Data Control: In processing agreements, the processor must follow the controller's instructions strictly. In sharing agreements, each party has autonomy in how they use the shared data
- Compliance Requirements: Processing agreements need specific security measures and processor obligations, while sharing agreements focus more on mutual responsibilities and joint compliance
Download our whitepaper on the future of AI in Legal
ұԾ’s Security Promise
Genie is the safest place to draft. Here’s how we prioritise your privacy and security.
Your documents are private:
We do not train on your data; ұԾ’s AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
Our bank-grade security infrastructure undergoes regular external audits
We are ISO27001 certified, so your data is secure
Organizational security
You retain IP ownership of your documents
You have full control over your data and who gets to see it
Innovation in privacy:
Genie partnered with the Computational Privacy Department at Imperial College London
Together, we ran a £1 million research project on privacy and anonymity in legal contracts
Want to know more?
Visit our for more details and real-time security updates.
Read our Privacy Policy.